Risk Management for Electronic Data Loss
Jul 10, 2004 1:30 AM PT
Got Insurance? If your business has a presence on the Internet, you had better have it. Traditional liability insurance will not be adequate, however. Loss of income and data plus lawsuits filed against your business are the expected consequences of hacker and virus attacks. These are potentially more threatening to businesses today than negative cash flow and the threat of buyouts.
Doing business on the Internet -- even maintaining a safe presence online -- can be very costly. But insurance experts say the cost of not being covered for cyber disaster could be even more expensive.
Take, for instance, the worry that visited the business world in August 2003. Three new high-level worms hit the Internet in only 12 days. These digital infections sickened millions of computers worldwide and caused some US$2 billion in damages, according to a recent Symantec Internet Security Threat Report.
Don't forget the mayhem that SQL Slammer attacks brought to financial giants this past January. The virus caused bank ATM machines to freeze. It disrupted the Web sites of credit card companies and financial institutions, and caused problems with some airline ticketing systems.
Given these ever-increasing threats and the liability of human errors, many businesses are starting to reassess their chances for financial survival. To increase their survivability, companies big and small are taking on the cost of premiums for Errors and Omissions (E&O) insurance and "cyber protection" coverage.
One Size Doesn't Fit All
As Jon Pendleton, partner at the San Francisco-based law firm of Pillsbury & Levinson, sees it, litigation to recoup losses for such damages is on the rise. Increased cyber threats can shut down businesses. E&O and cyber specialty insurance protect companies from claims brought against them for product failures or malfunctions that result from hacker and virus activity.
In much the same way that no one type of automobile insurance will fit every individual, no one type of Internet insurance can safely cover every business. An E&O policy might suit the needs of one business perfectly. But another business venture might be better served with a cyber policy. Depending on the business experiences and the extent of vulnerability for loss, said Pendleton, a business might actually need both types of insurance protection.
E&O insurance is appropriate for any small, medium or large business whose revenue is based on the performance of a particular product they manufacture. E&O insurance provides protection for claims that occur when a product fails and when there is damage to intangible property, such as proprietary data and trade secrets.
Cyber insurance protects against damages caused by human error or as a result of malicious attacks and crimes, including fraud, unauthorized access, theft of customer information and Web site defacement. "Cyber insurance is for broader business audiences rather than technical Error and Omission insurance," Pendleton told the E-Commerce Times. "Purchasing of cyber insurance is growing rapidly."
Case Law Lacking
Michael Dandini, vice president of the Hartford Financial Products Division of Hartford Insurance, said business owners should develop a risk-management profile to determine exactly what insurance coverage is needed. Consulting with an insurance expert who knows technology concerns is critical in assessing insurable risks.
He compared the acceptance of E&O and cyber insurance today to that of unemployment insurance years ago. When the insurance industry began offering policies to protect against financial loss from sudden job loss, such coverage was not popular.
"Now, unemployment coverage is very commonplace," said Dandini. "Technical insurance will cover not just online threats but loss caused by error and omissions in general."
Cyber threats and electronic data loss are relatively new. As a result, judges in liability cases have to apply existing standards and adapt them to new developments. "There is not much case law yet on matters involving Internet-based losses," Dandini said.
Cost Versus Risk
E&O coverage and cyber insurance costs are based on several factors. Dandini said such factors include degree of risk, audience and hardware systems.
According to Dandini, business owners shouldn't accept or reject the need for such technical coverage based solely on the likelihood of disaster. It is not so much a case of what events would be exempt from coverage under traditional business insurance. Instead, it is a case of what the triggering event is.
"Most events won't be included in standard policy definitions," he said.
Dandini cited as an example an electronic parts manufacturer forced to recall a problem product. The particular item might not be physically damaged, but just doesn't work. Damage did not cause the recall, so traditional policies would not define the financial loss. As a result, the policy wouldn't cover the loss. An E&O policy would.
Given that reality, E&O insurance and cyber insurance make good business sense. Basic policies cost about $800 annually. For more flexible coverage, said Dandini, "The sky is the limit."
Checklist for Insurability
Lawyer John Pendleton highlighted three essential steps business leaders need to take to be prepared to handle loss.
First, they must establish a communications system. Before any problem occurs, a CIO needs to have a communication system in place so when it looks like a failure has occurred or if a company is getting major complaints from a client, he or she can easily notify the company's risk manager -- CFO, in-house counsel or someone used to handling claims.
"If a company goes into fix mode right away, it may have already compromised the coverage," he said.
Second, companies should notify their insurance broker. It is critical to get the broker involved so that together they can notify the insurer of the potential problem. Whether it is technically a claim or not, CIOs should loop brokers in sooner rather than later to prevent actions that would nullify the coverage.
"The insurer can say the company made a voluntary payment and won't pay what was spent to fix the problem. The broker can make sure coverage is utilized properly and act as an intermediary," explained Pendleton.
Third, company officials must contact the coverage counsel. It is never too early to contact coverage counsel to make sure the company is positioned properly. But Pendleton advises CIOs not to let the insurer know that coverage counsel has been contacted too soon in the process.
"That raises a red flag to the insurer, who may try to find reasons not to provide coverage. However, counsel can at least give advice in the very early stages of a potential failure."