Cyber policies may not cover third-party risk

CA broker says companies relying on the cloud for data storage probably need insurance that will cover them if the vendor is hacked

With cyber liability insurance, the devil is in the details.

Galen Hayes, owner of Hayes Insurance Agency, El Sobrante, CA, said he is seeing significant third-party claim activity in his cyber practice.

He said many cyber liability policies are premises-specific and do not cover losses suffered as a result of a third party being hacked, so companies that store data in the cloud or with an off-site vendor may not be covered if that data is compromised.

“When you think of cyber liability, most people think of something in their office, a server that has information that needs to be protected in some central location,” Hayes said. “But what happens is that companies are storing their customer information in the cloud or somewhere else, and the client doesn’t actually get hacked but the storage provider does. Somebody could have a huge loss and not have it insured even though they have insurance. I’ve seen this happen. Everybody we talk to, we talk about this,” he said.

As a result of this trend, Hayes said all the cyber policies he writes today include coverage for liability resulting from a third party being hacked.

“I won’t sell cyber liability without coverage for third-party losses, or the client will come looking for me,” he said.

Hayes said that the third-party vendor storing the data should be liable and should have insurance to cover that liability, but that all too often cloud storage vendors are underinsured.

Hayes said that a client with 5000 identities to protect would have a risk of $1 million at $200 per identity, which he said is the approximate cost to comply with regulations that require companies to notify everyone whose identity has been accessed, and in most states to provide them with 2 years of credit monitoring. That doesn’t include money for reputation restoration, forensics, attorney fees, extortion payments, or to bring in experts to stop or control the breach.

“$200 per record just covers identity theft itself. That is how we calculate risk. How many records do you have times $200. There’s your risk. You might get it for $140 to $160 if you are huge like Target. I have clients for whom $200 per identity adds up to $15 million in risk, and they listen to me, and pay for the insurance.

“What we find is the cloud provider might need $100 million of coverage because they have 100 clients, who each have an average of $1 million in risk. But the cloud provider might only have $10 million in coverage, so if they have a big hack that takes out everything, and they have $100 million in claims, they only get 10 cents on the dollar on the claims. The remainder comes from my client who has to pay for the cloud provider’s mistake. It usually works out, but a lot of people think ‘hey it’s on the cloud. I don’t have anything to worry about,’ but they do. They don’t understand the concept until you explain it to them.”

Hayes said that when a cloud provider is hacked, everyone storing data with that vendor is probably hacked.

He said he has met with cloud providers but has been unable to sell coverage to any of them. “We don’t cover cloud providers because they are--what’s a polite word--too cheap?

“I’ve taken a run at a few of them, but then I do a risk management analysis and I say ‘you have $75 million in risk. If everyone got hacked, it would take $75 million to tell everyone and protect their identity.’ And they say ‘how much is $75 million in coverage?’ and I tell them, and they hit the floor and they pass out,” he said.

“But then they say ‘no, we have such good defense, if anyone hacked in, we’d get them out before they got past 2 or 3 clients, so how much is $10 million?’ I tell them, and they say ‘no, no, give me $5 million.’ And I say, ‘you know, if you have a $20 million problem and have $5 million in coverage you will probably sue me for not making you buy the right insurance.’

“We have that discussion,” Hayes said. “They are aware of their risk, because I educate them, or because they are smart tech guys and they understand it, but they want to roll the dice and not pay for insurance. With insurance, you either use it or you don’t. If you don’t, it is a waste of money. If you use it, it is the best investment you ever made.

“So, I actually have talked to several cloud providers but none of them want to pay the price for the proper coverage. So I always write them a CYA letter. They don’t like that because they want me to be exposed while they are exposed, but I am too smart for that after 32 years.”
