Insuring for the Business Risks of a Cyber World
It might be tempting to assume that your business is unlikely to face any significant exposure to so-called cyber risks. But this likely is not the case. In fact, organizations of all sizes and shapes are facing new and potentially significant challenges posed by these types of threats.
It is important to keep in mind that exposure to potential cyber-liabilities is not limited to technology companies, major financial firms and national security targets. Your business faces technology-related risks if it advertises on the internet, stores customer records electronically, uses point of sale terminals to process credit card payments, uses software that is hosted remotely on the "cloud," or would suffer downtime if other businesses with which it conducts transactions or has relationships have computer outages. In other words, cyber-risk is a part of doing business in the modern world.
As with any business risk, careful planning to prevent unduly hazardous situations or behavior, along with the adoption of responsible business practices, is the first line of defense in the increasingly virtual marketplace. There are a multitude of measures that can be taken to prevent or minimize potential cyber-risks. Some common defensive measures include instituting adequate password protection protocols, quarantining unverified communications from external sources, implementing firewalls around sensitive information, backing up data, monitoring for viruses and other malware, and verifying that hosted business solutions meet suitable security standards.
No matter how robust, no defense is ever completely impregnable. Cyber-risks are continually developing and efforts to defend against potential attacks remain at least a step behind the evolving tactics of potential assailants.
The Broad Spectrum of Potential Cyber Risks
Cyber-risks come in a wide array of forms, ranging from temporary or minor website disruptions to attacks that can shut down a business altogether. The following are some commonly identified risks:
- Loss or theft of mobile devices, tablet computers, memory sticks, thumb drives or other mobile communication or transaction equipment and any resultant consequences of unauthorized access, theft or the unauthorized use of data
- Phishing attacks in which criminals troll the internet posing as legitimate businesses in an effort to obtain confidential or sensitive information
- Malware attacks intended to take over software or hardware control systems whether for the purpose of sabotage, extortion, the theft of business proprietary information or criminal mischief
- The use of electronic means to disseminate false, misleading or damaging information intended to damage the reputation of the target
- Extortion or blackmail attempts using the threat of launching an attack through any of the foregoing methods
- Attacks by disgruntled customers or employees using any of the foregoing means
- Attacks on cloud computing networks and hosted data repositories, in which a single compromise potentially can spread across the enterprises that share the service
- Attacks motivated by political or social activism, whether by sophisticated provocateurs or amateur mischief makers (the protest-oriented hacker collectives that have received attention in the news media in recent months are an example of this kind of attack)
- Advanced persistent threats in the form of business- or state-sponsored espionage (such as the targeting and harvesting of sensitive competitive proprietary business information) or sabotage (such as feared potential attacks on the power grid or pipeline networks)
With Interconnectedness Comes Exposure
Maintaining information on a computer network or in a hosted or cloud-based environment provides tremendous convenience, efficiency and cost savings, but it also poses risks. These risks are not limited to the direct exposure of a business to the types of risk noted above. Given the interconnectedness of the modern business world, there is also a significant likelihood of collateral damage. If someone with whom you exchange information electronically or upon whom your business relies is the victim of a phishing attack, for example, that attack may spread to you. Similarly, if there is an interruption that shuts down the operations of a host site on which you rely to conduct business, your business also may be interrupted.
The potential impacts of these risks range from nuisances to enterprise-endangering threats. Without being exhaustive, the list of exposures that might result from these cyber-risks includes the following:
- Theft of money and other property from a business or its customers
- Loss or disclosure of business sensitive information
- Damage to the reputation of a business
- Liability for publishing inaccurate or derogatory statements about another person or business
- Physical damage to computer systems or other property
- Loss of business resulting from downtime due to damage to one's own information systems, the inability to access remotely hosted systems, and other interruptions to business
- Liabilities and/or penalties resulting from the disclosure of confidential or personal customer or employee information
- Cost of correcting any breaches in system security
- Cost of providing customers with mandated notification of possible information breaches and any required subsequent curative measures
The potential losses associated with cyber-risks include first-party risks of loss (i.e., the risk of loss or damage to an insured's own property or interests), business interruption risks (i.e., the risk that business will be disrupted because of the loss or corruption of data, or the inability to access data whether the interruption is because of physical or "virtual" damage to property) and third-party liability risks (i.e., the risk that an insured will be legally liable to another party).
Protecting Against Potential Cyber Risks
As noted, the first line of defense in protecting a business against the risks of the virtual marketplace is the adoption of good business practices. But with the constantly evolving nature of business conduct, it is not prudent to assume that good business practices, including a robust defense, are sufficient to completely eradicate the exposure to cyber-risks.
Of course, this observation is qualitatively no different than acknowledging that good workplace safety procedures do not eliminate the risk of workplace accidents or that establishing fire protection procedures does not eradicate the risk of fires. Likewise, the available solutions to the fact that our best-laid plans often go awry are little different in the world of cloud-based business than they are in the brick and mortar marketplace.
Measures that a business can use to address the continuing risk of loss or liability include the following:
- Contractual indemnifications and/or disclaimers of liability with service and software providers and/or customers
- Insurance for the purpose of making the insured whole for the risks insured against
- Retaining the risk based on the assumption that the potential loss or liability can be borne by the business without catastrophic consequences
Traditional Insurance Policies May Provide Some Protection
A careful and honest assessment of the risks facing a business and the magnitude of those risks is necessary in order to determine responsibly what combination of risk management tools is most suitable for a particular business. For possible reasons ranging from the seeming novelty of cyber-risks, to the developing bases of cyber-liability, or because many businesses have yet to incur significant cyber-liabilities, the majority of businesses continue to self-identify as self-insuring in this regard and do not purchase stand-alone cyber-liability insurance.
