“Everybody needs it, and most companies don’t realize they don’t have it until it’s too late.” This was a quote by Jacob Olcott, a principal with Good Harbor Consulting’s cybersecurity team, in a recent NY Times article, here
I don’t see the logic in this statement, but then, I am an insurance broker. If you are living under the misguided assumption that your insurance covers everything, I am sorry to deflate your bubble.
You only have Cyber Risk insurance coverage if you know you have Cyber Risk insurance coverage. It only comes by way of a long and intrusive application. This application requires that the C-Suite employee charged with insurance decisions actually speak with the Tech Geeks in the company to explain VPNs, anti-virus software, multifactor authentication, incident response plans, secondary systems, network security audits, and so on. The submission process includes a review of intellectual property clearance procedures. And, in most cases, the annual premium is material in relation to the common commercial property and general liability insurance policies.
There is no automatic coverage in a common general liability or property policy for the majority of cyber risks. If a lawsuit alleges a disparaging comment was made on a website, then there might be some justifiable confusion, because there is a chance the general liability policy was amended without your knowledge to specifically recognize that your website is considered “advertising” and therefore defamation risk will be insured. However, the majority of Cyber Loss is not going to come from defamation.
Cyber Risk presents both “third party” loss, by way of litigation for accidental release of personally identifiable information or copyright infringement, and “first party” loss, resulting from crisis management expenses, fund transfer fraud, extortion, business interruption, security breach notification expenses and public relations consulting.
The expense of notifying compromised accounts or providing credit monitoring for thousands or even millions of customers is a loss that can bankrupt an organization. And, even if it doesn’t bankrupt the company, the ultimate disclosure of a material privacy/data breach can result in follow-on securities class actions alleging negligence or insider trading.
The complication surrounding the management of Cyber Risk, and the eventual transfer of risk to insurance, is the relative lack of legal precedent. Legal precedent is used to help company executives identify risk, and it provides guidance for loss control activities. It allows people to learn from the mistakes and losses of others without directly suffering the loss. The same issue applies to cyber risk insurance. With this being a very new category of risk, there is no standardization in available coverage, in policy contract wording, or in pricing. Pricing in these products is partially based on insurers’ “best guess” for future loss development, because actuarial analysis is impossible with little precedent and little insured loss data. However, pricing is also determined by the level of coverage being provided, so it is incumbent on you and your insurance broker to provide a detailed analysis of the coverage being offered for each quote received.
The broker you choose to assist you in understanding Cyber Risk and Cyber Insurance is critical to the process. Your broker must be cyber savvy, and it is important that they are a “truly” independent broker who will canvass the whole marketplace.
Precedent is starting to develop, and based on a recent case it does not look good for the Defendant. Jones v. Tsige, here, is a very recent Ontario Court of Appeal decision which considered the violation of Jones’ privacy to be in the $20,000 range and finally decided on $10,000 in damages against Tsige, suggesting that “where the plaintiff has suffered no pecuniary loss (damages) should be modest but sufficient to mark the wrong that has been done.” In arriving at this decision the court had to set aside the original summary judgment dismissing the action. The decision was unanimous. The implications are significant because the court recognized that “Jones suffered no public embarrassment or harm to her health, welfare, social, business or financial position and Tsige has apologized for her conduct and made genuine attempts to make amends.” I will let you read the juicy details, but this puts a very large damage award (not to mention legal costs to be paid for both sides) on a case with a single perpetrator, a single victim, no relationship between them, genuine remorse by the defendant, no financial damage inflicted, no bodily injury, and no emotional distress. This is a straightforward invasion of privacy involving electronic financial information, and the court’s “desire to promote specific deterrence.”
Greg Shields is a partner with Mitchell Sandham Insurance Brokers, a (truly) independent company providing commercial, private client and financial services insurance. He specializes in casualty products that address directors’ and officers’ risk, crime, fiduciary liability, professional errors and omissions, and cyber/media risk. Mitchell Sandham Insurance Brokers provides negotiation and risk consulting services, coverage and claims advice to small and medium-sized enterprises, multinationals and nongovernmental organizations. Greg can be contacted at (416)862-5626 or firstname.lastname@example.org.