Imagine you are a debt collector and your company is the victim of a cyber attack, resulting in a cyber security breach. The breach has exposed all of the debtors’ information stored on your computer: name, social security number, credit card details and other personal information.
Most business owners have never thought about the financial disaster associated with a cyber breach. They think, “It will never happen to me,” or “I’m too small (big) to be a target.” However, business owners, ranging from startups to Fortune 50 companies, are starting to wake up to the fact that anyone can suffer a cyber breach, as the attacks become more sophisticated and frequent. A recent example is that U.S. First Lady Michelle Obama’s personally identifiable information was just hacked in September.
According to the annual report from the Ponemon Institute, which conducts independent research on privacy and data protection, the average cyber breach loss is $5,400,000. Similarly, Verizon released its annual investigative report on data breaches, which found small businesses are the number-one target of cyber attacks. Smaller companies are at a greater risk because they usually do not have adequate security infrastructure for protecting financial information, customer data and intellectual property, while larger companies often do.
Most business owners do not know what to do next when they are victims of a cyber attack. Most likely, the business owner will confidently pull out and dust off their company’s Commercial General Liability (CGL) and/or Professional Liability (i.e., Attorney Malpractice) policies. After alerting their insurance carrier and insurance broker of the breach, the business owner patiently waits, only to find out they were not covered and the expenses incurred are now their responsibility. For the first time, the business owner becomes aware that those policies either exclude coverage or only cover a fraction of the expenses incurred.
A common misconception is that “data” is covered under a CGL or Professional Liability policy. In fact, this couldn’t be further from the truth. Typically, CGL policies specifically exclude “data” from the policy coverage, because data is considered an “intangible” object. Also, Professional Liability policies are designed to protect professionals against liability incurred as a result of errors and omissions in performing professional services and not against data breaches.
A perfect example of this misconception occurred in 2011, when Sony PlayStation Network experienced a cyber attack that led to the theft of the data of 77 million users. During the intrusion into its servers, usernames, passwords, credit card details, security answers, purchase history and addresses were stolen.
Shortly after the breach, and $180M in damages later, Sony sued its CGL carrier, Zurich American Insurance, and its insurance broker, demanding that the carrier and/or insurance broker be responsible for the costs incurred as a result of the breach. Zurich refused to pay because “data” was excluded under Sony’s CGL policy, and Sony needed a specific insurance policy to cover the damages from the attack. The insurance broker and the agency were sued because of the broker’s supposed “ignorance” in not providing Sony with the appropriate coverage to protect against a data breach. Too late, Sony realized the broker did not possess the apparent “expertise” they had been promised when contracting for the insurance. The result of the suit was that Sony was held responsible for the expenses.
So, what’s the solution?
The solution is Cyber Liability insurance, which covers liabilities that arise out of unauthorized use of, or unauthorized access to, electronic data or software within your computer network or business. Cyber Liability insurance has been available since the early 1990s, and its popularity has spread due to the increasing number of breaches during the past few years. Cyber Liability insurance offers both first- and third-party coverage, and it generally applies to damages claimed against your company as a result of errors or omissions you allegedly committed in creating, sending, receiving or storing electronic data. The types of losses, liabilities and lawsuits that Cyber Liability policies may cover include the following:
• a data breach or the inability of others to access data on your computer system
• lawsuits against you based on allegations that you failed to properly protect sensitive data
• interruptions in business due to breaches of a company’s computer network
• costs to investigate, negotiate and settle threats and attempted extortion via cyber attack
• lawsuits against you for acts of libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement
• regulatory investigations, fines and/or penalties
• failure to protect private or confidential information
The strict regulations being imposed in the Debt Collection Industry are holding businesses to a higher standard in protecting clients’ information. The Consumer Financial Protection Bureau (CFPB) calls it “consumer data.” Cyber Liability insurance is valuable protection against losses from data security breaches. It will protect you from the expenses incurred after a breach and will give your business a fighting chance of survival. It is very important to work with a Cyber Liability Specialist, as many Cyber Liability policies contain potentially costly limitations and exclusions. These limitations and exclusions need to be reviewed carefully during the initial underwriting process, since each business has different protection needs. If you are learning about the availability of Cyber Liability insurance for the first time by reading this blog, you need to think seriously about the insurance advice you’ve been given. Don’t let your firm be another Sony.
By Andy Koepke, Risk Architect, CLRA Group, LLC
CLRA Group, LLC, is a full-service Risk Management Insurance Brokerage, located in the Washington D.C. metropolitan area. The firm is the leading expert in Cyber Liability insurance. Andy Koepke currently sits on the Northern Virginia Technology Council (NVTC) Cyber Security & Privacy Committee. He was brought on specifically for his expertise in protecting businesses from being breached by a cyber attack. If you have any questions and/or are interested in receiving a quote through his exclusive Cyber Liability Program, please feel free to contact him. Phone: (571) 262-1595; Email: Akoepke@clragroup.com