Cyber Security Insurance
It's nearly impossible to look at the news these days and not see the latest example of a massive security breach affecting thousands or millions of people. Any organization that keeps records of Personally Identifiable Information (PII), whether in an electronic database or on paper, has a cyber liability exposure that may be worth insuring.
What Is a Data Security Breach?
In the context of state and federal regulatory requirements for breach disclosures, a data breach is the loss, theft, accidental release, or accidental publication of PII, including:
- Names and addresses
- Social Security numbers
- Bank account numbers
- Credit card details
- Driver's license numbers
- Patient histories and medical records
A data breach can also involve the loss or theft of other types of information, such as trade secrets, sales reports, and intellectual property, but for the purposes of regulatory compliance, governments are primarily concerned about the accidental release of third-party data (e.g., customer records), as opposed to first-party data (e.g., a legendary pizza restaurant's tomato sauce recipe).
Data theft from New York State businesses is on the rise, despite their attempts to protect themselves with firewalls, anti-malware programs, and other tools. Exploits that evade detection are being discovered all the time, and these countermeasures can do only so much. In fact, it is well known among information security professionals that humans are the weakest link in any data security system.
For instance, you could be using state-of-the-art intrusion detection software on your network, but that's no match for a social engineering attack in which an unsuspecting employee, acting in good faith, is deceived into giving compromising information over the phone. Similarly, an employee's company-issued laptop could get lost or stolen, and it may contain passwords or other private information that can be used for unauthorized purposes.
Malicious Hackers Are Now Favoring Small Businesses
Data breaches at major corporations routinely make headline news, while attacks on small and medium-sized businesses (SMBs) often don't get any press. This has led to a false sense of security among SMBs, which are becoming more attractive targets for a few reasons:
- They don't believe that their assets are worth targeting, so they don't make security a high priority. Consequently, their systems are more vulnerable.
- In these hard economic times, businesses are cutting back on expenses that would result in better security but reduced profits. They're also turning more and more to cloud storage and cloud computing as a way to save money, but this may actually increase their cyber risk, depending on the security practices of the cloud vendors. The choice to use a third party to store your data does not absolve you of the costs and requirements to comply with the New York State Breach Law. The data is still your responsibility, and the law still holds you accountable for the expenses associated with the breach.
- Some businesses are so small that they don't have IT departments or IT security teams to ensure that sensitive data are stored and accessed appropriately.
- In companies that do have IT departments, management expects security matters to be handled by the IT staff, but in many cases, they lack the necessary skills (or budget) to do this job. In reality, everyone from the receptionist to the CEO has a responsibility to ensure that they are following security best practices within their own roles (using strong passwords, not opening suspicious email attachments, shredding documents with PII that is no longer needed, etc.).
Aside from stealing data for fun and profit, some malicious hackers are also interested in using other people's computers and Internet connections as a way of concealing their own identities when sending mass spam emails or committing other crimes, such as making fraudulent purchases with stolen credit cards or downloading child pornography.
Unfortunately, your property and general liability policies don't cover these scenarios, and a security breach could be financially devastating, not to mention damaging to your company's reputation. That's where cyber security insurance comes into play.
What Is Cyber Security Insurance?
Today, businesses keep their most important and most valuable data in digital format. Your own data, your employees' data, and your clients' data are all stored on computer systems, either on premises or in the cloud, or possibly both. Whether you're conducting business over the Internet or not, data are still at risk because there's no such thing as a 100% secure system.
Weak data security creates a risk management blind spot that could have disastrous consequences for your business, not to mention your customers. Cyber security insurance, or cyber liability insurance, is a policy designed to cover the exposures created by our digital age. It should not, however, be used as an excuse to be careless with sensitive data: underwriters want to see that insurance applicants already take security seriously by restricting access to information according to employees' roles, enforcing strong password policies, using anti-virus software and firewalls, and having an incident response plan in place, among other things.
How Much Do Data Breaches Cost?
In the event of a breach, the New York State Information Security Breach and Notification Act requires you to notify the affected customers and the Attorney General's office. You may also have to notify the three credit reporting agencies, depending on the number of consumers whose data were compromised. The penalties for violating this law can be quite severe: you could pay up to $10 per instance of failed notification (not to exceed $150,000), plus damages to consumers for actual costs or losses that they incurred as a result of the breach.
The aforementioned penalties are just for New York State. If you do business in other states, then you will need to comply with breach notification regulations in those states as well. To put this into perspective, it's more stress-inducing than the U.S. tax code.
Without a cyber security insurance policy in place, a data breach can balloon into a legal and financial nightmare, even if you do follow the law by reporting it to the concerned parties. It costs a fair bit of money to send notifications by snail mail and to have a call center contact your customers by phone. In addition, the letter that you send must be carefully drafted by an attorney to ensure that it doesn't open your company up to further liability. It may also be necessary to hire a computer forensics investigator to determine how the breach occurred.
