Protecting cyber risk exposures
By David Thamann
Everyday use of, and reliance on, the computer to carry on today's business dealings is a generally accepted way of life. Computers handle business transactions ranging from the purchase of $10 in gasoline at the local station to the purchase of a $10 billion manufacturing company. The use of computers, no doubt, helps to smooth the flow of business today. However, this reliance on computers can also lead to huge problems for a business that is not prepared to face the problems that accompany it.
Cybercrime, cyberterrorism, and cyberdisruptions are problems that exist for businesses and must be addressed. There are various risk management techniques for a business to do so. One of these techniques is the purchase of insurance.
The Insurance Services Office (ISO) has produced an insurance policy that addresses many areas of concern in the e-commerce area. EC 00 10 11 09, the Information Security Protection Policy, provides the insured with insuring agreements in eight separate categories. This article offers an analysis of the policy.
The first insuring agreement declares that the insurer will pay for loss that the insured becomes legally obligated to pay (and defense expenses) for web site publishing liability. The scope of this coverage includes any actual or alleged error, misstatement, or misleading statement posted or published by an insured on its web site that results in: an infringement of another's copyright, trademark, trade dress, or service mark; any form of defamation against a person or organization; or a violation of a person's right of privacy. So, for example, if the insured exposes a person's private medical records and that person sues the insured, EC 00 10 will provide a defense for the insured and pay the damages for which the insured is liable.
The second insuring agreement pertains to security breach liability. If the insured is held liable for the acquisition of personal information (held within its computer system) by an unauthorized person, this insuring agreement offers insurance coverage to the insured. This agreement also applies to the unauthorized disclosure of such personal information.
The next insuring agreement pertains to programming errors and omissions liability. Any actual or alleged programming error or omission that results in the disclosure of a client's personal information held within the insured's computer system may lead to a claim or a lawsuit against the insured. Insuring agreement three provides coverage for the insured. This agreement acts as complementary coverage for the previous insuring agreement.
Suppose the insured is responsible for the loss of electronic data or a computer program stored within its computer system. Such a loss could force a shutdown in services provided for a client's customers and cause a loss of business for the client. EC 00 10 offers coverage for replacement or restoration of electronic data wherein the policy will pay the cost to replace or restore the data or programs, the cost of data entry, and reprogramming costs.
It is common knowledge that a company can be subject to an extortionist's threat to attack the company's computer system with a virus or some malicious code or a threat to prevent normal access to the system. The fifth insuring agreement in EC 00 10 offers to pay for the costs of hiring an entity to determine the validity and severity of an extortion threat, plus reward money paid to an informant that leads to the arrest and conviction of the extortionist. Any other reasonable expenses incurred by the insured for the fees and costs of negotiators and for the fees and costs of a company hired to protect electronic data from further threats are also covered.
EC 00 10 will pay for the loss of business to a client for which the insured is liable due to breaches of information security. The policy will also pay for a loss of business income the insured itself suffers due to the interruption of the insured's business resulting from an e-commerce incident. If the insured business itself has to cease operations or suspend e-commerce activities because of a threat against it with a computer virus or code, EC 00 10 will pay for the business income loss and for extra expense paid by the insured to get its business activities back in order.
The seventh insuring agreement applies to public relations expense. If the insured has suffered negative publicity because of its responsibility for e-commerce security breaches or programming errors, or because the insured itself has allowed its private information to be publicized, there may be a decline in the reputation of the insured. In order to recapture the public's trust and future business, the insured will need a public relations campaign. EC 00 10 will pay for the fees and costs of a public relations firm to protect and restore the insured's reputation.
The final insuring agreement of EC 00 10 is to pay for loss resulting from a security breach. The payment here would include costs to notify all parties affected by a security breach, the fees and costs of a call center to handle inquiries from parties affected by a security breach, and post-event credit monitoring costs for victims of a security breach. Since laws now require such activities, any insured that suffers a cybersecurity event will need insurance to pay the costs of the activities.
This has been a brief summary of an insurance policy that is available to any business that feels it is subject to cybercrime or terrorism. There are other risk management techniques available to businesses to counter cyber risks, but whether through insurance or some noninsurance technique, the business has to face the present and future challenges posed by the information age.