ACE-ing the cyber liability market
As technology transforms the business world, ACE delivers robust coverage and risk management
By Elisabeth Boone, CPCU
As the engine for business communication, data storage and transmission, and a host of other transactions and applications, the Internet offers the benefits of speed, power, efficiency, and cost effectiveness. At the same time, businesses face the threats and costs of addressing a myriad of cyber liability exposures. Are the advantages of using the Internet and social media really worth the time, money, and effort required to deal with the risks?
That's a question worth asking, says Christopher Christ, assistant vice president and manager of the Northwest regional professional lines E&O unit of ACE USA, the U.S.-based operating division of the ACE Group. Christ is based in the San Francisco office and works with privacy, network security, and technology accounts.
"I handle more than a dozen products, and among our customer base, the greatest interest is in Internet-related exposures and the products available to address them," he says. "On average, this sector represents between 30% and 50% of the activity in our office every month."
A major challenge for both insureds and underwriters, Christ observes, is the fact that Internet technology and exposures are constantly changing: a risk that didn't exist yesterday may pose a serious threat tomorrow. "We need to keep abreast of developments that can affect our clients so we can assist them in managing their exposures," he says.
"Our dedicated underwriting, claims, and legal teams focus on technology- and Internet-related risks, and our legal experts keep current with judicial and legislative trends that affect our clients' exposures," says Michael Tanenbaum, senior vice president of ACE Professional Risk. Based in the New York City office, Tanenbaum oversees the professional liability errors and omissions unit, which encompasses network security and privacy technology.
Today, technology is used by organizations of every size and structure, and how an entity uses technology affects the kinds of risks to which it is exposed as well as the extent of the exposure. Common exposures include breach of personal and corporate information, failure of network security, social media, Web site content, business interruption, extortion, damage to digital assets, actions of third-party vendors, compliance with regulatory requirements, and costs incurred in the event of regulatory proceedings.
ACE Professional Risk offers a suite of products and services that are tailored to the specific technology exposures of its target classes.
Designed for entities of all sizes, the ACE Privacy Protection® policy addresses privacy liability that arises from lost computer equipment, network security breaches, and human error, as well as liability for mistakes made by third-party service providers. Coverage also is provided for data breach expenses, network security liability, Internet media liability, and the threat of network extortion. Limits are available up to $20 million with no minimum or retention. Target classes include retail, financial institutions, and health care or managed care facilities that manage sensitive customer or employee information, third-party corporate information, a computer network, or a Web site.
The ACE DigiTech® policy provides liability protection for technology companies' products and services and for sensitive data that is hosted on the insured's systems. The policy covers technology and Internet errors and omissions liability; electronic media activities liability; network security liability including regulatory proceedings; privacy liability for failure to protect sensitive data hosted on the insured's systems; data breach expenses; network extortion threats; and miscellaneous professional services liability for acts, errors, or omissions that arise from the provision of services that are beyond the scope of technology services.
Target classes include providers of general technology services; consultants/integrators of hardware, software, and systems architecture; application service providers; data processors; and software developers.
The ACE Digital DNA® (Data Network Availability) program is designed to address the network security and privacy liability exposures of both technology and non-technology companies. Providing stand-alone limits for first-party protection, the program is available to businesses of all sizes. The program covers digital asset loss, cyber extortion, security failure notification expense, business interruption, and contingent business interruption. Limits are available up to $15 million.
Risk management resources
Policyholders have access to the ACE Privacy and Network Security Loss Mitigation Program, Christ says. The ACE eRisk Hub® is a Web-based resource that helps policyholders keep abreast of best practices and regulatory guidelines and prepare comprehensive response plans. Founded and managed by NetDiligence®, a cyber security and e-risk assessment services provider, the eRisk Hub is available to policyholders at no cost.
NetDiligence also provides a self-assessment service that a policyholder can use to evaluate its network and data security posture. More in-depth assessments are available for qualifying risks.
