With 'Anonymous' hackers and negligent mistakes affecting eventhe biggest business entities, the importance of cyber liabilityinsurance is increasingly becoming apparent. PC360 spoke withMichael Palotay, senior vice president of underwriting at NASInsurance Services, about important trends in cyber liabilityinsurance and what to look out for when assessing a company'srisk.

Q: What are some current trends in Cyber Liabilitycoverage?

MIKE: A lot of carriers are jumping into themarket—many of which haven't written the coverage before. It's atough coverage to jump into because handling the claims correctly is soimperative. When a breach occurs, it's important to have theexperience to know exactly how to respond as quickly as possibleand do what it takes to minimize the impact on the insured'sreputation—which can be substantial—as well as minimize the chanceof a third-part lawsuit against the insured.

Another thing that we've been seeing—and we're doing it, too, atNAS—is the trend of a carrier putting cyber on all kinds ofdifferent policies. For example, you see many carriers puttingcyber on a directors and officers policy, general liability policyor a package policy. That could be good for the insurance buyer,but all of these add-on coverages are not created equal. They varywidely, and a customer might get lulled into this false sense ofsecurity that they are adequately covered in the event of a breach.Depending on the limit and the coverage features, many times it isnot even close to being adequate.

It's important for the insurance broker to really get a handleon what the insurance exposure is and how much coverage a customerneeds to properly protect them.

Q: How difficult does the constant changes in technologyand hackers' methods make writing cyber coverage?

MIKE: That's a big reason why we're seeing abig increase in demand [for cyber coverage]. There recently hasbeen, and there continues to be, cyber breaches in the news a lot.There's an emergence of politically-oriented hacking groups thatare highly sophisticated and have shown to be able to break intosome of our most sophisticated security systems, such asgovernmental entities like the FBI.

I think to the average small- to mid-size business, when they'rewatching this and they're learning about how much a breach costs,they realize that it's a lot more expensive than one would havethought. Then they think, “OK, how well am I protected?” If the FBIis getting hacked into, it's a big jump to think that yourpart-time IT guy who installed some firewall is really going toadequately protect you against these sophisticated hackers.

However, I don't want to overstate the hacker thing becausewhile it is bringing some awareness to the need for cyber, the vastmajority of claims we get at NAS are because of negligence.

We have a lot of doctors' offices and medical groups, and a lotof times a claim is them leaving a laptop on a train or taking abunch of filing cabinets full of medical records and throwing themaway.

Q: How do you deal with negligence claims?

MIKE: From an underwriting perspective, we knowmistakes are going to happen. What we want to do is really makesure that the damage is very limited if something like thathappens. The most important thing that we check to preventnegligence is to make sure that portable devices are encrypted.That dramatically reduces the risk, because it's incrediblydifficult to break encryption.

Q: Would you check for encryption on mobile devices, aswell?

MIKE: Yes, to an extent. There certainly isexposure with backup drives or USB thumb drives that can hold alarge amount of data. There is a more limited extent on mobiledevices like a cell phone or smartphone because usually they're notstoring large databases of customer information. There might besome information in their email or something, but it's usually to amuch smaller extent.

The ideal risk has a broad plan with an understanding of all ofthe information they store and retain. The good insureds arefocusing on this and making sure they reduce their risk where theycan and then get into the insurance with the understanding thatthings can still happen no matter how prepared they are.

Q: Are insureds adapting these strategies or are theyreluctant to take these precautions?

MIKE: I will say that the average submission wesee has a higher level of security now than a few years ago.Awareness has seeped into the insurance purchasing market, but itstill has a long way to go.

Q: What are some cyber risks that people aren't talkingabout as much as they should?

MIKE: I think that everyone talks about thedirect costs of a breach, like notification and legal expenses,fines, penalties—these are a lot easier to quantify than theindirect costs. However, many companies find that after they have abreach, they have a significant loss of revenue.

For example, after a breach, a company has to send a letter toall its customers saying it lost their private information. Nowthese customers have to worry about identity theft and monitortheir credit, and that's a betrayal. It's a competitive landscapeout there, and depending on the industry, there's a very goodchance that company's customers will go somewhere else. That'sgoing to have an impact.

To a really large company, it might just be a little blip intheir revenue and it won't threaten their continued existence. Buta small- to mid-size company can't afford a big drop in theirrevenue for a few months or a year. That could really ruin theirbusiness. It's kind of like a business interruption claim, but veryfew—if any— companies out there that sell cyber liability coverthis.

Q: What are some important factors to focus on whenwriting cyber liability lines?

MIKE: I think many cyber underwriters out thererate on the revenues of a company as opposed to the number ofidentities. At NAS, we've been collecting both data sets on therisks we write, and we've found that there are some substantialoutliers where a very small company has a very large amount ofidentities. Identities equal exposure in a cyber policy. Potentialloss is really contingent on how many identities a company'slost.

So service-oriented companies like cloud computing hosts orhealthcare third-party administrators or a mortgage servicer or amedical biller might only be making a few million in revenue, butthey might have millions of records. I don't think that's beingtaken into consideration by many markets and I think that's a wayto not get enough rate and as a result, get stung pretty badly on aclaim.

Q: Has customer demand for cyber liability beenincreasing?

MIKE: I've been doing this for seven years now,and I would say that demand for the coverage is certainly the mostI've ever seen it. However, while demand is high, it's still justscratching the surface, and there's still such a lack of awarenessout there about how much these claims cost if a company has abreach. There's still a lack of awareness of how valuable thiscoverage is.

Q: What kind of coverage does NAS offer for cyberliability?

MIKE: We have a standalone cyber product calledNetGuard Plus. Then, we also have cyber on all of our technologyprofessional liability that we write. We have cyber in one form oranother in almost every single one of our products. We think it'simportant to at least give some protection included with the normalpolicy that they purchase.