Insuring a Good Reputation

Data security is a problem for companies across the globe. Any business using the Internet to transmit personal information, credit card or debit payments and other sensitive information is exposed to risk. Businesses, large or small, face similar risk exposures: the loss of proprietary and confidential information through mishandling, hacking or stolen equipment requires companies to be prepared for customer resentment, damage to their reputation and possible lawsuits. Lawsuits related to data security issues are costly for any company’s bottom line.

As the ease of information sharing continues to develop at warp speed, so too does the chance of a security breach. Cyber liability risks, typically not covered under property or general liability policies, require their own unique policies,
tailored to each company’s vulnerabilities.  

The insurance industry has addressed the need for coverage for privacy breaches, network security breaches, and technology errors and omissions, but thus far these policies (cyber, privacy, NetAdvantage and Digitech) have yet to develop sufficient coverage for the loss of a company’s biggest asset – its reputation. A digital information loss, compliance or product failures, corporate slander and numerous other unwanted events can have a disastrous impact on a corporation’s image, reputation and bottom line, requiring the company to manage the crisis quickly and efficiently.

As Berkshire Hathaway Inc. CEO Warren Buffett once said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” A company’s reputation should be considered one of its most valuable, yet most vulnerable assets. In a study The Economist conducted in 2005, 84% of the executives surveyed said their company’s reputational risks had increased significantly over the past five years.1 Dr. Leslie Games-Ross, in her book, Corporate Reputation: 12 Steps to Safeguarding and Recovering Reputation, wrote: “Three facts are indisputable: no reputation is bulletproof; no company can afford to be reputation-blind; and no suit of armor is impenetrable to completely and indefinitely protect reputation.” Companies must be vigilant about protecting their reputation and stakeholder trust, so that when a crisis does occur, an action plan is in place to handle repercussions and minimize losses.  

In recent years, the media and general public have become increasingly unforgiving of the errors and misfortunes of corporations and celebrities in all areas of commerce – in many instances, with just cause. However, the negative effects of the public’s indignation can be traumatic. As evidenced by what happened to golfer Tiger Woods, Toyota, BP and other scandals, when a reputation comes under fire it can often be irreparably damaged or take years to be repaired. In 2009, for instance, Tiger Woods had several endorsement contracts pulled after news of his extramarital affairs. Toyota had to recall 270,000 vehicles in Canada to address faulty pedals, resulting in the halt of production at seven factories. And after an oilrig explosion killed 11 workers and dumped almost 5 million barrels of oil into the Gulf of Mexico, BP saw its company share price plunge from almost $60 per share before the explosion in April 2010 to nearly $30 per share in June 2010. These unexpected situations no doubt resulted in other, untold financial consequences that, while discussed less often, also have a negative effect on employees, brokers, underwriters, CEOs, lawyers and other stakeholders.

General insurance policies do not cover reputational harm, although more specialized policies protecting a company against reputational harm are available and can be attached to an umbrella policy by way of endorsement. Traditional business interruption or product liability recall policies do not provide first party revenue protection following a loss. In light of this gap, a more responsive reputational risk insurance policy is needed to provide coverage in the event of an adverse media blitz that could damage the policyholder’s ability to exploit their products and brands.

Businesses today run on technology. E-mails sent every second disclose confidential company information around the world. Online retailers rely on middlemen (payment processors) for all credit card transactions. Social insurance numbers, no longer stored in a locked file room, are stored digitally
on a network that may or may not be safeguarded.  Loss of sensitive and private information caused by misplaced laptops, stolen USB cards and other portable devices is becoming an everyday ordeal.

Privacy Commissioner of Canada Jennifer Stoddart concluded in an October 2010 report that Google, when it developed its Street View feature, violated Canada’s Personal Information and Protection and Electronic Documents Act (PIPEDA) by retrieving e-mail addresses, passwords, usernames and other personal information from unsecured wireless networks in Canadian neighbourhoods. Google informed the privacy commissioner that its lawyers were reviewing policies and procedures with the company’s engineers to make sure such breaches would not happen again.

Compounding the potential damage of identity theft related to data breaches, Canada has yet to implement notification laws, leaving consumers unable to protect themselves. Hopefully it’s only a matter of time before Canada adopts similar laws to the ones in place in the United States. Given the rapid development of technology and the related emergence of the relentless cyber hacker, some insurance companies have been quick to develop more up-to-date privacy policies that protect businesses from lawsuits arising out of privacy breaches.

Computer attacks, operational errors, network outages and data breaches can completely paralyse an organization by bringing down the information infrastructure and communication lines. This breakdown can damage relations with clients, suppliers and regulators. Also, it can seriously erode financial performance, causing investor concern. Standard property, liability or crime policies typically do not cover damage to or loss of intangible assets (data and systems), so there can be a significant gap in coverage. This exposure is made worse by the increasing corporate dependency on technology. Similar to the new privacy policies, well-timed data and network security insurance policies have been developed to address hacker attacks and security issues.

The role of insurance is changing rapidly. Although many technology and privacy (cyber) policies in the industry do not currently address a company’s
financial loss due to a security breach or privacy loss, a select few are introducing important data and network security policies and privacy policies designed to fill this void.  Equally important is the advent of reputational risk insurance designed to protect the very valuable, but somewhat intangible, corporate reputation. With improved coverage, corporations can react faster to adverse issues, be more effective in protecting the organization and secure the trust and confidence of clients while at the same time securing the bottom line.

1  Economist Intelligence Unit 2005.