I’ve Been Hacked! Am I Covered?

In the wake of the Equifax, Target, Yahoo, and even the SEC being hacked, many small businesses are wondering how can they protect themselves when major companies with much larger budgets and cybersecurity techs on staff can’t protect themselves. I recently went to a course where one of the speakers said: “There are two types of people, those who have been hacked and those that just don’t know it yet.”

Many people don’t realize that the biggest current threat to the insurance industry is cybersecurity. The average cyber-attack could cost a company between four and six million dollars to fix. So, do you need cyber insurance? You should be concerned about your risk exposure if you:

• Gather, maintain, disseminate or store private information
• Have a high degree of dependency on electronic processes or computer networks
• Engage vendors, independent contractors or additional service providers
• Are subject to regulatory statutes
• Are required to comply with PCI Security Standards/Plastic Card Security statutes
• Are concerned about contingent bodily injury and property damage that may result from cyber incidents
• Rely on or operate critical infrastructure (Personally Identifiable Information risk are less prominent for industries such as utilities, manufacturing and logistics)
• Are concerned about intentional acts by rogue employees
• Are a public company subject to the SEC Cyber Disclosure Guidance of 2011

The issue of cybersecurity is in its infancy in the insurance world. Because of this, many brokers are unaware of the potential coverages, requirements and overall insurance needs of many of their clients. Not only does your agent have to be familiar with the types of coverages there are but they should also be aware of what federal and state statutes your company needs to be in compliance with. For example, the New York State Department of Financial Services has more stringent rules under 23 NYCRR 500 than the federal rules. Those rules took effect on March 1, 2017.

Standard insurance policies, while affording some coverage, are not enough to fully protect you if a cyber-attack occurs. In your typical property insurance policy, you are only covered for your tangible property, which data is not. In addition, the loss must be caused by a physical peril while perils to data are normally viruses and hackers.

There are different 1^st and 3^rd party coverages currently available in the market that cover areas such as:

• Network business interruption
• Intangible property: costs to restore or recreate data or software
• Breach response/management costs associated with:
  • Breach notification, including the hiring of outside law firms and public relations consultants
  • Credit monitoring/protection
  • Notification hot-line/call center
  • Forensic costs
  • Identity theft resources
• Cyber extortion
• Loss of income from cyber attack

In the coming weeks I, along with my colleague, Verne Pedro, will write additional blogs and dive deeper into the current relevant legal opinions in this industry. Mr. Pedro will also speak at the upcoming First-Party Claims Conference on, Cyber Claims – Documentation and How to Identify and Prove the Claim. I would suggest anyone in attendance at FPCC take this course.

Seeing as though my Yankees are in the post-season I thought it appropriate to give you a quote from a former baseball player about security. Side-arm pitcher, Dan Quisenberry said, “I lull them into a false sense of security by watching me pitch…if overconfidence can cause the roman empire to fall, I ought to be able to get a ground ball.”

Don’t have a false sense of cybersecurity. Make sure you’re adequately covered.¹
_________________
¹ Credit to Aon Risk Solutions for some of the information contained in the blog post.