The Cyber Insurance Purchase by Jim Phillips, ARM, AAR, CRIS

July 18, 2018

Posted in Business Insurance, Risk Management by

It’s not if, it’s where? Isn’t that the saying? Well no, but in regards to the access of your personal information it should be. Think about how simple it is to pay bills, check account balances, and even order dog food delivered to your door. Purchasing habits have evolved to the point we no longer sign our names, we simply place our thumb on a button. Not much thought is given to where this information goes, how it is safeguarded, or even what the impact of losing it means. Personally speaking we are mostly protected. If our credit card or bank accounts are fraudulently charged we let the bank know and they credit our accounts. The same is not true in regard to commercial enterprise. Businesses face countless costs, as well as liabilities that do not simply get waived.

There is also no shortage of cyber criminals attempting to gain access to the data used to conduct this business. In 2018 report released by Symantec found 1 in 13 links contained in emails direct end users to malware. The goal in 90% of the cases studied was simply information gathering. The Ponemon Institute projects that 1 in 4 businesses are likely to experience a breach. The most concerning statistic is from the US National Cyber Security Alliance concluded that 60% of small companies that suffer from cyber-attacks go out of business. This is the crux of the exposure covered by, and the need for, cyber insurance.

The next logical question is what does a cyber policy cover? The answer is not so simple. There is no standard policy, and coverage is changing at a rapid pace. Cyber policies began as liability protection for firms who failed to protect personal information. Coverage today has evolved to provide equally meaningful protection for the costs incurred to the business, as well as the liability created by the failure to protect data. These coverages should be reviewed carefully and periodically as cyber insurance is relatively young in the insurance product cycle. There are dynamic factors like legislation the HiTech Act of 2009 to the recently enacted General Data Protection Regulation (GDPR) in Europe. Remember the “where” part from the initial question.

While policy terms, underwriting appetite, and risk services vary tremendously by insurer, policies are typically broken into distinct sections for first party versus third party losses. First party losses include loss of revenue, notification expenses, data forensics, legal fees, and can even include property damaged by the event. Third party losses come when another party sues for the damages your business caused them. To help illustrate some of these costs consider the following situations related to both types of loss.

Let’s start with first party; consider the following example: A local plumber uses a proprietary software to manage their company. First thing in the morning an employee clicks on an email link. This link enables a ransomware package to immediately run through the company’s computer system instantly locking up every terminal. There are forty licensed plumbers making almost $30 per hour waiting to be released. That’s $1,200 per hour in labor on hold. The first call is made to the outsourced IT vendor for support. They rush to the rescue at a rate of $150 per hour and an urgency charge of $1,000.

By now a ransom for five bitcoins has been received to release the data which has been locked up. The ransom is considered not meaningful until the backup is found corrupted. Which brings about the question, where do you get bitcoin? Throughout this entire process the phones have been ringing and customers are upset. Finally after five full working days the system is restored, and operations can resume. Some activity has taken place with old fashioned manual tickets, and they must now be entered into the system as well.

In the aftermath forensic investigation determined that the ransomware allowed unauthorized access to your billing and employee files. The data shows there are over 3,000 individual records you must notify. You place a call to your attorney to protect yourself and find out you must indeed notify the attorney general in your state as well. The attorney can help you for the nominal cost of $400 per hour to make that filing. At the end of the first week a simple click of a button has led to a total cost of $157,500 before many of the typical costs associated with a breach have been paid. Common costs like; notification and credit monitoring expenses, fines or penalties, or actual costs to restore data lost to corrupt backups. These represent significant expenses that must be considered when purchasing a cyber policy.

First Party Cost Illustration-First Week
Wasted Labor – $1,200/hr x 30 hours $36,000
Extra Staff Time to Rebuild $7,500
I.T. & Forensics – $300/hr x 30 + One Time $10,000
Legal Fees – $400/hr x 20 hours $8,000
Lost Income – 1 week @ $5M avg annual sales $96,000
Grand Total $157,500

Now let’s consider the potential damages to other parties caused by typical business activities. At first glance many gage the liability as minimal. Didn’t we just agree the credit cards refund fraudulent charges? However, suits are filed quickly for a number of reasons beyond refunding lost money. Lawsuits allege many harms including; breach of contract, breach of consumer protection statutes, and negligence. Even though several states have ruled a breach alone does not constitute negligence firms must defend themselves up to that point. Claims involving breach are often highly technical and specialized legal experience is required. As you can guess, it’s not inexpensive. Beyond the breaches from a third party, what if the bad actor was indeed an employee? A rogue employee with simple access to customer files can be disastrous.

A little more complex example: A specialty metal manufacturer operating in the Midwest with sales in Europe, Asia, and India has their system hacked due to the poor password management of a plant manager. Hackers are able to access the entire production network, but not employment or billing files. At first the management team breathes a sigh of relief as no personal or payment information appears to have been taken. However, as IT runs the situation by their corporate counsel she wisely alerts management to the issues faced by the new GDPR in Europe. Remember the where question? The manufacturer quickly hires counsel in Europe, Asia, and India to make proper response. European Regulators begin investigations levying fines for not having data protection plans, not vetting third party recipients of the data, and transferring private information outside of borders without adequate levels of protection. The next shoe drops as once notified customers begin filing suits for breach of contract in their negligence protecting proprietary designs and processes.

In this second example the legal costs to navigate multiple jurisdictions with complex information is difficult to quantify. Even more difficult to calculate are the damages for failing to protect the sensitive client designs. Many of the claims illustrations given by major national insurers have the defense and settlement costs exceeding seven-figures. In contrast, the first party loss of income associated with the angry customers is more predictable, and equally expensive.

The two above examples highlight many, but not all, the coverage considerations when purchasing cyber policies. As previously mentioned, these policies are not standard and constantly evolving. Insurers have carefully crafted definitions, coverage grants, and offer services to address these exposures. It is the role of the trusted advisor to help their client identify the exposures, and purchase the right policy. A policy in 2018 that is costing less, and critical to the sustainability of our economic prosperity.

 

Jim Phillips, ARM, AAR, CRIS, is responsible for the ONI Risk Partners commercial insurance division. His experience includes designing and placing insurance programs for the most complex risks in the Midwest. This article was published in the July/August issue of FOCUS, a bi-monthly publication of the Independent Agents Services Corp., a subsidiary of the Independent Insurance Agents of Indiana, Inc.