[BreachExchange] Is Your Business Insuring Cyber Risks?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 20 19:17:57 EDT 2017


http://www.themetropreneur.com/columbus/insuring-cyber-risks/

What cyber risks is your company exposed to and what insurance options are
available? How much of your customers’ or clients’ personal financial or
health information is stored in electronic form in your company’s computer
systems?

As you collect more pieces of electronic information, the risks of that
information falling into the wrong hands can also increase. This is
especially true when the wrong hands could be thousands of miles away
typing on a keyboard.

The list of cyber risks is always fluid and ever increasing in depth and
scope. Such risks include identity theft resulting from security breaches,
business interruption from a hacker shutting down a network, damage to data
records, theft of digital assets, the introduction of malware or viruses,
the cost of credit monitoring for people impacted by a security breach, and
even something as simple as human error resulting in inadvertent disclosure
of sensitive information through email. Cyber risks can originate from an
individual in their basement, to activists making a statement, to
opportunists looking for notoriety, and even nation states and terrorists.
The risks and the perpetrators are diverse and extensive.


Commercial General Liability polices do not typically cover such cyber
risks, which can leave a company exposed to these ever-evolving risks.
Cyber liability policies have been, and are being developed, in an attempt
to cover these cyber risks. Cyber coverage can include expenses related to
cyber extortion or terrorism, or the costs associated with breaches of your
customers’ privacy. Cyber liability policies can also cover liability for
the loss of confidential information resulting from unauthorized computer
system access or the costs associated with replacing and restoring business
assets that were stored electronically. Finally, cyber insurance can be
written to cover business interruptions resulting from a cyber security
breach.

While cyber insurance policies are becoming more common, companies cannot
assume their cyber policy covers all of their current cyber threats. There
are still gaps that can develop in coverage. These gaps are products of an
ever-changing threat matrix that evolves with the always-increasing growth
in technology.

Recent court decisions have exposed the risk of these coverage gaps. These
include a large restaurant chain seeking coverage for card payment industry
data security standard assessments, but could not prove this was included
in its cyber policy. This resulted in $2 million in fees and assessments
that were not covered.

Another recent case involved whether a crime policy covered a complex
cyber-criminal scheme. A court held that a multi-million dollar wire to a
fraudulent bank account was not covered because it resulted from human
error and not a “direct result” of an email.

In another example, a grocery store was sued by a credit union after credit
card accounts were stolen. This theft resulted in reimbursement costs to
customers for fraudulent charges, the reissuance of cards, and even claims
for the loss of good will. While the policy covered a first-party loss of
the grocery store, it did not cover the third-party loss resulting in the
credit union suit.

Any potential cyber coverage gaps should be analyzed as a company’s
technology use and business structures change. Companies can often find
themselves moving forward in business and technology, but be less diligent
in pursuing the proper coverage. This is especially true in the relatively
new arena of cyber risks and cyber insurance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170320/546754c9/attachment.html>


More information about the BreachExchange mailing list