Cyber Risk is the fastest growing insurance product on the market, that much is true. But what products do your clients need? Matthew Davies of Chubb Insurance Canada takes a look at what is out there, and more importantly, what is needed.
Cyber insurance is designed to be very flexible and easily tailored to an organization’s needs. It has two components - a third party liability coverage which would respond to a demand for damages from someone who has suffered a financial loss due to a network security or privacy breach for which the organization was liable.
The other component is first party coverage that applies to the out of pocket costs that a company must pay in order to investigate and respond to the consequences of a network security or privacy breach that involves personally identifiable information of the organization’s employees or customers.
Cyber insurance also provides some very valuable coverage where other traditional insurance may not respond, such as a business interruption loss due to a cyber attack. Businesses can pick and choose to buy some or all first party coverages that are offered to suit their particular needs. (continued.)
#pb#
What are the loss scenarios for cyber risk?
Cyber coverage responds to more than just a denial of service attack or a hacker leaving malware on an organization's computer - it also responds when an employee has lost a laptop, misplaced a memory stick or had a smart phone stolen. It can be crafted to also respond to the loss of paper files that have confidential client information.
There are plenty of examples of privacy breaches or network security problems in the mainstream media - just type in Privacy Breach Canada 2013 into a search engine and you'll see dozens of well publicized stories about cyber risks.
What types of cyber risk are there? Where does that coverage fit in a policy?
Every organization has a cyber risk - even if they don't collect, store or use a customer's personally identifiable information (PII), such as a credit card or banking information. They will have PII in their data base about their employees that, if breached, could lead to identity theft for the affected employees.
Organizations that have employees or customers outside of Canada may be subject to specific legislation that protects private information in that organization's care, custody or control. That legislation may require mandatory notification of a breach of privacy to those affected and to local regulators, whereas that might not be the case in Canada. (continued.)
#pb#
Who is most at risk as a commercial client?
There are many surveys available on the Internet from organizations that study the spectrum of cyber losses - you should look at those studies done by: The Ponemon Institute, Verizon Security Consultants "2013 Data Breach Investigations Report", Mandiant "M-Trends", the 2013 Telus-Rotman "Joint Study of Canadian IT Security Practices", Net Diligence "Cyber Liability and Data Breach Insurance Claims", Edelman Study on "Privacy & Security: The New Drivers of Brand, Reputation and Action - Feb 2012".
Each of these has detailed information about which industry segments are reporting cyber breaches and the nature of those breaches.
How do you sell cyber risk insurance, explain the necessity of it to a client?
At Chubb, we explain to our clients that cyber risk is not only an issue that is of concern to the IT department or the chief information officer - it is an enterprise risk management issue that can affect the entire organization.
Privacy and network security is a corporate governance issue, it has implications for human resources and employee relations, it has compliance exposures if your company is subject to review by outside regulators, there are implications in respect to vendor selection and vendor management., especially when an organization chooses to outsource its IT services to a Cloud provider or to a sub-contractor for web hosting or application services.
There are aspects of physical security that are important considerations that an organization must think about in terms of who can access its premises and its computer resources. Having privacy and network security liability coverage is increasingly becoming a requirement that many organizations must fulfill when they enter into a contract with customers, especially if that customer is an institution, government entity or a large multinational.
We promote cyber coverage as an important part of the enterprise's overall management of its privacy exposure - it is a very valuable tool that will help an organization respond to a breach by providing the resources that they may not have considered putting in place prior to a breach, such as access to forensic consultants, specialized legal advice, crisis management and public relations firms and vendors that canprovide notification to those affected by a breach. (continued.)
#pb#
How has cyber risk grown in the last 10 years?
Chubb first introduced one of the first Cyber coverages in 2001 for financial iInstitutions. As the regulatory environment changed during the last decade to include mandatory notification of affected parties in various jurisdictions around the world, we expanded our coverage and offered it to a wider commercial audience.
We revised our coverage again in 2009 and at that time began offering it in Canada as we saw there was going to be a need for Canadian clients to be able to buy coverage for the quickly evolving exposures around privacy issues.
We have also invested in services, such as e-Risk Hub, a Web-based risk management portal, to help provide our clients with up-to-date information and other services related to cyber issues.
- Contributed by Matthew Davies, Senior Underwriting Specialist, Canadian Manager | Professional, Media & Cyber Liability, Chubb Insurance Company of Canada
