In the first part of this article we discussed some of the emerging cyber risks in today’s business world and explained some of the key differences between a specialized cyber risk policy and a standard Commercial General Liability (CGL) policy. In this second part, we have created a scenario in which “the insured”, an insurance agency, experiences a cyber attack on its network. We start, however, by presenting the initial process that the agency might go through to evaluate and purchase its own cyber risk coverage. We then present the hacker scenario in which the agency suffers a loss, and finally we provide answers as to how the claim was resolved. We also provide an alternative scenario to further clarify what is covered by cyber risk insurance vs. some crime policies. The main focus of this second article is to provide a reality-based example of a cyber-related loss, some of the damages incurred, and how a cyber loss might be adjusted.
Evaluating and Obtaining Coverage
Wellington Insurance Agency had been around for more than 21 years, but not until recently did they start to think about obtaining cyber risk insurance. The owner of the agency, Tom Wellington, had heard more and more stories about cyber attacks in which companies became liable for large loss amounts. Also, some of his clients had purchased coverage, and he felt he was perhaps like the “cobbler’s children who had no shoes”. He decided that it was time to discuss coverage with the agency’s risk manager, Jane, who was a long-time Account Executive for the agency.
The two discussed how being connected to the Internet had created several new exposures for the agency over the years. Jane quizzed Tom about the exposures, “What are the different types of information maintained on the network and how much is there?” Tom replied, “We store employee, customer, insurance carrier, and claim information on our network. This information is made up of names, addresses, social security numbers, and insurance account information. As you know, we sell health insurance benefits and maintain some very personal information on our clients’ employees. As far as how many data files we maintain, we have 35 employees and about 2200 customers, and the files on the employees of our clients represent another 40,000 or more.” Jane asked, “I know that you know your employees pretty well, but could any of them cause a breach of security or send out a virus to third parties?” “Well, I do trust our employees, but I do have some new I.T. personnel; it is possible that one of them could try and take advantage of their position.”
It was obvious to Jane that the agency would need at least Network and Internet Security coverage, often referred to as Cyber Risk or Cyber Liability coverage. This basic coverage would provide protection against third parties claiming they were economically harmed by a breach in the insured’s network. Furthermore, because the agency is subject to HIPAA regulations, primarily due to the types of information involved in selling health benefits, Tom wanted to include coverage for civil regulatory actions. Tom had read about several cases in which companies had incurred fines ranging widely in dollar amount. By adding civil regulatory action coverage, he felt that the agency could greatly reduce the uncertainty surrounding the severity of regulatory fines.
Jane kept firing off questions, “Alright, what about paper files containing sensitive information?” Without hesitation, Tom replied, “We do almost everything electronically, so I don’t feel there is much exposure with paper files.” Jane knew differently though, “What about the several years of paper files stored off premises and the sensitive information on paper files at the office? I think this is definitely a concern and we should at least consider coverage for these exposures.” “Oh wow, you are right! I sometimes forget about our off-site storage,” Tom said.
Jane was also concerned about the agency’s employees keeping sensitive information on their laptops and taking them off the business premises. Jane stated that she was pursuing coverage for those exposures via a privacy endorsement. Tom asked, “Are smartphones typically covered under the endorsement?” Jane replied, “Not all carriers are willing to underwrite the use of smartphones at this time, but coverage is available. That leads me to my next question. How much advertising, content, and intellectual property do you have published online or stored on your network?”
Tom stated, “As you know, the agency has its own website, but I don’t think there is much to be concerned with there. We do have a privacy statement, but everything else is somewhat general. We have our ‘resource center’ that gives customers basic advice on preparing for college, protecting a small business, etc. Customers are allowed to request certificates of insurance, policy changes, and quotes on the website as well. Really, that is about it.” “What about all of those customer logos on our website that you like to brag about?” Jane asked with a little smirk on her face. “Oh yeah, I have been meaning to check into whether or not we have their permission,” answered Tom.
“Yes, we definitely need to do that,” Jane stated. “The Privacy endorsement I mentioned will at least provide some protection against security breaches on laptops taken off the premises. Furthermore, this coverage generally insures against any unintentional breach of privacy statements on your website. I think we should dig deeper on the smartphones and see how much exposure we really have. If we feel coverage is necessary, we will want to compare the overall exposure with the additional premium and the actual coverage provided.”
“Next question: I know the agency has its own page on Facebook, but do any of the agents have personal pages on any of the social media websites?” Tom replied, “No, the company does have its own page; however, we do not allow our agents to post personal pages as representatives of the company at this time. I felt that we could eliminate a fair amount of risk this way.” Jane was glad to see that Tom had been actively thinking about the agency’s risk exposures. “That’s not a bad idea,” she replied.
“One last question: if we are going to cover our website for content liability, including intellectual property exposures, shouldn’t we ask to cover other content such as our corporate newsletter, proposal forms and other marketing material as well?” Tom thought for a second, “Yeah, that is not a bad idea either; let’s look into coverage for that as well.” Jane got up from her chair, “Alright, well I think I have all the information I need. I will start filling out the applications for coverage and keep you posted.”
The following day, when filling out applications, Jane noticed that some of the applications asked if “all” data were encrypted. She knew this wording was important, as she was aware that some insurers attach unencrypted data exclusions to their cyber policies. Jane knew that the company had unencrypted data, and therefore she added a note to the application form stating that the agency protects its unencrypted data through passwords and restricted access. She wanted the insurance carriers to know that, although there was more risk involved with the agency’s unencrypted data, the company had already put loss prevention techniques in place to reduce that risk of loss.
Not more than a week later, Jane received quotes from six of the eight insurers. Based on premiums alone, Jane was able to eliminate three of the quotes and then presented the benefits and pitfalls of the remaining three to Tom. One quote had very low sub-limits for notification costs, and Jane believed it was important to carry higher sub-limits. This option was eliminated. Another quote offered broader coverage for Regulatory Actions by covering not just defense costs but also fines, penalties and compensatory award funds. As Tom had mentioned before, he felt this coverage was essential and therefore gave this policy high consideration. The last quote under deliberation was the only one that offered both digital and non-digital content coverage; furthermore, this carrier was the only one out of the original six that was willing to cover smartphones.
Tom and Jane were faced with a tough decision, but ultimately decided that they had to have the broader coverage for Regulatory Action over the broader coverage for digital and non-digital content. Jane thought that it would have been nice to have coverage for paper content, but in the 21 years of the agency’s operations they had never experienced a loss related to their paper files. Also, it would have been preferable to have smartphone coverage, but Tom found that only a couple of the smartphones were owned by the company and the rest were owned by employees. Therefore, coverage was bound.