Vaccinating Your Business From The Hackers: Part 2 of 4
In Part 1 of our series, we discussed how many traditional insurance policies may leave your business vulnerable in the event of a breach. Not surprisingly, the insurance industry has developed new insurance products designed to fill in the gaps, fortify businesses against these losses, and vaccinate your business from the hackers. These products are becoming increasingly standardized to provide stable coverage. These new policies fall neatly into two categories: First Party Coverage and Third Party Coverage.
First Party Coverage
These policies typically cover costs the insured incurs in responding to a data breach incident and any loss or damage to the insured's technology systems. Depending on the product, first party cyber-liability policies may exclude or limit coverage for:
- losses caused by power outages or compromised telecommunications services;
- fire loss;
- damage to computer hardware;
- design failure arising out of the architecture or configuration of the insured's computer system; and
- ordinary wear and tear of the computer system.
Third Party Coverage
These policies typically cover certain third party losses on a claims-made basis and may include damages arising from the distribution of content over the internet, damages arising from the unauthorized access or use of the insured's computer system, and denial, impairment or interruption in service to a customer's account. Some policies may afford coverage to the insured for crisis management expenses including:
- notifications to customers of an adverse event;
- credit monitoring and credit protection services for customers;
- management of negative publicity from adverse media reports; and
- preservation of evidence and forensic investigation if paid to outside consultants.
These optional coverages are often for only a limited or agreed-upon time period following the security breach, and they may exclude claims or lawsuits against the insured, legal fees attendant to such claims, damages arising from the insured's violation of its own privacy policy, or any fines or penalties imposed. New product suites include coverage for cloud computing, data privacy, network interruption and intellectual property issues. Areas where coverage has yet to be explored include a decline in stock price following a cyber-security breach, impact on reputation, and BYOD (bring your own device) risks created by adeptly designed malware which turns employees' devices – smartphones, tablets and PCs – into unwitting attackers at their own companies and of their own accounts.
In a nutshell, the savvy corporate consumer should shop for business-appropriate policies and be well informed of the coverage ultimately purchased. An annual audit of policies may be a prudent move as well, since these policies seem to change to meet ever-emerging needs.
Tips for Businesses in Choosing Cyber Risk Coverage
- Buy the broadest coverage available; this includes 1st and 3rd party coverage.
- Make sure your coverage protects information in the care, protection and control of third parties.
- Assure that data recovery is covered.
- Consider whether you need coverage for regulatory activity or requirements attendant to same.
- Consider whether coverage should address data transmittals outside of the office and/or on unencrypted devices.
- Assess the need for coverage if your business takes credit card payments.
- Consider purchasing coverage for loss control evaluation services or identity theft resolution services. The former may help the smart corporation or organization minimize threats on the front end while the latter may assist in solving problems after-the-fact.
- Examine the need for coverage for injuries to corporate clients.