Third party liability insurance covers majority of cyber security risks
Fearing class-action lawsuits over the theft and or disclosure of data, businesses that collect or store personal information are buying third party liability insurance, the fastest growing segment of cyber insurance, say industry experts.
Cyber insurance is “particularly important for clients in financial services and healthcare,” says Jan Wleugel, Senior Vice-President at Marsh Canada, the world’s largest brokerage. “Because those clients face exposures to breach of privacy since they collect personally identifiable data on individuals.”
Barb Szychta, National Leader of High-Tech Segment at Aon Reed Stenhouse Canada, agrees, pointing out mid to small sized businesses can also purchase the coverage. “The [policies] we’ve done have been more the third party and they’ve ranged in premium. I know we have one where the premium quoted is over $200,000 and then another one…was around $7,000.”
What’s more, third party liability coverage, also known as security liability insurance is generally easier and cheaper to buy than first party liability, Mr. Wleugel adds. As for companies that rely deeply on conducting “business on the Internet, [they] would need first party coverage as well,” adds Ms. Szychta. First party coverage could be applied against monies lost from a business interruption caused by a computer virus.
For example, “If you’re a manufacturer and you do a lot of your…suppliers or customers orders through an extranet, then if that’s shut down, there’s a lot of business interruption loss.”
The new economy
There was a time when conventional property and liability policies included cyber risk, but data exclusions were “imposed on virtually all property policies that [were] renewed in 2002,” explains Mr. Wleugel.
Spawned in the late 1990s in response to changing business environments, where companies increasingly rely on technology to conduct their operations – the domain of e-commerce – cyber insurance is most popularly known for providing coverage against worms and viruses.
With such pet names as Love Bug, Melissa or Code Red, viruses worldwide cost businesses US$1.5 trillion annually, according to estimates by the Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI). The CSI is an association for computer security experts.
“Any minute you use the Internet…you have an extranet or an Intranet, you move into the new economy,” says Ms. Szychta. “And once you move into the new economy, you face new economy risks.”
Code Red hit 200,000 computers in July and August 2001, causing $2.5 billion in losses. The Love Bug was even more wicked, setting off $8 billion worth of gloom, says Electronic Data Systems (EDS), an American global information technology (IT) services company.
Importance of data
Earlier this year, a computer hard drive at ISM Canada in Winnipeg, a wholly-owned data management subsidiary of IBM Canada was stolen by an employee. It contained the personal information of hundreds of thousands of Canadians, and police were unable able to determine if the retrieved hard drive, overwritten with software had been copied.
Regina lawyer Tony Merchant of Merchant Law Group, launched a class-action lawsuit on a contingent fee basis for over one million people in the ISM case. Damages are being sought from ISM, The Co-operators Life, Investors Group, SaskPower, as well as the governments of Saskatchewan and Manitoba. All had customer records on the hard drive.
“The risks of the 21st century are not your buildings, your chairs, your tangible property but rather your data,” says Ty Sagalow, Executive Vice-President and COO of the eBusiness Risk Solutions Group of AIG.
The Insurance Journal contacted every party named in the class-action lawsuit. Five of the six replied: The Co-operators, ISM, Investors Group, SaskPower and the Saskatchewan government. However, only Investors Group divulged it had the required private cyber coverage to protect against data theft.
Ron Arnst, Media Relations at Investors, did not reveal the name of its carrier and policy details. The government of Saskatchewan is self insured, says Randy Langgard, Senior Policy Advisor, Cabinet Planning.
Doug Binns, Manager of Risk Management at SaskPower, a crown corporation, was much more guarded. “I don’t think I want to respond to that. I don’t want our insurance discussed in an insurance article,” says Mr. Binns. He says the lawsuit is “probably going to disappear because there are essentially no damages.”
Buying cyber insurance does not necessarily mean the policy covers all forms of damages. There are some grey areas. “In general, netAdvantage Suite (AIG’s cyber insurance) does cover theft of consumer information,” Mr. Sagalow says, not giving a clear cut answer as to whether or not AIG’s cyber products could respond to all forms of data theft.
The reason for that hesitance is because of troublesome policy wordings that “have not been tested by the courts, which is one of the problems,” Mr. Wleugel explains. “One area that needs to be addressed in all cyber polices is the issue of physical theft of electronic data. There’s ambiguity in the language as to respect whether there’s cover for physical theft of electronic data.”
Theft of data through physical methods differs from electronic data theft. This means there are no guarantees that a claim made by an insured in the ISM case will be paid without legal contestation: the courts are the definitive interpreters.
In response, starting April 6, 2003, AIG will provide a new option: coverage for the physical theft of data. “This is an enhancement that AIG is coming out with as a result of requests from the brokers community,” reveals Mr. Sagalow. “It obviously makes the policy go beyond its core, which is cyber attacks, but it’s an acceptable extension of coverage that we feel comfortable with.”
As one of the most successful providers of cyber insurance, AIG entered this niche in January 2000 with its netAdvantage Suite line and now has a 70% worldwide market share with approximately 2,300 polices sold, continues Mr. Sagalow. The insurer may even have a greater grip on the Canadian market. “I would say its [market share] is north of 70%,” Mr. Sagalow states.
Some of that vast AIG market share is a result of various divisions within the federal and provincial government says John Wurzler, Vice-President, eBusiness Risk Solutions Group for Canada at AIG. The insurance juggernaut has issued approximately 12 cyber policies over a three month period, December to February 2003, to select businesses that have contracts with either level of governments.
“The information department within the Canadian government has asked many of their vendors to have Internet liability coverage,” continues Mr. Wurzler. For example, the Canadian Institute for Health Information requires its vendors to possess cyber insurance, as does the soon to be operational Smart Systems for Health, an Ontario government initiative to develop a province-wide, electronic health network.
Despite such positive signs of growth, the product is not as popular as had been reported by the Insurance Information Institute, and other sources. “My early estimate was made nearly three years ago,” for a US$2.5 billion market by 2005, says Robert Hartwig, Senior Vice-President and Chief Economist at the Institute, “probably turned out to be overly optimistic.”
Mr. Hartwig now forecasts cyber insurance to hit US$250 million by 2005 with current worldwide premium volumes sitting under US$100 million. One reason why cyber insurance has not met the III’s initial targets is because there have not been a severity of hacker, denial of service attacks, viruses and SQL worms attacks, he adds.
Obtaining more expansive property insurance that takes cyber risks into account is not easy. Companies typically must first be evaluated and approved by a computer security organization selected by the insurer. AIG uses Unisys Corp., Cable & Wireless and Predictive Systems. The underwriting criterion requires a company to fill out a detailed questionnaire and go through an evaluation of people, process and technology structures continues Mr. Sagalow. Businesses must remedy any weaknesses before insurance can be purchased.
“This is the issue,” Mr. Wleugel says. “Our clients need to show that they are compliant with minimum security standards and that’s often very difficult. Many clients don’t qualify and have to do quite a bit of work in order to qualify, in terms of getting their security house in order.”
The netAdvantage Suite also features a program that pays policyholders public relations fees after a cyber event. In addition, “a reward for information leading to the arrest and conviction of a cyber criminal” of US$50 thousand is posted Mr. Sagalow boasts.
“At AIG we offer up to $25 million in limit and for companies that need more than $25 million we can easily arrange limits in excess of that, many times up to $100 million.” Cost, in terms of premiums can vary from US$1,000 for very limited coverage to policies in the hundreds of thousands of dollars.
Lloyd’s of London and Chubb Insurance also provide cyber insurance, but none have a specialized unit like AIG, says Mr. Sagalow. “They may have it as part of their fidelity department or crime department instead.”