David Parker, Vice President – Executive & Professional Liability
Thirty years ago, the most likely causes of a business interruption were physical threats, like fire, flood or theft. In the event of such a calamity, business owners and managers could find solace in their property policy, which would cover losses due to business interruption and help the company get up and running again.
Today, the risk landscape has become more perilous, as organizations engage in a constant battle against hackers and cybercriminals. Without the right safeguards in place, a business can fall prey to a data breach or denial of service attack and be thrown offline for days at a time, with catastrophic consequences. According to security firm Imprima, half of all businesses that suffer data loss for more than 10 days are forced to file for bankruptcy immediately, and another 43 percent of those organizations go bankrupt within the next 12 months. In short, a significant cyber event can lead to a company’s quick demise.
Unfortunately, it’s not a question of if, but rather when, a breach will happen. Companies of all sizes are being hacked, and cybercrime has become a significant exposure. The more data you hold, the bigger the exposure.
A Growing Threat
The number of software security holes exploited by hackers—called zero-day vulnerabilities—doubled in 2015, according to Symantec’s Internet Security Threat Report. Ransomware attacks also quadrupled in the first quarter of 2016, the report noted, reaching an astonishing 4,000 attacks each day since the New Year. Similar to sending a ransom note when a person is kidnapped, hackers will unleash malicious software into a company’s computer network and demand a ransom payment to restore the system. This past February, Hollywood Presbyterian Medical Center paid hackers $17,000 to get the California hospital’s network back online after a ransomware attack, and in April, hackers demanded $19,000 to decrypt company data for MedStar Health, a community-based health system based in Maryland.
The industries with the greatest exposure are healthcare, financial institutions, retail and hospitality, which have both the highest frequency of claims and the most expensive claims. Other cyber events that are on the rise include digital data breach, phishing attacks, and network-disruption events, such as denial of service attacks, according to a recent report sponsored by BitSight Technologies.
Even the government is not immune, as evidenced by the 2015 data breach at the U.S. Office of Personnel Management, the federal agency in charge of security clearances. Government officials believe more than 21.5 million data records were stolen, and perhaps more shockingly, fingerprints from 5.6 million people were compromised. Personnel Agency Director Katherine Archuleta was forced to resign following the incident, a social engineering attack in which the hackers posed as a third-party vendor. More recently, cybercriminals stole the social security numbers of 700,000 U.S. taxpayers after hacking into the data systems for the Internal Revenue Service this February.
For businesses, the financial fallout of these electronic attacks has continued to escalate as well, although the total cost of detection, recovery, investigation and incident-response management remains difficult to quantify. Globally, the average cost of cybercrime per company was $7.7 million in 2015, according to the Ponemon Institute’s yearly Cost of Cyber Crime study. The United States had the highest average, with large companies incurring $15.4 million in costs annually due to cyberattacks.
Steps to Safeguard Your Business
The increase in cyberattacks can be attributed in part to the growing use of mobile technologies, cloud-based servers, and social media, which have created new points of vulnerability for businesses. Consequently, companies in every sector are being hit by hackers daily. These events pose a significant risk not only because of the prolonged downtime for the business and reputational damage with clients and shareholders, but also because most organizations are not protected against the associated financial losses.
Traditional business interruption coverage applies to property loss, not data loss. So, if a tornado takes down your facility and in doing so takes down your network, the property policy will afford business interruption coverage. But the peril of a cyberattack is not covered under a property policy.
To have adequate safeguards against the full range of cyber threats, businesses should have Cyber Liability coverage with a business interruption extension in addition to standard property coverage. In addition, they should select an insurer with considerable experience handling electronic data loss and cyber business interruption claims. An insurer that has experience in this area can advise the client what to say to the public and when to say it, and avoid a gaffe like the one committed by Target following the 2013 data breach that affected roughly 40 million customers. The national retail chain made a major public relations faux pas by announcing the breach to the general public before the forensic investigation was complete and significantly underestimated the number of credit card accounts that had been compromised. Target was pressured to make a follow-up statement with revised figures, which painted a much bleaker picture for the retailer.
A carrier with more experience in cyber liability not only can provide better claims handling, but also has greater insight into how the policy does and does not respond to a security breach incident. Lastly, businesses should ensure that the carrier has access to a panel of leading advisors in the legal, forensic, public relations and credit or identity theft monitoring fields, who can provide sound advice and guidance on how to manage through a breach during the claims process.
In addition to Cyber/Data Liability coverage, companies in certain industries may want to add an endorsement for Dependent Business Interruption to cover any losses that can occur if a key vendor, supplier or SaaS provider goes offline. Having a Cyber Incident Response Plan (CIRP) also can help the business get back on its feet faster in the event of a cyberattack. Representatives from the IT and human resources departments, as well as company leadership, should all be involved in the development and testing of the response plan.
By monitoring systems for vulnerabilities, investing the time to plan properly for a cyber-event, and putting the appropriate insurance coverages in place, businesses can mitigate the very real threat of a cyberattack and electronic business interruption. A breach doesn’t have to be a disaster, but if you don’t handle it properly, it likely will become one.
This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty, and the analysis could be materially affected if any underlying assumptions, conditions, information or factors are inaccurate or incomplete or should change.
Copyright © 2016 Marsh & McLennan Agency LLC. All rights reserved.