Cyber Risk Insurance – Why?

We have been asked by our clients to explain Cyber Risk Insurance in simple terms, and in a way that they can explain the coverage to their customers.  Our clients have found this useful:

What is it?  Cyber Risk insurance provides protection from loss or inadvertent disclosure of confidential information such as clients’ or employees’ social security numbers, bank account numbers or credit card numbers, and from damage to or destruction of computer systems from computer viruses or hacking.  Additional protection may be provided for electronic theft of money and liability from electronic media.

What does it cover?  The obvious exposure is a data breach, an unintended loss or release of confidential data.  Breaches can occur because of hacking, but the majority of breaches are the result of employee errors – lost laptops & password releases. 

What does a breach cost?  Because of state regulation, notices are required for breaches involving specific types of personal information.  So breaches can be expensive due to the volume of data and the notice requirements.  Cyber Risk policies typically cover the direct costs to address a breach, plus legal expenses and settlements if you are sued.

Who needs it?  All organizations with confidential information or whose operations may be subject to disruption from the failure of technology should buy this coverage.  Who buys the coverage? – here are some examples of Cyber Risk accounts:

Doctors’ Office
Escrow Company
Contractor
Insurance Agency
Grocery Store
Museum
Bank
Restaurant
Zoo
Claims Administrator
Library
Medical Service Company
Communications Company

Is it already covered?  Cyber Risk coverage is not typically provided in standard policies.  In some cases Cyber Risk coverage is added (as an endorsement) to standard policies, but typically the limit is not adequate and the coverage is not as comprehensive as a standalone policy. 

How much does it cost?  Costs vary depending on the size and type of business, and the amount and type of information stored.  The process to get Cyber Risk coverage is (or can be) simple, and the cost is not expensive. 

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

 

Insurance Coverage for Hiring Illegal Aliens

We were recently asked if we had ever come across coverage for unintentionally hiring illegal aliens.  Our client had been approached by a customer that hires employees in different locations on short notice, and typically has high turnover.  The employment procedures are designed to prevent this, but errors in the employment process were possible.

We have a number of markets that will provide coverage for immigration claims on a limited basis via endorsement on Employment Practices Liability Insurance (EPL).  The idea is to provide limited coverage for unintentional employment errors, such as incomplete verification that may result in violations of the Immigration Reform Act.

While your customer may never have a need for coverage from unintentionally hiring illegal aliens, you should know the coverage is available for many accounts.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners 

 

 

Escrow Exposure & Cyber Risk Insurance



Title & escrow companies face Cyber exposures and should be buying Cyber Risk Insurance for protection.  While the cost of Cyber Risk insurance is not high, the consequences of being without can be.  Most Cyber Risk commentary focuses on the risk of data breach, which is a real exposure for many organizations including real estate companies.  However, a data breach is not the only risk.  Two recent lawsuits involving the theft of money from escrow companies using online banking systems demonstrate the threat and need for coverage:

Choice Escrow recently fell victim to the Zeus virus, and lost a significant sum of money from one of its escrow accounts.  According to reports and the lawsuit, hackers used the Zeus virus to steal Choice Escrow’s online banking access information, and wired $440,000 out of the escrow account to a foreign bank account.  Choice had to scramble to cover the stolen escrow monies, and is now suing its bank for the amount lost.

In a similar situation, Village View Escrow has sued a bank for the loss of $465,000 (see here, here, here).  Hackers used its online banking access information to initiate a series of wire transfers out of its accounts.  The escrow company had an email verification service, but it was disabled by hackers.

The exposure to theft of money is real, and with the right policy, theft of money by hackers can be covered through Cyber Risk Insurance. 

Cyber Risk insurance coverage provides protection from various risks associated with technology, including data breaches, but policy forms are not all the same.  Cyber Risk insurance is easy to obtain, provides broad protection and is inexpensive (see here, and our prior post here). 

