Printed from

Strategies for buying cyber liability insurance

Posted On: May. 21, 2011 7:11 AM CST

Strategies for buying cyber liability insurance

CHICAGO—Buyers of cyber liability insurance enjoy a competitive marketplace, but risk managers need a complete understanding of their organization's exposures to fully benefit from the coverage, panelists said during the 2011 Harold H. Hines Jr. Memorial Symposium.

Three panelists explored cyber risks facing organizations and ways to manage them effectively during last week's symposium in Chicago, “Cyber Risk: Protecting Your Assets.”

Carla Johnson, vp and assistant risk manager at Inland Risk & Insurance Management Services Inc., a unit of Inland Real Estate Group of Cos. Inc., said Inland's risk management team did not focus on cyber risks initially. But with nearly 500,000 individuals' data and records that the Oak Brook, Ill.-based company maintained, “we did recognize that we had exposures,” Ms. Johnson said.

“We decided to purchase the coverage because we have a lot of investors, dealers and brokers that sell our products that were inquiring about us carrying the coverage,” Ms. Johnson said.

In the event of a data breach where clients' personal information has been compromised, the notification process—mandated by various state laws—was a major concern for Ms. Johnson when considering the coverage.

“One of the things that our policy is covering that really is a big cost factor is the notification when there's a breach,” she said. “It's a huge cost and that's what we were really looking at.”

Cyber liability costs are quite broad and can compound quickly, said Christopher DiIenno, an attorney in the complex litigation group at law firm Nelson Levine de Luca & Horst P.C. in Philadelphia.

Insurers “are starting to realize that this is an untapped market and they want to get this product out there, so they want to show people what it can do,” Mr. DiIenno said.

“The appetites of these insurance carriers to modify the forms are also still very strong,” said David Garrigus, vp and client adviser at broker Marsh USA Inc. in Chicago. “As such, they are very willing to work with you, for the most part, on modifying the coverage to work in the way you need it to work.”

To gain the full benefit of the insurance, risk managers need to construct the policies around their organization's risk, the panelists said.

“Understanding the various components of the policy, which can or cannot be included depending on the needs of the organization, is critical,” Mr. Garrigus said. Policies need to be structured so they are “consistent with the organization and its priorities,” he said.

The first steps, Mr. DiIenno said, are for an organization to understand what kind of data it collects, how long it is kept and how it is destroyed. Also, if a breach occurred, organizations would need to assess whether or not data was exposed and implement a process to respond.

Once these questions are answered, organizations can tailor a policy that fits their cyber exposures, he said.

Once the policy is purchased, insurers often offer a suite of risk management services, such as access to various professional organizations or third-party audits, to assess cyber exposures, Mr. Garrigus said. “Part of the value of this type of insurance policy is that service value. It's gaining access to all of these resources which you might not otherwise have access to or, frankly, might not have budgetary resources to fund.”

Initially, Ms. Johnson said Inland Risk & Insurance Management Services purchased small limits and minimum cyber risk insurance. But after re-evaluating their exposures, she increased those limits and coverage at minimal cost.

At the most recent renewal, “we were able to get a lot of things negotiated for very little cost increases,” Ms. Johnson said. Insurers “are willing to work with you and add on coverages and make the form more compatible with your business.”

The annual Hines Symposium—honoring the late Harold H. Hines Jr., former president and CEO of Rollins Burdick Hunter Co., a predecessor company to Aon Corp.—was presented by the Chicago chapter of the Risk & Insurance Management Society Inc. and Business Insurance.

Gavin Souter, editor of Business Insurance, moderated the panel.