TAKING THE LEAD IN CYBER
Things to think about when advising clients on cyber issues
By Emy R. Donavan
Small businesses may think cyber attacks happen only to big businesses, governments and large organizations. But they shouldn’t be fooled. Hackers look for vulnerabilities on everyone’s network. They will get in, if only to use one network to take down another.
While smaller enterprises are waking up to the realities of cyber risks, many still underestimate their exposure. This omission proves catastrophic for some. According to the Ponemon Institute’s 2017 State of SMB Cybersecurity Report, hackers breached 54% of all small businesses in the U.S. last year, up from 50% in 2016. The average total cost of a data breach is $3.62 million. That is not a loss most companies can afford.
These smaller businesses, which often don’t have the revenue for a separate IT department, are especially susceptible to phishing attacks via email or fraudulent activity in their e-commerce storefronts.
Cyber events cause a range of issues, from product recall to liability to loss of funds. While general liability and crime policies may provide clients a significant amount of coverage for such exposures, cyber events create additional kinds of losses that traditional policies do not cover. These include the cost to comply with customer notification of data breach as required by state regulators; the cost to rebuild or recreate databases destroyed by a cyber attack; the cost of forensic work necessary to determine what went wrong in the IT system, and much more.
Policy design and intent
Just because a policy says it includes coverage for “computer fraud,” “data/digital coverage,” etc., does not mean a cyber policy is in place. Here are some things to think about when advising clients on cyber issues. And if your clients aren’t thinking about these and other issues, just remember: their competitors are!
Don’t fall into the same trap as these companies.
- Several employees of a hospitality company discovered when filing taxes that the taxes had already been filed. The company engaged a “breach coach” and a forensic expert to conduct a technical analysis. The investigation found that an HR executive had inadvertently downloaded malware that extracted W2 information, affecting over 10,000 former and current employees. The company issued written notification to all affected parties, provided two years of complimentary credit monitoring, and engaged a PR firm to assist with talking points and management of social media.
- A restaurant giant wanted coverage for payment card industry data security standard (PCI-DSS) assessments but did not purchase PCI coverage in its cyber policy. When the company’s system was breached, $2 million in fees and assessments was not covered. Businesses should demand specific policy language for specific risks, especially for exposures like PCI-DSS assessments.
- An Internet security company disclosed a new threat in which emails were sent to more than 3,000 businesses with the subject line “Shipping Information.” The email noted a forthcoming delivery by UPS and included a seemingly innocent package tracking link. When the recipient clicked on the link it triggered the release of malware, potentially unleashing a virus. Several companies fell for the trap and may now have vulnerabilities in their systems that they don’t even realize exist.
- In February, a group in Eastern Europe sent emails laden with malware to the staff of a major chain restaurant. By clicking on the fake emails, the employees inadvertently enabled hackers to compromise the POS systems of a majority of its locations. The hackers then were able to obtain the credit card data of millions of people.
In spite of the publicity many cybercrimes generate, the Council of Insurance Agents & Brokers (CIAB) reported in its spring 2017 Cyber Market Survey that 68% of U.S. companies do not purchase cyber-specific coverage.
Granted, confusion exists concerning the differences between full cyber policies and other policies that might contain some cyber coverage. For example, how should a data breach of a tech company’s data and its clients’ data be covered? Cyber? Tech E&O? Tech Professional Indemnity blended with cyber?
On specific coverages for cyber, the market is providing extremely broad terms—sometimes at an insurer’s own peril. For example, we are starting to see contingent business interruption (CBI) written on a blanket basis for non-IT provisions, combined with primary non-contributing language, without thought as to whether the insured has a property policy with non-damage BI in place.
Similarly, sub-limited contingent system failure (all trigger cyber CBI) is appearing in policies, which I believe gives underwriters a false sense of security: A vendor does not have to tell a client why its system went down (human error or cyber attack), and the vendor has no contractual or reputational incentive to do so.
Program administrator response
What to do? Ask claims staff whether the language you have drafted will respond as you intend in a claims situation. In this new era of cyber challenges and changes, we are all cyber underwriters!
Help your clients become better cyber risks by encouraging them to:
- Encrypt backups
- Harden access permissions
- Strengthen network perimeters
Cyber isn’t a problem for tomorrow or for someone else. The time is now. The responsibility belongs to all of us.
Emy R. Donavan is global head of cyber, media and tech professional indemnity at Allianz Global Corporate & Specialty. Allianz has a program team to advise on cyber issues and it recently joined Cisco, Apple and Aon to provide clients streamlined access to key pieces that strengthen security technology, provide cyber security domain expertise, offer enhanced cyber insurance, improve IT security and reduce cyber risk. To learn more, go to bit.ly/AGCSCyber. Email Emy email@example.com.