The Times Are Changing!

mfancher

Willis calls 2011 the “Year of the Breach,” and says that while companies are rightfully concerned about their cyber exposures, they need to carefully examine their insurance coverages and risk-management strategies to ensure they are adequately prepared and protected.

“Cyber exposure and reputational risk are among the top three concerns of board members across industry lines,” says Ann Longmore, executive vice president of FINEX, Willis’ financial, executive risk and professional liability business. “The major assets of any Fortune 500 company, whether held in credit card data or the proprietary recipe for a soda, are intellectual, and attacking the operating system containing this information could bring a company to its knees.”

She adds, “The boardroom is full of intelligent people, but hackers are endlessly innovative, making this a constantly evolving duel between good and evil over assets and knowledge.”

The average size of a data breach in the U.S. last year was $5.5 million, states the Identity Theft Resource Center (ITRC). Already, 105 breaches have exposed almost 4.5 million records in just the first quarter of 2012.

Data breaches cost card-systems companies Visa, MasterCard and Amex $40 million in 2005; the U.S. Department of Veterans Affairs $26.5 million in 2006; and Sony $100 million in 2011.

The Sony incident occurred when computer hacktivists accessed Sony PlayStation Network (PSN) last April to steal the personal and financial information of about 77 million Sony customers, causing Sony to spend millions to prosecute class action lawsuits on behalf of the PSN victims.

And companies are finding that insurers aren’t paying up willingly for cyber attacks. For example, Sony was sued by Zurich America, its commercial general liability (CGL) insurer. The insurer stated that it never extended its general liability policies to data breaches.

According to Willis, a typical CGL policy defines “property damage” as a physical injury to tangible property. However, it does not always refer to electronic data, which is why it is important for companies to set policies and budgets offsetting the financial losses of cyber breaches. It could also benefit insurance managers to pick up endorsements for data breach, cyber extortion, and digital asset losses.

And because company directors and officers are often sued in derivative suits for failure to disclose and manage customer exposure, both public and private companies should ensure that D&O liability is flexible to cyber claims.

The U.S. Securities and Exchange Commission’s (SEC) Division of Corporate Finance (DCF) has issued an advisory that recommends disclosure steps related to cyber-security risks, but the SEC maintains that compliance is beneficial, not mandatory.

“Companies should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” states Willis in its third annual guide on executive boardroom risks, released August 2012.

Appropriate disclosures should discuss aspects of business and operations, including outsourced ones, which expose the company to cyber risks as well as the steps taken to mitigate them. An appropriate disclosure should also include the timeline of short- and long-term costs and consequences of breaches and descriptions of relevant insurance coverages.
 