RAND on Cyber Warfare

Insurance policies do not protect you against acts of war. They don't do it for your home and auto, and I doubt they will do it for your data assets. It's good to be a bit familiar with the areas in which you have limited protection. Here are links to the RAND Corporation's page on Cyber Warfare, and Wikipedia's entry on RAND:


A conversation with General Pace

Last month, I was thrilled to attend a talk given by Peter Pace, former Chairman of the U.S. Joint Chiefs of Staff, at JP Morgan's headquarters in New York City. During the Q&A session that followed the main talk, he fielded some good questions from investment bankers in the audience. The last question he answered was about which threats to American security kept him up at night.


His response surprised me. 


First he listed things that you would expect, such as the campaigns in Iraq and Afghanistan, political instability in Africa and the Middle East, the rise of China, the craziness of North Korea, the specter of general nuclear proliferation. Then he went back over each of these things and explained why they do not bother him too, too much. 


What really bothers him, he said, is the threat of cyber attack. The United States is extremely vulnerable to cyber weapons, he said. He mentioned that large firms like JP Morgan no doubt have the resources to protect themselves a bit from these threats. [Word on the street has it that they do this by hiring people straight out of the CIA and NSA.] Smaller firms, however, have no such protection, and it is in everyone's best interest for large corporations and the US government to work on security gaps together.



He said the advent of cyber weapons will have the same impact on relationships between nations as nuclear weapons have. Unlike nuclear weapons, however, thousands of cyber attacks occur each day. He knows what the United States could do to launch a cyber attack and knows what the country cannot defend against. Nation states have generally practiced self-deterrence and do not want a cyber attack launched against them.
It is not nation states that concern him as much as small terrorist groups. He said that small groups of individuals have the power to launch the sort of actions that only nation states could just a few years ago. 
After the talk, I introduced myself to him as an Iraq veteran, which I hoped would soften him up a bit so I could pepper him with questions. When I asked him what kind of books or articles I could read in order to understand all this better from an insurance perspective, he said that the scene changes so fast that anything more than two years old is outdated. He told me that updating your reading every two weeks was more like it. This all raised more questions than it answered. What sort of redundancies should web-based businesses develop, so that they can weather any conceivable storm?
I welcome anyone's thoughts on this.

Philadelphia Insurance Companies

Philadelphia Insurance Companies is a firm that has developed a broad range of coverage for Cyber Liability, and they do a great job describing their programs. As this field develops, various insurance carriers will compete to corner areas of this insurance market. One of the factors in choosing which ones to go with [aside from the obvious factors of price and service] is how clearly a company explains its coverage. Right now, the material provided at this link is a good place to get familiar with the types of coverage. As time goes on, this will change and develop a great deal.

https://www.phly.com/products/CyberSecurity.aspx

Step One For Protecting Your Technology

Information Technology can be pretty overwhelming. There are lots of acronyms, abbreviations, and buzzwords you have to know just to do your everyday work. On top of that you have tons of vendors and sales reps who want to sell you some kind of server, software, or service to protect you from all that can go wrong. How do you evaluate all this technology when you barely understand it? If you're like most people you get overwhelmed and procrastinate. Really, who wants to go home after putting in a long day at work and start working on their technology protection strategy?

The first step that I recommend to anyone working on a technology protection strategy is to visualize what they would do when confronted with the most common technology disasters. Sure, you may need protection from a potential hacker who might try to break into your network Ocean's Eleven style, but those types of break-ins are relatively rare for small businesses. However, I can almost guarantee one of these problems will happen to your business in the next three years:

Wall Street Journal on Lawyers' Cyber Security

http://online.wsj.com/article_email/SB10001424052702304458604577486761101726748-lMyQjAxMTAyMDIwNTEyNDUyWj.html?mod=wsj_valetleft_email


"Operation Cupcake": an example of Cyber Breach

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html

Proof that British Intelligence still has panache. This article from the Telegraph gives an example of what can happen when a website is breached and its intended purpose compromised. In this case, the outcome was benevolent.

Reading your Cyber Insurance Policy


When you get your insurance policy and try to read it, you will confront some tedious reading. To help you understand the protection you have purchased, here is an effort to summarize it all.


  • Declarations Page - the first few pages contain the main details you need to know about your policy at a glance. Your company’s name and address, as well as the limits, retentions and premium of the policy.
    • Policy Limit - the amount up to which the insurance company will pay if you have a loss. (For example, if you have a $1,000,000 limit, they will pay for damages that go up to that amount, but no more).
    • Policy retention - the "retention" or "deductible" is how much you have to pay out of pocket when you have a loss. Insurance policies include this amount so that policyholders have an incentive to exercise diligence in avoiding losses. (For example, if the retention amount is $5000, you have to pay up to $5000 for any loss you have, and then the policy will cover anything beyond that amount.)
    • Policy premium - how much you pay per year for your insurance. The policy premium is based on how much coverage you get. The more coverage you get, the more you pay. Buy as much coverage as you need, and no more, to keep your premiums as low as possible. But don't scrimp too much.

  • Your cyber insurance policy is based on how you filled out your original application. When you fill out your insurance application, make sure you answer all the questions accurately. You will need to indicate annual income, description of business operations, personal information held (social security numbers, credit card info, employee personal health data, bank account information, home addresses). You will be asked to indicate your computer security controls, privacy policies, the internet media you use, any regulatory issues you have, any prior claims or prior insurance. Let your agent know when any of this information changes.

  • Your Policy Outlined - in the body of the policy, you will find the following things described. Your insurance agent and underwriter understand what these things mean, but for your own reference, here is a run-down of the vital matters:

    • Insuring Agreements
      • Information Security & Privacy Liability
      • Privacy Notification Costs.
      • Regulatory Defense and Penalties
      • Website Media Content Liability

    • Defense and Settlement of Claims
      • This section describes how the insurance company will legally defend you to reduce the amount of money that you both have to pay out. They will do everything in their power to reduce damages.

    • Exclusions
      • This section lists all the things that the policy does not cover. Because a Cyber insurance policy is designed to protect you from specific kinds of IT risk, it does not cover the property and general liability risks that your normal business owners policy covers.
      • This section also lists the things that will not be covered due to your own dishonesty or fraud.
    • Definitions
      • This section is like a glossary that lists terms used in the policy and gives a definition for them. This is good to review so that you can feel conversant in the terminology of the policy.
    • Limit of Liability
      • This section describes in depth what was indicated on the Declarations Page, the Aggregate Limit of Liability. Aggregate Limit means the total amount the policy will pay out in a given year.
    • Retention
      • This section describes in detail the Retention that was indicated on the Declarations Page, that is, the amount that you are responsible for paying if you have a loss. Some policies will have no retention, others will have one.
    • Notice of Claim, Loss or Circumstance that might lead to a Claim
      • This deals with how you need to notify the insurance company if you have a loss. For you as the owner of this insurance policy, all you need to do is notify your agent as soon as you have a loss or think you might have one, so he can take it from there.
    • Assistance and Cooperation
      • This describes how you have to cooperate with the insurance company if you have a loss.
    • Subrogation
      • This describes how the insurance company will go after other companies who may be at fault if you have a loss.
    • Other Insurance
      • This describes how the insurance payouts will work if you have other insurance policies in addition to this one.
    • Mergers and Acquisitions
      • This section describes how you need to structure your insurance if you buy a new subsidiary or if you merge with another company. Should you do either of these things, contact your agent, so they can review all of your insurance with you and re-adjust the policy to your new situation.
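To see how the Declarations Page figures interact over a policy year, here is an added worked example (not from the original post, and not any carrier's policy wording) that models the per-loss retention and the annual aggregate limit described above. The numbers are constructed: a $1,000,000 aggregate limit and a $5,000 retention, matching the illustrations used earlier; the class name and function names are my own.

```python
from dataclasses import dataclass


@dataclass
class CyberPolicy:
    """Money terms from a declarations page (constructed example, not a real policy)."""
    aggregate_limit: float   # most the insurer pays in total during the policy year
    retention: float         # amount the insured pays first on each separate loss
    paid_so_far: float = 0.0  # running total the insurer has paid this year

    def settle(self, loss: float) -> tuple[float, float]:
        """Split one loss into (insurer_pays, insured_pays) and use up the aggregate.

        The retention applies per loss; the aggregate limit applies to the sum of
        all insurer payments in the year. Once the aggregate is exhausted, the
        insured carries the whole remainder of any further loss.
        """
        if loss < 0:
            raise ValueError("loss must be non-negative")
        insured = min(loss, self.retention)            # retention comes off the top
        remaining_limit = self.aggregate_limit - self.paid_so_far
        insurer = min(loss - insured, remaining_limit)  # capped by what is left
        insured += (loss - insured) - insurer           # excess over the limit
        self.paid_so_far += insurer
        return insurer, insured


def settle_year(aggregate_limit: float, retention: float, losses: list[float]) -> list[tuple[float, float]]:
    """Settle a sequence of losses in order against one fresh policy year."""
    policy = CyberPolicy(aggregate_limit, retention)
    return [policy.settle(loss) for loss in losses]


if __name__ == "__main__":
    # Constructed claim history: a small breach, a large one, then one that
    # overruns what is left of the aggregate, then a loss after exhaustion.
    for insurer, insured in settle_year(1_000_000, 5_000, [20_000, 800_000, 400_000, 3_000]):
        print(f"insurer pays {insurer:>12,.0f}   insured pays {insured:>12,.0f}")
```

The third claim is the instructive one: only $190,000 of the aggregate remains, so the insured pays the $5,000 retention plus the $205,000 that the policy can no longer cover. Real policies also carry sublimits for individual insuring agreements (notification costs, for instance), so the policy wording always governs over a model like this.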

Examples of Cyber Loss


  • Business Interruption - crippled computer systems, a downed website or abrupt data loss can produce a spiral effect of lost revenue that limits your ability to meet payroll and other expenses. Business Interruption forces you to suspend normal operations until everything is restored. A normal insurance policy protects you from Business Interruption if your building burns down. Cyber Insurance protects you from the same thing, but in a digital sense.

  • Notification Costs - these expenses mount quickly. As the laws regarding data breach change and develop, legal obligations for businesses are increasing. In the event of a cyber breach, you may be required to inform customers and the public that their information is at risk. This can get very expensive: payment for call centers, drafting written alerts and press releases, printing, postage, and advertisements/publications to inform them about the breach. Cyber insurance will cover these expenses, so you do not have to shoulder them yourself.

  • Credit Protection - in a cyber information breach, your company will be financially liable for the credit monitoring services that each of your customers will require.

  • Crisis Management - fees for public relations to reestablish your name and credibility.

  • Cyber Extortion - this is when a hacker holds your information hostage. Ransom money has run into the millions in some cases.


  • Legal Fees - what you pay in the face of lawsuits. Because your company had a duty to secure customer information, you could face lawsuits for the breach of this duty, resulting in hefty legal fees. Insurance companies are not only well equipped with lawyers who specialize in dealing with lawsuits of this type, they are able to settle claims out of court to minimize the losses you face.

  • Forensics Costs - because there was a breach of your security system, your company will now have to pay for a digital forensics analysis to determine how the breach occurred, and new security systems to guard against future instances will have to be installed.

  • Lost Time = Lost Revenues - self explanatory. During this whole process, your business' day-to-day operations will be interrupted while security breaches are cleaned up.

What is Cyber Insurance?


Cyber insurance protects businesses against the hazards of Data Risk. 

Data is the most valuable asset for most businesses, and data breach is one of the biggest risks. Cyber insurance protects you from a range of costs that you could incur in the event of a data breach: business interruption costs, the costs of reconstructing data, defending against lawsuits, and providing notifications to people whose data has been compromised all fall under this category. The laws regarding these issues are constantly evolving. There are 46 states with separate laws for information risk. There are federal laws, and international laws that are starting to surpass laws in the United States.

Don't think that by writing this article we intend to generate fear, the way that insurance companies normally do. We are here for the opposite reason, to make you informed and confident.

Examples of data breach include scenarios such as posting sensitive data on your website, breach of customer privacy, intellectual property infringement, virus transmission between computers, employees who lose their laptops or flash drives containing sensitive information, and computer malfunction or employee action that distributes customer information by mass e-mail.

If your business uses a computer system, you are exposed to data risk every day. If you have a website, you are also in the publishing business, whether you intend to be or not, and anyone can access your content. If your business collects or handles confidential information (like home addresses, social security numbers, people’s names, credit card or bank account details), you are legally responsible for what is done with that info. If you have employees, and you gather their personal information to provide benefits, you are responsible for what happens to that info.


The size of your company does not protect you, especially if you Outsource


Large banks, retailers, and healthcare organizations are known to have this kind of exposure, but so does every other business. Being small or outsourcing to a third party doesn’t isolate you from exposure. Smaller enterprises may be more at risk than large ones. Big firms can usually take a hit and absorb some losses if they don’t have the right coverage in place. But a smaller company that takes a hit like this can be put out of business. 



If you use third party vendors, you are not safe. 


Companies that use third party vendors to handle some of their data – whether it is payroll or customer information – still have exposure. If you collect the data from individuals, you may use vendors to do certain things with it, but the law still holds you responsible for compliance.


Can you afford Cyber Insurance?


The form you fill out for cyber insurance provides a self-assessment of your current risk situation. The best insurance providers in this field give you access to a stable of professionals who specialize in crisis management, law, and front line breach coaching. When losses do occur, people tend to panic. They realize their reputation is now on the line and that customers and competitors will start to pick up on it. Premiums run from $2,000 to $5,000 for a million dollars of coverage. Policies in that range will get you an advocate and a response team to help with any incident. As a smaller company, you want to make sure that someone responds, because you don't have employees on staff who are able to devote their full time to cyber loss forensics.