Malicious hacking attacks that target millions of customers tend to make the news when they affect industry titans like Equifax or Boeing, but these are not the only businesses that need insurance coverage for data breaches.
“When it comes to companies involved in the placement or administration of employee benefits, they’re finding that they have vendors that are requiring them to carry the separate cyber privacy coverage, so that is where we have divided out from the E&O and also concentrated a focus on making sure they’re aware of the product,” said Rachel Coughlin, senior account executive at Capitol Special Risks and one of Insurance Business’s top specialist brokers for 2018.
“In a lot of cases, we just sell it as an add-on. Even if they don’t ask for it, we make sure they’re aware because, sooner than later, they’re going to get a contract requirement for them to have the coverage.”
Errors and omissions (E&O) policies are not built to deal with this developing threat, which is why third-party claims administrators need additional coverage.
“Typically, somewhere built into that E&O form, there is an exclusion for failure to protect private information, so the E&O policy itself was never designed to pick up that exposure,” said Coughlin, adding that crime policies are similar in that regard. “They’re for criminal acts, for theft, so they were not initially designed to pick up the exposure of the theft of information, just theft of funds. If you don’t have either one of those policies endorsed to address a cyber privacy exposure, there’s your gap.”
Coughlin is approaching her thirteenth year with Capitol Special Risks, and has seen firsthand the developments in cyber privacy coverage.
“When I first started 12 years ago, I don’t think that we even saw privacy coverage endorsed on to E&O policies, and that was kind of how it started,” she told Insurance Business. “When we all started transacting business online, then you started to see these losses that weren’t insurable because privacy coverage didn’t exist.”
While third-party claims administrators, who handle a lot of private information, might not be targeted by sophisticated cybercriminals, they do need add-on policies that protect them in case of accidental disclosure.
“Because so much of what they do is sharing that data with their vendors, they can have accidental privacy cyber claims,” Coughlin explained. “Somebody mails a disk to the wrong address, or somebody leaves a voice message about someone’s medical condition at the wrong phone number and now you’ve disclosed healthcare information to the wrong party.”
As companies start transferring data into the cloud, many are left with one foot in each camp: storing stacks of paper files as well as gigabytes of digital files. This comes into play when Coughlin is quoting third-party claims administrators.
“We have to make sure that we’re providing coverage for those digital files as well as the paper files because they store them for any number of years,” she said. “We use number of records as underwriting criteria, so if they’re hanging on to records that are more than 20 years old, it often starts a conversation with themselves [of], ‘OK, we need to purge our data, we need to find a secure way to store what we need and then get rid of what we no longer require to house.’”