Cyber liability: Is your back covered?
A company's entire database was encrypted by a disgruntled employee. A ransom note read in effect: "try and break the code or pay me $1 million and I'll give you the password." The company paid the $1 million.
A hacker infiltrated a well-known online shopping web site and stole 300,000 customer credit card numbers and sold them on the black market. The courts found that the retailer was responsible for all unauthorized charges made on the credit cards.
A U.S.-based technical instruments manufacturer had a former employee delete their entire database. It cost the company $7.8 million in lost revenues and $2.2 million to replace the data.
These are just a sampling of the thousands of technology-based nightmares that have become a reality for businesses in the 21st Century. The good news is that with the proper insurance planning, these scenarios are readily survivable.
"Cyber liability" refers to a range of coverages designed for organizations involved in e-commerce or the Internet. They cover financial losses from events such as theft of client credit card numbers, introduction of a virus into clients system, cyber-extortion, destruction of data and loss of income due to server failure. These coverages can also address third-party losses. The reason a standard business liability policy is insufficient is that there must be physical damage or bodily injury to trigger coverage. A traditional liability policy also does not cover economic loss or professional services.
This is not just an issue for large companies. These days, more and more small businesses are growing their revenue through online sales. Often they rely on someone else to host their web sites, track inventory or authorize credit card purchases. They generally have no control over these systems' reliability or maintenance and therefore have significant exposures.
Perhaps the group with the most obvious exposure include Information Technology professionals such as:
– Web site developers
– Systems and computer
– Database services
– Network administrators
– Security consultants
– Software developers
– Transactional Internet services
IT professionals hold themselves out as experts in a particular area and as a result can be held liable should they commit an error or omission in rendering their professional services. In addition, they have liability exposures arising from how they provide their services, such as allowing a third party unauthorized access to a client's systems.
Many smaller IT professionals may never see a claim, but when a claim occurs, it can be significant, and litigating an IT professional claim can be extremely expensive due to the highly technical nature of most of the subject matter.
The typical IT professional claim involves financial loss by a client due to an error or omission by the consultant. An example is the failure of an electronic data processing consultant to recommend an appropriate system for a client, which results in a financial loss to the client.
Another claim might result from damage to a client's systems resources, such as a virus transmission or unauthorized access and data loss. It can even extend beyond traditional economic loss to include bodily injury or property damage for some professionals.
Although cyber liability insurance has been around for more than five years, there still is little observed data. Businesses don't want the public to know about security breaches in their system, so most incidents go unreported. Because of this, standardized insurance prices and policies are hard to come by.
Insurance companies want to insure statistically good risks. To obtain a cyber liability policy, the insurer will want a full assessment of your system security conditions. If your systems are satisfactory to the insurance company, you're much less likely to have a claim. And if you are less likely to have a claim, it makes sense to purchase a policy with very high deductibles and self-insure the smaller losses that are not likely to cripple your company.
Christopher Strickland is Senior Risk Advisor with Fawcett/Dopke Agency; 946-3600.