Do You Have Enough Cyber-Security Insurance?

By Peter L. Hedberg and Andy Obuchowski Jr.

Cyber-liability insurance has been around for two decades, yet it’s been widely marketed only during the past few years. This traditional product provides policyholders with coverage for a variety of losses they incur when remediating data breaches.

These include the cost of notifying their customers that a breach has occurred, hiring consultants to perform forensic investigations and data restoration, and mounting legal defenses against lawsuits arising from the breaches.

That may seem like a lot of protection, but there’s a huge gap in today’s cyber-security insurance policies: They provide little or no protection against the physical damage to systems and hardware that results from malware attacks.

Many of today’s traditional property insurance policies contain “sub-limits” of $20,000 or $25,000 per incident to give policyholders a modicum of financial relief for physical damage resulting from the introduction of malware—just as personal auto insurance policies’ “med pay” sub-limits offer modest coverage for no-fault medical claims. Unfortunately, those malware sub-limits come nowhere close to what the loss could be to organizations that have hundreds of computers and other devices that could be physically damaged as the result of a cyber-attack.

Cyber-Attacks Can Result in Significant Losses

Cyber-security insurance policies typically have not covered physical damage to IT systems. It was often thought that malware or a virus could not actually damage hardware, in part because the BIOS is designed to protect the system from physical damage, just as an electronic governor protects an engine from damage caused by excessive speed. However, hackers have shown that they can create viruses able to penetrate the BIOS.

Obviously, losses from physical damage to IT systems can be significant to organizations of all sizes, not just large enterprises. A small law firm that loses six months of work product as the result of physical damage arising from malware can proportionately suffer as much loss as an international telecommunications firm whose relays fail after a virus replicates throughout its system.

Therefore, it’s important that policyholders have an open dialogue with their insurance providers about options that might protect them against physical damage from malware, in addition to any liability claims associated with data breaches.

As hackers continue to infiltrate computers via new and increasingly creative techniques, policyholders need to speak up to ensure they have the necessary coverage.

The earliest data breaches focused on gathering personally identifiable information (PII) for identity theft. As hackers became more sophisticated, they started targeting intellectual property. Today, the highest threat levels involve cyber-terrorism that attacks infrastructure, both public (such as electrical grids and defense systems) and corporate or private networks.

How You Can Protect Your Organization

Most insurers don’t underwrite for losses associated with cyber-attacks on infrastructure. Insurers have decades of data they can use to quantify losses from natural disasters, but it is more challenging to put a number on physical losses from malware intrusion, since this is an emerging threat.

Moreover, policyholders face two types of physical damage risk from cyber-security breaches—the risk of hardware failure and its associated costs, and the risk of data loss. This is especially true if the hardware is destroyed to a point where policyholders cannot recover the electronic information or evidence needed to show that the valuable proprietary information is no longer on the network.

In addition to these losses, policyholders may also face fines from the Office for Civil Rights and, if it is a publicly traded corporation, the U.S. Securities and Exchange Commission. Right now, most cyber-security policies do not offer protection against these financial losses.

Experts have said that it’s not a matter of whether you will be breached, but when. So policyholders must have open lines of communication with agents and brokers to ensure that their businesses are fully covered if they sustain physical damage from malware attacks on IT systems.

Peter L. Hedberg, RPLU, is a senior technology underwriter with Hiscox USA. He can be reached at [email protected].

Andy Obuchowski Jr., is the practice leader for Digital Forensics & Incident Response Services at RSM US LLP. He can be reached at [email protected].