Many companies are seeking network security and privacy liability coverage
By Joan Tupponce
In the 30 years Northrop Grumman has been working in cyber security, the threat of a breach or other disabling attack has never been more dangerous.
“Cyber security threats are increasing rapidly in sophistication, breadth and speed,” says Robert Brammer, chief technology officer for Northrop Grumman Information Systems, the defense giant’s IT division, which is based in Falls Church.
“Those of us who have been in this business for a large number of years have seen the incidents go from defaced websites to theft of large volumes of intellectual property and money, military actions and so forth.”
Northrop Grumman, a consultant on cyber security to many federal agencies, including the Department of Defense, believes it’s imperative for companies to secure their entire enterprise: data, information, communications channels and mission.
Any company can be victimized by cyber crimes. That’s why a growing number of businesses are looking to network security and privacy liability insurance coverage to help identify risks and to guard against a breach.
“We’re seeing an increased interest because anybody that has a website has the exposure,” says Kris McCue, commercial line supervisor at Scott Insurance, an insurance brokerage firm based in Lynchburg.
Companies also are worried about cyber security because several federal laws carry penalties for firms that don’t have established practices for safeguarding confidential and/or customer information. For instance, the Gramm-Leach-Bliley Act requires financial institutions to explain how they are safeguarding sensitive information, while the Health Insurance Portability and Accountability Act guards access to patient information.
“Many of our health-care clients — managed-care as well as acute-care — have purchased network security and privacy liability coverage,” says Chris Schutt, managing director of Richmond-based Marsh Virginia, a unit of Marsh Inc., an international insurance brokerage and risk management company. “They have been interested in the past, but pricing, as well as thinking of it only as an IT product, kept them from purchasing.”
Many state and federal laws require companies to notify customers of a privacy breach. Those laws vary from state to state, as do the fines and penalties. “The privacy liability policy provides coverage for fines and penalties where allowed by law,” Schutt says. “Most clients do not realize the amount of private information they have on current as well as former clients and employees, and that they need to adhere to the notification requirements of the state where the person currently lives.”
For example, if a privacy breach affects a former Virginia employee who has retired and moved to California, the employer must follow California guidelines.
A number of industries carry significant cyber and privacy risks, including financial institutions, health-care facilities, law firms, retailers, investment advisers and Web-based e-commerce companies. Businesses are looking for coverage that is broad in scope. That’s one reason they’re interested in privacy liability: the coverage typically includes privacy, security, IT, intellectual property and media/content breaches (loss of data via media outlets, for example).
In offering this type of coverage, many insurers have debunked popular notions about how breaches occur. For instance, hackers are not responsible for most IT breaches. In reality, the majority of these incidents involve an employee not following standard procedures. Some breaches occur after an employee loses a laptop or flash drive that contains confidential information. “Everyone used to go back to the ‘our IT system has adequate firewalls’ [reasoning] but that’s not usually where the breaches come from,” Schutt says. “You have to change your mindset and get them thinking about the types of breaches that do not involve hacking.”
Chubb Group of Insurance Companies reports that half of the companies that suffer data breaches have fewer than 1,000 employees. While the number of businesses wanting coverage is on the rise, 65 percent of small businesses are doing very little to guard against a data breach, according to the 2009 National Small Business Cybersecurity Study.
“Cyber security is not a nice thing to have for American businesses; it is critical to their survival,” says Michael Kaiser, executive director of the National Cyber Security Alliance, which co-sponsored the survey with security software company Symantec Corp. “Our nation’s online health is critical to our economic prosperity and national security.”
When the coverage first became available in the past decade, it was costly, with minimum premiums of up to $20,000 a year. Today, the minimum premium is about $3,000. Insurers typically provide liability coverage when hackers infiltrate a company’s system and private information is disclosed. Coverage also is available for lost business if a computer virus interrupts operations.
McCue is starting to see more claims coming across her desk. “Technology is more portable,” she says, noting that many people who carry “smart” phones with vital information lose or misplace them. “Also, systems are easier to hack into.”
She also credits increased interest in privacy coverage to the “soft” commercial insurance market in place for the past seven years. Rates for network security and privacy liability coverage are priced more competitively in a “soft” market and more carriers are offering it, hoping to gain more business. “Carriers are hungry for business now,” McCue says.
The seven-year soft market stretch isn’t typical, and insurance companies are looking for ways to add more business to the books. “Historically you have a soft market and then a hard market for one or two years,” notes Steve Deal, USI’s regional CEO of the Mid-Atlantic Region, who is based in Richmond. “This cycle has had a more protracted length to it.”
As a result, there’s intense competition for customers. “It’s a food fight for market share,” says John Middleton, managing director of Wells Fargo Insurance Services in Richmond. “I don’t see anything on the horizon that tells me anything will change.”
The fierce competition, though, is a plus for businesses. Premium rates are either declining or remaining steady. In the third quarter, property insurance rates declined an average of 6.1 percent and general liability rates declined an average of 6.7 percent compared with the same period last year, according to a market report published by Marsh.
Casualty insurance, which includes workers’ compensation and general liability, is a buyer’s market, brokers say. “Premiums are down, based on risk exposures,” says Middleton. “Payrolls took a big hit and other exposures such as the value of buildings or equipment are stagnant. We are not seeing growth in our clients’ values and exposures.”
Even with rates declining, insurance companies continue to be profitable. Many have expanded the types of risks they are willing to write — classes of business they may not have written before — and broadened coverages. That’s been good for businesses. “This additional interest and competition has benefitted buyers’ cost of insuring their business,” says Alexander Green, president of AH&T Insurance in Leesburg. “The soft market has provided the opportunity to improve coverage for our clients.”
When profits do start to decline, those companies will start raising rates, heralding a turn in the marketplace. Walker Sydnor, president of Scott Insurance, points out that the last hard market was in 2001, the same year as 9/11. “We had a catastrophic event that impacted the industry,” he explains.
While catastrophes have struck this year, such as the earthquakes in Haiti and Chile, they haven’t affected rates. “It’s not like it’s been a loss-free year,” says Schutt. “We have had some hurricanes and earthquakes but we are still in a severe soft market.”