In the past two years, major data breaches in the United States have brought the issue of cyber security to the forefront. The well-known Target breach of 2013 resulted in a preliminary settlement of $10 million; 56 million credit cards were compromised in the Home Depot breach of 2014; and, in the same year, the infamous Sony breach saw the release of confidential data that included personal information, email transcripts, and previously unreleased films. This year, we have seen yet more institutions succumb to major security breaches: between 69 million and 80 million records were compromised in the Anthem breach in February, and more than 4 million employee files were breached at the US Office of Personnel Management in June.
The spotlight on cyber security raises the question: How can companies protect against cyber theft? One answer is cyber liability coverage. Below, we have summarized Accounting Today’s September 17, 2015, webinar, Protecting Your Firm Against Cyber Theft, in order to share with you the expertise of presenters Alvin Fennell III, Vice President of Business Development at Aon Insurance Services, and Philip Rowan, Director of Underwriting Consulting at CNA Insurance. We review their responses to key questions on cyber liability coverage: who needs it, what does it cover, and how essential is it?
Is Cyber Liability Coverage Essential?
This is not a straightforward question to answer. Indeed, many people wonder if there’s a point in cyber liability coverage. If someone really wants to breach a company’s data, you might ask, is there really anything you can do to prevent it? Fennell and Rowan agree that there is no foolproof way to make a company’s data impenetrable. Instead, they insist that the goal is to make companies harder targets.
Consider the example of locking your front door: a lock won’t make it impossible to get into your home, but locks and other home-security devices will make burglars more likely to target homes that present fewer obstacles and a lesser degree of risk.
Who Needs Cyber Liability Coverage?
Professional firms that collect and store personal and financial data are subject to security threats and so should consider obtaining liability coverage. According to Fennell and Rowan, several types of data can be accessed, including Personally Identifiable Information (PII) and Protected Health Information (PHI). The types of data that worry most companies are:
- Social security numbers
- Taxpayer numbers
- Financial accounts
- Credit and debit card numbers
- Driver’s license / state ID numbers
- Passport numbers
- Health records
It is important to be aware that there are numerous ways in which data can be compromised, often resulting in costly claims. These include:
- Lost or stolen laptop / flash drive / hard drive / etc.
- Unauthorized access
- Website breach
- Rogue employee
- Inadvertent access (e.g., email or fax)
- Paper files
What Does Cyber Liability Cover?
Companies may already have coverage from traditional insurance products that cover some aspects of data breaches. However, there are limits to the coverage traditional products can provide. For example, general liability insurance would likely cover damage to IT equipment, but it is not intended to cover IT exposures and may include specific exclusions for network risk. And while professional liability insurance can typically be used to respond to and defend against actual claims, this insurance product often includes specific exclusions of cyber liability.
Cyber liability coverage, on the other hand, offers protection specific to cyber threats. Below is a summary of various types of cyber liability coverage that companies may wish to add:
- Breach coverage: Unlike traditional insurance products, breach coverage does not require a claim to trigger coverage. Coverage likely includes access to resources such as:
  - Law firms
  - Computer forensic firms
  - Public / media relations firms
  - Call centers set up to respond to inquiries to your firm. Companies often don’t have the time or resources to handle all the calls investigating the breach.
  - Credit monitoring: some states require it for those impacted by a breach
  - Identity restoration services: for those who have suffered actual losses (fraud) as a result of the breach
- 1st party claims: This policy provides coverage for losses sustained directly by the insured. Costs can include responding to negative attention, sending notification of breach letters, providing credit monitoring to those affected, time spent investigating a breach and working with authorities, and time and resources spent creating new plans.
- 3rd party claims: These are losses sustained by a company’s clients that are not related to the insured but that the insured is responsible for.
- Forensics: This means hiring a firm to determine what data was taken and what data was accessed, provide notification to proper parties and offer credit monitoring to those who need it, and come in at the back end and remediate the system to prevent a second breach.
- Credit monitoring: This can help rebuild trust between clients and the firm.
- Regulatory compliance: Laws vary by state. The laws are specific to the client, not to the company that was breached. The timing for notification compliance varies by state.
- Loss mitigation services:
  - Penetration testing: Software attack on a computer system that looks for security weaknesses and is used as part of a security audit.
  - Phishing Attack Simulation & Follow-Up Training: Phishing is an attempt to acquire sensitive identifiable information (user name, password) by masquerading as a trustworthy entity; this service simulates such attempts and follows up with training.
  - Breach Prevention Best Practices: Customized based on size of firm. The point is to control risk.
Beyond Cyber Liability Insurance
Coverage can protect companies after a breach, but steps can be taken to prevent a breach before it occurs. eFileCabinet offers secure document storage that eliminates the need to keep high-risk paper files, does away with storing files directly on a hard drive or laptop, and includes some of the most well-protected Cloud-based storage on the planet.