Cyber risk policies are a growing trend among insurance carriers. We have found such a significant difference between these policies that warrant some discussion. Cyber risk E&O Insurance polices are designed to cover claims relating to doing business over the net or having information (data) stored on a computer or other technological devise. Companies can be sued for the unauthorized disclosure of customer data ( third party exposure) and are also subject to fines, penalties and reporting requirements (First Party Exposure) relating to such disclosure. In this post we will just discuss the First Party exposure (cost to the insured to rectify the disclosure)
An example of an unauthorized disclosure is if an employee leaves a laptop on a train that contains personal and confidential information. Another, example would be if a disgruntled employee were to copy such information onto a disc or jump stick and finally an example would be a simple breach of your computer systems.
Each state has its own rules on what to do in the event an unauthorized disclosure. In general they require that in the event of the unauthorized disclosure of certain information (credit card numbers, social security numbers or birthdates) that the company notify those parties affected and in many cases provide at least a year’s worth of credit reporting. Such costs to a company can include:
1. Cost of forensic accountants/IT professionals to identify the scope of the problem
2. Cost of notification to all parties which can include certified mail. Imagine the staff and mailing costs of sending 100,000 certified letters, plus the cost of following up and maintaining lists of those that responded
3. Cost of personnel to field phone calls and letters
4. Cost providing credit reporting services to those affected
5. Marketing costs associated with defusing the situation and repairing the company's image
Every insurance carrier handles the costs noted above differently. We will address in other posts the significance of each.