- June 01, 2015
By Bill Lydon, Editor
Cyber security risk is the “elephant in the room” for many manufacturing companies. A single cyber security incident can lead to significant losses for any company. It is unclear to me, and I am sure to many readers, what the insurance possibilities are for manufacturers. Insurance companies are working to ban cyber coverage under the commercial general liability (CGL) policies but are also offering separate cyber security insurance policies. I had the opportunity to explore this issue with Assurance Agency experts Jay Shelton, SVP of Risk Management, and Tony Chimino, CEO and Manufacturing Practice Leader.
Jay Shelton (left), SVP of Risk Management, and Tony Chimino (right), CEO and Manufacturing Practice Leader
What is the background of your company?
Assurance is among the largest and most awarded independent insurance brokerages in the U.S. We create value for our clients by minimizing risk and maximizing health for 6,000 businesses and individuals nationwide.
How do you describe the cyber security risk situation that manufacturing clients face?
Most manufacturing companies don’t think of themselves in the world of cyber being an issue. They don’t understand what a breach is and its implications. Manufacturing companies don’t always face the conventional types of cyber breaches you see in the headlines. For mid-size manufacturing companies, the cyber risk is more about loss of critical data through data corruption or cyber ransom and loss of confidential customer and employee information, such as billing and payroll files. Every company that utilizes technology and the Internet should take preventive steps to assess their exposure to cyber-attacks and data loss, and then create response measures to minimize the fallout from such an attack. The cost for not having protection can be high. The loss of data, network system replacement, business downtime, defense costs, lawsuits, victim theft monitoring and reputational damage can severely impact an organization’s bottom line.
What does the future look like for cyber security risks faced by manufacturing companies?
Cyber-attacks continue to increase across every industry, both in frequency and sophistication, and manufacturing is no exception. The investment in cyber defense will continue to be a significant expense to companies, and government oversight and regulations will move to a national level. Since 2013, President Obama has enacted several executive orders aimed at creating federal standards in cyber security. Additionally, Congress is currently working on legislation that would require companies to protect network infrastructure. Currently, every state has its own reporting requirements, and there’s very little consistency.
How is the insurance industry responding to cyber-attacks?
The insurance industry is responding to cyber-attacks on two fronts. The first front is by pushing the issue to ban cyber coverage under the commercial general liability (CGL) policies through the courts. This new coverage battle between carriers and policyholders is significant as many companies are relying on their CGL policy to provide coverage for a data breach. Secondly, the Insurance Services Office (ISO) recently revised its standard commercial general liability policy forms to exclude cyber coverage. It’ll take time for this exclusion to be widely adopted by the insurance industry, but as long as data breaches continue to increase along with the cost, it’ll be an industry standard exclusion for all.
How can a manufacturer determine the cyber insurance coverage needed?
When determining what kind or how much cyber insurance to buy, always start by asking “what do I need?” One of the most important issues in purchasing cyber insurance is determining the appropriate limits of liability. The costs of responding to a data breach can be substantial. Estimates vary, but the Ponemon Institute’s 2014 Cost of Data Breach Study estimated the average organizational cost of a data breach was $201 per electronic record. Next, be sure to get retroactive coverage. Most cyber insurance policies limit coverage to breaches that occur after a specified “retroactive date.” In some policies, this date is the same as the policy’s inception date, which means there may not be coverage provided for claims made due to breaches that occurred before the policy period, even if the insured didn’t know about the breach when it bought the policy. Because breaches may go undiscovered for some time before claims are made, companies should always ask for a retroactive date that’s earlier than the inception date. This will ensure the coverage includes unknown breaches that occurred before the policy incepted, but first give rise to a claim after the purchase of the policy. Finally, companies should not forgo purchasing a separate cyber policy because they think there’s coverage under the CGL policy. It’s important that a company understands how each policy will respond to a cyber claim.
Does a typical business liability policy cover cyber security losses?
It’s important to consider that traditional business liability policies typically don’t protect against most cyber exposures. Standard commercial policies are written to insure against injury or physical loss and will do little, if anything, to shield you from electronic damages and the associated costs that may incur.
The majority of traditional commercial liability (CGL) policies will not cover business interruption losses due to a cyber event. Luckily, cyber liability coverage can fill that void. Understanding how your manufacturing business can be impacted by cyber loss is a critical component of matching the correct coverage program to your greatest risk.
Another major concern is the loss of intellectual property due to a cyber-attack. Can this be insured?
Intellectual property can be insured but with every policy, you need to make sure it’s included in the policy purchased.
Does Business Interruption insurance cover cyber security attacks that limit or prevent normal business operations?
Many businesses maintain this coverage for losses resulting from fire, natural disaster, etc. Most policies won’t provide coverage for loss of use of your computer system due to data breach, virus or other cyber issues that can shut the business down.
Are there other cyber risks to consider?
Cyber Extortion is an area of increasing risk where hackers can control websites or networks and demand payment to restore your systems to working order. The easiest way to understand this is by thinking of it as a “cyber hostage” situation. This may impact the ability to conduct business and can result in significant direct and indirect financial loss.
Can manufacturers purchase cyber liability insurance?
Absolutely, many carriers offer a wide variety of cyber coverages. The key is to make sure you partner with an insurance professional that understands the variety and complexity to the cyber market. A big value of having cyber insurance is the provider has experts and a knowledge base that can assist you in understanding risks and dealing with cyber events.
Fire insurance rates can be lowered with investments such as installation of sprinkler and Halon systems. Are there things a manufacturer can do to get a lower cyber liability insurance rate?
Filling out an application for cyber insurance is fairly extensive. The application process is fairly extensive and it’s a great process that requires you and your staff to walk through all the ways of protecting data. What you do as an organization will raise or lower rates. The way you manage data, such as privacy settings, protections, backups, and other items, creates a profile of your company that is used to determine rates. The application process is a real benefit because most mid-sized manufacturing companies have not done a real analysis of their susceptibility to cyber-attacks.
What are the first steps a manufacturer should take to explore cyber insurance?
The first step is to discuss with an insurance professional the range of costs for cyber insurance. The reason we suggest that is they soon discover it is not a super expensive coverage and once that fear is taken away they move on to the next step.