While the words “sexy” and “insurance” seldom appear in the same sentence, cyber liability changed that in 2011.
Speaking about coverage for data-breach risk, Jake Kouns, senior director of technology and a data-privacy underwriting expert at property-and-casualty insurance holding company Markel, said in October, “It’s the new, sexy insurance. There are 30 carriers now writing it.”
The reason for this inrush of underwriters, of course, is that the digital storage and transfer of data is a critical part of doing business today for a huge—and constantly growing—swath of industry sectors. Insurance companies, banks, asset managers, retailers and, as Sony reminded us this spring, even game makers—they all handle private financial data.
And it’s not just hackers, viruses and phishing emails that put data at risk. Security breaches can just as easily be caused by lost or misplaced files or even mishandled waste. A breach that results in a client’s data being stolen and used in a damaging way can lead to substantial third-party liability claims—and government penalties.
A report from Lloyd's and technology company HP earlier this year warned that businesses becoming more reliant on technology will face more complex and damaging digital attacks as sophisticated criminals quickly adapt their methods to steal from, disrupt and spy on businesses.
Larger companies have been attuned to the risks of data-poaching and Web-site shutdowns for a while now—and many have stopped inquiring about coverages and have actually started buying policies. Why cyber liability could prove to be a major new business opportunity for agents, brokers and carriers is that the risks of expensive data breaches very much extend to small and midsize businesses as well.
Indeed, it is companies outside the Fortune 1000 that could find it very difficult to recover from a data breach without the right insurance, says Kouns, who also serves as chairman/CEO of the Open Security Foundation—a nonprofit public organization that seeks to help businesses minimize their information-security risks.
While cyber coverage has moved from an afterthought to a front-burner issue for many risk managers this year, the types of coverages being offered are still all over the map. Policies can cover everything from helping reconstitute data to the public-relations expenses needed to repair a damaged reputation.
Prices, too, are evolving—and are perhaps still too low. “Right now you can get a policy with a $1 million limit for $1,500 in premium,” notes Kouns. “That is worrisome. It’s too cheap. Companies will buy the coverage and think they don’t need to do anything to secure their systems.”
Even though cyber risk is everyone’s problem, the Zurich-sponsored survey “A New Era in Information Security and Cyber Liability Risk Management” in October showed that IT personnel are the ones who are generally considered (by 73.2 of the respondents) to be responsible for protecting against such threats. Only 13.2 percent believed it is the risk-management/insurance department’s responsibility.