Click here to read the complete illustrated article as originally published or scroll down to read the text article.
It seems like every day there is another cyber breach impacting hundreds of thousands of people and costing businesses millions of dollars. Cyber-attacks are not just limited to large scale companies though. In fact, a report by Symantec on internet security found that 61 percent of small and midsize businesses experienced a cyber-attack in 2013.
Manufacturers and companies in similar industries are exposed to cyber-attacks and in unique ways. For example, a mid-size pallet recycling company with four plant locations and 300 employees had standard information stored on their network including engineering diagrams, payroll, account data and business documents. Standard firewall security was in place. However, when the company’s owner was working remotely, he opened an email from what he perceived as a recognizable address. Within a few seconds the screen went blank and the owner received a message that if he wanted access to the computer, he needed to pay a ransom. All of the data on the computer was already corrupted causing several production delays.
So when a cyber-attack like this happens who’s actually paying for all the defense, personal data monitoring, forensic investigation and network equipment replacement? Traditionally, it has been the companies impacted, and if covered, insurance carriers. In the case above, the company did not have insurance to cover the event.
Most companies rely on their commercial general liability (CGL) policy to provide that coverage. But, that’s about to change. The Insurance Services Office (ISO) recently revised its standard commercial general liability policy forms to exclude cyber coverage. It will take time for this exclusion to be widely adopted by the insurance industry, but as long as data breaches continue to increase along with the cost, it will be an industry standard exclusion for all.
Technology and network security are important for manufacturers; therefore, Cyber Liability insurance has become an essential component of a facility’s risk management strategy. Exposures to cyber loss are vast, ranging from the content you put on your website to stored customer data. Awareness of the potential cyber liabilities your facility faces is essential to managing risk through proper coverage.
Types of Cyber Liabilities for Manufacturers
- Data Breaches
Companies are responsible for protecting the personal information of their employees as well as clients. Exposures to a data breach can happen through hacking, loss of a laptop, unauthorized employee access among other means.
- Third Party Damages
These damages can have various forms. Transmitting a virus to another company or a data breach for companies responsible for protecting or maintaining data can result in third party damages.
- Business Interruption
Many businesses maintain this coverage for losses resulting from fire, natural disaster, etc. Most policies won’t provide coverage for loss of use of your computer system due to data breach, virus or other cyber issues that can shut the business down.
- Cyber Extortion
This is an area of increasing risk where hackers can control websites or networks and demand payment to restore your systems to working order. This may impact the ability to conduct business and can result in significant direct and indirect financial loss. Cyber extortion occurred in the above example.
- Intellectual Property
An organization with various online presences can inadvertently violate copyright or trademark protection resulting in legal costs and damages. Social media can also create exposure for an organization resulting in liability.
- So what should your facility do to make sure cyber liabilities are covered? First, consult with your insurance broker to determine if or what kind of Cyber Liability insurance is needed. With policies sold under names like “cyber insurance,” “privacy breach insurance” and “network security insurance” – the market for this coverage can be chaotic with a wide variety of premiums and terms from one insurer to the next. Before you buy or renew a cyber policy, be sure you understand what it is you are actually purchasing.
Guidelines for Purchasing Cyber Insurance
- Buy What You Need
With all the bells and whistles now offered by some insurers, it is important to stick to basics. The cyber insurance market is highly competitive with many insurers currently focused on building market share, so one might be willing to give you coverage or terms that another will not.
- Limits of Liability
One of the most important issues in negotiating cyber insurance is determining the appropriate limits of liability. Because cyber insurance is not particularly expensive, you should choose limits of liability in line with your total potential liability exposure in the event of a breach.
- Get Retroactive Coverage
Most cyber insurance policies limit coverage to breaches that occur after a specified “retroactive date.” This could mean there may be no coverage provided for claims made due to breaches that occurred before the policy period, even if the insured did not know about the breach when it bought the policy. Because breaches may go undiscovered for some time before claims are made, you should always ask for a retroactive date that is earlier than the inception date. This will ensure the coverage includes unknown breaches that occurred before the policy incepted but first give rise to a claim after it did.
- Be Aware of Broadly Worded Exclusions
It is not uncommon to find cyber insurance provisions that contradict the basic purpose in buying the coverage. Some policies broadly exclude coverage for any liability arising from a breach of contract.
- Be Aware of Panel and Consent Provisions
Many cyber insurance policies require that any investigators, consultants or attorneys used by you to respond to a claim or potential claim be drawn from a list of professionals that have been preapproved by the insurer. If you have consultants or attorneys you want to use in the event of a loss because they already know the business operations, it is a good idea to ask to add these professionals to the insurer’s preapproved list during underwriting.
- Allocation of Defense Cost
Where both covered and non-covered claims are asserted in the same lawsuit against you, an issue often arises regarding the proper allocation of defense costs: what portion of your defense costs must the insurer pay? There are a number of ways that insurance policies can respond in this situation, with some policy provisions being more advantageous than others.
- Obtain Coverage for Vendor Acts and Omission
Chances are that at least a portion of your organization’s data processing and storage is outsourced to a third-party vendor. Therefore, it is important your cyber insurance policy cover claims that result from breaches caused by your data management vendors.
There are a few other guidelines for protecting your manufacturing business from cyber-attacks and purchasing the right amount of coverage, including the use of indemnity agreements. Ensure your company is protected from all the different cyber exposures and consult appropriate insurance and legal advisors.
Tony Chimino is Chief Executive Officer, Assurance.