Most IT leaders plan for cyber-attacks by deploying firewalls and installing security hardware and software. Even so, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom, and assets are missing.
Almost every day there are reports of cyberintrusions, attacks and related security breaches. If your company does not have the right insurance, the aftermath can be even more of a disaster. For example, according to regulatory filings, at the time of Target's breach in late 2013 it had about US$100 million in insurance coverage with a $10 million deductible, which did not make a dent in the estimated losses of $1 billion.
What company can afford not to have insurance for a potential cyberdisaster? Let’s look at some protective measures that can be taken to safeguard your business.
As a practical matter, you or your chief risk officer should examine your current insurance policies to see whether you have protection for these cyberrisks:
- Network and information security liability
- Communications and media liability
- Crisis management event expenses
- Security breach remediation and notification expenses
- Computer program and electronic data restoration expenses
- Computer fraud
- Funds transfer fraud
- E-Commerce extortion
Of course, each business has its own insurance needs, so you will need to make your own decisions about the right coverage. For instance, if your company is in the healthcare industry, coverage for breaches of protected health information regulated under HIPAA should be included.
Inspect Your Policies
Some insurers offer cyberprotection as an add-on to a commercial general liability (CGL) policy, while others write it into a separate cybercrime policy.
It would be wise to review what coverage your company has and what is available, and to make sure you actually have cyberinsurance coverage rather than assuming a general policy provides it.
Whether cybercoverage is part of a CGL policy is the subject of a declaratory judgment complaint brought by Travelers Indemnity Company in the U.S. District Court in Connecticut in October 2014. The complaint alleged that the P.F. Chang's restaurant chain did not have cybercoverage with Travelers, and because there was no cybercoverage, Travelers claimed "that it is not obligated to defend or indemnify P.F. Chang's…under CGL insurance policies issued by Travelers."
It appears that Travelers filed the complaint for two reasons. First, P.F. Chang's had filed a claim under its Travelers CGL policy for a breach involving seven million customers' credit and debit cards. Second, class actions were brought by P.F. Chang's customers in several states, accusing P.F. Chang's of failing to prevent the breach and of breach of implied contract.
Interestingly, the breach itself began on Sept. 18, 2013, but P.F. Chang's was unaware of it until nine months later, on June 10, 2014. That gap is typical: the longer an intrusion goes undetected, the larger the exposure and the harder it is to establish what was taken.
It will be interesting to follow this case to see how the Court views the CGL coverage.
Examples of Cyberinsurance Coverage
AIG, one of the largest insurance companies in the world, offers CyberEdge, which covers security or data breach losses such as:
- Direct first-party costs resulting from a breach
- Lost income and operating expense resulting from a security or data breach
- Threats to disclose data or attack a system to extort money
- Online defamation
Travelers, another large insurance company, offers CyberFirst, which includes a number of related insurance coverage provisions:
- Technology errors and omissions liability
- Network and information security liability
- Communications and media liability
- Employed legal professional liability
- Expense reimbursement
How to Assess a Cyberincident
When an attack succeeds despite the firewalls and security tooling described at the start of this article, the burden falls on IT leadership (CIOs, CISOs and CTOs) to make an immediate assessment of what transpired:
- Identify malware within the network
- Review logs to establish when and from where the intruders gained entry
- Determine what data, if any, was accessed remotely
- Determine what data, if any, was sent off the network
- Determine whether backups can be used to restore data that was encrypted
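Two of the steps above (when and from where the intruders came in, and what was sent off the network) reduce to questions that can be asked of logs. The following is an added example, not code from the original article or from any vendor: it parses a few constructed VPN login and outbound-connection records (a made-up `key=value` format, not a real product's schema), finds the earliest successful login from outside the trusted address ranges as the first estimate of the intrusion time, and then totals outbound bytes per internal host from that moment on, flagging hosts whose volume exceeds an assumed threshold as exfiltration candidates. The trusted ranges, threshold, and field names are all assumptions.

```python
"""Post-intrusion triage: first untrusted entry, then outbound volume since then.

All sample data and field names below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample logs (not real data). One record per line, space-separated key=value pairs.
SAMPLE_LOGS = """\
ts=2013-09-17T08:02:11 type=vpn_login user=jsmith src=10.20.0.14 result=ok
ts=2013-09-18T02:41:55 type=vpn_login user=svc_pos src=198.51.100.23 result=ok
ts=2013-09-18T02:43:10 type=egress src=10.20.5.7 dst=198.51.100.23 dport=443 bytes=1204
ts=2013-09-19T03:15:02 type=egress src=10.20.5.7 dst=198.51.100.23 dport=443 bytes=61440000
ts=2013-09-19T09:00:00 type=egress src=10.20.0.14 dst=203.0.113.9 dport=443 bytes=250000
ts=2013-09-20T03:11:47 type=egress src=10.20.5.7 dst=198.51.100.23 dport=443 bytes=58720256
ts=2013-09-20T10:30:00 type=vpn_login user=jsmith src=10.20.0.14 result=ok
"""

# Address ranges the business treats as its own (assumption for this example).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Per-host outbound volume above which we flag possible exfiltration (assumed threshold).
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; ts becomes a datetime, bytes an int."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    if "bytes" in rec:
        rec["bytes"] = int(rec["bytes"])
    return rec


def parse_logs(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_trusted(addr):
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def first_untrusted_login(records):
    """Earliest successful login from outside the trusted ranges: the first
    estimate of when, as which account, and from where the intruder got in."""
    hits = [r for r in records
            if r["type"] == "vpn_login" and r["result"] == "ok" and not is_trusted(r["src"])]
    if not hits:
        return None
    first = min(hits, key=lambda r: r["ts"])
    return first["ts"], first["user"], first["src"]


def egress_by_host(records, since=None):
    """Sum outbound bytes per internal host, optionally only for records at or after `since`."""
    totals = defaultdict(int)
    for r in records:
        if r["type"] != "egress":
            continue
        if since is not None and r["ts"] < since:
            continue
        totals[r["src"]] += r["bytes"]
    return dict(totals)


def flag_exfiltration(records, since=None, threshold=EXFIL_THRESHOLD_BYTES):
    """Internal hosts whose outbound volume since `since` meets the threshold,
    mapped to (total bytes, sorted list of external destinations they reached)."""
    totals = egress_by_host(records, since)
    flagged = {}
    for host, total in totals.items():
        if total >= threshold:
            dsts = sorted({r["dst"] for r in records
                           if r["type"] == "egress" and r["src"] == host
                           and (since is None or r["ts"] >= since)})
            flagged[host] = (total, dsts)
    return flagged


def assess(text):
    """Run both checks: entry point first, then egress measured from the entry time."""
    records = parse_logs(text)
    entry = first_untrusted_login(records)
    since = entry[0] if entry else None
    return entry, flag_exfiltration(records, since)


if __name__ == "__main__":
    entry, flagged = assess(SAMPLE_LOGS)
    print("first untrusted login:", entry)
    for host, (total, dsts) in flagged.items():
        print(f"{host}: {total} bytes out since intrusion -> {dsts}")
```

On the constructed data the login of `svc_pos` from 198.51.100.23 on 2013-09-18 is the entry point, and host 10.20.5.7 sends roughly 120 MB to that same external address afterwards while the ordinary workstation stays well under the threshold. The point is the ordering: fix the entry time first, then measure everything else relative to it, so that normal traffic from before the intrusion does not inflate the exfiltration estimate.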
Following the assessment, companies may need to notify affected customers, and in some cases their own employees, under the breach-notification laws of 47 states. In addition, if credit card or banking information has been compromised, the affected company may have a legal duty to provide credit protection services for up to one year. This happens more often than people realize.
Report the Cyberincident — It May Be a Crime
It is also important that the U.S. government learns about cyberincidents so that law enforcement can investigate and identify the attackers. Incidents should be reported to the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center. The IC3 defines Internet crime:
…as any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.
If your company has a cyberintrusion, consult your lawyer first to be sure you take the appropriate steps, including making a timely cyberinsurance claim.