Cyber Liability Insurance: Why HR Professionals Should Drive the Purchasing Decisions

White Paper

The success of a Human Resources department is measured in many ways, none more important than the level of trust that the HR department has with its employees. Employees must feel that they can trust the HR department with:

  1. Challenges that they are facing with colleagues, direct reports, or managers.
  2. Areas of improvement and long-term career goals summarized in performance appraisals.
  3. Honest and ethical practices with regard to hiring, promotion, and termination.
  4. Treatment plans, including prescribed medications, that are needed due to workplace injuries.
  5. Personally identifiable information, including their address, date of birth, social security number, and driver's license number (for them and their spouse / dependents).

Employees will claim that they were unfairly passed over for promotion, subjected to discrimination, or terminated unjustly even if an HR department handles items 1, 2, 3, and 4 in a "best-in-class" manner.

The same goes for item 5. No matter how hard your IT department tries to prevent a cyber-event, your company, and your employees, are a target. Every. Single. Day.

Among many other things, a cyber-event will result in a significant breach of trust with your current and past employees. That's why we believe that decision makers in the HR department should insert themselves in the Cyber Liability discussion.

Whether or not to purchase Cyber Liability is not a price-based decision. Policies are inexpensive compared to the cost of coverages like Medical or even Dental insurance. Most Cyber policies cost $8,000 - $12,000 annually for a $1.0 million limit of liability. The major hurdle to purchasing the coverage is accepting that it can happen to you, and understanding the value that the product can bring when a cyber-event occurs. Here are some other factors to consider:

Breaches can occur anywhere 

Insurable data breaches can occur on laptops, tablets, phones, thumb drives, data sites, cloud storage, printed paper, and even printers. That means that a realistic origin of a major data breach could be something as simple as leaving a smart phone in a taxi, a manila folder containing sensitive documents in a seat back pocket in an airplane, or a laptop computer in a hotel room.  

Current and past employees will demand action and answers

Your company has legal responsibilities when the personal information of your employees is compromised, but it also has a moral obligation.  Failure to move promptly when a cyber-event occurs can hurt employee morale and productivity. 

A Cyber Liability policy would cover defense costs and third party damages associated with resulting litigation from a data breach.  More importantly, the insurer will assemble a team of experienced professionals that will walk you through the process and ensure that you are compliant.  The types of services that are included as part of your premium are as follows:

  • A breach coach will be assigned. This person is more than likely a partner at a prominent law firm. Their team will ensure that you are complying with the law, which differs by state and country.
  • A call center will be arranged so your employees can conveniently learn more about the services that will be provided to them.
  • The insurer will draft communications to the affected individuals explaining what happened and the services that will be made available to them.
  • Ongoing credit monitoring services will be provided.

Imagine trying to form this team and find vendors for these services in real time. By the time all of those things were figured out, the "event" could be completely out of your control.

Assume that your third-party vendors probably do not have enough insurance to cover you  

Most people think, "if my ________ vendor has a data breach, they will cover me because we don't store the information - they do."

This thought process could be applied to vendors providing cloud storage, HRIS systems, or medical insurer systems.

The fact is that you own the data in the eyes of the law no matter where you choose to store it. This issue led many employers to violate the law during the Anthem breach because, in California, the employers, not Anthem, needed to report under state law.

Managing your data through a third-party vendor is convenient and inexpensive. These providers can offer strong passwords and SSL encryption, which some consider to be a "sufficient" level of security that makes unauthorized or unintended activity inconvenient enough. However, bad things still happen to even the most heavily guarded companies.

Look at the vendor's loss calculation this way: 

          200 = Your total number of current and past employees
+   5,000,000 = The total number of people that utilize that vendor across all of their customers (Anthem had 80 million customer records)
x        $221 = The national average cost per lost or stolen record

= $1.1 BILLION

This type of catastrophic event is uninsurable! The marketplace only has capacity to place programs with total limits of around $500.0 million. That's why it is important to purchase your own coverage and not be dependent on your vendor's limits.

New workplaces create dynamic exposures  

A cyber-event would be less likely to occur if all of your employees worked within the four walls of your office, only opened emails from co-workers, didn't shop online at their desk, and never checked their social media accounts.  

That's just not how work is performed in 2017. Your employees work from home, in coffee shops, in hotels, and on airplanes. They use webcams, screen sharing, tablets, and authorized and unauthorized collaboration tools that allow employees to work more efficiently and smarter. Multi-platform environments are now the norm: smart phones, thumb drives, laptops, Bluetooth technology, tablets, and wireless printers. All of these items present opportunities to widen existing security gaps.

Claim Examples

Follow this link in order to read some summaries of actual Cyber Liability claims. http://www.equityrisk.com/cyber 

Conclusion 

Liability policies are not something that HR professionals typically consider or purchase. Those decisions are almost always made by someone else.  However, we encourage HR professionals to become a part of the Cyber Liability conversation. 


Josh Warren - Executive Vice President - Property & Casualty 

Josh Warren has more than 15 years of experience developing insurance coverage programs and specializes in the design and implementation of alternative risk finance techniques and transactional insurance products. His role focuses on client service, due diligence consulting and claims, in addition to leading the firm's Equity Risk Partners Global initiative.

Mr. Warren is a past board member for the Canadian U.S. Business Council Chicago. He also serves as the Co-Chair of the Millikin University Football Alumni Advisory Board.

Prior to joining Equity Risk Partners, he was an account executive specializing in the real estate industry at Mesirow Financial, and a sales professional at a suburban Chicago insurance agency. Mr. Warren earned an undergraduate degree in secondary education from Millikin University. He is also past co-chair of the Illinois Young Agents Committee, which was awarded the National Young Agents Committee of the Year Award in 2004.

Contact Information: jwarren@equityrisk.com
Phone: (312) 980-7853


Michael Marcon - President, HUB International and Founder, Equity Risk Partners

Michael Marcon has more than 30 years of insurance experience, pioneering the delivery of insurance due diligence to private equity firms and specializing in alternative risk financing and transactional insurance products. Before launching Equity Risk Partners, Mr. Marcon was Executive Vice President of Aon Risk Services - Mergers and Acquisitions Group, and he was instrumental in creating the Private Equity practice for Aon's predecessor company, Rollins Hudig Hall. He served as Regional Manager - Finance for Transamerica Corporation and held positions in Special Risk Financial and Capital Management for CIGNA Corporation.

Mr. Marcon holds an undergraduate degree in economics from Ursinus College (where he was the former chairman of the board of trustees) and an MBA in finance from Drexel University. Mr. Marcon tweets from @mcm7464 and can also be reached through his blog, Michael Marcon Tweets, where he writes about business, tradition, and life. 

Contact Information: mmarcon@equityrisk.com
Phone: (415) 874-7101