Better Understanding of Cyber Threats, Policies Needed
An increase in spear phishing and ransomware, coupled with weakened data security due to more connected and mobile devices, means businesses and insurers need to understand and protect against these threats. That’s according to an expert panel discussion held during the American Bar Association Torts annual insurance coverage litigation mid-year program.
The program, hosted by the Torts and Insurance Practice Committee, was held recently at the Arizona Biltmore Resort in Phoenix, Ariz.
According to Lisa Phillips, a national practice advisor for Wells Fargo Insurance Errors & Omissions Cyber Group located in Irvine, Calif., it’s important for business owners to understand cyber coverage and how different policies respond to varied exposures.
She explained some important factors in investigating a cyber breach include evaluating how it occurred, whether it was accidental versus intentional, internal versus external and whether the breach occurred as a result of a lost device versus a disgruntled employee.
Phillips said the structure of cyber policies varies according to the party protected. Third party liability policies cover privacy liability, network security, media liability and regulatory action, and may carry a sublimit. First party coverage includes reimbursement coverage, privacy notification, crisis management expenses and often credit monitoring services. In addition, other first party reimbursement coverages may include cyber extortion, business interruption and data restoration. Some insurers offering cyber coverage in the U.S. include AIG, Beazley, Travelers, Chubb and XL Catlin.
More insurers are offering loss mitigation and loss prevention services, she added.
Cyber underwriter for AIG’s western region, James Patterson, said his job is to educate agents and brokers. He offered key questions insurers should be asking potential policyholders:
- What type of information do you collect?
• PII – personally identifiable information
• PHI – protected health information
• PCI – payment card information
- What type of data does the applicant have and where is it located?
- Does the applicant limit access to data?
- How does the applicant know who they are letting in?
- How is access removed from those that don’t need it?
- How effective is the applicant at getting rid of data it doesn’t need?
- Has the applicant experienced prior breaches?
He said emerging threats include ransomware, bring your own device (BYOD) programs and IoT, which lead to more mobile, connected devices and weaker security.
According to Patterson, AIG is seeing an increase in cyber claims across every industry class.
Carrie Raver, a Fort Wayne, Indiana-based partner with Barnes & Thornburg, explained that other policies might respond to a cyber loss. She explained that commercial general liability, crime, errors and omissions, directors and officers and first party property policies may include coverage for cyber breaches.