Click here to load reader
Upload
christopher-rieser
View
26
Download
1
Embed Size (px)
DESCRIPTION
Cyber Liability Risk and Defending Against It!
Citation preview
A Variety of Capital is Availablefor Acquisition & Rehab Financing
www.multi-housingnews.com August 2013
The Pacifi c Northwest: Record Revenue Growth
Capital Stack
Are You Fully Protected Against Cyber Liability?
Construction Methodsfor Extreme Weather
38 August 2013 | Multi-Housing News
Cyber Liability
Among the many risks that prop-
erty owners must manage is
the risk of cyber liability. Years
ago, privacy of residents’ per-
sonally identifi able data was confi ned to
fi ling cabinets and offi ce computers, but
now this data exists electronically in the
cloud, on laptops, smartphones or tab-
let devices often in addition to the paper
fi les. Access points are everywhere, and
the information can be easily transmitted.
What’s more concerning is that cyber
criminals are on the lookout for this data,
and they are becoming more sophisti-
cated every day. If that is not enough to
worry about, state and federal regulations
are being enacted that require a duty of
care for this data, and complying can
be diffi cult.
Cyber liability insurance is relatively new
and has become the fastest growing line
of coverage over the last 10 years. Few
industries are immune to the risk of data
breaches that can include customer, vendor
or employee data. As with any risk, it is rela-
tive to the type and amount of exposure an
individual company faces.
For property owners and managers, the
amount of data collected on employees,
residents or prospective residents can be
immense, and a breach of this data would
not only be embarrassing but also costly.
Cyber liability insurance can provide a
level of protection from this emerging risk
and should be evaluated as part of any risk
management program.
technology
Cyber liability policiesCyber liability policies are designed to
cover a company for a loss or breach of
personally identifi able information. Tradi-
tional insurance policies were not designed
to cover these types of exposures, so any
coverage you might fi nd under your general
liability, professional liability, crime or prop-
erty policies or even a directors’ & offi cer’s
liability policy written for a privately held
company will either be very limited or simply
accidental. Some carriers might offer you an
endorsement to provide coverage for a spe-
cifi c component of your cyber liability expo-
sure, but it is usually not as comprehensive
as buying a separate policy.
Here are several reasons why your tradi-
tional insurance policies might not respond
to a cyber liability claim:
■ General liability policies do not respond to
claims for damage to intangible property
(there is also typically a specifi c exclusion
for claims arising out of electronic data)
■ General Liability policies typically ex-
clude claims arising out of “blogs” you
own or host
■ Property policies only provide loss of
business income coverage if there was
direct physical damage caused to your
property (not caused by hackers or rogue
employees who shut down your website
or computer systems or the systems of a
service provider you rely upon to conduct
your business)
■ Crime policies do not respond to claims
for damage to intangible property (there
is also typically a specifi c exclusion for
loss of confi dential information)
■ Private company directors’ & offi cers’ li-
ability policies typically exclude claims
arising out of bodily injury (including
emotional distress), property damage
and specifi c types of personal injury
■ No traditional insurance policy currently
provides coverage for the expenses asso-
ciated with notifying affected individuals
when their personally identifi able fi nan-
cial or medical information was breached
while in your care, custody or control
These are just some of the hurdles to over-
come in order to fi nd coverage for cyber liabil-
ity claims under a traditional insurance policy.
Evaluating costsCosts resulting from a breach can vary
greatly, and when you take into account lost
revenue or reputational damage, they can
be signifi cant. The costs associated with the
breach include defense and judgment costs
from lawsuits as well as notifi cation and
credit-monitoring expenses. Consider just
the costs of notifi cation and credit monitor-
ing for a multifamily property manager with
3,000 residents. The cost of notifi cation and
credit monitoring after a breach can range
from $30 to $50 per person. If the data lost
compromised 3,000 records, these costs
alone would be over $100,000.
Policies can be structured to provide limits
anywhere from $1,000,000 to $10,000,000 or
more, with various deductible and coverage
options to tailor the policy to fi t the coverage
Understanding the risk and defending against it
By Kevin D. Smith, CPCU, ARM, The Graham Company
Image by Vertigo3d/iStockphoto.com
www.multi-housingnews.com | August 2013 39
underwriters, which help keep costs down
if insurance is purchased.
It begins with identifying the type of in-
formation collected and putting policies in
place to protect this data. This protection
can range from employment policies to
control employee behavior, such as poli-
cies on downloading unauthorized software
and rules related to personal device usage
to technology solutions such as keeping
anti-virus software up-to-date and complex
password protection measures. Your IT de-
partment should regularly monitor security
measures and look for signs of attempted
breaches. Many companies have used an
outside consultant to perform an audit of
the cyber security systems in place to de-
termine vulnerable areas.
The threat of lost data, the ensuing costs,
and potential liability for property owners
and managers is real and growing each
year. Companies spend a lot of money and
effort on keeping this data safe, but the
sheer number of incidents suggests that it
is only a matter of time before companies
experience some sort of breach. MHN
Kevin D. Smith CPCU, ARM,
is vice president, real estate
division director at The Gra-
ham Company, a property
and casualty brokerage spe-
cializing in the multi-housing.
To comment on this story, e-mail Diana Mosher
reports that identity theft complaints were
up 32 percent in 2012, and over 12 million
people have been a victim of identity theft.
While cyber criminals account for much
of these instances, there is also the threat of
human error of employees that causes data
to be lost. For example, laptops left in cabs,
smartphones lost, USB drives left in the open
and stolen, or simply emailing a fi le with this
data to the wrong address. While encryption
can be a line of defense against the release
of this data, many times it is not sophisticat-
ed enough, or it simply does not exist on ev-
ery computer or device. In 2012, Blue Cross
Blue Shield of Tennessee paid a $1.5 million
settlement for penalties under the HITECH
Act for a breach of over 1 million patient re-
cords after the theft of computer hard drives
(with unencrypted health information).
The use of third parties, such as a rent
payment portal, does not eliminate the
risk. The company that selected the third
party would also be involved in a lawsuit or
breach since they selected and promoted
the third party for resident rent payments.
A lawsuit would examine what level of due
diligence was done by the property man-
ager to select the third-party rent payment
portal and its security measures.
The need for preventionPreventing breaches with security proto-
cols is a no-brainer and often a requirement
of state or federal government. Good se-
curity and prevention measures also make
you a more appealing risk for cyber liability
and cost needs of the insured. Premiums will
vary and will be dependent upon the amount
of coverage, size of your organization, type
of data collected and security measures in
place. Generally, policies will start around
$10,000 for $1,000,000 in limits.
Some of the exposures and costs that
can be covered under a well-structured cy-
ber liability policy include:
■ Information security and privacy liability for
failure to protect personal or corporate in-
formation (like tenant Social Security num-
bers and credit research) held on comput-
ers systems, smartphones, laptops or paper
fi les or entrusted to third-party vendors
■ Costs to notify affected individuals that
their personal information has been
breached, as required by law
■ Other costs associated with data breach-
es, such as public relations, investigative
costs and defense costs from lawsuits
■ Loss of business income when a “hacker”
prevents your customers from accessing
your website or disrupts your systems
■ Loss of business income when your ser-
vice provider’s systems are affected by a
“hacker” (such as a cloud service provider
or credit card processing company)
■ Personal injury (such as libel) that may
result from the use of blogs on your web-
site or other social media
When employees are cyber criminalsBreaches can happen in a variety of
ways, and there is no shortage of news of
examples of signifi cant breaches. The FTC