Cyber Insurance – Would Your Business Survive a Data Security Breach?
Presented here is a brief discussion of Cyber Insurance, one type of business insurance; it does not constitute insurance advice. This is not intended to be a comprehensive description of coverage, and does not include details of the coverage nor the terms, conditions, qualifications, limitations and exclusions applicable. Policies should be reviewed in their entirety and related to your specific operations. Many insurers permit changes to their limitations or exclusions (changes to insurance policies are usually called “endorsements” or “riders”) to match your specific requirements. As insurance advice must be tailored to the specific circumstances of each situation, nothing provided herein should be used as a substitute for the advice of a competent insurance broker. IN NO EVENT WILL RHODES & WILLIAMS LIMITED BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE INFORMATION PRESENTED IN THIS DOCUMENT.
What is Cyber Risk?
Simply put, cyber risk is the exposure to financial loss for an organization that arises out of the use of computer networks and the internet.
Technology and media have transformed the way we communicate. As more and more organizations rely on technology to conduct business, their vulnerability to cyber security threats can increase significantly. This can result in substantial monetary and reputational costs that can wreak havoc with their bottom line.
According to most recent technology-related journals and articles, when it comes to data security breaches, it’s not so much a matter of if a breach will occur, but when.
What are some types of Cyber Risk?
Your system could be sabotaged by disgruntled employees, malicious insiders, or criminals from the outside. These individuals (internal or external) might be motivated by theft for financial gain, identity theft, fraud, extortion, revenge, pride or, believe it or not, just for fun – in order to identify weak points in the system.
There are two areas of loss an organization needs to consider when purchasing cyber insurance:
- First Party Losses (the organization’s direct loss)
- Third Party Losses (the organization’s liability to others)
First Party Losses can occur as a result of loss, damage or destruction of data, network damage, system failure, theft of data, increased cost of working, lost business revenue, damage to your organization’s reputation and cyber extortion.
Third Party Losses can arise from breach of confidentiality, invasion of privacy, defamation, misleading advertising, infringement of copyright and intellectual property, disclosure of private facts, misappropriation of name and brand and transmission of computer viruses.
Traditional insurance policies contain significant gaps. These can include, but are not necessarily limited to, theft of data, destruction by hackers, cyber extortion, and liability for privacy breach from the unauthorized disclosure of data through human error, system malfunction or hackers.
To evaluate the need for Cyber insurance, you might want to start by asking yourself the following questions.
Are You Prepared For:
- identity theft from lost or stolen social insurance or credit card numbers, driver’s license or financial information?
- a hacking incident that could result in theft of this confidential information?
- a lawsuit alleging a technology error or alleged security failure that results in damage to your clients?
- a lawsuit alleging libel, slander, defamation, or product disparagement involving information contained in email, PDAs, servers, flash drives, the internet or on laptops?
- a lawsuit alleging infringement of intellectual property, trademark or copyright?
- interruption to your e-business resulting from an Internet virus, hacking attack or security failure?
- a cyber extortion threat?
- the expenses involved in securing a crisis management firm, privacy notification and disaster recovery?
- theft or loss of an employee’s laptop or flash drive containing company or client email, private information / records or similar information?
Chubb Insurance Company offers the following list to help organizations identify the risks involved and some of the costs and repercussions that could result from a cyber breach.
What every business needs to know about data breaches:
- The culprit is often someone close to your business. A surprisingly large proportion of data breaches are carried out by insiders (over half by some estimates) or by business partners. A trusted employee could be the culprit.
- The perpetrator could live halfway around the globe. To vandalize your building, a criminal must be on site. But a hacker can operate from anywhere in the world. Organized cyber crime rings operate worldwide 24/7.
- Size doesn’t matter. Half of all companies that suffer data breaches have fewer than 1,000 employees.
- Any company can be hit. Cyber criminals don’t care from whom they steal private information. Retailers, health care institutions, manufacturers, professional service providers, media and entertainment companies, and financial institutions are all likely to be targeted.
- A breach can result from a simple mistake. An employee might misplace a laptop, Blackberry, or computer flash drive or leave these in an unsecured location, such as an unlocked car.
- Cyber risk is steadily increasing. Data breaches affect hundreds of millions of records a year and reports of breaches continue to rise at a dramatic rate.
The costs of data security breaches can be significant:
- Many US states, and now Alberta*, require organizations to notify all customers if a breach is even suspected and to take necessary steps to correct the situation, a cost estimated at up to $30 or more per customer. If you multiply these costs by the organization’s total number of customers, you can get a pretty good idea of the costs involved in the notification process alone.
*To date, the Alberta PIPA is the only private-sector privacy legislation that imposes a statutory obligation on private-sector organizations to disclose privacy-related data breaches. However, proposed amendments to PIPEDA (Personal Information Protection and Electronic Documents Act), if enacted, would add a mandatory notification requirement to that statute. Federal and provincial privacy commissioners have also published guidelines that suggest disclosure and notification should be made in certain circumstances.
- Often overlooked is the potential loss of confidence in your organization by your customers and potential customers when a security breach occurs. The fact is that a cyber security failure can significantly impact shareholder value, as well as corporate stability, reputation, and financial performance.
- Until a data breach occurs, there’s really no way to know the extent of the leak or the financial devastation it can cause. Maybe that’s why businesses often underestimate their data security breach risks. Even if your business uses state-of-the-art security controls, your customers, shareholders, and corporate assets are still at risk from a determined criminal element that can bring operations to a grinding halt.
- When you stack up the potential costs brought on by a data security breach, risk mitigation, through insurance coverage and loss prevention, is more than a smart investment. It’s business critical.
 Blake, Cassels & Graydon LLP, “Doing Business in Canada”