April 7, 2020

Decisions need to be made about the most pressing exposures to risk that may impact an organization. Consider "Cyber Risk" and the related "Cyber Liability": it is indisputable that this type of risk is significant, but how to address it beyond technology and behavioral controls can be a confusing question. How and where does an organization begin?
- Cyber Risk, as defined for the purpose of this dialog, is risk based upon the harmful use and manipulation of digital instructions and information, which has the potential to cause financial loss to intangible and tangible property, compliance expenses, reputational damage and business continuity issues.
- Cyber Liabilities, as defined for the purposes of this dialog, are the financial losses an organization faces when Cyber Risk manifests. Cyber Liability losses include 3rd party losses (money due to others based upon your misstep in managing Cyber Risk) and 1st party losses (direct and indirect losses to your assets and to the continuity of your operations, including reputation damage and a reduction in the value of Good Will).
Questions are the most effective place to begin, although the wrong questions may lead down a path to poor decision making. This article is designed to provide some guidance for organizations thinking about exposures to "Cyber Risk" and "Cyber Liabilities" in order to determine an effective way to address them.
Age and stage of development play an important role in the exposures that an organization faces; a natural starting point for reviewing "Cyber Risk" and the related liability is to consider it in the context of a business's Life Cycle.
The table below is a visual guide through which this process can begin.
The Life Cycle of Business – Risk and Insurance
Most Start Up organizations have more optimism than money, making conservation of cash and business development a priority over any consideration of Risk and Liability. Business development brings risks of its own, which include client perceptions about Start Up organizations: the ability to complete a project, and to remain in existence after the project in order to address any errors, omissions, additions or future needs. Clients will address these concerns through dialog and through contract; the latter is where most Start Ups are forced to consider a variety of insurance coverages. If the work brings the Start Up into close proximity or direct contact with client technologies and/or information, or the client faces compliance requirements with respect to the management of personally identifiable information (PII) or personal health information (PHI), then a requirement to address Cyber Risk via insurance and indemnification should be expected. Thus, while a Start Up may be able to avoid buying insurance as a risk management tool, it is likely to need insurance to meet contractual requirements in order to further its business development goals.
Growing organizations are making practical decisions with an eye on the future; developing cash flow allows the business more flexibility than a Start Up, yet a conflict remains when it comes to risk management and insurance: does cash flow get put into marketing and business development, or into risk management and insurance? These decisions often appear to exclude each other; in reality they are closely tied together, as appropriate risk management and insurance are themselves tools for business development, particularly to the extent a client believes that they mitigate the risk of doing business and satisfy due diligence needs (i.e. supply chain risk management). In addition, decisions are likely to be driven by risk management, capital infusions and supply chain risk. Supply chain risk deserves special attention: it is often overlooked but critical to growing organizations, which may use independent contractors to avoid the expense and uncertainty of hiring additional employees.
As an organization reaches Maturity, the risk management and insurance decision making process moves beyond business development, contractual risk, capital-driven recommendations and supply chain risk to include decisions based upon business continuity, compliance, reputation and good will. In a world where information and news are readily available and competition for consumer dollars is intense, reputation risk management equals or exceeds the need to protect physical assets from peril.
For a visual perspective on "Cyber Risk" and "Cyber Liabilities" see the graphic below.
How does the Business Life Cycle relate to “Cyber Risk” and “Cyber Liability” Decision Making?
Keep in mind the risk management and insurance concerns outlined above while reviewing them in more detail:
Business Development and Contractual Liability – Client risk concerns which manifest through Business Development will be spelled out in contract terms as indemnification agreements and insurance requirements. Where PII (personally identifiable information), PHI (personal health information) or direct or indirect contact with technology systems and critical data are involved, expect related indemnification and insurance provisions. While insurance requirements may not directly address "Cyber Liabilities", the indemnification will certainly capture these liabilities. If contract requirements broadly require "Cyber Liability" Insurance, it is critical to determine the specific coverage parts that are necessary to meet this need. (See the discussion below, Insurance to Address Cyber Liabilities – 3rd Party and 1st Party.)
Compliance Risk – Beyond addressing business development and contractual needs, this is the primary driver of Cyber Risk decision making. Compliance risk faces any organization that is required to meet the terms of the various data breach notification and information protection standards and laws, a potentially daunting task for the unprepared.
External Risk – See the table above.
Internal Risk – See the table above.
Risk Management Process – A proactive organization, most likely one in the Growth or Mature phase, will typically opt to manage a variety of risks and the associated Cyber Liability. The Cyber Risks may include reputational damage, loss of good will, property damage and business continuity. Addressing these risks may require a combination of Cyber and Traditional Insurance coverage.
Private or Venture Capital Recommendations – With increasing frequency, investors are becoming knowledgeable about Cyber Risks and requiring related Cyber Liability insurance coverage in order to round out investment risk management.
Supply Chain Risk – While many organizations manage the risks they face in a relatively effective way, most fall short on making sure their suppliers, contractors and consultants meet the same standard. This is often to their detriment and can create significant gaps in addressing risks and in meeting contract requirements that (often) flow down to the suppliers, contractors and consultants whose services are used.
Insurance to Address Cyber Liabilities – 3rd Party and 1st Party
Insurance to address Cyber Liability can take several forms depending upon the specific exposures that need to be addressed; hence the value of understanding those needs in advance of considering insurance. Cyber Insurance goes by a number of names, although the description which may best capture the coverage is Privacy, Network Security and Data Breach Insurance.
Coverage parts that are generally available include the following:
Privacy Liability – Funds for 3rd party liability that results from a Data Breach Event.
Network Security Liability – Funds for liability resulting from Network Security failures, including unauthorized access, denial of service, transmission of malware and more. It is likely that all organizations have a Network Security Liability exposure, but not all have a Data Breach exposure.
Data Breach Fund – Funds for the costs necessary to: determine the scope of the security failure that led to the Data Breach; comply with privacy regulations; notify individuals whose information was breached; provide public relations / crisis management; and address credit monitoring.
Regulatory Proceeding & Regulatory Fines – Funds to respond to a request for information, demand, suit, civil investigation or civil proceeding by or on behalf of a government agency; funds to pay 'defined' regulatory fines.
Electronic Media Activities – Funds for liability resulting from electronic media activities; coverage may include trade libel, disclosure of private facts, commercial appropriation of a name or likeness, plagiarism, piracy (other than patent infringement), misappropriation of others' ideas, infringement of copyright, domain name, trademark or service mark, and negligent dissemination of electronic content.
Asset Protection and Business Income – Funds for a business interruption resulting from 'defined' technology perils such as malware and more, including expenses for data restoration.
Network Extortion Threat – Coverage for extortion threats against data and computer systems, the analogue of kidnap and ransom coverage.
Computer Crime and Computer Fraud – Coverage for theft and fraud committed by computer.
Socially Engineered Crimes – The peril of 'trickery' through social engineering is on the rise, and a number of insurers now include coverage for it on a crime policy (by specific endorsement).
A Comment on Supplier Risk Management
Many organizations will take the time to evaluate and address the "Cyber Risks" which directly confront them; an often overlooked exposure is that brought by Suppliers. This exposure requires the same attention and evaluation, as unmanaged supply chain risk (risk created by suppliers, contractors and consultants) can be significant.