Growth of online commerce points toward sizable market potential
By Shawn E. Dougherty
More than one billion records have been exposed as a result of data breaches to commercial businesses in the past year. The cost of a data breach can run companies anywhere from several hundred thousand to many millions of dollars. Are your clients fully covered for this exposure? If they are insured with a standard commercial general liability (CGL) or commercial property policy—or even a businessowners policy—the answer is probably not.
The explosive growth of technology over the past decade has touched upon almost every facet of our lives. The rapid transition from desktop PCs with wired access to the Internet to mobile technology—laptops, handheld smartphones and tablet devices, such as iPads, with wireless access to the Internet—has had a profound impact on society and on the way commercial firms conduct business.
From big box stores to specialty boutiques to firms that have abandoned the traditional brick-and-mortar storefront and adopted an electronic commerce model, almost every commercial business in America today has realized the necessity of an Internet presence in order to remain competitive. Businesses depend on the Internet in some fashion: whether to sell products or services, manage complex datasets, or publish information and make it available to customers through their Web site. And now, many businesses also rely on third-party hardware and software hosting services to remotely store their data "in the cloud."
Technological advances and the use of computers and the Internet to conduct business create new types of risks and exposures for commercial insureds. Cyber risk, cyber liability, e-commerce, e-risk, and similar terms are frequently used interchangeably and are generally intended to address the same types of exposures—those related to conducting business electronically over the Internet. In recent years, insurance carriers have responded to these exposures by introducing stand-alone cyber insurance policies specifically designed to provide first- and third-party insurance coverage for computer and Internet-related exposures, including operating a Web site. For example:
• A business can suffer a hacker attack where confidential information within a computer system is accessed.
• Viruses can infect computer programs, and viruses and denial-of-service attacks can damage or destroy data.
• Information may inadvertently be posted on a Web site that is defamatory or infringes on another's copyright or trademark.
While these risks are insurable under cyber insurance, they are generally not covered under CGL or commercial property insurance policies or, if covered, typically only on a limited basis.
The following describes some of the computer- and Internet-related risk exposures a commercial insured may face and how a cyber insurance policy may address those exposures.
The risk of a security breach
It's no longer a matter of "if" but "when." Data breach incidents are reported in the news on almost a daily basis, and many more are never disclosed: a computer system that has been hacked; a stolen or lost laptop or smartphone; stolen, misplaced, or improperly discarded or shredded paper files; or unauthorized data file access by a current or former employee. The numerous ways in which data breaches occur require organizations to be vigilant in safeguarding against such attacks.
There have been many high-profile data breaches in recent years, including TJX Companies (94 million records) and Heartland Payment Systems (130 million records). In 2011, the Sony Corporation encountered several hacking attacks through its PlayStation Network (more than 100 million user accounts) and Citigroup faced a hacking incident that resulted in more than $2.7 million being stolen from about 3,400 customer accounts. More recently, in January of this year, online shoe retailer Zappos reported a hacking incident that exposed the names, e-mail and mailing addresses, phone numbers, and partial credit card numbers for 24 million of its customers.
Any business that stores data—particularly personal information of clients, such as credit card information, Social Security numbers, driver's license numbers, or medical information—has exposure and liability to data breaches. Currently, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation generally requiring businesses that suffer a data breach to notify all affected and potentially affected parties. In addition, various federal laws—such as Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and its 2009 HITECH (Health Information Technology for Economic and Clinical Health) modification—also hold companies in the financial services and health care industries liable for the disclosure of confidential customer information.
Cyber insurance policies address the insured firm's liability for the data breach, the costs incurred by the firm to notify affected parties of the breach, and also the cost to restore the firm's brand and business reputation.
Liability coverage typically applies to actual or alleged neglect, breach of duty or omission on the part of the insured firm, or if the firm's computer system transmits a virus to a third party. Coverage can also be obtained should a client's personal information be disclosed because of intentional programming errors or omissions that occur in data entry into the company's computer system.
Coupled with the liability coverage for a data breach, coverage to investigate the breach, handle notification costs, and pay the expenses of public relations firms retained by the insured firm commonly falls under cyber insurance policies. The cost of providing notification of a data breach to affected and potentially affected parties can be catastrophic, particularly to a small business. Costs to establish call centers and to implement credit-monitoring services for affected clients also may be incurred. Depending on the size and extent of a data breach, these costs can quickly escalate into millions of dollars. For example, in 2007, Milwaukee PC sustained a breach resulting in 65,000 customer credit card numbers being potentially compromised. Milwaukee PC's issuance of warning letters about the potential identity theft problem to its customer base resulted in a cost of approximately $4 million.
The loss to a company's brand and business reputation following a data breach can be just as significant. According to the Ponemon study (see box below), it can take from 10 months to more than two years for a firm to restore its reputation after a breach of customer data. In fact, many small commercial firms cannot survive after incurring the expenses associated with a data breach and/or the resulting loss of revenue from the loss of customers.
