If there was any doubt about the enormous cyber security challenge confronting businesses today, the following prediction should alarm corporate executives everywhere.
According to Cybersecurity Ventures, cybercrime damages will increase to $6 trillion in 2021. It’s being called the greatest transfer of economic wealth in history, more profitable than the total global illegal drug trade.
Cyber protection of sensitive corporate data requires rugged internal security protocols that must of course include data encryption. Also important is the training of employees to prevent them from taking the bait, thus opening the gate to an attack. Optimizing cloud-based security is another measure.
Yet if a breach does occur, companies can only turn to their insurance carriers and hope they can be compensated for any costs associated with the attack.
However, as Rachel Runge of Gowling WLG points out, companies relying solely on their current CGL policies may run into problems.
“Many traditional insurance coverages, such as commercial general liability, contain ‘electronic data’ or other exclusions that limit the extent of coverage available under such policies.”
That’s not to say all cyber claims against a CGL policy are invalid. Runge cites a recent Ontario Superior Court case between an insurer and its policy holder that determined, “where there is a mere possibility of coverage under the policy, the duty to defend is triggered.”
However, she adds, “The decision should not be taken to mean a standard CGL or E&O policy will provide ample coverage for cyber-related losses.”
As a result, specific cyber insurance is becoming an important consideration. Google itself is getting into the act, recognizing that even its cloud data storage is not immune to attack. The company announced in early March that it has teamed up with Allianz and Munich Re to provide what is said to be the first collaboration between a cloud provider and major insurance company.
Cyber protection is becoming more expensive, however, due to increased claims, says Moody’s Investors Services. Insurers are also challenged when assessing the risks, due to the shortage of data relating to what makes a company safe from attack.
Any insurer offering cyber insurance will want to know a lot about the potential exposure, writes Deepshikha Dutt of Dentons LLP.
“Is the company a data vendor or data owner? Are there overseas operations or call centres? What is the extent of the company’s internet operations? What is the extent of reliance on cloud storage computing?”
Furthermore, there will likely be exclusions for intentional acts by employees, something Dutt says is a growing concern due to the number of individual and class action lawsuits related to privacy breaches.
Nevertheless, Doug Tait of Thompson Dorfman Sweatman LLP in Winnipeg, Man., calls cyber insurance a “complicated necessity.”
“Unlike many insurance products which are now fairly standardized, cyber insurance policies currently have very little standardization, and policy wording may vary greatly between policies,” he writes. “While all the policies may be called cyber insurance policies, not all insurance providers offer the same thing. The subtleties between policies may not be readily apparent but there could be very important differences.”
Tait highlights the two types of coverage commonly available. First-party coverage relates to various forensic and notification costs. Third-party coverage provides reliance in the event of claims and suits from other parties affected by the attack.
Other risk considerations Tait suggests include: network coverage in the event of a system shutdown that causes the damage or loss of data; social engineering coverage, such as impersonations of employees or suppliers; hardware coverage in the event company computers are damaged and need replacement; and coverage for intellectual property and damage to corporate reputation.
Due to high premiums and deductibles, Tait recommends companies tailor coverage to their exact needs. He adds that, since this area of insurance is new, there may be room to negotiate provisions and to narrow exclusions.
“This willingness to negotiate can lead to an organization getting coverage that best suits its particular needs.”
John Bleasby is a Coldwater, Ont.-based freelance writer.