Getting Personal

February 29, 2008 | Last updated on October 1, 2024
7 min read
Traditionally, corporate risk officers have been charged with protecting the tangible assets of the company. But their job becomes more complicated when this oversight extends to risks related to network security, intellectual property and brand reputation.

It is Monday morning and the risk officer receives notice that the company’s network has been breached. There now exists a high probability that hundreds, if not thousands, of customer records have been compromised and are in the hands of a third party. Immediately, thoughts of public outrage, business disruption and reputational damage go through the risk officer’s mind. What do you do next in order to mitigate damage — notify customers, advise the board, issue a press release or locate the weakness within the system? For hundreds of companies, this scenario could transpire on any given Monday, regardless of their level of preparedness.

We live in a world where information is exchanged instantly and local companies now have global reach via the Internet. It’s become a primary channel through which we communicate and do business. This evolution brings with it new opportunities and rewards, as well as new risks and liabilities. The advances of technology accelerate how we transact business, and provide those with dubious intentions the tools and access to cause a material disruption to both business continuity and consumer confidence.

CYBER-RISK

Network security has become a critical risk concern for businesses, as revenues generated through online channels have grown as a percentage of total revenue, and strategic outsourcing partnerships are forged. Where traditionally corporate risk officers have been charged with protecting the tangible assets of the company, their job becomes more complicated when this oversight extends to risks like intellectual property and brand reputation.

Cyber-liability exposures and data breaches, especially those that involve the integrity of personal information, are well publicized, creating the potential for putting a company’s reputation at risk. In the past 12 months, governments, financial institutions and healthcare providers alike have all been exposed to data breaches resulting in significant settlements and reserves; not to mention the resulting panic from major stakeholders — specifically, customers. As fast as a system can be breached, news of that breach can spread across the globe in seconds. It can take months to repair the damage arising from losses that stem from just seconds of disruption. Any business that collects and stores its customers’ personal information exposes itself to additional risks. Not-for-profits, educational institutions and retailers are also at higher risk, since the standard of care regulators impose on companies is stricter now than in the past. Data is also more sensitive: it is shared across multiple networks and it is portable. One also must consider the risks existing inside an organization. A data breach is not limited to a network failure; it includes any compromise of the security, confidentiality or integrity of personal information. Employees have access to sensitive information on a daily basis and, through fairly simple means such as a Universal Serial Bus (USB) memory stick, can easily download customer or patient data or compromise company trade secrets. Given the breadth of these databases and the prices paid on the black market for personal information, this can be a tempting source of supplementary income for line employees. With employees becoming more mobile in today’s business environment, a single laptop can be a window into accessing thousands of customer records. The costs per record might be in the hundreds of dollars once charges for investigation, record recreation and customer notification are tallied.

Companies face many types of costs, both tangible and intangible, resulting from a security breach or privacy incident. These costs include:

• loss of current and future customers;

• loss of income;

• reputational loss;

• share price drop;

• public relations costs;

• notification expenses;

• legal expenses;

• fines and penalties;

• judgments and settlements; and

• internal and external IT costs to repair system.

MANAGING CYBER-RISK

Risk avoidance is not a viable option for many companies, but steps can be taken to mitigate further liability risks from data breaches. These steps include:

• reviewing legal/network audit — Review existing protocols and align them with current laws regulating the collection, storing and disclosure of personal information. Ensure that protocols extend to any third-party service providers charged with assuming responsibility for critical piece(s) of the corporate network infrastructure;

• establishing an effective privacy policy;

• disaster recovery planning and business continuity planning — Regularly complete and test the plans corporation-wide;

• establishing mobile device protocols — Corporate information is readily available from laptops, BlackBerry devices and other mobile devices. Consider implementing encryption software and establishing password protection protocols for employees;

• training employees — Educate staff about the risks and the importance of adhering to corporate information protection policies;

• developing data classification standards — Establish protocols for access to highly sensitive information; and

• possibly purchasing insurance — As with all risks, loss control measures are often insufficient. Given the range of products available to provide coverage for data breaches and privacy liability, consider an insurance solution.

INSURANCE MARKET RESPONSE

Insurers of traditional policies recognize the specialized nature and scope of cyber-risks, but often they do not have the resources to underwrite them. Policy wordings in standard policies that are inadequate for insuring cyber-risks include:

• exclusions and definitions in policies that limit or fully exclude network-related losses;

• definitions of property that exclude electronic data;

• business interruption/extra expense is triggered only if the direct loss is insured; and

• direct property loss coverage that was designed for physical assets and physical perils, not for information assets and electronic risks.

Insurance companies are increasingly addressing these issues by providing specifically-designed coverage; at the same time, standard forms are clarifying intent with data and cyber-risks exclusions in both property and liability forms. The reinsurance market implemented the virus exclusion in 2001. Realignment of the insurance industry around emerging risks has been going on for years, resulting in the development and prevalence of specialty products in the market such as equipment breakdown and environmental policies. It is therefore no surprise to see the same reaction to privacy and network security risk.

The market has been addressing cyber-risks in a focused way for the past decade. Yet only in recent years has it focused on privacy liability arising from both network- and non-network-related losses. Some insurers have taken this further, offering coverage for breaches of personal information for any reason.

Historically, securing insurance was an onerous, time-consuming and costly exercise that typically involved a third-party network security audit. Also, the coverage was limited to claims arising from unauthorized access or use of a computer system, and not for losses arising from broadly-defined data breaches. Nowadays, insurers typically require details on revenue, scope of services and customer base, details on the disaster recovery plan, security audits, privacy plan and contracts, and interviews with IT, legal and risk management.

Insurers offering specialty cyber-privacy products include AIG, ACE-INA Insurance, Lloyd’s of London, Chubb Group of Insurance Agencies, CNA Insurance and St. Paul Travelers. Other insurers might address components of the exposure through extensions to errors and omissions (E&O) and General Liability policies. Capacity available from a single carrier could range up to Cdn$25 million, depending on the nature of a specific risk. A significantly higher amount is available through excess layers.

Network security and privacy liability coverage can include:

• liability for media/content on an insured Web site;

• cyber-extortion monies;

• failure to properly handle, manage, store, destroy or otherwise control personal information in any format;

• damage caused by retransmission of a computer virus due to inadequate network security;

• infringement of intellectual property for media or software on the Internet;

• identity theft response fund, covering customer notification expenses and crisis management expenses (including legal, public relations and/or crisis management services to restore corporate reputation);

• loss or corruption of data caused by hackers, malicious code or rogue employees;

• business interruption (BI) for network attacks and loss of income if a Web site is shut down; and

• contingent BI losses caused by network outages due to problems at a service provider.

In the end, the development of these products will be tied to regulatory and legal responses to some of the larger breaches that have occurred. Each jurisdiction will likely have different rules and regulations as it relates to privacy protection protocols and customer notification. Thus, insurance products must keep pace with the various liabilities and costs that companies incur from any security violation and resultant damages.

It might be argued that the tighter the network security and audit requirements imposed on insureds, the less need there would be for insurance at all. But loss prevention and insurance are not meant to be mutually exclusive. Ultimately, the harsh reality is that the risks companies must manage are getting more complex and the consequences more severe. It is encouraging to see the insurance industry’s response to risks arising from data breaches — specifically privacy-related losses — has evolved to the point where meaningful risk transfer solutions are available.