Reducing cyber risk exposures: 8 category coverages to consider.
The everyday use of and reliance on computers is a generally accepted way of life for today's businesses. Computers handle business transactions ranging from the purchase of $10 in gasoline at the local station to the purchase of a $10 billion manufacturing company. The use of computers helps to smooth the flow of business. However, this dependence on computers can also lead to huge problems for entities not prepared to handle the problems that accompany such reliance.
Cybercrime, cyberterrorism and cyberdisruptions are problems that exist for businesses and must be addressed. There are various risk management techniques to help a business manage them and one of these options is to purchase insurance.
The Insurance Services Office (ISO) has produced an insurance policy that addresses many areas of concern in the e-commerce area. EC 00 10 01 14, the Information Security Protection Policy, provides the insured with insuring agreements in eight separate categories. Here is an analysis of the policy.
The first insuring agreement declares the insurer will pay for a loss when the insured becomes legally obligated to pay for a website publishing liability. The scope of this coverage includes any actual or alleged error, misstatement, or misleading statement posted or published by an insured on its website that results in: an infringement of another's copyright, title, slogan, trademark, trade name, trade dress, service mark, or service name; any form of defamation against a person or organization; or a violation of a person's right of privacy. Note that the term "loss" on EC 00 10 includes compensatory damages and punitive damages (to the extent such damages are insurable by law), but does not include civil or criminal fines or penalties.
The coverage here is similar to the personal and advertising injury coverage that is provided under the standard CGL form with some noted differences. One difference is that the infringement coverage under EC 00 10 does not specify that the breach occur in the named insured's advertisement as does coverage under CG 00 01. And EC 00 10 applies to "any form of defamation" while the CGL form specifically mentions slander and libel. Of course, the violation of a person's right of privacy can occur under both forms in various ways, such as public disclosure of private facts or unauthorized release of confidential information (for example, a person's private medical records).
The second insuring agreement pertains to security breach liability. If the insured is held liable for the acquisition of personal information (held within the insured's computer system or in nonelectronic format while in the care, custody or control of the insured) by an unauthorized person, the insuring agreement offers insurance coverage to the insured. This agreement also applies to loss as a result of a computer system transmitting, by e-mail or other means, a virus to another person or organization.
The next insuring agreement pertains to programming errors and omissions liability. Any actual or alleged programming error or omission that results in the disclosure of a client's personal information held within the insured's computer system may lead to a claim or a lawsuit against the insured.
Insuring agreement three provides coverage for the insured. This agreement acts as complementary coverage for the previous insuring agreement. These three insuring agreements obligate the insurer to pay for both loss and defense expenses.
Suppose the insured suffers the loss of electronic data or a computer program stored within its computer system. EC 00 10 offers coverage for replacement or restoration of electronic data, under which the policy will pay the cost to replace or restore the data or programs, the cost of data entry, and reprogramming and computer consultation costs. The loss must result directly from an e-commerce incident. Such an incident means a virus, malicious code, or denial of service attack that is introduced into the computer system owned, leased or operated by the named insured with the purpose of damaging, destroying, deleting, corrupting or preventing the use of or access to any part of the named insured's computer system. So, if the insured suffers a loss of its electronic data by having its computer system attacked with a virus or malicious code, EC 00 10 will provide some relief. This relief, however, will not include the cost to duplicate research that led to the development of the insured's electronic data.
It is common knowledge that a company can be subject to an extortionist's threats to attack the company's computer system with a virus or some malicious code or threats to prevent normal access to the system, or even publish a client's personal information. The fifth insuring agreement in EC 00 10 offers to pay for the costs of hiring an entity to determine the validity and severity of an extortion threat, plus reward money paid to an informant that leads to the arrest and conviction of the extortionist. Any other reasonable expenses incurred by the insured for the fees and costs of negotiators and for the fees and costs of a company hired to protect electronic data from further threats are also covered.
EC 00 10 will pay for the loss of business income and extra expense due to an interruption resulting directly from an e-commerce incident. The interruption means an unanticipated cessation or slowdown of the named insured's e-commerce business normally conducted via the website or the e-mail system. The policy will pay the actual loss of business income the named insured sustains; any extra expense the named insured incurs is also paid. Note that the insuring agreement also will respond to an interruption of business resulting directly from an extortion threat.
The seventh insuring agreement applies to public relations expenses. If the insured has suffered negative publicity because of its responsibility for e-commerce security breaches or programming errors, or because the insured itself has allowed its private information to be publicized, there may be a decline in the reputation of the insured. In order to recapture the public's trust and future business, the insured will need a public relations campaign. EC 00 10 will pay for the fees and costs of a public relations firm to protect and restore the insured's reputation.
The final insuring agreement of EC 00 10 is to pay for loss resulting from a security breach. The payment here would include costs to establish whether a security breach has occurred, costs to investigate the cause, scope, and extent of a security breach, costs to notify all parties affected, the fees and costs of a call center to handle inquiries from parties affected, and post-event credit monitoring costs for victims of a breach. Since some laws may now require such activities, any insured that suffers a cybersecurity event will need insurance to pay the costs of the activities.
EC 00 10 has exclusions that will prevent coverage or otherwise curb the offered coverages. Some of the exclusions are loss based upon: war, bodily injury, any interruption in normal computer function or network service due to insufficient capacity to process transactions, power surge, pollution, and arising out of any claim brought by one insured against another. The insured has the responsibility to read the policy in order to know the exclusions.
This brief summary provided an overview of an insurance policy available to all businesses that could be subject to cybercrime or terrorism. While other non-insurance risk management techniques are available, each business must face the present and future challenges posed by the information age and make the best decision possible to manage the exposures that accompany this new type of crime.