It could happen to you

Experts explain how cyberinsurance could save the day if your network is violated.

Imagine that you’re in charge of the networks at an e-retailer that rakes in $100 million a year through e-commerce transactions. One day, hackers break into the servers that hold all your customers’ accounts and payment details, and news of the event begins to break in the media. Concerned that their data has been accessed by unauthorized personnel, customers band together and slap your company with a class-action lawsuit for failure to adequately protect their private information. What are your firm’s options to cover the legal costs of defending its case?

The company might have to delve deep into its pockets to pay legal fees and any settlement costs if cyberliability insurance does not cover them. The Insurance Information Institute, a communications body supported by the property and casualty insurance business, says commercial general liability insurance providers now specifically exclude data and other network security  risks from their policies.

A sampling of insurance providers and brokers who sell cybyerinsurance policies.

“There are limitations in the policy language of traditional insurance programs that don’t extend to cyber-risk,” says Aaron Latto, e-commerce underwriting director at the global technology underwriting unit at The St. Paul Companies of St. Paul, Minn.

The problem is that many policies were written and calculated before technology – particularly the Internet – became the underpinning of many businesses and transactions. According to New York insurance broker Marsh, Inc., traditional policies respond to liabilities and natural perils that damage physical assets, rather than network exposures that are “intangible.” Therefore, many traditional insurance carriers offer specific cyberliability programs instead. Experts say businesses, especially those that retain sensitive customer data and carry out transactions over the Internet, should consider cyberliability insurance that covers events such as hacker damage, customer privacy violations, intellectual property infringement and business interruption.

Let’s return to the scenario of the e-commerce firm whose servers were hacked. The company previously had decided to buy cyberinsurance because its entire business is based on online transactions and the protection of its customers’ data is paramount. The company’s risk manager – let’s call him Steve – found a local insurance agent by searching through the list of partners on the Web sites of some large insurance providers that carry cyberinsurance, such as AIG, The St. Paul Companies and Zurich North America. Steve also checked the regional offices of large national insurance brokers such as Aon and Marsh, and collected a list of agencies that focus on technology insurance through Tech Assure.

Steve chose an agent who collected information about the e-commerce operation, including revenue details and claims history. He applied for coverage from an insurance carrier that requires prospective customers to fill out an application of five to 10 pages and undergo an assessment of its network security infrastructure.

Insurance carriers use varying levels of security assessments, depending on the complexity of the network and the amount of desired coverage. “In a more basic security assessment, a security firm may analyze the applicant’s host system using scanning tools designed to detect security vulnerabilities,” Latto says.

The security firm doing the assessment might generate a report that details the findings, prioritizes any vulnerabilities detected and offers recommendations. More in-depth assessments might include analysis of the applicant’s written policies and procedures, physical site visits and interviews with company personnel.

For our e-tailer, the application and the assessment sought to gather details including the level of e-commerce transactions, the company’s patch management procedures, interfaces to the company’s Web site, and the terms and conditions for employees and visitors to the site.

Some carriers, including The St. Paul Companies, don’t require independent assessments, because the written applications provide enough information for the carrier to make a judgment of the level of exposure.

After reviewing the application and assessment report, the carrier offered Steve a cyberliability policy that covered:

•  Failure to protect confidential customer information.

•  The transmission of computer viruses to customer(s).

•  Infringement of third-party intellectual property rights (use of another company’s domain name, for example).

•  Claims resulting from online advertising for others, such as through Web links or frames.

•  Publicity rights violation (the posting online of a person’s likeness that was originally for use only in the e-tailer’s paper-based brochure).

A company such as our e-business with $100 million in annual revenue would pay between $10,000 and $50,000 per year for the above coverage, Latto says. The premium depends on the company’s revenue, its level of exposure and the kinds of controls it has in place.

After the break-in and dogged by the class-action lawsuit, Steve put in a claim to his company’s insurance provider, which reviewed the claim and decided that it was covered under “failure to protect confidential customer information.” The e-tailer would be eligible for a payout of between $1 million and several million dollars, depending on the policy’s limit for payouts.

The insurer would fund the legal defense and all covered damages resulting from a judgment or settlement up to the policy limit, Latto says.

“Class-action lawsuits are very expensive to defend,” he says. Even if the company is not at fault, it can still spend several hundred thousand dollars to prove [compromised security] was not their responsibility. Insurance helps to pay for your defense. And if you lose the defense and have to pay out in settlements, insurance is invaluable for that too.”