Specialty Insurance Expertise: Tennant Risk Services

Supporting Insurance Entrepreneurship: Tennant Capital Partners

D&O and Professional Services

We have covered the role of the professional services exclusion in both General Liability (GL) and Directors & Officers (D&O) insurance policies previously (see here, here and here), but a recent client interaction demonstrates the importance of not taking client education for granted.  The insured was not sure why professional services were excluded from the D&O policies they were reviewing, and actually thought there were defects in the policy forms.  As part of our support of our retail insurance agent client, we pointed out:

D&O policies have a professional services exclusion for a reason, and the inclusion of the professional services exclusion is not a defect in the D&O form(s).  With the exception of a few specially targeted forms, D&O policies do not contemplate covering professional liability exposures.  The reason is that the professional liability exposure is typically different from the D&O exposure and can vary widely between insureds.  The thought is that the professional exposure should be underwritten and covered separately – within an E&O policy.  The intention is to motivate a discussion of exposures and cover professional services under a separate E&O policy.

Other sources support this:

• As part of a D&O policy, the intent of the exclusion is similar: to preclude coverage of traditional professional services that are sometimes performed by individuals covered by the D&O policy but should be separately insured. (IRMI: see here)
• A court case summary touched on this as well: The opinion highlights the need to ensure that potential coverage gaps created by the professional services exclusion are bridged by errors and omissions coverage.  (STB Law:  see here)

It is relatively easy to obtain E&O coverage for all types of professional exposures, but the exposures should be underwritten and covered in a policy form designed specifically for the exposure.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

 

Risk Management in the Cloud

Good post on risk management considerations when using cloud services from CyberInquirer – The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing. Note that the suggestion of changing vendor contracts with more favorable terms may not be available for smaller businesses.

Related, all companies with confidential data should be purchasing Cyber Risk insurance with limits adequate for the exposure and coverage matching the type of account.

Cyber Risk & Encryption: see our prior post and special information on our web site (here) on encryption and underwriters’ perspectives.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

The For-Benefit Corporation

There is a new corporate form gaining acceptance, and insurance agents & brokers should be aware of this, particularly when applying for directors & officers (D&O) liability insurance. Wikipedia provides a definition (see here, here, here & here):

A benefit corporation is a class of corporation required by law to create general benefit for society as well as for shareholders.

This new form of corporate entity is called a variety of names, including for-benefit corporation, benefit corporations and B corp. These entities are not to be confused with public benefit corporations, which are quasi-governmental entities.

The purpose of for benefit corporation law is to protect directors and officers from shareholder suits alleging any deviation from maximizing shareholder profits. This provides management with leeway to run a benefit corporation for the benefit of parties in addition to shareholders and for the benefit of the environment.

A number of states have passed benefit corporation legislation. According to the website B Corporation, 7 states have passed the enabling legislation. Maryland was the first, in 2010, and most recently California passed enabling legislation. There is also an organization called B Lab which certifies benefit corporations, and claims 450 certified entities to date.

It is unlikely that all professional liability underwriters will be up to speed on this new corporate form, and some education may be necessary when a for benefit corporation is requesting D&O and other liability insurances. (See here and here for additional information.)

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

Professional Liability Market Tightening – A Little

After many years of relaxed underwriting and rate declines we are seeing limited signs of tightening in all segments of the professional liability insurance market – E&O, D&O, EPL and Technology/Cyber. Most of this change is tighter underwriting rather than rate increase, but both are occurring – a little. Most importantly, many underwriters are not tightening and increasing rates, leaving competitive options for many accounts.

While there have been isolated changes during the last few years, the current changes impact many more classes. Here are a few examples:

• A private company D&O market is raising rates approximately 10% on all renewals
• Market withdrawals in A&E (architects & engineers)
• Market withdrawals in insurance agents E&O
• A technology/cyber market is looking more closely at security measures utilized
• An E&O market is attempting to get 5-10% increases on all accounts
• One EPL market is restricting terms in certain jurisdictions

Underwriting changes are concentrated in a few segments and markets. This is an opportunity for smart underwriters and also for creative brokers. Competitive underwriters remain, and brokers can find the best client solution with some work.

