By Steve Haase, president of INSUREtrust, and Allen Cross, senior risk consultant at INSUREtrust

The cyber liability market is poised to grow at a double-digit pace again this year, as more companies, prompted by the constant stream of headlines about cyber criminals attacking big corporations, reluctantly realize that they need coverage.

While the word “cyber” has taken on a broad range of meanings—from electronic espionage to the virtual reality world of the Internet—the cyber insurance marketplace not only addresses the dangers to business posed by criminals looking for data stored on corporate computer networks, but also paper files that get into the wrong hands, and a wide range of other cyber events. In many cases, vulnerable data involves confidential corporate information including contracts, financials and possible equity offerings. But the most widely recognized at-risk data is personally identifiable information (PII): names, addresses, Social Security numbers and other intimate personal information that criminals can sell on black markets for great profit.

The most recent prominent case involves Wyndham Hotels. In June, the Federal Trade Commission announced it was suing the hospitality company, alleging it failed to protect customers' credit card information after a series of breaches left 600,000 accounts exposed. A hotel typically gathers a range of personal data—from credit card numbers to email addresses, phone numbers, even car license plate numbers of customers who park in its garage.

In spite of these high-profile breaches, many small and midsized businesses still resist purchasing insurance coverage. Many business owners believe they are not vulnerable, thinking hackers only go after big corporations with huge amounts of data. Entrepreneurs also widely believe that no one really wants their data, failing to fully appreciate the value of the data they own.

But cyber crooks go after big and small businesses alike, and the aftermath of a data breach, especially for a small company, can be catastrophic. So although a small, independent contractor who never collects any PII may be justifiably less concerned about a breach, most small businesses collect many types of PII in the form of present and past employee information and should be very concerned about a cyber incident. PII is only one of many reasons to buy a cyber policy. Other risks include the exposure to commercial information protected under a non-disclosure agreement or confidentiality agreement and the exposure that companies with large content and/or social networking activities incur, necessitating broad cyber media coverage. Considering the wide range of risks, even the smallest independent contractor has real liabilities. The costs incurred from a single event—ranging from lawsuits to regulatory fines to notification costs—could run into millions of dollars and easily bankrupt a thriving business.

The biggest challenge for an agent is to educate the insurance purchaser about the very real exposure to loss and potentially devastating consequences of a cyber breach.

To do this professionally, agents must understand the coverage offered by the cyber insurance marketplace. But cyber coverage is complicated. Trying to evaluate the products of different carriers is akin to comparing apples to oranges to Swiss cheese.

The process is tedious and time-consuming: There is no standard form because of the nature of the cyber liability market. Cyber coverage is primarily a non-admitted product, meaning each carrier can fashion its policies to meet marketing and financial risk models, because it has no obligation to submit its coverage to state regulators.

Although some convergence in product offerings among carriers is expected in the next few years, there appears to be no substantial movement toward a commoditized type of policy for probably 10 years or more.

However, some broad trends in the way carriers construct coverage are happening. Insurers now offer more protection for first-party breach claims, including costs for crisis management and notification of victims, computer forensics, credit monitoring and ID theft recovery for victims. They also are starting to cover offline content and liability created by third parties.

Conversely, carriers have reduced their appetites to cover unencrypted data. Just 12 months ago, most insurers were unconcerned about the encryption status of information. Today only about 40 percent of carriers are willing to take on the risk of unencrypted data. There is even less appetite for covering unencrypted data in the financial and healthcare industries. Encrypting data can be costly and slow down networks, which is why so many companies have not implemented it.

The water becomes muddied when a company transmits sensitive data via smartphones, because these devices are more difficult to secure than laptops and desktops. Many businesses continue to leave themselves vulnerable through this practice.

Firms are presenting new challenges to the cyber market with the growing adoption of cloud computing. By either using software as a service or simply storing data at a remote server owned by a third party, companies are potentially endangering themselves. There are certainly good business reasons to employ the cloud, but from a liability standpoint it is uncharted territory. One big problem is that cloud providers refuse to take any responsibility for lost or stolen data, arguing that doing so would wipe them out after just one incident.

The original data collector using the cloud owns the data anyway, so it legally retains all the risk for that data. In fact, cloud service providers and cloud users often debate the level of liability to retain. In this environment, carriers are struggling with ways to minimize their exposures while still filling the need for cloud coverage in the marketplace.

Regulation generates another area of liability for data collectors. The national personality of the U.S. balances a culture of individual liberty with the desired efficiencies of consumer capitalism. Thus, sacred personal privacy is equally prized with maintaining a marketplace for new digital products and services. Regulations at the state and federal level attempt to maintain harmony between these two values, but are not without controversy.

When a data breach actually occurs for a policyholder, there are numerous expenses typically covered. The largest of these costs is victim notification. Forty-seven states require the business to notify victims of a breach. According to a Ponemon Institute survey, the average cost per record is nearly $200, while the overall average cost of a breach to the company is $5.5 million.

Adding to the misery of notification, laws defining what constitutes a breach, how long the company has to tell victims and how the company must communicate with the victims vary from state to state. In California, ZIP codes are considered PII. These kinds of differences make the notification process complicated for firms with customers in multiple states. In the event of a breach, the laws of each state where customers are domiciled must be followed, multiplying costs to discern what states might be involved and acting within each legal timeframe.

While some would like to see national regulations completely handle cyber privacy issues, others fear the heavy hand of federal regulations. Still, the federal government is in the mix with numerous laws and regulations that add to the layer of regulatory requirements for business.

Last fall, the Securities and Exchange Commission issued new guidance on cyber issues, encouraging publicly traded companies to inform investors of an attack, or even vulnerabilities that constitute a material risk. But businesses of all sizes are reluctant to do so because of damage to their reputation and the potential to give cyber criminals useful information in planning an attack. Although the guidance is not currently mandatory, it probably will be in the future, and the topic is in the sights of federal regulators.

The Health Information Technology for Economic and Clinical Health Act (HITECH), federal legislation passed in 2009, dictates data rules to entities in possession of medical records. These firms must notify the U.S. Dept. of Health and Human Services (HHS), the news media and affected individuals of a data breach involving 500 or more persons. While HITECH was formulated to stimulate the use of highly portable digital medical records, Congress recognized the need for safeguarding this kind of data in the Internet age.

The biggest change to health care privacy since the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, HITECH is having a major impact, mainly because of the increased fines it imposes—up to $50,000 in penalties for each individual violation, topping out at a maximum, cumulative penalty of $1.5 million. Medical practices accounted for 18 percent of cyber incidents last year, reports DATALOSSdb, meaning carriers can be left on the hook for paying these substantial fines.

Regardless of what sector a business is in, though, it needs cyber insurance. Coverage costs are starting to decrease, and the potential risks are simply too high to be ignored. Agents who want to cultivate a reputation for being a comprehensive risk management expert simply must address cyber risks with their clients.