If the choice to remain self-insuring with regard to cyber-liability is the result of an assumption that cyber-risks are important only to technology or high-profile companies, it is based on an erroneous assumption. At a minimum, good risk management practices dictate that businesses conduct a focused self-assessment of their potential cyber-risks, both direct and indirect, the magnitude of the associated potential exposures, and their ability to absorb potential losses or liabilities. Not every business will determine that it needs stand-alone cyber-liability insurance, but that decision should not be made by default as a result of ignoring the issue.
For some businesses, the web of coverage provided by insurance policies other than stand-alone cyber-liability insurance may be sufficient for their needs. In some circumstances, insurance policies that are not expressly written as cyber-policies may provide coverage for certain categories of cyber-liabilities. Among the types of insurance policies that may insure for some categories of cyber-liabilities are comprehensive general liability, first party property, employment practices liability, errors and omissions, and fidelity insurance policies. These kinds of insurance policies typically contain coverage terms such as the following that might apply to some types of cyber-liabilities:
- Comprehensive general liability policies typically provide coverage for "personal and advertising injury." Under some circumstances, the disclosure of information about a third party for which there is an expectation of privacy may be personal and advertising injury.
- First-party property policies may provide coverage for the damage or destruction of equipment or even of electronic data. These policies also may provide coverage for business interruption loss resulting from such damage or destruction. Under some circumstances, first-party property insurance also may provide business interruption coverage for losses resulting from damage to third-party property on which the insured is dependent.
- If personal employee information is exposed or disclosed, there may be coverage under some employment practices liability insurance (EPLI) policies to the extent that those policies provide coverage for liabilities resulting from the unauthorized disclosure of confidential employee information.
- For companies in the business of providing technical, support or security services, errors and omissions liability insurance policies may provide coverage to the extent that negligence or the failure to act with due care on the part of the insured results in cyber-related injury, such as a security compromise or the disclosure of protected information, to a customer in a manner for which the insured can be held liable.
- Fidelity policies may provide coverage for the loss of money or other property caused by the unlawful conduct of an employee or for such losses caused by unauthorized system access by a non-employee under some versions of a funds transfer fraud coverage extension.
Before assuming that this cluster of insurance policies provides an adequate level of protection, it is important to become familiar with the terms, conditions and exclusions of those policies. Depending on the policy conditions, the scope of coverage provided for a particular cyber-risk may be limited. The patchwork of different coverage grants in different insurance policies may leave gaps in coverage or may pose difficult coordination issues. In addition, cyber-liabilities that would otherwise be covered under a traditional insurance policy might be subject to an exclusion that bars coverage.
Moreover, if a business determines that its risk profile for cyber-liabilities is such that it is adequately protected with insurance policies other than stand-alone cyber-liability insurance, it is important to keep in mind that the risk management environment for cyber-risks is developing and changing.
In reaction to the developments in the environment for cyber-risks, insurers have sought to introduce new limitations and exclusions to traditional insurance policies. For example, a cyber-risk for which coverage was provided under previous first-party property policies may become subject to exclusions added in subsequent policy years. It should not be surprising if insurers continue to respond to the possibility of coverage for cyber-risks under traditional insurance policies by adding increasingly restrictive policy conditions and exclusions. Thus, continued diligence and attention to developments in both the risk environment and the insurance marketplace are imperative if a business chooses to insure for cyber-risks through the coverage provided in its existing insurance programs.
Cyber-Liability Insurance Coverage Can Fill the Gaps—With Appropriate Diligence
If a business decides that it would be prudent to buy cyber-liability coverage, the work facing a risk-management decision-maker is still incomplete. In the cyber-liability insurance marketplace, one size does not fit all. Cyber-liability policies are not fungible commodities that can be differentiated only by price. Cyber-liability insurance policies are relatively new products and there is no such thing as a "standard" cyber-liability insurance policy. Just because an insurance policy is called a cyber-liability policy, it does not necessarily follow that the policy covers all kinds of cyber risks or all of the types of exposure to those risks.
There are wide differences in the scope of coverage provided by the available cyber-liability policy forms, and different policy forms may respond to very different categories of risk or may contain very different terms and conditions. Unlike some other types of insurance, there is not yet any broad consensus in the cyber-insurance marketplace about the basic essentials of policy terms and conditions, and insurers are still developing new policy language. Therefore, a prospective insured should pay serious attention to the terms of the available coverage and make a determined effort to assess which available option best fits its needs.
In addition, cyber-liability insurance policies frequently are offered with a wide range of coverage options or modules from which a prospective insured can select. Thus, when purchasing cyber-liability insurance, it is extremely important for the potential policyholder to assess its risk profile, to identify the scope of the available coverage options, and to select the coverage that best responds to its particular needs.
There is no single solution for addressing the developing challenges posed by cyber-related risks. Those risks and the potential liabilities associated with them are continuing to change and develop, and the risks faced by every business are different. But pretending that these risks do not exist is not a viable option in the increasingly networked and interconnected business world. Addressing these risks requires careful planning, the responsible assessment of the risks facing a particular business, and consideration of the business and legal consequences of the available risk management tools. Moreover, planning for how to manage cyber-risks is not a one-time event; rather, it is an ongoing process requiring adjustment and reconsideration as the risks facing a business and the available risk management tools continue to evolve.