Cyber Coverage: The New 'Must-Have' In The Property & Casualty Portfolio?

Imagine Amazon.com or a regional bank trying to do business without their databases and computer systems.

As more and more companies–and their insurers–are realizing, this reliance on IT creates a hornet's nest of risks that can result in crippling losses that conventional, turn-of-the-century P&C insurance coverages won't respond to. These new issues call for a new category of coverage.

THE NEW RISKS

On the one hand is the issue of first-party losses. These might include business interruption, which could be caused by a flood or fire in a data center, or malicious hacking by a disgruntled employee or even a cyber-crook half a world away.

Traditional p&c insurance might help replace some of the lost hardware or compensate for physical damage to the data center. Yet there is no coverage for the onerous costs of restoring data, reinstalling software, or for lost revenue, since standard p&c packages typically exclude such losses completely.

It means a company could be out of business for days or weeks, while also being responsible for costs of restoring the IT functionality.

Perhaps even more ominous are the all-new liability exposures inherent in IT operations. A raft of relatively new regulations and legislation makes companies responsible for safeguarding personal and confidential data they collect as part of everyday e-commerce operations.

Companies are liable for customer credit card numbers, financial transactions, medical history, credit information and other sensitive data.

Regulations ranging from HIPAA (the Health Insurance Portability and Accountability Act) for health care information to Sarbanes-Oxley and an array of state laws provide stiff penalties for companies that mishandle data, permit leaks or unauthorized access, or otherwise fail to safeguard sensitive information, which conventional insurance will not cover.

There is also the risk of being sued by third parties for somehow allowing–or failing to prevent–unauthorized access to sensitive information.

An example of this would be an overseas hacker who infiltrates an online shopping Web site and steals hundreds of thousands of customer credit card numbers. The Web site now faces claims from angry customers for unauthorized charges made on their credit cards, as well as claims from banks that issued the cards for costs incurred in canceling and reissuing them.

Traditional insurance simply will not apply here.

The new reality is that criminals, terrorists and insiders are beginning to recognize that the real Achilles heel of today's companies and organizations is the IT side of their businesses. Secrets, sensitive data and inside information have now become their prime targets.

THE INSURANCE OPTIONS

Since common p&c insurance coverage doesn't respond to most IT and privacy-related losses–and are in fact specifically excluded in most forms–major carriers and specialty insurers are now offering an array of cyber products designed to address the critical gaps.

These cyber products–usually called "Network Security and Privacy Liability" policies–tend to vary significantly from carrier to carrier, as the markets try to discern what provisions and terms prove most attractive to enterprise customers at different levels of risk. The situation is similar to where employment practices liability insurance was just a few years ago.

The Network Security and Privacy Liability policies are generally designed to address first-party risks and third-party liability–sometimes in the same policies, sometimes separately.

First-party coverage typically includes:

• Business Interruption

•  Data Restoration

•  Cyber Extortion Payments

•  Crisis Management Expenses

•  Media/Intellectual Property

•  Regulatory Actions

• Expenses to Notify Affected Parties

•  Expenses to provide credit monitoring

•  Forensic costs to determine how the breach occurred

•  Transmission of a virus/worm

•  Loss or damage to an organization's own network, or e-theft

The third-party side usually addresses liability arising from network and information security, privacy liability and electronic media. (See related text box, "Liability Risks")

Depending on the nature of a company's operations and IT structure, insureds can negotiate a number of coverage enhancements that address situations not covered in the core policy.

UNDERWRITING CYBER

Thanks in part to an overall soft market, capacity for cyber coverage is abundant at this point; however, one sector that is facing increased underwriting scrutiny is the financial institutions segment.

In addition to evaluating basics like revenue, employee count and the nature of the business, underwriters take into account the technical safeguards a company has in place, its overall privacy and security policies–and occasionally, the recommendations of an outside consultant or security auditor.

Underwriters may also require certain upgrades to procedures or technology as a condition of the insurance.

In designing insurance coverage for an enterprise, agents and insureds should start with a thorough assessment of potential risks and vulnerabilities of the existing systems, perhaps with the help of a security specialist, and then secure the appropriate insurance coverage.

Network Security and Privacy Liability insurance is just another important component of a risk management strategy in today's business environment. The more businesses rely on information technology as an engine for operations and communication, the more crucial it becomes to protect IT assets with the right coverage.

Rick Grimes is an executive vice president for Professional Risk Solutions, a wholesale insurance broker that places directors and officers, errors and omissions and cyber security and liability coverages headquartered in Somerset, N.J. Mr. Grimes may be reached at rick@prsbrokers.com.

Karen Kutger, vice president and branch manager for the Philadelphia branch of Professional Risk Solutions, may be reached at Karen@prsbrokers.com.