An increase in spearfishing and ransomware, coupled with weakened data security due to more connected and mobile devices, means businesses, insurers and their agents need to understand and protect against these threats, according to experts at a recent American Bar Association insurance coverage and litigation program.
Lisa Phillips, a national practice advisor for Wells Fargo Insurance Errors & Omissions Cyber Group, told attendees it’s important for business owners to understand cyber coverage and how different policies respond to varied exposures. Some important factors to consider in investigating a cyber breach include how it occurred, whether it was accidental versus intentional, internal versus external; and whether the breach occurred as a result of a lost device versus a disgruntled employee, according to Phillips.
Cyber underwriter for Amercian International Group’s (AIG) western region, James Patterson, said his job is to educate agents and brokers. According to Patterson, AIG is seeing an increase in cyber claims across every industry class.
Patterson offered key questions that agents and insurers should be asking potential policyholders:
- What type of information does the applicant collect?
• PII – personally identifiable information
• PHI – protected health information
• PCI – payment card information
- What type of data does the applicant have and where is it located?
- Does the applicant limit access to data?
- How does the applicant know who they are letting in?
- How is access removed from those that don’t need it?
- How effective is the applicant at getting rid of data it doesn’t need?
- Has the applicant experienced prior breaches?
He said emerging threats include ransomware, bring your own device programs (BYOD) and IoT, which leads to more mobile, connected devices and weaker security.
Wells Fargo’s Phillips said the structure of cyber policies varies according to the party protected. Third party liability policies cover privacy liability, network security, media liability and regulatory action and they may carry a sublimit. First party coverage includes reimbursement coverage, privacy notification, crisis management expenses and, often, credit monitoring services. In addition, other first party reimbursement coverages may include cyber extortion, business interruption and data restoration.
More insurers are offering loss mitigation and loss prevention services, Phillips added.
Insurers offering cyber coverage in the U.S. include AIG, Beazley, Travelers, Chubb and XL Catlin.
Carrie Raver, a Forth Wayne, Indiana-based partner with Barnes & Thornburg, said that other policies might respond to a cyber loss. She explained that commercial general liability, crime, errors and omissions, directors and officers and first party property policies may include coverage for cyber breaches.
The program, hosted by the Torts and Insurance Practice Committee, was held recently at the Arizona Biltmore Resort in Phoenix, Ariz.