The Institute of Risk Management defines “cyber risk” as any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.
As the National Association of Insurance Commissioners has pointed out, problems have grown as individuals have become more reliant on electronic communications. Further, as businesses collect and transmit information electronically, including financial and health information, their exposure grows.
Representative cyber risks include:
• Identity theft
• Business interruption by hacking into a network
• Damage to business reputation
• Costs associated with damage to data records
• Theft of digital assets, such as customer lists and trade secrets
• Malware, computer worms and other harmful computer code
• Human error leading to inadvertent disclosure of sensitive information
• The cost of credit monitoring for people impacted by a security breach
• Lawsuits alleging trademark or copyright infringement
A bigger problem, as reported on March 8, 2016, in Business Insurance, is that bad guys are getting much more sophisticated. Before, they may have “just” stolen data and personal information, sometimes only to show that they could. Now, they steal it and resell it, creating a whole new dimension to the risk. They can also use it for blackmail and extortion. The possibilities and potential financial impact are virtually limitless. A small(er) enterprise can easily be wiped out and its reputation destroyed.
Most businesses have insurance to cover anticipated risks related to the business, but the owner may not have thought about a bank account being compromised. A common and broad policy is called a Commercial General Liability (CGL) policy. It provides coverage for a wide range of risks. But all insurance policies specify risks and causes of loss that are not covered (exceptions and exclusions). Also, a generic insurance policy, like a CGL, may not be right for the very specific risks that your business faces.
Insurance for cyber risk is specialized. It is usually purchased separately and fills critical gaps left open by a business’s broader coverage. A business must choose among cyber risk policies and the limits of coverage. The guidance of a professional is invaluable.