Cyber Loss: First Party Vs. Third Party Losses
Business insurance leads and clients are starting to wise up to the threat they face each day in the world of cyber security, but there is still a slower rate of adoption than there should be. Either that, or clients are just not obtaining enough coverage to guard against the threats they face. They are, in a word, underestimating the dangers at the door. This is largely because they see it as a tech issue instead of the deeper problem that it really is.
Recently, Marty Frappolli, senior director of Knowledge Resources for The Institutes, stopped by the Claims Journal podcast to discuss the ways in which cyber security breaches can be “hard to understand,” not only for your clients but also for claims adjusters.
Damage to consumer data, complicated analysis on specific technologies involved in data breaches, and keeping up with court case rulings across the country are three areas that can cause confusion, he said.
For claims adjusters, he advised approaching a cyber loss “like any other claim,” which requires knowing coverage, exclusions and exceptions.
“Because it is an evolving risk, there is no typical cyber risk policy,” Frappolli said.
Subrogation of cyber losses can be complicated, “especially where a network breach is related to a vendor’s system” and there aren’t “many cyber expert claim handlers,” he added.
From the insurer’s standpoint, Frappolli believes “having a cyber forensics expert on speed dial” is essential and claims adjusters should brush up on local, state and federal breach notification laws.
As for business insurance customers and claims adjusters alike, it is important to understand the full effects of a cyber breach.
“If we look at cyber risk as a tech only issue we miss the larger point,” he said, adding that a breach is not always “due to a technical flaw in IT security.” One example he shared was that of USB memory sticks that were left in a company’s restroom labeled “confidential salary information”.
“As you might guess, employees picked them up, inserted the USB drives into their own PCs. That allowed the launch of hidden programs that captured and transmitted secured data back to the criminal organization,” Frappolli said.
Other tricks that a hacker might use include pretending to be a high level company executive who is calling to obtain a “forgotten password.”
To really understand the full effects of how cyber breaches can take hold, Frappolli identified two types of losses — first party and third party.
First Party Losses
- Damage to hardware, software and computer networks;
- Cyber extortion;
- Compromised or stolen data;
- Lost revenue and extra expenses due to business interruption;
- Breach investigation costs;
- Post-breach repair costs;
- Costs to notify customers or other stakeholders;
- Reputational damage.
Third Party Losses
- Loss of privacy;
- Damages to network security of trading partner;
- Liability for libel or slander;
- D & O liability for failing to defend against cyber attack;
- E & O liability for when a producer fails to secure adequate cyber coverage for an insured.
While it’s important for claims adjusters to understand all of the above loss types, it’s even more imperative that business insurance clients understand it as well, particularly the part about how mistakes in the “real world” can put the virtual one at risk. Often times, business owners, who are not plugged in to the technology side of things will assume that it’s IT’s fault when something goes astray. But as Frappolli has noted, many cyber breaches emanate from having the wrong people in the wrong positions and good old-fashioned lack of judgment.
While insurance against cyber losses has become more popular, the majority of small business owners still don’t realize the risk they are running every day without proper protection. As an agent, it’s important to know where all the risks are coming from so you can educate your client on how to avoid future catastrophes.