Virtually every business today could be affected if something were to happen to its Internet-technology applications, databases or computer systems. In the modern age, everyone works in a technology bubble, whether they know it or not. Gone are the days when client information was stored in metal file cabinets or locked desks. All businesses, except for maybe the lemonade stand on the corner, utilize various degrees of automation. If you are automated, then you are susceptible to the threat of a breach of your systems, your data and your trust. Recently, one of the top insurance industry trade magazines had a cover story on cyber coverage, asking rhetorically, “Is it the new must-have coverage?” They now liken cyber coverage to workers' compensation, general liability, commercial auto and commercial property insurance. If you run a business, don't open your doors without it. A person who is running a current business, or someone who is starting a new venture, really needs to consider this as much as they would any other aspect of their business.
Below is a high-level outline of what cyber insurance really is and how it can affect a business.
Two types of coverage
A. Cyber liability
- Professional errors and the risks of doing business on the Internet or working with a network system.
- Data privacy wrongful acts (i.e., someone hacking in and stealing personal information).
- Network security wrongful acts (i.e., inadvertently transmitting a virus to another business).
- Content and media wrongful acts (i.e., illegally using/obtaining images or posting information on a webpage).
- Internet protocol wrongful acts (i.e., using a given address for reasons outside of business purposes).
- Personal information warfare involves computer-based attacks on data about individuals. It may involve such things as disclosing or corrupting confidential personal information, such as those in medical or credit files.
- Corporate information warfare may involve industrial espionage or disseminating misinformation about competitors over the Internet.
- Global information warfare is aimed at a country's critical computer systems. The goal is to disrupt the country by disabling infrastructure systems, such as energy, communication or transportation.
Direct cost implications
- Crisis management expenses.
- Loss of sales during the disruption.
- Staff time, network delays, intermittent access for business users.
- Increased insurance costs due to litigation.
- Costs of credit monitoring.
- Loss of intellectual property—research, pricing, etc.
- Costs of forensics for recovery and litigation.
- Costs for data restoration.
- Loss of critical communications in time of emergency.
Indirect cost implications
- Loss of confidence and credibility in your financial systems.
- Tarnished relationships and public image.
- Strained business partner relationships—domestic and international.
- Loss of future customer revenues for an individual or group of companies.
- Loss of trust in the government and computer industry.
- Loss of trust in your business.
Industries most vulnerable
- Financial institutions
- Volunteer organizations
- Insurance agents
- Doctors' offices
- Data breach
- Data theft
Examples of precautionary measures
- Install firewalls to protect computer networks against unauthorized access.
- Limit access to computing and information resources to authorized personnel only.
- Encourage, or even require, users to change passwords frequently.
- Conduct regular background checks of employees in sensitive positions.
- Install audit features that monitor logon and logoff activities.
- Provide warnings that unauthorized users may be subject to monitoring and prosecution.
- Develop a trap and tracing mechanism with local telephone companies and implement systems that identify outside callers.
- Report significant security breaches to relevant government agencies.
- Implement policies and guidelines regarding what can be posted and where and what information is accessible to employees.
- Provide resources, such as an employee handbook, on what is allowed.
- Identify and implement controls over external access to internal networks (through dial-in modems and extranets).
- Install antivirus software and require employees to scan all software and electronic files received from outside sources.
- Encourage employees to use encryption technologies, if appropriate.
- Implement security upgrades when they become available.
- Increase awareness among users of cyber terrorism and the importance of computer security.
- Communicate with other members of the industry and computer security professionals regarding best practices to protect computer networks and possible cyber terrorist attacks. 5/15
If you are concerned about your business suffering a cyber loss, and you should be, please contact Tim Russell to discuss purchasing a policy.
Content: Jim Pitz, PIA