The ACE Data Breach Coach is a toll-free hotline staffed by legal experts who can provide immediate assistance to a policyholder who experiences a data breach.
A key element in the loss mitigation program, Tanenbaum notes, is the ACE Data Breach Team, a pool of independent third-party professional service providers who help policyholders execute on comprehensive data breach response plans. In addition to legal counsel, the panel comprises specialists in computer forensics, notification, call center operation, public relations, crisis communications, fraud consultation, credit monitoring, and identity restoration.
Many large organizations have well-developed data breach response teams and prefer to choose third-party vendors who meet their needs, Tanenbaum remarks. In contrast, he explains, "It has become clear that many mid-sized and smaller companies have the desire but may often lack the resources to develop a sophisticated network security risk management program. As a result, they require additional guidance in locating qualified vendors to deal with these events." For these entities, Tanenbaum comments, the ACE Data Breach Team can be a useful solution.
ACE Professional Risk recently announced an expansion of the data breach team. "Because of increasing regulations that affect industries like health care, consumer finance, and retail trade, it is important to have a wide range of service providers who have experience within a particular industry that may require a tailored approach, based on legislative developments," Tanenbaum explains.
Social media: Cool tool, big risk
As businesses expand their use of social media, and as the lines continue to blur between employees' online personal and business lives, businesses must formulate, implement, monitor, and update policies for employee use of the Internet and social media. How does a business weigh the risks of using social media against the disadvantages of not using it? What practical steps can employers take to prevent employees from engaging in online behaviors that may expose the organization to serious risks?
Those and related issues were explored in a podcast that was broadcast last year by ACE USA. The podcast was titled "Social Media: The Business Benefits May Be Enormous, But Can the Risks—Reputational, Legal, Operational—Be Mitigated?" Participating in the discussion were Toby Merrill, vice president of ACE Professional Risk's cyber liability unit; Kenneth Latham, vice president of ACE USA Professional Risk with responsibilities in the employment practices liability underwriting unit; and Richard Santalesa, Esq., senior counsel at Information Law Group's East Coast office in New York.
The benefits of using social media are well known: Social networking is a powerful tool for building brand recognition and loyalty, as well as for establishing a dialogue with customers and prospects. The rewards of using social media, however, must be balanced with the risks, Latham observes.
"Social media makes a whole new world of privacy, security, intellectual property, employment practices, and other legal risks possible," Latham explains. "It's important to understand the considerable downside that exists hand in hand with the remarkable upside of using social media for a variety of business aims, which can occur in three major areas of risk: reputational, legal, and operational."
Santalesa, whose firm focuses on legal issues related to the use of information technology, identifies five main risks associated with business use of social media: employment, privacy, security, intellectual property, and media.
Merrill outlines a five-step process that organizations can use to address their social media risks:
• Conduct a broad assessment of the company's social media activities to identify potential risks, and weigh the risks against the benefits.
• Identify the key players who will be responsible for developing, executing, and monitoring the company's social media strategy.
• Consider drafting a simple but comprehensive social media policy or set of guidelines particular to the company, its customers, and its industry. Create separate guidelines for employees using social media while not at work.
• Formally address the risks of social media participation with employees, and provide regular training programs about the dangers of damaging the company, albeit inadvertently, when using social media.
• Consider creating a social media agreement that employees review and sign annually, often as a condition of continued employment, and as part of their employment contract. The agreement should be updated annually, or more frequently as warranted, to address changes in social media that can affect the company in new ways.
Experienced legal counsel play a vital role in identifying and addressing the legal risks that can arise from a company's use of social media, Santalesa points out.
"Engage the proper legal team early in the process," he advises. "Companies should involve lawyers who understand information technology law, since they can help prevent all of the legal pitfalls described above. If lawyers are included early in the planning stage, processes and policies can be developed that are effective for business, while at the same time reflecting the level of risk with which the organization is comfortable."
For more information:
Web site: www.acegroup.com/us