Companies looking to purchase network security and privacy insurance for the first time only need to learn a quick three-step dance.
First, know that there are around 25 viable liability markets, so almost any company should be able to quickly get a quote that will likely have solid coverages and be reasonably priced. Although defendants ultimately do well in data breach litigation, getting there is not usually without significant costs. In other words, this coverage is definitely necessary — especially since it can include regulatory expense and often needs to be purchased in order to get the two coverages below.
Second, determine whether your total exposure is significant enough to merit higher limits or a better coverage grant on remediation expenses such as credit/ID monitoring, call center, notification costs, etc. Companies holding over 50,000 sensitive records should at least evaluate obtaining more robust coverage. The BCBS of Tennessee incident is a stark reminder of just how much such first-party expenses can hit the bottom line. During the evaluation process, companies should look at relatively new products from Beazley and Chartis that provide coverage tied to a pre-determined number of IDs, as well as insurers, e.g., AWAC, that provide full policy limits on this usually sub-limited coverage.
Third, determine whether you want coverage for network failure. A good example of how this coverage works can be gleaned from the headlines. If you go to the Lush corporate website (as of February 3, 2011), you will see the following:
We are very sorry to confirm that our website has been the victim of hackers. 24 hour security monitoring has shown us that we were still being targeted and there were continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website. For complete peace of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.
In addition to liability and remediation expense, there are a growing number of insurers who also provide coverage for lost revenue and added expenses incurred during such “lost downtime” — whether the downtime impacts a corporate website or a firm’s internal network. There are a few London insurance markets, including Barbican, who, in addition to the network security trigger for business interruption, also provide coverage triggers based on employee error and general systems failure. Any broker in the United States can access Barbican and these other London markets using London wholesalers such as Chris Cotterell of Safeonline.
And, that’s the NSAP insurance three-step dance.
Swing Your Partner Do-Se-Do