Cyber Risk Insurance: When Conventional Liability Coverage Might Not be Enough

Businesses seem to be adopting cloud computing, e-commerce, and other internet technologies at an ever-accelerating rate, and these technologies continue to evolve and adapt to meet businesses’ needs. Insurance policies that protect businesses from losses and other liabilities, however, are not always so quick to change. For businesses that rely on various forms of electronic communication and data, this can create a gap in coverage and a risk of catastrophic loss. Some insurers have begun to fill the gap with “cyber risk” policies, and coverage is slowly beginning to appear in general liability policies.

Understanding Conventional Coverage

A standard business liability policy will cover ordinary losses, such as damaged facilities, broken equipment, or ruined inventory. This type of coverage is essential for the sorts of problems businesses have faced for millennia: damage in a storm or other natural disaster; theft or loss of essential business machinery or computers; injury to a customer on the business premises; or loss of inventory, such as spoilage of food during a power outage. Conventional coverage might include loss of electronic data as a result of equipment failure or force majeure, but it most likely will not include some of the newer threats of the internet era.

Unconventional Cyber Risks

Much of the data that a business acquires from its customers has migrated from file cabinets to hard drives, and from there to the “cloud.” Loss of cloud-stored data due to third-party service provider failures might not fall under conventional coverage. Neither would loss of data due to hacker breaches or service interruptions in a business’s website. Social media presents a particular challenge for insurance coverage, as it carries the risk of defamation claims for an ill-conceived tweet, or consumer fraud claims for a poorly written blog post. Cyber risk policies first appeared about five years ago, and they offer coverage for many of these types of events.

Case Study: Zurich American Insurance Company vs. Sony

In 2011, hackers breached two online communities maintained by Sony: the PlayStation Network and Sony Online Entertainment. The hackers reportedly obtained personal and financial information for millions of Sony customers. Class action lawsuits against Sony and its subsidiaries were not far behind. Zurich American Insurance Company brought a suit for declaratory judgment to determine exactly what claims, if any, it had to cover. Its complaint alleged that it should not be obligated to cover, indemnify, or defend Sony in any of the class action lawsuits. Sony’s general liability policies with Zurich only covered “bodily injury,” “property damage,” and “personal injury and advertising injury.” Zurich argued that breach of customer data, as claimed in the class action suits, did not fall under any of those categories.

Who Might Need a Cyber Risk Policy?

Cyber risk insurance is such a new area that the industry has established few standards or best practices. Applying for coverage can also be cumbersome and time-consuming. Businesses should carefully review their general liability policies to see what might be covered. They should evaluate their own risk of data breaches and other cyber-related losses, comparing that risk to the cost of obtaining additional coverage and the potential liability to customers and others for breaches. The businesses with the greatest risk and the most to lose from a data breach should be first in line to supplement their insurance.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today online or at (512) 901-0070.

Web Resources:

Complaint for Declaratory Judgment (PDF), Zurich American Ins. Co., et al v. Sony Corporation of America, et al, Supreme Court of New York, New York County, July 20, 2011 (CC BY-NC 3.0, via PACER)

Böhme, Rainer, Cyber-Insurance Revisited (PDF), Institute for System Architecture, Technische Universität Dresden, 2005
