Property Casualty 360

This copy is for your personal, non-commercial use only. To order presentation-ready copies for distribution to your colleagues, clients or customers, click the "Reprints" link at the top of any article.

From the November 19, 2012 issue of National Underwriter P&C • Subscribe!

Cyber Coverage: Protecting Against the ‘Hack Attack’

Travelers’ Tim Francis on the essential elements of a Cyber Liability program, which industries are at high risk and who should get the first call when a breach occurs

By Anya Khalamayzer, PropertyCasualty360.com

November 19, 2012 • Reprints

Cybercrime, including identity fraud, is the world’s fastest-proliferating criminal threat. According to Interpol, cybercrime, which used to be committed by expert individuals, is now perpetrated by organized syndicates that target big and small businesses alike. The crime-enforcement association estimates that, to date, such organizations have stolen up to $1 trillion in intellectual property from businesses worldwide.

And even though the average cost of a data breach jumped by nearly a million dollars between 2009 and 2010, only 23 percent of U.S. businesses now have formal Internet-security policies in place.

While there is no sure firewall against smart and determined criminals, Tim Francis, vice president of portfolio management at Travelers Bond and Financial Products, discusses how equally determined organizations can maximize their insurance protections against data thieves.

What are the components of a comprehensive Cyber Liability program?

Two important concerns of Cyber coverage are Liability Protection, for when third parties hold the insured responsible for information stolen during data breaches or other network intrusions; and First Party coverage for the forensic investigation, litigation and remediation expenses attributed to the breach. A well-rounded Cyber program will also include additional coverage options that can be tailored to the insured’s needs. Additional coverage can include regulatory-defense, crisis-management or public-relations expenses as well as Business Interruption and Cyber Extortion coverage.

How has Cyber coverage evolved over the past several years?

Every year leads to newer developments in coverage as more claims are filed, technology changes, customers harness technology in different ways to conduct business, and tech crimes evolve. A few years ago, coverage was predominantly liability-based—hence the term “Cyber Liability.” However, coverage has become a combination of Liability and First Party coverage to deal actively with breach notification and response to states’ breach laws. It has also evolved to encompass an increasing variety of customers in different industries and in a variety of corporate sizes.

Which sized business is most vulnerable to data breach—small ones like cafes that allow multiple users to access Wi-Fi capabilities, or large corporations with much to lose but that can also afford to invest in security technology?

Vulnerability may have less to do with the industry or the size of the business than it does with the business’ ability to prepare for, respond to and cope with a data breach or other cyber event. Typically, people assume that the largest breaches happen to large companies with much stored information. That logic is correct, but it doesn’t necessarily mean that those companies are the most vulnerable.

Smaller breaches can result in an enormous amount of money spent to determine the breach’s scope, what types of records were compromised and who was affected. A smaller breach consisting of a few hundred records may require the same work to be done as those concerning several million records. The actual impact of a small breach can be more damaging to a small company’s bottom line than a large breach to a large company with the resources and reputation to survive such an attack.

Which industries are currently at the highest risk of a cyber attack?

The most frequent attacks occur in industries that collect, store and communicate a lot of personally identifiable information, such as education, financial services, health care, government and retail—but in truth, cyber events can and do happen in every industry. The health-care industry is currently at a higher level of cyber-hacking risks because this type of information can be sold more efficiently and for a higher value than credit-card information. Keep in mind, though, that the majority of breaches that occur go unreported.

What is the cost of an average compromised record?

Actual costs will vary greatly depending on how many records are involved, but as a general rule of thumb, according to 2011 research by the Ponemon Institute, the cost to a company is approximately $200 per record [compromised]. This total amount is a combination of the actual cost of investigating and alleviating the situation, potential liability and potential loss of future business to the company’s competitors.

Who should a hacked business call first? The police, their lawyer or their insurer?

While it depends on the situation, Travelers would advise a business to contact all of the above as early as possible once a breach is detected. This is why it is so important that the customer is prepared and has a plan in place, should a breach occur. This preparation should include a tabletop exercise that lays out what the next steps are and who is responsible for executing different aspects of the plan.

About the Author

Anya Khalamayzer, PropertyCasualty360.com

Anya Khalamayzer is Assistant Editor of Risk for PropertyCasualty360-National Underwriter. Khalamayzer graduated from CUNY Baruch College after intensive internships with Time Out New York Kids and Crain’s Investment News. Keenly interested in environmental science, music and the arts, her articles have been published in Gotham Gazette, Wonkster blog and Ear to Mind magazine. She can be reached at akhalamayzer@sbmedia.com.