The world is different now. Information is valuable. Information falling into the wrong hands carries destructive potential. Jason Hayes, CIC, AIS, RT Specialty, addressed the members of the Federation of Insurance Women of Texas to make them more familiar with data breach risks and how breach incidents can be insured. Hayes spoke during the FIWT 2022 Leadership and Education Mid Year Expo in College Station on April 23. His presentation was sponsored by the Texas Surplus Lines Association.
Holding personal financial and health information of third parties creates responsibility, said Hayes, a responsibility to protect the information from loss. Standalone cyber insurance policies offer both first party and third party protection in the event of a data breach, said Hayes. Generally, he added, cyber policies bought through the E&S market offer more tailored coverages and better pricing.
“Every business has this exposure,” said Hayes. “You are legally obligated to protect data you collect.” If the information is breached, the business must navigate the different laws in each state that mandate how victims must be notified, he said.
“We are a virtually connected world,” said Hayes, making cyber loss “super possible” for everyone.
Losses can mount, said Hayes, depending on how many private records are compromised. He offered a range of estimates, from $1.8 million to $71.0 million for loss costs based on the number of records compromised, with 25,000 on the low end and a million on the upper end. “A million dollars is not what it used to be,” said Hayes.
Hayes attributed his range of loss costs to privacy notifications, call centers, credit monitoring, identity theft repair, and fraud liability to the third parties whose data was compromised. His estimated costs assumed only 20 percent of those notified would choose to have their credit monitored, and of those, only five percent would experience ID theft or fraud.
Common coverages to look for in a cyber liability policy include breach response expenses and legal liability coverages. Breach response includes legal counsel, computer forensics, public relations, notification costs and credit monitoring. The legal liability coverages include defense costs and damages, regulatory defense and penalties and payment card industry fines and penalties. Some policies offer first party coverages of cyber extortion, data restoration, forensic investigation, crime, business interruption and crisis management.
“A handful of insurers will insure regulatory fines and penalties,” he said. Others may only provide defense.
These coverages are not available in general liability, property insurance, media liability or intellectual property policies, he said. Crime insurance policies cover employee theft of money, securities and property, but data is excluded from the definition of property.
Hayes urged the participants to pay attention to sub-limits offered in the policy. “Every insurer offers something different.” Some insurers have a sublimit on notification and credit monitoring expense, and some insurers have coinsurance provisions applicable to certain expenses, he said.
Hayes cautioned anyone experiencing a breach incident to notify the carrier and have the carrier respond. Allowing the insured’s internal IT team to attempt to fix the situation can lead to the inability of the forensics team to investigate. He likened this to “dirtying up the crime scene.”
Cloud storage is useful to many businesses, but a breach in the cloud does not relieve the business of the responsibility it has to its customers, said Hayes. “The duty to notify belongs to the person closest to the client,” he said.
Ransomware, the computer-age equivalent to extortion, is getting more common. The bad actors who are locking up data systems for ransom payments “are not throwing darts,” said Hayes. Generally, they have entered the system and ascertained the value of the data months before the ransom demand. An example from his experience was a client who received a ransom demand for $365,000. With a little research, the client determined it would cost $380,000 to rebuild the data from backups and other records. The range of premium for this peril is “wild and unpredictable,” he said. A lot depends on the underwriter’s understanding of the applicant’s risk profile.
Hayes offered some tips to improve the risk profile:
-Encrypt all wireless connections.
-Keep antivirus and firewall systems updated and effective.
-Add multifactor identification for access to systems.
-Train employees on phishing and hold phishing drills.
-Maintain data backups outside the resident system.
Small businesses which expect that they are not a target for hackers are mistaken. Hackers know these enterprises lack the security resources of larger companies. “Data held by small business is low hanging fruit,” said Hayes.
Among key takeaways Hayes cited:
-Data breaches are the new normal.
-Work with a broker that specializes in the coverage.
-Be proactive. Don’t wait until something has happened.
-Know that nontraditional cyber exposures can be material. Bodily injury, property damage, pollution and more can result from IT systems being breached and computer-controlled processes being halted.
The Network Security/Data Privacy/Cyber Liability presentation carried two hours of C.E. credit. The FIWT Mid Year Expo included two hours of C.E. by Angela Ford, IIAT. Ford’s presentations offered advice for using technology and understanding data and workflows. A non-CE presentation by Melissa Harrison, Higginbotham, provided attendees approaching Medicare age eligibility with information on Medicare coverages. More than a third of the FIWT conference attendees attended Harrison’s presentation.