For any company, recognizing risks and guarding against them is all part of running a successful business. And risks can change with the changing times.
That’s clearly the case with one of the biggest and fastest-growing risks that businesses now face: cyber-related incidents. The World Economic Forum Global Risks Report 2019 highlights a significant increase this year in the risk of cyberattacks leading to theft of money and data, and disruption of operations.
Financial loss from cyber incidents is also on the rise. A global study by the Ponemon Institute and IBM Security found that the average total cost of such an event was $3.86 million in 2018, up 6.4 percent from the year before, with organizations in the United States having the highest total average cost at $7.91 million.
As cyberattacks become more frequent and more damaging, businesses are awakening to the fact that they must rethink their risk strategies – including insurance strategies – to protect themselves and their customers from the magnitude of cyber-related financial losses.
A generation ago, data was contained in paper files secured behind locked doors, or in computer systems that predated our modern interconnected environment. Thus, the risk of hackers breaking into company records was not something many companies gave much thought to when they purchased business insurance. Moreover, thieves had little interest in retrieving such content. Risk managers were more likely to worry about the physical hardware. So they would take out a property policy to insure the physical hardware and perhaps the loss of business income if the computers were lost to fire, storm, damage or theft.
But in our current digital age, most companies depend on enterprise-wide computer systems where all company information is often behind one access point, including the cloud, accessible anytime, anywhere. And the data those systems continually collect and store – including customer data – might be a company’s most valuable asset. That’s one reason why these assets are prime targets for cyberattacks. And that is why regulators have upped the ante on privacy safeguards companies must implement and the penalties for failing to do so.
With the changing business, legal and regulatory environment, companies can no longer rely solely on traditional commercial general liability (CGL) or property policies that may have sufficed a generation ago. To be a responsible risk manager in today’s world, a company must educate itself on cyber-related risks that continue to evolve; identify its own particular cyber-related exposures; and become familiar with the solutions the insurance industry has developed for addressing these exposures. Do traditional property and casualty policies address the full scope of cyber risks an insured faces? Or is it time to look at standalone cyber insurance policies designed to address risks specific to cyber-related incidents? To make these decisions, businesses need to understand how those policies differ from one another.
Property policies, for example, are generally intended to cover physical loss of, or damage to, the insured party’s real or personal property, as well as business income losses that result from such damage. But property policies typically either exclude or offer only very limited coverage for the loss of or corruption of electronic data.
General liability policies, meanwhile, are intended to provide an insured company with defense and indemnity coverage against third-party claims and lawsuits arising from bodily injury or property damage. CGL policies also provide coverage for a limited number of liabilities referred to as “personal & advertising injuries” – such as libel and certain other specific offenses. Based on CGL policy terms, exclusions and definitions, many types of cyber losses may not be covered.
That’s why cyber insurance has become so crucial. Cyber policies are specifically designed to fill many of the cyber coverage gaps in other types of insurance. Cyber policies provide specific coverages for losses caused by computer viruses, denial of service attacks, and the digital release of third-party information. They are also designed to cover costs associated with the replacement of digital assets, business interruption and extortion, and to provide coverage for the cost of compliance with state, federal and even international regulatory provisions governing data privacy and notification. Insureds that implement affirmative cyber coverage addressing first- and third-party coverages will be more resilient and confident that cyber risks have been addressed. Obviously, all policies are subject to specific terms and conditions which may vary from one insurer to the next.
So where to start, when considering cyber insurance? In assessing cyber risk, a company must consider various factors, including these:
- The types of non-public information in your databases that could damage the business if stolen.
- The value of all your data assets.
- The value of your customer data, and the vulnerability to your customers if that data is breached.
- The length of time your company could withstand a business interruption from a cyber attack.
- The financial impact of your company’s being shut down for a length of time.
Technology and cyber-related issues can be hard to grasp – not only because they are constantly evolving but because the concepts tend to be intangible and full of complexities. But businesses aren’t alone in tackling these challenges. Zurich, as a cyber insurer, possesses a dedicated in-house cyber risk engineering team to enhance your ability to avoid the risk of loss in the first instance. We work with businesses to design and implement cybersecurity strategies that include employee training on cybersecurity best practices, business continuity and overall cyber resilience that go far beyond traditional insurance.
With the cost of cyberattacks and data breaches breaking records year after year, now is the time for all organizations to reassess cyber risks, exposures and protection strategies. For many big businesses, the question is not whether an attack might occur – it’s simply a matter of when.