Cyber Liability and Common Misconceptions

Cyber Liability insurance has been around for 10 years.  However, in the last 24 months, due to ongoing reports of high profile data breaches and cyber-related losses, cybersecurity has become a top priority.  This increased visibility has generated not only awareness of cyber exposures, but of interest in the mitigation techniques and risk transfer insurance products needed for protection.

Though most know and understand that Network Security is now a concern at the Executive Officer and Board of Director’s level, there are still a few common misconceptions of exposure and how it is recognized.

“We Use Third Party Payment Processors for Transactions”:
Often times, when companies utilize third party payment processors there is the misconception that both the job and the risk have been outsourced.  It is important to clarify that a data breach can occur even while data is in transit, not just while sitting with the payment processor.  Further, even if a breach were to occur with sensitive information at the payment processor you are still responsible under privacy breach laws.  This is true, even if the cause of the breach is the payment processors’ fault, and it is very likely they have limited their liability.

“We do not store Personal or Financial Data”:
Cyber criminals have become increasingly effective in accessing customer data whether housed on your company-owned computer servers or otherwise.  In several instances, they have even been able to appropriate data in real time.  This includes skimming credit card information, identifiable keys typed into a device, allowing them to access passwords, and other personal data.  The fact that companies do not house or store client data does not insulate them from Zero Day Malware breaches, Advanced Persist Threats, etc.

“We Have Transferred All Data to a Cloud Provider”:
While most of the major cloud providers have invested in a much higher level of security than most businesses, it is becoming increasingly obvious that nothing is foolproof.  The fact that a cloud service stores such high volume and diverse amounts of data may prove to be a very attractive target for a Level 2 or Level 3 computer criminal to compromise.  This is also another case where most reputable cloud vendors have been deliberate in crafting their contractual language to significantly limit their own liability if a breach were to occur.

In 2014 alone, Beazley, one of the leading Cyber Liability insurance carriers, noted that 85,611,528 records had been exposed.  Alongside those figures the Identity Theft Resource Center lists that there were 783 publically disclosed breaches last year.

It is important to identify and assess your E&O/Cyber exposure completely, work to mitigate exposure, and manuscript these custom insurance policies to specifically transfer and address those risks.