New online publishing and social media venues. New applications and business systems. New, and almost always mobile, devices. And with the cloud, new locations for your data and applications, from around the corner to around the world. Technological change maintains its relentless pace—and each new development brings new risk factors that businesses ignore at their peril.

It's no longer a question of “if,” but rather, “when,” a cyber-related threat confronts your business or your clients' businesses, warned Laura Toops, editor of American Agent & Broker, as she kicked off a recent PropertyCasualty360 web seminar titled “Cyber Liability: A View from the Trenches.” Citing Ponemon Institute data, Toops noted that 71% of businesses surveyed faced cyber-attacks in 2011. Yet the majority of companies remain unprepared for cyber-attacks that can threaten their data, their customers' data, their employees, and the operations and reputation of their businesses, Toops said. Only 38 percent say they are increasing their 2012 budgets to address these cyber threats.

Everyone's on the Hot Seat
All too often, cyber liability still is viewed as a problem to be addressed by the IT department. That's a critical mistake, Toops said, because a cyber-attack puts “a lot of people on the hot seat”—among them agents and brokers, risk managers, senior management, outside auditors, and even a company's board of directors. She cited the recent example of Wyndham; in June, the Federal Trade Commission sued the hotelier for alleged data security failures that resulted in three security breaches during the past two years.

Remarkably, only a third of companies today have cyber-related insurance coverage. “The question is, 'Why not more?'” commented attorney Lori S. Nugent, co-chair of the data security and cyber liability practice at Wilson Elser, as she shared her experiences helping clients cope with real-world cyber losses and the litigation that frequently follows cyber-attacks. “Both individuals and the companies they work for can be sued.”

Nugent delved into a number of risks associated with the rise of e-publishing and social media—in particular, the risks associated with defamatory communication. It can be easy to forget in the effortlessness of online commentary that “if you say something defamatory, you can be sued,” she said. Prior to the Internet age, damages from defamation cases were often linked to the circulation of a publication. “Now, it can go viral and literally go around the world.” Online endorsement or disparagement of products—whether your own company's products or a competitor's—also is risky ground, Nugent added—especially “in cases of failure to disclose that you work for the company.”

Tracking for Trouble
Privacy violations are another critical concern for companies—especially with the widespread use of technology to track web site visitors. Tracking of visitors to your company's web site can be fodder for class action lawsuits, according to Nugent, especially “when individuals visiting your site didn't authorize the tracking and you're using technology to track everywhere the user goes even after they leave your web site.” On the other hand, she said, “we've had good success in litigation when our clients could prove that either they didn't track or that the tracking was approved by users.”

Unfortunately, “sometimes companies are not aware of the tracking that is being done on their behalf,” Nugent warned. For example, this can happen when, unbeknownst to the IT or legal departments, a third-party vendor convinces the marketing department to implement tracking to gather more useful data on web site visitors. It is crucial that companies “know what tracking vendors do in your name,” she said. Companies should make a clear decision—either to not track their web site users, or to track very carefully, with clear consent from users.

Preventing and Mitigating Cyber Losses
Data breaches—not just hackers breaking into networks, but especially the loss or theft of devices and paper-based data—remain a company's most commonplace cyber risk. Nugent prescribed several key steps for protecting businesses:

  1. Moderate your data diet. Take in only the information you need, discard it when you don't need it, and never share it unless the other party needs it and you are authorized to provide it.
  2. Protect sensitive data. Physical security remains very important—so lock your cabinets and office doors. Implement robust firewalls, encryption, and other forms of network security. Protect mobile devices used by employees with encryption, the ability to remotely “wipe” the device if it's lost or stolen, and ideally by not allowing sensitive data to be loaded onto the device in the first place.
  3. Have a written security plan. An information security plan should document what sensitive information you handle—what you receive, what you keep, and what you send—how you protect it, and what you do in case of a breach.
  4. Have a breach response plan. Eliminate finger-pointing by knowing who is responsible for what, when notification must be provided, and who must be notified. Take steps to ensure regulatory and contractual compliance. Recognize that nothing is “off the record” and that it takes effective response to protect your reputation and your business.

Risk Transfer for Cyber Liability
Cyber insurance represents another key way to prepare for the threat of cyber-attack. But companies must do their homework to figure out what coverage to pursue—and how their risk management efforts can translate into lower costs for risk transfer solutions.

Going through the application process is an important first step, said Scott Hammesfahr, who specializes in cyber liability underwriting for Zurich North America. Completing an application serves three main goals. First, it facilitates communication between departments that may not work together regularly such as IT, HR, Legal, and Risk Management. Second, it will set pricing expectations for risk transfer solutions allowing for better budgeting. Finally, it highlights the sorts of controls that underwriters feel most contribute to effective risk management. Underwriters and agents often can provide guidance on where the company should improve cyber risk management—including recommending third-party technical consultants to implement better controls that in turn can reduce the cost of transferring cyber risk.

People, processes, and technology are all important factors in the underwriting of cyber risk coverage, Hammesfahr explained. Companies should have qualified employees with clear accountability for data security and privacy, training should be formalized, and efforts must be coordinated across internal departments. Formal processes should encompass security and privacy policies, regulatory compliance, disaster recovery planning, network mapping, password management, physical records, and more. Technology should “establish the front line of defense with the right technology security tools and products such as firewalls, encryption, monitoring tools, and established redundancies,” he said.

Cyber risk transfer solutions vary by carrier, so companies seeking to purchase cyber insurance coverage should pay close attention to what is covered, Hammesfahr said. Key questions to ask include:

  • Does coverage extend to third-party service providers?
  • Is there coverage for the actions of rogue employees?
  • Are there sub-limits built into the coverage form?
  • Does privacy breach coverage apply regardless of applicable notice laws?
