In today's society, we’re experiencing a steady increase in the number of users who utilize the Internet and technology each and every day. As a result, businesses are looking more to technology in order to stay efficient in their business practices. While technology is convenient in many ways, it also exposes businesses to cyberattacks.
According to the Ponemon Institute's Cost of Cyber Crime Study, there was an 18% increase in the number of cyberattacks in 2013, and a report by Symantec on internet security found that 61% of small and midsize businesses experienced a cyberattack in 2013. Hackers are constantly looking to disrupt business operations; hence, it is more important than ever to prepare organizations for potential security breaches.
If sensitive or protected data finds its way into the wrong hands, it can result in claims expenses for which businesses will be liable. This could include identity theft, fraud and other cyber-related crimes. Organizations of all sizes and in every industry are exposed to cyber-related breaches, which can cost companies millions of dollars each year. While the types of threats remain relatively the same, there are some emerging risks and trends in cyber liability that businesses should take into account.
Regulatory and insurance environment
In the last two years, significant data breaches have affected well-known companies such as Target, Home Depot, JP Morgan Chase and eBay — just to name a few. The issue has become so prevalent that President Obama issued an executive order in February 2013 to strengthen the U.S. cyber security framework.
In October 2013, the National Institute of Standards and Technology proposed a cyber security framework for critical U.S. infrastructure, and it looks like it will be at the top of the agenda for Congress in 2015 with bipartisan support for compromise legislation. This will be a significant change for businesses, as they will now be required to have cyber security protocols in place to protect sensitive data and systems, which historically has been voluntary. Some business sectors, including electric utility, telecommunications and the financial industry, already have existing processes in place and will be quick to adopt the new standards.
As a result of increased awareness in cyber liability and possible future regulatory requirements, more companies are looking toward the insurance industry to assist in managing their risk. Any organization that uses technology to perform business operations runs the risk of cyber threats. Cyber liability policies can cover a variety of costs associated with a breach, including credit monitoring, expenses to defend claims, fines and penalties, notification costs and any loss resulting from identity theft. Currently, there is a select but growing number of insurance carriers offering cyber and privacy liability coverage. The pricing is competitive, but with only 26 percent of businesses now purchasing cyber coverage, this will increase demand for coverage and reduce capacity, further driving up premiums.
Until now, many companies have been relying on their commercial general liability (CGL) policies to cover the costs of data breach claims. However, insurance carriers are increasingly denying coverage for cyber claims filed through their CGL policies. These insurance carriers have pushed the issue to ban cyber coverage through the courts and it looks like they’re having some success. The Insurance Services Office (ISO) recently revised its standard CGL policy forms so that the coverage excludes any cyber-related claims. The latest carrier to make this move is the Travelers Cos. unit that asked the court to rule that it is not obligated to indemnify and defend P.F. Chang's China Bistro for a 2013 data breach.
Travelers basically states that the “property damage” covered in its CGL policy does not include loss or damage to “electronic media and records.” In addition to Travelers, a New York State Supreme Court judge held in a bench ruling that Zurich American Insurance Co. does not have to cover New York-based Sony Corp. of America for litigation related to the 2011 hacking of its PlayStation Network. It will take time for this exclusion to be widely adopted by the insurance industry, but as long as data breaches continue to increase along with the cost, it will be an industry-standard exclusion for all.
New and emerging cyber risks
Another emerging risk in cyber liability is the use of wearable devices in the workplace. As more people are using wearable devices to do everything from track location and movement, to detect vital signs, to streamline communication, the privacy issues faced by employers will grow. While these devices range from headgear to footwear, they are still relatively new in the marketplace and yet their popularity is exploding. As with any new trend or device, they will eventually show up on employees in the workplace — either they will bring their personal device with them, or companies will use them to improve workers’ health and safety.
The risks companies face with these devices include privacy, liability and security issues. Many companies just assume that their current workplace policies will cover these problems. However, intellectual property loss is probably one of the greatest risks facing businesses. Many of these devices have the ability to covertly record and take photos without user activation. To make matters worse, there is very little security in these devices, so a hacker could use them to spy on individuals.
Another major risk is employee privacy in the workplace. What if employees are wearing these devices in the restroom? Or what if the health data from an employee's device is accidentally downloaded in an unsecured file onto the company server through a wireless link? Depending on the policy, there may be limited insurance coverage or none whatsoever for a particular scenario.
Finally, the recent Sony Entertainment cyberattack by North Korea over the release of the movie The Interview brings to light a new type of cyber threat: one that is motivated not by some form of direct financial exploitation or gain, but by political or idealistic reasons. The fact that it was executed by a foreign government is alarming, and such a threat is hard to manage.
For Sony, the real damage was done with the release of some very negative executive emails and theft of sensitive employee data, which will have reputational and financial costs. The ultimate consequence of this could end in the boardroom. While cyber-related directors and officers (D&O) liability claims are rare, this potential emerging threat could likely change that in the future. Businesses could face securities class action lawsuits when compromised network systems result in a long-term stock price drop.
With all these emerging risks coming into play, it is the sole responsibility of business owners to stay ahead and protect themselves from any potential threats, which will continue to arise as technology evolves and expands. The time to start actively minimizing a company's cyber risks is now, before it is too late.
Jay Shelton is the senior vice president of risk management services at Assurance. He performs a full range of risk and insurance management functions, including policy selection and negotiation, broker and TPA management, claim management, risk identification, forecasting model development, trend analysis, OSHA and EPA compliance and the development of performance benchmarking.