Despite risks, cyber insurance finding few takers

The Internet age has spawned a new type of criminal, hackers that can introduce viruses, malware or conduct simple theft. If you think it can’t happen to your company, guess again.
On Oct. 22, South Carolina’s Department of Revenue reported that as many as 3.6 million Social Security numbers and 387,000 credit and debit card numbers might have been exposed to a hacker in several recent cyber attacks that assaulted the department.
In September, U.S. Bank, PNC Financial Services Group Inc., Wells Fargo, JPMorgan Chase and Bank of America all reported that cyber attacks were attempted.
Regardless of a company’s size, the threat of a virus or hacking is a very real one. One virus could make all your data inaccessible and one breach could release millions of pieces of valuable information about your clients.
That’s why most insurance companies have started to offer cyber insurance or, in some specific cases, cyber-liability insurance. The response, however, has been tepid at best.
“You would think that there would be a big demand for it but it hasn’t really taken off,” said Brian Hunter, president of Hunter Insurance of Lincoln. “What’s happening is that a lot of these insurance companies, under their business-owner’s policies, are offering an endorsement where you can buy some limited-liability insurance coverage for it, as opposed to a separate policy that is a little more inclusive.”
Hunter said he offers two types of insurance; a first-party protection that protects the company’s computers from hacking and helps finance breach assessment and protection, and a second offers third-party protection should data such as Social Security numbers be hacked. If sensitive personal information becomes breached, the company has protection should a lawsuit be filed.
“It’s been a really hot topic over the last two or three years and that’s when some companies started offering special programs,” he said. “I find that most companies are not aware of it or they’re winging it, hoping it won’t happen to them,” he said.
“If your company works on the Internet they need it,” he continued. “They should at least … get a quote, and then come to a decision as to if they need it or not.”
The ramifications of a breach are significant. According to the 2011 Cost of Data Breach Study: United States, written by Symantec of Mountain View, Calif., and the Ponemon Institute of Traverse City, Mich., the average cost of a data breach was $5.5 million in 2011, down from $7.2 million in 2010. Symantic is a computer-security company and the Ponemon Institute is a research center dedicated to privacy, data protection and information-security policy. The primary cause of a breach of sensitive data was attributed to negligence by a corporate insider, according to the report. It also noted that breaches resulting from a cyber attack were 25 percent more costly to the organization than those due to other factors.
The study examined data collected from 14 different industry sectors and included analysis of 49 separate data-loss events.
At the Travelers Companies of New York City, three types of cyber products are offered. The first is called cyber-first essentials, a basic package of insurance coverage for those that don’t require extensive and in-depth coverage. Like all the company’s cyber products, cyber-first offers both first- and third-party coverage.Travelers’ Timothy Francis is the enterprise cyber lead for insurance and stresses the need for liability insurance. “There are now 47 states and territories that require that if a company holds personally identifiable information, or health information, and there is a breach or the information is compromised, it has to be reported publicly,” he said. “The company must also conduct its due diligence and make a good-faith effort to communicate to those victims the facts regarding the loss.
“What you read in the papers might be compelling and attention-getting, it’s really just the tip of the iceberg” regarding such losses, he said. Now because of the requirement, businesses are becoming more aware of their exposure and more sensitive to the reputational damage that could occur. Customers could be lost.
“That’s where a lot of the risk control and the protection of the policy come into play, not just dealing with the actual events and the specific obligations that you have under the law, but really a protection of the bottom line,” Francis said.
As for the industry as a whole, Francis, like Hunter, believes cyber insurance still suffers from a lack of appreciation by the public. “I think people might not understand or fully appreciate the core coverage,” he said. •

No posts to display