The Age of the Data Breach

When PHLY first introduced its Cyber Security Liability product in 2009, most interested buyers were firms that held or processed large amounts of sensitive customer, patient, or employee data. Retail and hospitality businesses sought coverage in the event of a credit card breach. Healthcare providers were concerned about disclosures of protected health information and their obligations under HIPAA. Accountants, insurance agents, and other financial service providers worried about unauthorized access to clients' financial and other personally identifiable information. These data breaches could be carried out through physical breaches (physical theft of documents or equipment containing data), electronic breaches (unauthorized access or attack on a system or network where cardholder data is processed, stored, or transmitted), and skimming (the capture and recording of magnetic stripe data on the back of credit cards). Driving much of the concern were the ever-growing number of state breach notification laws. In 2002, California became the first state to pass such legislation, with other states gradually following suit (as of earlier this year, all 50 states, plus the District of Columbia and Puerto Rico, have such laws on the books).

Requiring breached entities to notify regulators and affected customers in a timely manner meant costly first party expenses. Expenses could include everything from attorney fees to help navigate the patchwork of laws from state to state, hiring forensic experts to determine the source and scope of the breach, notification costs, identity theft monitoring, and public relations expenses. The prospect of these security event costs - not to mention the possibility of individual or class action lawsuits from affected customers or other third parties - made cyber coverage a no-brainer for many industries. Numerous high-profile breaches of retailers, healthcare providers, and financial institutions highlighted the fact that no one was invincible and reinforced the need for cyber insurance.

The New Cyber Threat

While data breaches continue to make headlines and remain a major concern for many businesses and organizations, the cyber threat landscape has expanded over the last few years. Ransomware attacks have particularly proven to be a persistent and growing problem in 2017 and 2018, claiming victims worldwide. Ransomware - a data-encrypting malware - typically exploits known software vulnerabilities and locks out users from accessing data and applications unless a sum is paid to the hacker (often in bitcoin or other cryptocurrency). While the extortion amounts alone can be significant, the additional costs may be even greater - network downtime can lead to lost productivity and income, expert forensic advice can be expensive, and publicity of the event can damage the firm's reputation. Even in cases where the business is able to restore from backups to avoid paying the ransom, the data restoration expenses can be substantial.

As a result of this expanded cyber threat landscape and increased public consciousness, there is a growing demand for coverage from industries that may not handle a large volume of personally identifiable information, but instead face potentially devastating business interruption risk given their reliance on computer networks, websites, and other digital assets in their daily operations. Many organizations are increasingly dependent on outsourced data hosting, cloud computing, and software-as-a-service products. An outage or cyberattack against one of these vendors could impact any client that relies on the availability and integrity of their products and services. A compromise of industrial control systems, logistics software, health record systems, or any other aspect of a computer system - whether due to malware, intentional hacking, or operational errors by employees or outsourced service providers - could easily cripple manufacturers, wholesaler distributors, and healthcare providers.

Cyber Insurance - The Best Line of Defense

Awareness of ever-evolving cyber threats has increased the demand for coverage from a much wider range of industries, with organizations now more than ever seeking protection from business interruption, cyber extortion, and data restoration losses. Cyber insurance - including PHLY's Cyber Security Liability product - is designed to not only address the security event costs involved in handling a data or privacy breach, but also many of the other costs, expenses, and losses which can result from cyberattacks and computer system failures. Purchasing a cyber insurance policy also offers access to a network of experienced claim specialists, forensic experts, and data privacy attorneys. In the case of ransomware attacks, PHLY works with the country's top attorneys and forensic experts to contain threats and restore access to critical systems as quickly as possible. There are several steps organizations can take to plan for and mitigate the risk and impact of ransomware attacks, but when an attack does occur, having a Cyber insurance policy and expert resources in place is the best line of defense.

IMPORTANT NOTICE - The information and suggestions presented by Philadelphia Indemnity Insurance Company in this E-Brochure is for your consideration in your loss prevention efforts. They are not intended to be complete or definitive in identifying all hazards associated with your business, preventing workplace accidents, or complying with any safety related, or other, laws or regulations. You are encouraged to alter them to fit the specific hazards of your business and to have your legal counsel review all of your plans and company policies.