Standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible says Network World. The ruling that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The article explains the ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.
“
After that, the insurance firms changed their policies to state that data is not considered tangible property,” Kevin Kalinich, national managing director for network risk at Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.
Larry Ponemon, chairman of the Ponemon Institute, told Network World that the resulting complexity is a major source of push-back by potential buyers. “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are.” Mr. Ponemon told the author, “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want.”
Network World describes the types of cyber coverage available.
Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring, and credit restoration services for the victims, and other crisis management services, Ken Goldstein, vice president at the Chubb Group, told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts.”
Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.
Cyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Chubb’s Goldstein says.
Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.
Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, INSUREtrust’s Haase told Network World.
Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Aon’s Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses, “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later.”
Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss, “Backup policies are not always effective, and accidents and sabotage happen,” Mr. Haase says.
Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.
As for what coverage costs, Aon’s Kalinich told Network World that firms smaller than $100 million in annual revenue can expect to pay $5,000 to $15,000 per million of coverage, while larger firms would pay $10,000 to $25,000. For those over a billion, the price can be in the $20,000 to $50,000 range. Robert Parisi, senior vice president with Marsh, an insurance broker, and risk advisory firm put it simpler, saying the cost is between $7,000 and $35,000 per million. Of course, the lower ranges are for buyers who look like better risks — and deciding who is a better risk is another factor that makes cyber insurance a complex topic.
“You cannot get good insurance unless you have good security practices,” VP Kalinich says. “Due diligence underwriting has become more streamlined as the insurers have learned what to look for. They will typically benchmark you against other members of your industry.”
INSUREtrust’s Haase explained the cyber insurance purchase process to the author, “This is a complex purchase and you need a professional helping you. Most policies are highly customizable, and there are a lot of endorsements.” Typically the buyer goes to their local agent, and the local agent uses a specialist, Haase says. Both the local agent and the specialist get commissions ranging from 7.5% to 10% so that 15% to 10% of the premium goes to commissions.
Finally, Toby Merrill, vice president of insurer Ace Professional Risk cautions that cyber insurance buyers must understand that if they are outsourcing their data handling, they are not at the same time outsourcing their liability if there is a data breach. The onus of the various breach notification laws is on the organization that gathered the data, not on the organization that was storing it when it was exposed, he notes.
“Cyber insurance is not there to replace sound risk management,” VP Merrill told Network World, “It is there to supplement it.”
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Cyber-insurer Ace Group recently published data they say predicts a data breach. Based on their data (and the need to sell premiums) the insurer claims that all firms are at risk for a data breach. Matthew Prevost, vice president, ACE Professional Risk recently claimed data breaches are inevitable.
ACE has a unique position to speculate, according to ClaimsJournal ACE has over 15 years of experience with cyber-risk. The firm has cataloged a considerable amount of lost data. They recently shared several key insights from their proprietary data. FierceITSecurity explains that based on cyber insurance provider ACE data, the top triggers for data breaches are:
Network security attacks – 25%
Former employees accounted for 25 percent of insider attacks, and financial incentive was the motive in 72 percent of insider attacks, according to ACE.
John Moccia with 
