Cyber security breaches, whether the result of cyber attack, internal or third-party data center error or simple carelessness, have never only been a problem or concern for the largest financial institutions or Fortune 500-sized companies with massive IT infrastructures. Small- and mid-sized businesses must also do all they can to protect the integrity of client and company data against a backdrop of tightened government regulations, growing personnel costs and budgetary concerns. While firewalls and other technologies can block many malicious trojans, worms and viruses, just a single security breach can wreak havoc on a business' reputation, bottom line, even its very existence.

Cyber liability insurance for businesses of all sizes has never been a luxury. Now, more than ever, it has become an absolute necessity, according to Michael Palotay, senior vice president, Underwriting at NAS Insurance Services, Inc., an Encino, Calif.-based liability provider. This is especially true in the healthcare and retail sectors.

“Healthcare providers, given the sensitive nature of patients' personal medical data and increased regulatory scrutiny, account for 70 percent of our cyber liability book, but for the past two to three years we have seen growing demand among client companies of all sizes across industries,” Palotay said.

Highly publicized breaches, such as this past spring's Global Payments breach that affected Track 2 data from approximately 1.5 million credit card holders, as well as a number of Global Payments servers, underscore the growing danger of hackers gaining access to and disrupting networks with relative impunity. These have brought the need for cyber liability insurance to the forefront, as compromised patient, consumer and business data can cause substantial loss of revenue and harm reputations beyond repair.

“Municipalities also present a strong market potential for cyber liability policies not only because of these growing dangers, but also due to the fact many cash-strapped cities are unable to budget for the highest levels of technical security,” Palotay said. “And these are exactly the type of entities more susceptible to attack and in need of insurance protection.”

However, willful cyber attacks are only one part of the equation. Accidental breaches resulting in the loss of medical records, credit card and banking account information can inflict deep emotional and severe financial distress upon victims, who in turn may seek individual or class action damages. Corporations, specifically credit card companies, also levy substantial, potentially backbreaking fines against breached retailers to partially offset resulting fraud-related losses.

While a growing number of businesses and institutions recognize the importance of cyber liability coverage, NAS and specialized and non-specialized insurers, the latter of which merely offer token coverage as part of a one-stop-shop approach, are still only scratching the surface when it comes to capacity.

“There is enormous potential,” Palotay said. “I'd be shocked if 10 percent of exposed [entities] carry cyber liability coverage. Rates are fairly stable, even though some clients, such as local governments, are requesting greater limits to protect against the periodic increased likelihood of attack, such as during special events,” he said, citing such examples as NATO and World Trade Organization meetings and this year's upcoming Democratic and Republican Party conventions. At the same time, terms and conditions are loosening, with NAS staying ahead of the “industry curve” by changing them roughly every four months.

“Large, non-specialized insurers view cyber liability coverage as the 'next big thing,' and in many cases offer it on a 'me-too' basis,” he said. “While the entire industry is still relatively early with respect to these policies being somewhat standard, [NAS] leads the way in changing terms and conditions; the others follow.”

NAS does not act as a risk manager, dispensing IT-related advice to clients to help them guard their cyber assets against damage or attack. But the company does provide information designed to help them get a head start in creating policies and operational procedures that enable them to better spot and contain breaches, as well as guidance on what steps to take in response to them.

What largely sets NAS apart from insurers late to the game, in addition to greater protection, are its focused cyber liability policies and claims handling prowess. “Quick response is critical; and policies must have high enough limits, separate from the aggregate indemnity,” Palotay said. “For example, our policies pay out not only for the initial loss, but also provide enough to cover third-party lawsuits. Our [cyber liability] policies also protect against losses resulting from business interruption, data losses, power surges and negligence,” he said, adding NAS recently introduced BrandGuard, a policy feature that helps businesses cover costs relating to revenue lost as the result of tarnished public reputations.

NAS' staple NetGuard multimedia coverage offers protection against potential legal claims resulting from the online posting of copyrighted content or inadvertently fraudulent information on corporate websites or to such platforms as YouTube. “NetGuard also provides protection against suits arising from accidental trademark infringement, such as when third parties post to your website,” Palotay said.

Thankfully for businesses, perhaps due to legislators' hesitancy to introduce new rules during the run-up to this November's Presidential election, Palotay doesn't anticipate the imminent introduction of additional governmental regulations potentially impacting cyber liability. But he does urge retailers to be adequately protected against the aforementioned credit card company penalties relating to security breaches.

PCI (Payment Card Industry) fines relate to an ever-more-stringent set of laws and rules under which credit card companies and banks assess fines for accidental breaches or cyber attacks that lead to fraud-related losses, in most cases non-recoverable. Businesses of any size that refuse to pay these fines are “turned off,” meaning they lose the privilege of accepting credit cards. For retailers, Palotay said, this is the kiss of death.

“The PCI requires a certain level of security in the form of firewalls, anti-virus programs and encryption designed to eliminate fraud,” he said. “But it still happens. Retailers must have enough cyber liability insurance to pay breach-related fines, not if but more likely when breaches occur. Cyber security will only take on added importance moving forward. NAS has the capacity, and is uniquely positioned to provide cyber liability protection coverage for companies of all sizes across all industries.”
