Small firms wanting cyber coverage should “hold an inventory” of personally identifiable information: Chubb

Bodily injury and property damage exclusions in cyber insurance policies means the Internet of Things has “big implications” for organizations, while malware that existed unbeknownst to a user before binding a policy can mean a cyber incident is not covered, speakers suggested at a conference Friday.

“What makes a great risk for a 10,000 employee company is going to be somewhat different from what is going to be a great risk for a 100 employee company,” said Matthew Davies, assistant vice president and professional, media and cyber liability product manager for Chubb Insurance Company of Canada.

For a large organization, “I would expect they would have an employee awareness program of security issues,” Davies said Friday.

“I would want them to have a business continuity plan that they have tested and an incident response plan that they have tested. That may be realistic for a large organization and may not be quite so realistic for a 100-employee organization that is privately held.”

Davies made his comments at the 3rd Annual International Cyber Risk Management Conference, produced by MSA Research Inc. and held Thursday and Friday in Toronto.

“If there is one thing that I would want a 100 employee company to do …. I would want them to have an education program,” Davies said.

He added he would also want a small organization “to at least have an inventory” of personally identifiable information that they hold, “so they know why they are collecting it what they are doing with it and what they do with when they are finished with it.”

Davies was one speaker on a panel, titled The Insurance Gap, at International Cyber Risk Management Conference.

When American International Group writes cyber risk, “we look at the type of data and the amount of data that a client has based on their business model,” suggested Jacqueline Detablan, vice president of financial lines at AIG Canada.

“Do they have a lot of credit card information?” Detablan said. “If they are a manufacturer, what type of data do they have? Are they an engineering firm where the plans might be of value to someone else?”

Also speaking was Joshua Gold, a lawyer and shareholder at New York law firm Anderson Kill, who has represented policyholders in insurance coverage disputes in the U.S.

“A lot of the cyber policies I have seen are for the most part geared towards liability or exposure or notification costs of having to address a breach of sensitive information, whether it’s customer information, or maybe some internal sensitive financial information of the company itself,” Gold said. “But I think we are going to see this whole shift back to what insurance used to insure as the primary focus – property damage and bodily injury coverage. That’s got really big implications, because a lot of cyber policies will have a bodily injury and property damage exclusion.”

With the Internet of Things, Gold suggested, hackers can disable safety mechanisms on vehicles and machinery.

“All of these kinds of catastrophic risk exposures out there that you are hearing about, it’s going to be interesting what the reaction is from the insurance industry,” Gold added.

The lack of retroactive coverage can be a problem for some policyholders, suggested Brian Rosenbaum, senior vice president and national cyber and privacy practice leader at Aon Canada Inc.

“One big dark secret that insurance buyers seem to find out, unfortunately a little too late … that when you typically buy cyber insurance and you may have a piece of latent malware on your system at time you that buy the insurance, and then something happens thereafter, you are not going to be covered, notwithstanding that you didn’t know about the malware in your system,” Rosenbaum told International Cyber Risk Management Conference attendees. “It’s because in the base wording of most cyber policies there is no retroactive coverage, which means that whatever the event was that led to the cyber loss, it has to take place after the inception date of the time that you bought the policy.”

Rosenbaum added he understands the point of view of insurers, who “don’t like to insure a burning buiding, so to speak” but added “the problem that I have is there are a lot of companies that do a decent job of monitoring and protecting their systems and notwithstanding some reasonable efforts, have not been able to detect this piece of malware.”

Rosenbaum also noted that the Court of Appeal for Ontario ruling in Jones v. Tsige has brought in a new “intrusion upon seclusion” tort. Sandra Jones had sued Winnie Tsige, one of her co-workers at the Bank of Montreal (BMO), because Tsige accessed and reviewed Jones’s bank records on 174 occasions in 2006 through 2009. The lawsuit was initially dismissed but the Court of Appeal for Ontario ruled in favour of Jones.

“There is now a body of law coming out of Ontario … that says … more for intentional or reckless conduct – that if your personal privacy has been invaded, even if you haven’t suffered any economic harm, you could still sustain an action,” Rosenbaum said. “In those one-off cases, we have seen awards – very modest – of $2,500 to $10,000 for violation. In a one-off case that is not a big deal but our plaintiff’s bar are thinking, ‘think of the numbers you could generate for a class action on that basis.'”

More coverage of the International Cyber Risk Management Conference

Need for organizations to fill culture gap when it comes to cyber risk: ICRMC speaker

Disruption becoming more of a motivator for cyber attacks: ICRMC panel