
Do You Need Cyber Liability Insurance?


During 2015, an increasing number of small and medium businesses are accessing most of their business applications over the internet.

Hosted environments have some unique advantages over internally hosted solutions. One key factor is that the software solutions are secured and maintained by application experts, not by IT generalists. This approach delivers the best availability and lowest cost possible, and the hosted solution provides security, backup, maintenance and support to companies that use the selected applications.

While these are distinct advantages for companies, it’s important to note that current business controls and insurance policies do not adequately cover cloud-based IT solutions. In other words, many of the security risks remain the same as on premises, but accountability and business insurance models for cloud-based solutions can be quite different.

As a reminder, common IT risks could include:

  • Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed including such data elements as Social Security numbers, credit card numbers, employee identification numbers, drivers’ license numbers, birth dates, personal health information, and PIN numbers.
  • Business interruption from a hacker shutting down a network.
  • Damage to the firm’s reputation.
  • Costs associated with damage to data caused by a hacker.
  • Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
  • Introduction of malware, worms and other malicious computer code.
  • Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
  • The cost of credit monitoring services for people impacted by a security breach.
  • Lawsuits alleging trademark or copyright infringement.

 

Reviewing Insurance Policies and Controls

Once companies start using cloud-based applications, they must first look to adopt a strong vendor management policy. This includes reviewing an application hoster’s and application service provider’s security controls to ensure their company is adequately protected from risk.

After examining the controls, a company may want to adjust contract language or supplement the solutions with additional services which might include adding controls on the company’s side of the network.

Additionally, companies using cloud-based applications should look at insurance. Many companies don’t realize that the hoster’s insurance does not protect the customer; it protects the hoster. To ensure it has adequate protection, a company must perform a comprehensive review of its insurance policies to address its IT risks.

 

What Is Cyber Liability Insurance?

Managing “cyber” risks through insurance is relatively new. As the market for cyber liability insurance continues to evolve, it is expected to grow dramatically over time as businesses gradually become more aware that current business policies do not adequately cover cyber risks. (Source: NAIC) With each announcement of a system failure or breach leading to a significant business loss, the awareness grows.

Far more frequently, individual companies are impacted and nothing is shared by the media. Security experts also agree that attacks are becoming more frequent. Unfortunately, most companies only take action once they experience an issue, and then only to address the particular vulnerability that was exposed. This has led the government to step in with legislation that adds pressure for businesses to step up efforts to protect the personal information in their possession.

Cyberattacks may come from criminals, activists, external opportunists, terrorists and company insiders (both intentional and unintentional). Cyber criminals attack to gain some type of political, military or economic advantage. They usually steal money or information that can eventually be monetized, such as credit card numbers, health records, personal identification information and tax returns.

 

Purchasing Cyber Liability Insurance

Most businesses are familiar with their commercial insurance policies providing general liability coverage to protect the business from injury or property damage. However, most standard commercial lines policies do not cover many of the cyber risks mentioned above. To cover these unique cyber risks through insurance requires the purchase of a special cyber liability policy.

Note that cyber risk remains difficult for insurance underwriters to quantify, due in large part to a lack of actuarial data (remember those who don’t report the attack). Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber risk are more customized than policies for other risks insurers take on, and, therefore, more costly. The type of business operation will dictate the type and cost of cyber liability coverage. The size and scope of the business will play a role in coverage needs and pricing, as will the number of customers, the presence on the web, the type of data collected and stored, and other factors.

 

What Should a Policy Include?

According to the National Association of Insurance Commissioners (NAIC), cyber liability policies might include one or more of the following types of coverage:

  • Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
  • The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
  • The costs associated with restoring, updating or replacing business assets stored electronically.
  • Business interruption and extra expense related to a security or privacy breach.
  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
  • Expenses related to cyber extortion or cyber terrorism.
  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

Securing a cyber liability policy will not be a simple task. Insurers writing this coverage will be interested in the risk-management techniques applied by the business to protect its network and its assets as well as those actions taken to manage application hosting providers and their security controls. The insurer will probably want to see the business’ disaster response plan (note: not the hoster’s DR plan) and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property. The insurer will be keenly interested in how employees are trained to avoid security breaches.

But there is good news: Myappsanywhere’s data center has an SSAE16 attestation that provides key controls to customers who subscribe to Microsoft Dynamics in our cloud. From risk management, to vendor management, to the protection of IT assets, controls have been put in place to help customers address cyber risks.

Have additional questions about cyber liability insurance? You can reach out to Myappsanywhere Chief Strategist John Leek here.

