The headline article in the Insurance Journal last month reads, “Concerns Over Cyber Security Risks Outweigh Traditional Risks for Large Firms.” The article went on to explain that a cyber security breach is more worrisome to most companies than the risk of natural catastrophic loss caused by fire, explosion, and wind damage, because natural disasters are normally covered by property insurance.
Since a cyber security breach is currently not insured by the general liability policy, your company has no coverage unless it buys a separate cyber liability policy. So the question is: Why should you buy a cyber liability policy?
If you are like most propane marketers, you keep personal data on your customers and employees, either in hard copy or on your company’s software program. Customer tank lease agreements many times include the Social Security number of the customer.
Many companies keep employee records on laptops, notebooks, iPads, iPhones, and other devices that can be lost or stolen. The records might include full names, dates of birth, addresses, and Social Security numbers. In addition, companies may have customer records that have credit card numbers that are kept on file so the customer can call in an authorization to utilize the credit card to pay for a propane delivery.
Increasingly, propane companies are moving to point-of-sale credit card terminals to facilitate ease in customer payment options. The trend now is for the bobtail driver to have the ability to have a point-of-sale terminal in his truck.
All of the above situations put your company at risk of a cyber security breach from either a disgruntled employee or an outside hacker.
The news is full of examples. A major grocery chain was hacked in Illinois, putting the company at risk for thousands of customer transactions that the hacker was able to obtain. A disgruntled former employee posted a propane company’s customer list on the Internet.
When we talk to owners of propane companies about the need to purchase cyber liability insurance for their company, many respond that they are PCI (payment card industry) compliant, and therefore do not need to consider the coverage.
PCI compliance is a credit card program designed to safeguard customer information. The Payment Card Industry Data Security Standard (PCI DSS) is a “set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.” However, being PCI compliant does not guarantee security; no business is ever completely secure from security breaches from hackers.
The reason why companies are so concerned about a security breach is the cost of both direct and indirect requirements that they immediately face. Data breach notification to all affected parties (customers and employees) is a requirement in over 38 states.
Other direct costs:
- Required monitoring of the credit reports of all affected parties for two years.
- Notification to the state, which frequently results in a fine.
- May be required to utilize outside experts to determine how the breach occurred and install additional safeguards and firewalls.
- Payments for fraudulent use of the credit information.
- Possibility of other requirements.
So what coverage does a cyber liability insurance policy provide?
- Information security and privacy liability, which provides coverage for theft, loss, or unauthorized disclosure of personally identifiable information. Failure to timely disclose a privacy incident and monetary fines are also included.
- Privacy breach response services
  a. Notification to affected parties
  b. Hire a computer security expert
  c. Legal services (attorney fees)
  d. Credit monitoring services
  e. Call center services
- Regulatory defense and penalties
- Crisis management and public relations
- Website media contents liability, which provides coverage for damages and claims expenses in the course of your media activities.
And there is some optional coverage available.
- Cyber extortion
- Data protection loss
- First-party business interruption
Cyber liability coverage is fairly inexpensive. The premium is based on the annual revenues of the propane marketer. A marketer that has gross revenues of $2.5 million to $5 million could expect an annual premium of $600 for $500,000 of coverage with a regulatory defense and penalties limit of $50,000, based on 25,000 people to notify, and a $2,500 deductible. The same coverage for $1 million of coverage is $840 per year.
The propane marketer who buys a cyber liability insurance policy can transfer the financial risk from his company to the insurance company, which makes good risk management sense. Talk to your insurance agent about your company’s need for cyber liability.
Frank B. Thompson, CPCU (chartered property and casualty underwriter), is co-founder of PT Risk Management (Phoenix), an independent insurance agency specializing in writing propane and petroleum risks throughout the entire U.S.