The cyber insurance policy market is “a little like the Wild West of insurance,” but cyber insurance might help cover notification and legal costs incurred for data breaches or losses stemming from cybercrime, according to Scott Godes, an attorney with Dickstein Shapiro in Washington, D.C., and author of the Corporate Insurance Blog.
Cyber insurance policies might even cover losses resulting from a new type of phishing, “spear phishing,” noted Larry Ponemon, chairman of the Ponemon Institute in Traverse City, Mich.
“Cybercrime is changing,” Ponemon remarked.
One new threat to the security of employee data is spear phishing, in which hackers present themselves to employees as HR and say they need the employees’ passwords. The hackers figure out in advance who has the information they are seeking, through social media or phone calls.
By targeting key individuals with e-mails that contain the company logo and company URL, hackers can make surgical strikes against one or two individuals and obtain really good corporate data that they can sell on the black market, he said. The hackers might find the right e-mail for an employee with access to employee data by “friending” the employee on Facebook.
Ponemon said that as hacking becomes more sophisticated, more organizations are contemplating cyber insurance.
Variety of Cyber Insurance Policies
The type of cyber insurance that is offered “varies widely from insurance company to insurance company,” Godes remarked.
A cyber insurance policy might say it covers the cost of notifying people about a data breach, the cost of investigating a claim and the cost of defending a third-party lawsuit, he noted.
The two main types of cyber insurance offer coverage for unauthorized access to individual information, such as Social Security numbers and credit card numbers, and content liability insurance to cover the cost of defamation and intellectual property issues when employees produce Internet content, according to Ken Goldstein, vice president with Chubb Group Insurance Cos. in Simsbury, Conn.
Cyber insurance can offer coverage that typically is not afforded by a general liability insurance policy, noted Peter Foster, senior vice president with Willis North America in New York. General liability covers damages to tangible property but not intangible property like data or a breach of medical information.
Cyber insurance first started filling in that gap in the late 1990s, he said, noting that coverage was first offered by a small number of insurance companies, such as Zurich North America, Chubb, AIG and Lloyd’s of London. Originally, cyber insurance was offered to financial institutions.
General liability insurance has a basic form that most insurance companies work from, but with cyber insurance every underwriter typically develops its own policy, Foster remarked.
That said, it’s common for cyber insurance policies to cover privacy liability, forensics costs and breach notification costs, he noted. Breach notification might be required by the Health Insurance Portability and Accountability Act or by state data breach notification laws, noted Don Fergus, an independent risk consultant in the Washington, D.C., metro area, and chairman of the ASIS IT Security Council.
It’s important for risk managers and other professionals who are purchasing cyber insurance to look carefully at the insurance policy to see what is covered, said Eric Sinrod, an attorney with Duane Morris in San Francisco.
When HR is purchasing cyber insurance, “It’s very important for HR professionals to properly ascertain what the particular risks are and match up with potential coverage and price it out,” he said. “Some preventive steps can reduce the risk. It’s always a good idea to reduce risk unless preventive measures are more expensive than the risk.”
And Erich Bublitz, technology practice leader with ThinkRisk Underwriting Agency in Kansas City, Mo., said that HR should ensure that the data security insurance form covers not only data losses of external parties, but also those that affect employees.
Allen Smith, J.D., is manager, workplace law content, for SHRM.