I am commonly asked why I chose to study insurance when I attended Penn State University. My answer is pretty simple—the curriculum did not require me to study a foreign language. However, I quickly discovered that insurance is its own foreign language.
The insurance language is comprised of words whose meanings have been altered from everyday use by “definitions” in insurance policies and often, decisions in court cases. We, in the industry, have learned the very specific insurance definitions and use them as such in our daily work conversations. Similar to a foreign language, these terms are often misunderstood by others without insurance agents acting as interpreters. Additional confusion occurs when there is a new insurance coverage and the industry has not yet settled on the use of standardized terms.
The current situation with Cyber Insurance is similar to a country that speaks the same language but uses numerous dialects. Presently, I have three cyber insurance quotes sitting on my desk. All of the quotes are for the same client but each came from a different insurance company. One of the coverages is termed “Security and Privacy Liability” by one carrier, “Privacy Liability” by another carrier and “Network and Information Security” by the third carrier. They all address the same exposure but use totally different terms.
Such inconsistencies in the terminology make it difficult to fairly compare the quotes. For that reason, I developed my own “dictionary of exposures” that I use to compare one proposal to another (think of exposures as things that can cost you money). With this dictionary, I do not expect that the non-insurance professional will be able to look at a quotation and determine what is or is not covered, but you can ask the appropriate questions to determine if the policy being proposed addresses/covers the specific exposures that are of concern.
There are three terms that will be helpful in understanding what is being proposed to you:
- First Party Coverages: Coverages that address/pay for exposures that cause direct financial loss to the insured (you). Example: A Property Insurance Policy that pays for fire damage to a building you own.
- Third Party Coverages: Coverages that address/pay for financial losses created by a Third party suing you (the First party) for which the insurance company (the Second party) is going to pay. Examples: defense costs, court-ordered payments to the Third party, or a contractual obligation you have to the Third party. Commercial General Liability, for example, is a Third Party Coverage.
- Personally Identifiable Information (PII): Information that can be used on its own to identify, contact or locate an individual. For example, credit/debit card data, social security numbers, etc.
Cyber Dictionary of Exposures (a list of exposures created by your company being active in the Cyber world!)
- Security Liability (Third Party Exposure): When a lack of security has caused damage to a Third party. For example, if your company network was used to transfer a virus to your competitor’s network and shut it down. Or one of your customers’ PII was accessed and used to steal their identity, deplete their bank accounts and damage their credit rating.
- Notification Costs (First Party Exposure): By law, you must notify your customers if their PII was released. This covers the cost to have forensic experts search your network to determine whose information was stolen and how, and it covers the cost to send letters to the affected customers. The information does not have to be “hacked”; PII could be released if a laptop, phone or thumb drive is lost!
- Crisis Management (First Party Exposure): Coverage to hire a Public Relations Firm to write notification letters, provide credit monitoring to the affected individuals, and send press releases to minimize your reputational damage.
- Media Liability (Third Party Exposure): Allegations of false, plagiarized, or fraudulent information on the internet. If your company is active on social media platforms, this coverage includes defense of the suit and payments ordered by the court if false accusations are posted online that ruin reputations.
- Business Interruption and Extra Expense (First Party Exposure): Coverage for lost revenue or increased expenses due to your inability to use your network because a hacker damaged your system. For example, if your company network was shut down and your employees could not work.
- Computer Program and Data Restoration or Digital Asset Loss (First Party Exposure): Coverage to restore your network data or databases. Most current property insurance policies do not recognize data held in an electronic form as “property” and do not provide coverage.
- Regulatory Penalties and Contractual Obligations to Others (Third Party Exposure): Fines and penalties, such as those under HIPAA, if you fail or allegedly fail to protect confidential medical information. If your company processes credit cards, you are subject to penalties from your contract with the Payment Card Industry (PCI).
- Damage to the Internet of Things (First Party Exposure): How much of your infrastructure is controlled by your computer technology and how much is connected to the internet for maintenance reasons? For example, Target was hacked through their HVAC contractor who had access to their network.
The exposures discussed to this point do not involve the criminal’s direct access to your money but such exposures exist and thus get their own subsection in my dictionary called “Cyber Crime”. All are First Party Exposures. The exposures below are unique in that some are addressed by the current Standard Crime Policy and others can only be covered by a Cyber Policy.
- Cyber Extortion: Coverage if a hacker loads or threatens to load malware on your network unless you pay money to them. They may allege the theft or potential theft of PII and offer to sell it back.
- Computer Fraud: Coverage if your network is used to fraudulently transfer funds (typically from your bank account) to the hacker’s account.
- EFT Fraud: Coverage if your network is used to fraudulently transfer funds by Electronic Funds Transfer.
- Social Engineering: Coverage if a hacker mimics you, a fellow employee or a valued customer through email and convinces someone to voluntarily transfer funds to the hacker.
- Telephone Billing Fraud: Coverage if a hacker sells phone time on your voice over IP, resulting in the used time being billed to your account.
It is important to understand that Cyber Exposures are evolving as fast as technology will allow and this is not an all-inclusive list. However, reviewing this list will help you identify exposures that are dangerous to your business and for which you need to have coverage in place.
When buying Cyber insurance, make sure you only deal with an insurance professional who knows and understands Cyber exposures and the Cyber insurance market. Cyber insurance is not a personal automobile policy (relatively standardized, often mandated by state laws, and any licensed agent should understand the coverages) and should not be treated as such.
In closing, do not assume that because you have security software in place you do not have exposure to cyber risks. Many buildings have still burnt to the ground even with functioning sprinkler systems. You need both Cyber Security and Cyber Insurance!