Insurance Market Source regularly taps into its network of experts for insight into key trends and developments across the insurance landscape. Ken LaBelle, Broker, Burns & Wilcox within the Professional Liability Center of Excellence, breaks down the ins and outs of privacy and network security insurance.
Q: Who needs privacy and network security coverage?
A: Businesses face the risk of an information breach every single day. Smaller companies tend to overlook how much they depend on technology and neglect to secure adequate coverages. If you are connected to the Internet, you are connected to the world, including all the hackers and extortionists. Any organization that operates online, maintains electronic databases for customers and employees, takes electronic payments or holds medical records carries a risk and needs to be protected by an insurance policy.
No matter the size, all companies, from major corporations storing large amounts of sensitive customer and corporate information to small local businesses, are susceptible to a cyber-attack. At minimum, businesses risk theft of employee and customer information and website hacking, which can lead to business interruptions, phishing attacks and loss of revenue. It is critical to have a policy in place.
Q: What do privacy and network security policies cover?
A: When an attack happens, there are a number of items that must be accounted for immediately, from credit monitoring and disseminating fraud alerts to enacting systems forensics and rectification, as well as handling any interruption to operations or extortion attempts. Privacy and network security policies support and protect all of these areas and enable the insured to focus on maintaining operations while a response plan is activated and overseen by a dedicated breach response team.
What is excluded from these policies is just as important. For example, social engineering (also known as cyber deception) coverage is not included in a standard cyber liability policy. Rather than an outside data breach, cyber deception involves tricking an employee into stealing sensitive information from the company or committing fraud. With social engineering exposing new vulnerabilities for companies, underwriters are starting to build this new type of risk into specific cyber policies.
Q: How has the recent introduction of EMV (EuroPay, MasterCard and Visa) technology in credit/debit cards in the U.S. impacted privacy and network security policies?
A: The liability shift in response to U.S. EMV chip integration in credit/debit cards is a great example of an adaptation that privacy and network security policies have to make. As of October 1, 2015, all retail merchants are required to install a payment terminal that accepts EMV chip cards. If they do not install the new technology and a data breach occurs, the retail merchants will inherit full liability, rather than the credit card company. While the EMV chip is designed to make payment data more secure, the technology is still new. Retail merchants should continue to protect themselves from any complications or breaches.