You may have noticed that the above expenses pertain to third parties. What about you, the first party? How much will it cost to fix any equipment that was compromised in the attack? How much will it cost in lost revenues if you have to shut down your business until the incident gets sorted out? And what is it going to take to restore your company's reputation? These are questions that only you can answer, and that will help you determine how much cyber liability coverage you need.
What Does Cyber Insurance Cover?
A good cyber security insurance policy will cover both first- and third-party costs of a data breach:
- Damages to third parties caused by a network security breach
- Breach of Privacy – includes damage resulting from alleged violations of HIPAA, the Fair Credit Reporting Act, and state and federal privacy protection laws
- Customer Notification – reimbursement can be provided for legal expenses and other costs associated with notifying customers and offering them 12 months of credit monitoring
- Public Relations expenses to repair your reputation as a result of a data breach
- Rogue Employee – covers damage to your computer network and devices if an employee decides to "go rogue" and steal or destroy data
- Emergency Response – covers expenses related to incident response, including a computer forensics investigation
- Digital Assets – covers expenses such as data recovery and fixing the damage that occurs as a result of an intrusion or virus
- Administrative or Operational Mistakes – covers loss resulting from these mistakes and extends to an employee or an outsourced IT worker
- Ransomware Expenses – covers attacks that lock up files all throughout your network and demand payment to unlock them
Unlike a property policy, a cyber policy is not one-size-fits-all. There's plenty of flexibility to design one that fits your company's unique needs, based on your industry and cyber risk profile. Technology companies, for example, are going to need different coverages than retail stores. Businesses that intend to purchase software and other products and services from technology vendors often have specific cybersecurity insurance requirements that, if not met, will cause these businesses to buy what they need from tech companies that are less of a cyber risk. In other words, not having an appropriate insurance policy may cause you to lose deals to your competitors.
Regardless of industry, however, our policies are modular in nature. We can even include the cyber coverages in a general liability and property policy to keep the paperwork as simple as possible. And, despite the focus on digital data, your cyber insurance policy can be written to cover your dead-tree documents, too.
Cyber Insurance Premiums
When calculating cyber insurance premiums, data breach insurance companies consider three main factors: the industry in which your company operates, the number of records in question (this affects notification compliance costs), and the actions that your company is currently taking to prevent and mitigate attacks. Our cyber liability insurance application will give you an idea of the types of things that we look for when evaluating your cyber risk.
Cyber Insurance Quotes
If you would like to buy cyber insurance, we would be happy to offer you a quote. Please fill out the quote request form toward the top right side of the page for more information. Alternatively, you may download the Security & Privacy Insurance Application and send the completed form to us by email.
Cyber Claim Examples
We have gathered some cyber insurance claim examples for your perusal. This is by no means a comprehensive list, and there are many more breaches that don't get reported in the news.
An ex-employee of a check services company admitted to stealing personal data of over 1,250,000 customers and selling part of it to a third party marketing company. A class action suit was filed and the check services company must enhance their security and provide credit and bank monitoring services and identity theft reimbursement.
The Medical Center (Bowling Green, KY)
The Medical Center at Bowling Green is notifying 5,418 patients whose medical information may have been breached when a computer hard drive was stolen. The computer hard drive was taken from the hospital's mammography suite and contained information from patients who underwent bone density testing between 1997 and 2009.
Montana Tech (Butte, MT)
A Montana Tech employee mistakenly included the personal information of former students in an email message sent to faculty, staff and students last week. The email was an invitation to watch students present their research projects. But the file that this year's information was taken from included the names, addresses, Social Security numbers and, in some cases, birth dates of students whose research projects were done from 1998 through 2005.
DRC Physical Therapy Plus (Monticello, NY)
Officials have seized hundreds, perhaps thousands, of files containing Social Security numbers and other private patient information found dumped outside the shuttered office of DRC Physical Therapy Plus. The manila folders, dating back to at least 1998, include information sheets showing the names, addresses and birth dates of patients and, in some cases, Social Security numbers. Deputies impounded a dump truck loaded with patient files and about a dozen or so boxes stacked inside the bucket of a front-loader.
ManorCare Health Services (Wheaton, MD)
Montgomery County's Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors' yards over the past few months. The county sent a nursing home inspector to investigate complaints from residents in the Wheaton Regional Park Civic Association who said they have found internal documents from the nearby ManorCare Health Services that contain patient conditions, names and Social Security numbers. The inspector cited ManorCare for inappropriate conduct.
Cardiology Consultants Inc. (Pensacola, FL)
Cardiology Consultants Inc. today reported that a computer used to process ultrasound images was stolen from one of its Pensacola offices. The computer did not contain patient financial information or Social Security numbers. The stolen computer did contain the first and last names, dates of birth, medical record numbers, exam dates and, in some cases, the reason for the ultrasound.
Online Shoe Seller Zappos.com
A hacker may have accessed the personal information of up to 24 million customers. Their credit card and payment information was not stolen, but names, phone numbers, email addresses, billing and shipping addresses, the last four digits from credit cards, and more may have been accessed in the attack, according to an email that CEO Tony Hsieh sent on Sunday to employees.