— By Doug Groves —
Is your retail business insured for a cyber attack?
A critical piece of information for retail businesses and franchisees to consider is the exclusion of cyber liability from standard insurance policies. In fact, most don’t even sell or offer cyber coverage. As reports of cyber incidents increase by the day, now is the time for every business owner to review their insurance coverage with their provider. The upside of this 21st-century risk is the growing availability of tailored coverages and policies offering protection should a cyber-attack become a reality.
For reference, here’s a quick review of what is and isn’t covered under typical property and casualty insurance packages* for retail operations:
Most traditional property insurance will exclude digital assets.
Regular property insurance is not designed for digital assets. Extended or fire coverage for the property is normally carried for real, physical assets such as furniture, office supplies, materials used in business operations, etc. Digital assets include items like documents, videos, logos, spreadsheets and websites — any item that is stored digitally and has value.
Liability coverage is primarily designed to cover bodily injuries or damages to a third party, not a cyber occurrence.
General liability coverage is designed to pay on your behalf if your business is legally responsible for something done or not done that causes bodily injury or damages to a third party. Specifically, it covers the legal liability of a business for injuries or damage to any item of value, including anyone injured on your property or individuals who may require medical payments.
General liability insurance is also designed to cover personal and advertising injury, but not cyber-attacks.
Libel, slander, malicious prosecution and copyright infringement are examples of personal or advertising injury and are typically covered under general liability insurance policies. However, cyber-attacks are excluded from the list.
* It’s important to note that a package policy or a business owner’s policy is comprised of more than one coverage in a package.
No matter the size, all businesses are at risk of these exposures, and there has never been a more crucial time to understand them and research available options for protection. Cyber liability insurance is a specialized product designed specifically with cyber exposures in mind. Modern policies cover damages related to destructive cyber activity and are more comprehensive than ever before.
Commercial general liability insurance can pay for both first- and third-party costs associated with a cyber breach. First-party costs include those associated with notifying affected customers and employees of a data breach, as well as investigating the source and effects of the breach.
Examples of first-party costs include:
- IT forensics
- Notification systems
- Credit protection
- Crisis management
- Crime and social engineering
Third-party costs cover the legal aspects of a data breach, including legal fees and settlement costs, civil awards or judgments resulting from a lawsuit.
Examples of third-party costs include:
- Breach of contract
- Negligent protection of data
- Network security breaches
- Transmission of software viruses
- Denial of service attacks
- Defense of regulatory actions related to a breach
- Fines, penalties and assessments
Here are four examples of actual losses paid by cyber insurance on cyber claims — examples most every retail business can find relatable:
Compromised Credit Card Data
Credit card data from several thousand cardholders was exposed through point-of-sale equipment. Cardholder information was stolen by hackers ‘skimming’ payment terminals and then sold on the illegal market. When investigated, it was determined the business failed to maintain data security controls required under the Payment Card Industry Data Security Standard (PCI-DSS). As a result, the bank-imposed fines and assessments against the chain totaled $275,000.
In another instance, a credit union’s computer network was compromised when a hacking group emailed a malware program to several employees. The malicious software allowed the hackers to access confidential data stored on the credit union’s network and capture banking information for 20,000 customers and account holders. The total cost of customer notification, credit monitoring, digital forensics and legal consultation was $357,000.
Hacking a Stolen Laptop
A law firm partner had an unencrypted laptop stolen from their car. The laptop contained more than 10,000 client records with sensitive data, including social security numbers, medical records and billing information. All individuals impacted had to be notified and were offered 2 years of identity monitoring. A total of $105,000 in expenses was incurred as a result of the stolen laptop.
Ransomware and Cyber Extortion
This type of combined attack recently happened to a medical office when a hacker entered the practice’s network through unknown vulnerabilities, allowing them to install malicious software and encrypt personal health information, including patient medical records. The hacker demanded a ransom payment of five bitcoin to unlock the data. After a digital forensics investigation was conducted and the threat was deemed credible, the ransom was paid.
Today, most businesses are computer-reliant with files, information and data stored digitally. To protect your business and customers, a review of your cyber exposures with a qualified provider is critical to ensuring your total risk is explained, mitigated and covered should a cyber event occur.
— Doug Groves is founder of Program Insurance Group. Additional research and information have been supplied by Ashley Ganne, insurance broker with Brown and Riding. For more information, visit www.pigbcs.com.