January 1, 2017 by Greg Meckbach, Associate Editor
Insurance professionals who are concerned about exposure to cyber claims might lie awake at night wondering about their insureds’ weakest links, such as the front-line workers who actually handle sensitive data. Underwriters might consider asking commercial insurance applicants how much they pay their front-line workers, compared to the directors and officers who could actually be held accountable by regulators or plaintiffs for cyber breaches.
Cyber underwriters might also do well to ask prospective clients for an exhaustive list of all types of sensitive personal information in the possession of the organization, and for a list of all types of sensitive personal information over which it is anticipated the organization will have control.
Is it fair to ask for such an exhaustive list, or for details on the compensation package of the lowest-paid worker with access to potentially sensitive data? It is kind of like asking an entity applying for fire insurance for details on the building construction and the local fire department.
The answers may not be readily available and, therefore, the questions may be frustrating to the buyer.
However, the answers are important for pricing risk and assessing whether or not the risk is actually insurable. To put it another way, is the risk of a breach of data – that the organization’s insurance buyer was unaware the organization even had in its possession – really unforeseen?
A commercial insurance buyer who is unable to answer basic questions on what sensitive data the organization controls and who within the organization has access could hardly be said to have a good understanding of the organization’s cyber risk exposure. After all, directors and officers of employers make decisions on how much to pay themselves and their employees, and what responsibilities their employees should have.
Paying a person minimum wage does not by itself make that employee irresponsible. But if a minimum wage earner’s mistake – or lack of training – could give rise to a multi-million-dollar class-action lawsuit, it raises questions on the overall management of an organization.
Questions of this nature could give rise to some risk assessment on the part of an applicant. What if the organization – and its directors and officers – are named in a lawsuit after an employee sends a snail-mail letter or email to the wrong recipient? What if it turns out that a breach was attributable to a person making $30,000 a year, but the application for cyber insurance indicated that the lowest-paid worker with access to sensitive data was actually making $45,000 a year?
Would the claim be denied due to incorrect information being provided with the insurance application?
What if an employee leaves sensitive information on his or her desk in an area where physical access is not controlled – where customers, suppliers or even the general public have access? Blaming a breach on a front-line worker will probably not get a lawsuit against an organization dismissed.
When considering the type of information that people expect to be kept private – such as social insurance numbers, credit card numbers, banking information and health data – it would be difficult to come up with an example of an organization that is not in the market for cyber insurance.
Asking cyber insurance applicants to determine the remuneration of the lowest-paid employee with access to sensitive data could help senior managers learn more about their exposures. It could also raise questions on the selection and training of the people who are responsible for preventing data breaches.
Having care and control of sensitive personal information is not a responsibility to be taken lightly. Managing an organization that handles sensitive personal information is not an easy job and it is not for everyone.
Cyber coverage may be new for some, but like any other line of property and casualty insurance, it only makes commercial sense if it covers sudden and unforeseen risk.