Cyber Liability

from Southern Colorado Insurance Center

Protecting your Business with Cyber Liability Insurance in Colorado

With everyone doing business online it is critically important to protect your business with a cyber-liability insurance policy.

A type of insurance designed to cover consumers of technology services or products. More specifically, the policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network.

Most notably, but not exclusively, cyber and privacy policies cover a business' liability for a data breach in which the firm's customers' personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm's electronic network. The policies cover a variety of expenses associated with data breaches, including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.

In addition, the policies cover liability arising from website media content, as well as property exposures from: (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion.

Cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Nevertheless, tech E&O insurance policies do contain a number of the same insuring agreements as cyber and privacy policies.

Cyberextorsion

A type of online crime in which a criminal threatens to damage or shut down a company's website, e-mail server, or computer system or threatens to expose electronic data or information belonging to the company unless the company pays the criminal a specific ransom amount.

Cyberextortion coverage

An insuring agreement contained within some policies written to cover claims associated with data breaches. Such policies are most often termed "cyber and privacy insurance," "information security and privacy insurance," and "cybersecurity insurance."

This insuring agreement covers the costs associated with a cyberextortion event (e.g., an insured receives an e-mail stating that the extortionist will introduce a virus into the insured company's website unless the company pays a $10 million ransom). The costs covered by this insuring agreement include (1) monies paid to meet extortion demands, (2) the cost of hiring computer security experts to prevent future extortion attempts, and (3) the expenses charged by professionals to deal/negotiate with cyberextortionists.

A few insurers do not offer cyberextortion coverage (also known as "e-commerce extortion coverage") because similar protection is available under kidnap and ransom insurance policies.

Similar to other cyber and privacy insurance policies, cyberextortion coverage is subject to an annual aggregate limit and an annual aggregate deductible. See also Cyber and privacy insurance; Kidnap/ransom insurance.

With experts predicting losses of nearly $10 billion for this year alone incidents of credit card fraud and related costs are on the rise.

These growing costs have prompted the credit card industry to reduce in-person counterfeit credit and debit card fraud by implementing CHIP or EMV (EuroPay, MasterCard and Visa) technology.

In addition to enhanced consumer protections, the introduction of CHIP/EMV technology protects the industry from a pending shift in the payment networks’ liability framework, which affects who is responsible for compensation costs for in-person fraudulent credit card transactions.

“Under federal law, if a card holder’s credit card number is stolen, but not the card, the consumer is not liable for any unauthorized use. The responsibility currently falls on the bank or financial institution that issued the payment card,” explains David Derigiotis, Corporate Vice President and Director, Professional Liability Center of Excellence, at southern Co insurance center “However once the new policy comes into effect this October, retail merchants will also be liable for fraudulent charges if they are not supporting EMV technology.”

According to Derigiotis, this could have a significant effect on cyber liability policies held by many retail merchants. Derigiotis has outlined three ways the shift to EMV cards will affect cyber liability:

1. Online purchases

As EMV cards are more difficult to replicate and use for in-store purchases, experts predict an influx of fraudulent online purchase attempts in the near future. Businesses therefore need to be mindful of their online presence and their capacity to accept online payments. To address this increased risk, brokers and agents should work with their retail merchant clients to ensure their e-ecommerce system has the right protections and adequate limits in place.

2. Payment Card Industry Data Security Standards (PCI DSS)

The PCI Data Security Standard is followed by many global payment brands to enhance control over cardholder data. Should a retail merchant be found non-compliant with these standards, they may receive a fine and/or penalty from the payment card brands they have partnered with. This fine can be covered under a cyber liability policy, however if the organization has not updated their technology to accept EMV cards, the insurance company may be unwilling to cover the cost. To ensure any incurred fines or penalties continue to be covered by a cyber liability policy, organizations should update their technology to accept EMV cards.

3. Insurance Premiums

Updating the point of sale (POS) technology to read EMV cards not only mitigates the risk of credit and debit card fraud, it demonstrates to insurers that an organization has a strong approach to risk management and cyber security. From an underwriting standpoint this positions the organization as a “better” risk and can result in more affordable insurance premiums on their cyber liability policy.

Without EMV technology, retail merchants are not only placing their customers at risk for counterfeit fraud, but placing themselves at risk of being held responsible for compensation costs. Worst still, without the proper insurance in place they may incur significant out-of-pocket losses if found liable. By adopting EMV technology and having a strong cyber liability policy in place retail merchant clients can be sufficiently armed to fight credit card fraud.

Like all business owners, you’ve invested a lot into making your business successful. Let the local independent insurance experts at Southern Colorado Insurance Center in Colorado Springs assist you with protecting your professional business with a Cyber Liability Insurance policy that is just right for you. As an independent agent, Southern Colorado Insurance Center can search the top commercial carriers for the best policy for your needs and budget.