Few corporate risks are as amorphous as cyber liability, and few insurance products are as complex as cyber insurance. Small wonder that so many different insurance policies present a modicum of cyber coverage, but none offer comprehensive protection.

The problem can be traced to the word “cyber,” so broad that it encompasses a multitude of financial exposures, from denial of service attacks to computer viruses to a cup of coffee destroying a laptop. Other cyber risks include stolen or corrupted digital information, Internet-based libel and slander, and even such extraordinary hazards as an office building's computer-operated HVAC system shut down by a hacker.

The insurance industry has responded to these wide-ranging risks with a variety of insurance policies picking up different exposures. Errors and omissions liability, commercial crime and general liability insurance policies all offer some protections. For third party liability risks—a hacker breaching a company's database to steal the personally identifiable information of customers and/or employees (the third parties)—insurers have addressed this peril with cyber liability insurance.

While cyber liability insurance would seem a necessity, particularly in the wake of two recent major corporate data breaches involving potential identity theft—Target and Snapchat—not many companies buy the coverage. The reason is that different industries confront different levels of cyber liability risk.

“Clearly, this is an issue for retailers, financial institutions, health care and the hospitality industry,” said Kevin Kalinich, global practice leader, cyber, at insurance broker Aon Risk Solutions. “The majority of companies in these sectors buy the insurance. But, for other sectors, the purchase rates are much lower, even though every industry from automotive to pharmaceutical is leveraging technology in profound ways.”

Building the Customer Base

Insurance broker Marsh estimates that the market penetration for cyber liability insurance across all industries is about 25 percent to 35 percent, “give or take a 5 percent deviation,” according to Bob Parisi, network security and privacy practice leader. “We expect this to change now that many carriers are streamlining the underwriting process, providing truncated insurance policies and turnkey solutions to enterprises where interest has been less than robust.”

A key challenge for potential buyers, particularly smaller businesses without a corporate risk manager, is the cyber insurance application process. In many cases, the insurer wants detailed information on the organization's technology infrastructure and security protocols, which can be both time-consuming and expensive. “The process is very off-putting,” Parisi said.

This is changing, however. The insurance industry's plan to tailor policies to specific industries and types of businesses is expected to increase purchase rates. Another factor likely to spur greater interest is the high publicity surrounding the data breaches at Target and Snapchat. The retail giant was attacked from November to December last year, while Snapchat, a video and photo sharing service, was hit in January. The data breaches exposed millions of their customers' personally identifiable information to identity theft risks.

Hopping on the Bandwagon

Making the decision to buy cyber liability insurance recently is Concordia University in Montreal, which tallies more than 7,000 employees and 45,000 students, all potentially vulnerable to identity theft. “We have private, personal information on every single student and employee, including bank account numbers in some cases,” said Jean-Francois Baril, the university's corporate risk manager.

Concordia, a research-driven institution, also has in its possession a storehouse of intellectual property, including the R&D of the many large corporations that provide funding for specific research conducted at the university on their behalf. “It is our responsibility to protect this information,” Baril said.

This wealth of data, were it to fall into the wrong hands, could be financially and strategically devastating, insofar as Concordia's academic reputation is concerned. For several years, the university weighed the purchase of cyber liability insurance, but ruled it out, primarily for cost reasons. No longer is this the case. “We are in the process of buying cyber insurance,” Baril said.

This process first required the hiring of consulting firm PwC to examine the school's existing IT infrastructure and recommend measures to strengthen security and reduce overall risks. More than $500,000 has now been budgeted to improve the IT system, and in February insurer AIG will assess these controls. Once approved, Concordia will be provided an all-inclusive cyber liability policy, with a $100,000 self-insured retention.

Bank of New York Mellon purchased its first cyber liability insurance five years ago. “At the time, our perception of risks emanating from the Internet had grown,” according to Carmelo Casella, managing director corporate insurance, at the New York-based bank. “I also was reading these stories about companies that had lost customer data because an employee left a laptop on the subway.”

Since purchasing that initial policy, the bank has added to the limits of financial protection, from $10 million originally to what is now $50 million in insurance. The policy's coverage terms and conditions have also broadened. “The big expense is victim notification of a breach, which is broadly covered to include all out-of-pocket extra expenses like phone calls, letters, and so on,” he said.

The risk manager agrees that the initial underwriting process is onerous, as are subsequent annual policy renewals. “What I do is have my chief information security officer here with me when the underwriter visits,” Casella said. “Technology is a foreign language to me, packed with acronyms. Rather than be a messenger between the insurer and our IT people, I find it best to have us all in one room.”

Some businesses like The Lincoln Electric Company continue to mull the purchase of cyber liability insurance, but find it too expensive. “We've given it a close look the last three years as we evaluated our cyber exposures, and determined to self-insure the risk for the time being,” said John Hach, risk manager of the Euclid, Ohio-based $3 billion manufacturer of welding products, arc welding equipment, welding consumables, and robotic welding systems.

The company's risk evaluation included the creation of a model pinpointing the financial and reputational impact of a data breach. “The findings indicated that the average cost to rectify data breach losses of victims was roughly the same as the deductible offered by the insurer,” Hach said. “Consequently, it made no sense to buy the insurance. Rather, we're managing the risks by investing in our IT infrastructure. For instance, we recently went through an ‘ethical hacking’ of our system to assess if there were any holes.”

In between these examples is the State of Washington, which awaits direction from its Chief Information Officer on whether or not to purchase cyber liability insurance. “Right now, we self-insure (our cyber liability risks) and purchase reinsurance above it,” says Drew Zavatsky, loss prevention section manager in the state's Office of Risk Management. “Given the volume of personal data we possess, and the criminal skills of the hacking community, our CIO is undertaking a gap analysis to assess our security strength against the potential threat.”

It's a “huge” project, he notes, one that will not conclude for at least another year, due to the state's numerous agencies and departments. “The CIO could come back to us and say, ‘Buy the policy now,’” Zavatsky said.

Three years ago, this was not the case, however. “We stuck our toe in the water in 2011 to really give this some thought, but felt the premium was prohibitively expensive,” he recalls. “Still, this is one risk that just won't go away.”

Breach Bonanzas

Several well-publicized data breaches in recent years highlight the scale of potential financial impact, including:

  • TJX Companies' direct costs (2007 breach) have exceeded $250 million.
  • Heartland Payment Systems (2009 breach) reported more than $140 million in direct costs.
  • Sony (2011 breach) has booked $171 million in direct costs to date.