What is the best way to navigate this changing market?

• Make sure submissions are complete and clear. We may request specific information not noted on an application in order to improve the presentation
• Look for market alternatives – there are still many markets
• Prepare clients for the changes
• Utilize an expert wholesale broker (ok, like us!)

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

 

Small Companies at Risk of Data Breach

Small companies are at risk of hackers and resulting data breach exposure, and should be buying Cyber Risk coverage, according to Markel (see here).

Although the thefts of records at large corporations such as Sony have garnered headlines, hackers are finding it simpler going after small-to-midsize companies

Cyber Risk insurance is easy to obtain, provides broad protection and is inexpensive (see here, and our prior post here).  Our range of markets can provide Cyber Risk and Technology Professional Liability to all types of technology exposures.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

 

Encryption & Cyber Risk Insurance

Cyber Risk insurance underwriters have recently become more focused on the data security practices for portable media devices such as laptops, thumb drives and smart phones. Underwriters expect accounts with confidential data to use best practice to help mitigate the exposure, and we are seeing this put into practice as underwriters review encryption needs and use more closely.

Hackers are becoming increasingly successful in breaching security measures at both large and smaller organizations. While encryption is not a silver bullet, it does provide a level of protection from lost or stolen media. In a 2010 study, 46 percent of the lost laptops contained confidential data, only 30 percent of those systems were encrypted, and only 10 percent had other anti-theft technologies (see here). And lost laptops are the leading cause of HIPAA data breaches (see here).

Recent examples:

• BCBS employee loses laptop with info on 850,000 docs (see here)
• Stolen device held 520 patient records from a health office in Michigan
• Theft of laptop from employee home contained sensitive HR information
• Unencrypted flashdrive containing employee information lost during mailing to benefit provider
  Physicians smart phone, containing patient records, stolen from car
• Encrypted computer stolen from employee house, along with paper with password, contained patient records (see here)
• Stolen laptop contained names, social security numbers and credit cards numbers

A complicating and expensive factor is statutory notice requirements. Many jurisdictions have passed laws and regulations requiring notice to regulators and to individuals whose information may be compromised when a breach occurs, and the notifications costs and the adverse publicity are significant.

Underwriters are assessing the need for encryption by asking detailed questions, and for those accounts that do not use encryption underwriters are increasing pricing, declining risks, or carving back coverage (see here).

Please contact us for a Data Security and Encryption brief, and for more information on Cyber Risk and Technology Professional Liability insurance. Cyber Risk insurance is easy to obtain, provides broad protection and is inexpensive (see our prior post here). Our range of markets can provide Cyber Risk and Technology Professional Liability insurance to all types of technology exposures.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

 

Cyber Risk Insurance Need

Cyber Risk insurance is widely available and inexpensive, but not enough companies are buying the protection.  As noted in a recent survey by Towers Watson (see here), the majority of companies do not buy the coverage.  The survey of 164 risk and finance managers found that 73% have not purchased network liability policies. 

This survey was focused on larger companies, and we believe the uninsured number is much higher if small companies are included.  One estimate of the percentage of companies without Cyber Risk coverage is 80-90%, but our experience indicates that the number is likely in excess of 90%.

The obvious exposure is loss of data from hackers.  However, the majority of breaches are the result employee errors – lost laptops & thumb drives.  And sometimes these breaches can be extremely expensive due to the large volume of data residing on the lost media.

Technology coverages encompass a range of exposures.  Some are specifically tailored, and others are broader.  More information is available on the Technology page of our web site (see here).  Often these coverages are combined in one policy – which we call Cyber Risk – but sometimes the forms are not quite as comprehensive.

The names used to describe the coverage can be confusing as well, which is why we use the term cyber risk.  Some of the names used to describe these coverages include cyber liability, data breach, privacy, hacker coverage, network liability and technology E&O. 

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners