Data Loss Not Insured
Insured for data loss? (possibly not)
Sony’s recent data breaches look like costing around $178 million this year alone (that’s before compensation). One of their insurers has refused to cover Sony under its general liability insurance policy.
Zurich is arguing that the policy it set up for Sony does not cover the part of the business that suffered the breach or the sort of damage the data theft has caused. It also said that specific clauses in the policy rule out its providing cover.
Sony is one of the world’s biggest brands with massive technical and legal resources. What does this mean for normal companies?
Simply put, businesses of any size, in any sector, could face the same challenges that Sony currently faces, which are:
- What IT/data issues will my current insurance cover?
- What won’t it cover, and what are the related costs (time/money/reputation)?
KS Services has looked at seven general insurance policies from top UK insurance companies. 4 of the 7 do not offer any cover for E-risks, Virus or Hacking. The remaining three policies only offer it as an option, not as standard.
An answer could be to have a separate Computer/Cyber Liability Policy which does typically cover data loss, virus impact and unauthorised access. Like any policy there are limitations and exclusions that need to be considered as part of your commercial decision.
The key points are:
- Understand exactly what IT cover and limitations your insurance provides.
- Understand exactly what you would need to do, how long it would take and how much it would cost to get back to ‘Business as Usual’ if you had an equipment loss or security breach.
Whilst insurance policies may cover some commercial impact, such as replacement of equipment and some legal costs, one thing that they will not cover is fines!
Regulatory bodies in many cases have the power to fine their members large sums; remember Zurich being fined £2.3 million by the FSA for losing policyholders’ personal details.
The Information Commissioner’s Office (ICO) also has the power to fine companies up to £500k for Data Protection Act (DPA) breaches and recently fined Surrey County Council £120k when a member of staff e-mailed sensitive data to the wrong email group.
Fines aside, a loss of data or services could have a major financial impact if client service levels and contracts are put in jeopardy.
Having an insurance policy in place is very important, but prevention should hopefully, in most cases, remove the need for a cure or at least lessen any impact. Make sure that you have strict security policies and measures in place.
These should include:
- Ensure all portable devices (smartphones, USB drives, laptops) are both physically and logically (password protected and encrypted) secure.
- Employ a managed firewall
- Have up-to-date Anti-Virus software
- Ensure system security patches are updated
- Have a strong password policy in place with forced changes
- Do regular, secure data and system back-ups
- Restrict non-company equipment (smartphones/laptops) from having access to your network