Additionally, businesses that experience a security breach resulting in the misuse of private consumer information can incur regulatory fines and penalties. Regulatory defense and penalties coverage under cyber insurance policies generally covers defense for regulatory proceedings brought against the firm by governmental agencies for alleged violations of privacy regulations and laws.
The risk of publishing information on a Web site
Companies that publish information on Web sites face the same legal exposures as other publishers in cases of copyright infringement, defamation, and violation of rights of privacy. However, many courts have ruled that businesses cannot hide behind "journalism shield laws" if they do not meet the strict definition of a "journalist."
Cyber insurance policies typically provide coverage for errors, misstatements, or misleading statements posted on a Web site that infringe on another's copyright, trademark, trade dress, or service mark, or defame a person or organization, or violate a person's right of privacy.
Cyber insurance coverage differs from CGL insurance policies in that CGL policies generally offer coverage for claims of copyright or trade dress injuries arising out of an insured's advertising activities, whereas cyber policies tend to go beyond that and also cover infringement of trademark and service mark.
The risk of damage to data caused by a virus
Trojan horses, worms, and e-mail viruses cost U.S. businesses billions of dollars each year. And phishing—the act of obtaining personal information or spreading malware using e-mails, pop-up messages, texts, and phone calls from what appears to be a legitimate business—only adds to that amount. In recent years there have been several high-profile computer viruses that have made the news, including the Love Bug (and its variants), which affected more than 40 million computers; Code Red, which launched denial-of-service attacks; and Blaster, which exploited a Windows operating system and caused billions of dollars in damages. More recently, the Flashback malware reportedly infected more than 600,000 Mac computers and the Flame virus, a variant of the Stuxnet virus, began infecting PCs around the world and stealing information.
Cyber insurance policies typically provide coverage for the cost to replace or restore electronic data or computer programs that are damaged or destroyed by a virus, malicious code, or denial-of-service attack and usually include coverage for the cost of data entry, reprogramming, and computer consultation services.
The risk of an extortion threat
Cyber extortion threats have become more prevalent in recent years. Threats that may have been made in the past through traditional channels such as the telephone are being replaced by computer programs called "ransomware," which can release a virus onto a computer system if a ransom is not paid. The FBI estimates more than two-thirds of organizations hit by a serious computer attack never report it, and the SANS Institute, an information security training organization, reports that thousands of these companies may be paying ransom demands. The mere threat of a release of confidential personal information can be damaging to a firm's reputation. It can also trigger privacy-related lawsuits under the various federal and state laws.
The extortion coverage offered in many cyber insurance policies is similar to that provided in traditional kidnap and ransom insurance programs. Cyber insurance policies generally cover an insured's computer system against threats to: introduce a virus, malicious code, or denial-of-service attack; divulge the firm's proprietary information contained in the system or a weakness in the source code within the firm's computer system; and inflict ransomware or publish the confidential personal information of its clients.
The risk of a business income loss
A firm that ceases business activities conducted on its Web site because of a virus attack or extortion threat—even for a short period of time—can sustain substantial loss of business income; retail businesses are particularly exposed. (Imagine this happening during the weeks between Thanksgiving and Christmas—which include the newly labeled Cyber Monday—when it is estimated retailers now generate more than 40% of their annual income.) In cyber insurance policies, the amount of covered loss is typically based on lost revenue from cyber activities and is often offset by revenue generated through other means of communication, such as telephone sales.
Cyber risk is something the specialty market has addressed for several years, though those customers tended to be larger computer-centric firms. Recognition of the coverage need is just now starting to trickle down to smaller firms. The take-up rate of cyber risk insurance policies has been relatively slow and similar to that of employment-related practices liability insurance coverage. While many consider cyber insurance a "must have" coverage, commercial insureds have to first recognize the need for the coverage and then understand that coverage for these exposures is typically not provided by the standard CGL, commercial property, or businessowners insurance policies.
According to the 2011 "Data Breach Intelligence" report from Risk Based Security, Inc., almost half of the data breaches that occurred in 2011 involved retail business operations, and more than one billion records have been exposed. And while lost or stolen laptops are still the all-time number-one cause of data breach, for the past two years hacker-type breaches have surpassed laptop-theft incidents.
The growth potential for cyber insurance is significant. As technology continues to advance and become even more embedded in day-to-day business activities—and as computer viruses and hackers become more sophisticated, stealthy, and frequent—businesses will be at greater risk. The need for cyber insurance coverage is evident; it is the "must have" coverage of this decade. Hopefully your insureds will recognize this before it is too late.
Data breach costs on the rise
The Ponemon Institute's "2010 U.S. Cost of a Data Breach" study reports that the cost of a data breach continues to rise. According to the study, data breach incidents cost U.S.-based companies $214 per compromised customer record in 2010 compared to $204 per record in 2009. The average organizational cost of a data breach increased to $7.2 million from $6.7 million in 2009, with the most expensive data breach costing $35.6 million and the least expensive costing $780,000. Costs are projected to rise in 2012 as the frequency and severity of hacker attacks and data breaches continue to increase.
Shawn Dougherty is assistant vice president, Specialty Commercial Lines at ISO, a Verisk Analytics business unit.