Although they have been around for over a decade, it is only recently that an increasing number of organizations accept cyber-incident insurance as a necessary business expense. According to the Ponemon Institute, a leading think tank that tracks and quantifies the economic impact of cyber-attacks, the average cost to an organization for cybercrime was $3.79 million in 2015 – an increase of 23% over the past two years.
Several high-profile cybercrime cases have garnered the attention of the media and consumers alike. For example, Target Corp. suffered a breach that cost the company over $162 million in expenses and affected 70 million customers. Similarly, more than 56 million Home Depot customers had their credit cards exposed to hackers. Upwards of 50 lawsuits have been launched against the company since it disclosed the breach in September 2014, which has cost the home improvement giant approximately $232 million to date.
It is important to recognize that an organization does not have to be the size of Home Depot or Target to fall victim to a data breach. Toronto-based IT firm Scalar Decisions Inc. commissioned a study involving Canadian businesses. More than half of the respondents experienced an incident involving a loss or exposure to sensitive information. These respondents came from a wide variety of industries and nearly two-thirds worked at companies with between 251 and 5,000 employees in Canada.
Although there is a positive relationship between the cost of cybercrimes and the size of an organization, the Ponemon Institute finds that smaller organizations incur a significantly higher per capita cost than larger organizations when a breach occurs.
No matter the size, most organizations now store some form of sensitive information in digital format, such as customer information, intellectual property, and money in the bank. As more businesses and consumers turn to electronic means to conduct business, the stakes are getting higher and the need for protection is increasing.
Businesses may be unaware that their commercial general liability (CGL) and property insurance do not cover cyber breaches. In fact, CGL policies often exclude cyber risks and standalone business interruption policies often do not extend to “intangible” events. Given that these traditional policies pre-date the Internet, it is not surprising that the cyber-insurance market is flourishing. Modern cyber-insurance coverage is now available within a standalone policy or, more commonly, as an endorsement to an existing policy. Adjusters handling a cyber-claim under an endorsement to another type of policy will need to review the policy carefully to check for issues such as high deductibles or sub-limits on first-party exposures.
In short, cyber-liability insurance is intended to cover losses not typically covered under traditional policies, such as CGL. While it is important to recognize that complete protection from a cyber-attack is impossible, many insurers are now offering policies that cover a wide range of risks.
While there is no standard form of cyber insurance, current policy options cover a broad spectrum of risks, capturing both first and third party risks. This includes coverage for information asset loss (i.e. reimbursement for the costs to restore data compromised or deleted during a network attack); cybercrime such as cyber-extortion expenses (i.e. the costs associated with paying experts to retrieve compromised data and/or negotiating and paying a ransom demanded by an extortionist); business interruption and extra expense (i.e. reimbursement of lost business income following a network attack, financial losses of third parties due to a company’s systems being unavailable); and data and network breach (i.e. investigation, assessment, and notification costs of affected individuals or entities in the event of a data breach/defence and liability resulting from a claim for a data breach or from a privacy regulatory proceeding).
So what might a cyber-breach claim look like? Here are a few examples of the types of claims adjusters working in this area could be faced with:
- An employee receives an email that appears to be from a client. In opening the email, the employee detonates a “logic bomb” which erases all of her client agreements and proprietary software used in the course of business. Her employer claims for reimbursement to restore the software and obtain the missing contracts.
- A local skin care products company has started an online shopping service through their website which is managed by a third party service provider. The third party service provider experiences a network intrusion, causing their servers to be down for four days. During this time, customers are not able to access the company’s website and cannot shop for its skin care products. As a result, the company makes a claim and is reimbursed for loss of sales while the network was down as well as the expense of creating a temporary webpage advising customers their online store is temporarily unavailable.
- A business consulting firm has been engaged to assist a company in securing a business deal. The consultant is given access to the company’s confidential information, which he stores on his laptop. The consultant’s laptop is stolen from his vehicle and the company’s sensitive information is compromised. The company is ultimately not awarded the business deal as a result and sues the consulting firm for losses arising from not securing the deal. The insured consulting firm makes a claim for legal costs associated with defending the suit.
All cyber policies include various exclusions and, despite what an insured may believe, not all losses are covered. Moreover, the insured’s conduct can have an effect on whether a policy will cover the loss. For example, coverage may not extend to circumstances where an insured company did not take reasonable steps to keep its software updated and secure. Beyond determining whether a particular policy covers the claim, investigating cyber-claims involves highly technical and complex work, likely requiring outside vendors in order to determine the scope of the breach and better understand how it occurred. The Ponemon Institute’s Global Study found a positive relationship between the time it takes to contain a breach and the cost to the organization. Thus, adjusters and experts must move rapidly in order to contain the breach and prevent further loss. Lastly, as business reputational risk may be a factor, a public relations firm could be needed to handle any media and other stakeholder interest.
It remains to be tested in a Canadian court whether a plaintiff has suffered an “injury” when their information has been stolen but not misused. If so, how are damages quantified in such a case? In the United States, where cyber-liability actions are more common, courts have been split on this issue, leaving little in terms of a reliable precedent to be applied in the Canadian context. The fluidity of the legal framework surrounding civil actions for data breaches creates both risks and opportunities as this fledgling insurance market grows.
In addition to business policies, many insurance companies in Canada have started offering identity theft coverage as an additional option to home, condominium or tenant insurance policies. This coverage often includes reimbursement for identity restoration expense, professional advice, and reimbursement for lost income for the time a person takes to speak to police and credit agencies.
Cyber-liability insurance is still in its infancy, and like the risks it attempts to mitigate, policies are constantly evolving. While more insurers in Canada are now offering these policies, the dearth of claims in this area leaves some uncertainty as to how this new insurance market will react to cybercrime and how insurers and insureds will be protected. According to the Insurance Institute of Canada, a barrier to the expansion of cyber insurance markets involves the lack of information about the likelihood, severity, and consequences of major attacks needed to determine a calculable loss. A second barrier involves the accumulation of risk associated with catastrophic attacks that must be managed to ensure that they do not overwhelm the financial capacity of insurance companies.
Moreover, it is not yet known how cyber policies will respond to the so-called “Internet of Things” revolution. In an increasingly gadget-oriented society, where consumers demand mobility, remote access and interaction between devices, the connectivity push will only continue, along with the risk of a breach. This trend will be compounded by the relatively new capacity to monitor virtually anything: checking a person’s heartbeat or temperature with wearable technology, unlocking doors with mobile devices, remotely monitoring your home’s heating, security, fire detection and so on.
Nevertheless, as the digital integration of personal and commercial information and activities increases, the acceptance of cyber insurance as necessary coverage will also increase. One can imagine a scenario where purchasing cyber insurance will go hand-in-hand with property / casualty policies. Although uncertainty remains in this relatively new insurance market, it can be safely said that as the costs of managing a cyber-breach are revealed, companies are turning to insurers to mitigate risk.