
NEEIS is your premiere MGA for Cyber Liability


Red Flag Rule - are you protected?

Click on the topics below to learn more about this vital new Insurance Coverage
  • What is Cyber Risk?

    Cyber Risk is first and third-party risk associated with e-business, the Internet, networks and informational assets. Cyber Risk has two primary components:

    • The risk of lawsuits due to Copyright, Defamation, etc.
    • The risk of extra expense due to Virus, Hackers, etc.

    As businesses become more dependent on information technology, especially the Internet, they expose themselves to new risks that are not covered by traditional business insurance.

    The Cyber Security and Privacy policy can insure you against claims by third parties and extra expenses brought about by your use of and dependence on technology.

  • Who is at risk?

    • Business Owners who operate a website.
    • Business Owners who accept credit card payments.
    • Business Owners who are aware of the risks associated with computer hackers, viruses and other damaging computer programs.
    • Business Owners who are concerned about copyright/trademark infringement.
    • Business Owners who keep electronic records of clients names, addresses, phone numbers, social security numbers, credit card numbers and other sensitive information.
    • Business Owners who use laptops, Blackberries or other portable devices that store client information.
    • Business Owners who understand the importance of upholding and preserving their professional reputation should an incident occur.
    • Business Owners who are concerned with their clients’ and employee’s information being compromised.
    • Business Owners who may have employees that could compromise sensitive customer information or do something illegal to make some money.
  • What is the Red Flag Rule?

    In January 2008, the FTC passed the Red Flag Rule – businesses and organizations must develop, implement, and administer Identity Theft Prevention Programs.

    On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act. The new law limits the circumstances in which creditors are covered by the Red Flags Rule. The FTC is revising the materials on their site to reflect the change in the law.

    The Red Flag Program Clarification Act reads as follows:

    (4) DEFINITIONS.—As used in this subsection, the term ‘creditor’—

    • (A) means a creditor, as defined in section 702 of the Equal Credit Opportunity Act (15 U.S.C. 1691a), that regularly and in the ordinary course of business:
      • (i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
      • (ii) furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; or
      • (iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;
    • (B) does not include a creditor described in subparagraph (A)(iii) that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; and
    • (C) includes any other type of creditor, as defined in that section 702, as the agency described in paragraph (1) having authority over that creditor may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.

    In a nutshell, the range of businesses affected by the Red Flag Rule has been narrowed by the Act.

    You are definitely covered by the Red Flag Rule if:

    • Your company obtains consumer reports prior to accepting a credit transaction.
    • Your company furnishes information to consumer reporting agencies in connection with a credit transaction.
    • Your company advances money to or on behalf of someone, based on an obligation to repay.
    • Your company maintains any kind of record of credit transactions subject to a reasonably foreseeable risk of identity theft.

    The last item above is a catchall that will force many companies to comply with the Red Flag Rule.

    Merchants and processors both face suits from consumers and issuing financial institutions when credit information is stolen. Studies show that the total average cost to the victim of a data breach in 2007 was $197 per record, and as much as $239 per record for financial services companies.

  • How does the Red Flag Rule affect Cyber Risk?

    If your client requests Cyber Liability cover, the Insurance company will ultimately look at your client's Formal Written Procedures document. This should be the same document that you are required to develop as a result of the Red Flag Rule. This Formal Written Procedure document will be heavily influenced by the Red Flag Rule. Depending on the nature of your client's business, their Formal Written Procedure document may need to address additional items not required by the Red Flag Rule, (see below).

    A business requesting Cyber Liability cover without attaching their Formal Written Procedures to their application will have a more difficult time obtaining coverage at an affordable rate.

  • How can your clients comply with the Red Flag Rule?

    Developing a Formal Written Procedure is, unfortunately, the only real answer.

    The FTC has developed a How To guide. It's very comprehensive but rather daunting for the small business owner.

    A Formal Written Procedure manual does not have to be the nightmare it may seem, but it must be comprehensive and specific to the business. Many small businesses have an employee manual, which is an obvious place to start. Businesses should consider adding a 'Security Plan' section to their existing Employee Manual. Once completed, they should have all their employees read it and sign it.

    As an example, take a hypothetical small business, with a simple static Web site that does no e-commerce. They routinely invoice for their services net 30, but on occasion will accept credit card payments for special cases. They process the credit card transaction electronically from their office via an on-line credit card merchant account. The credit card transaction IS NOT processed via their Web site. The business's customer fills out a credit card charge authorization form and faxes it to a representative of the business.

    So where would the Red Flag rule come in? First, because of the on-line access to their credit card merchant account, this business is square in the cross hairs of the FTC. There are significant security issues that are now their responsibility, simply because someone in their office uses a PC connected to the Internet to transact credit card charges.

    The good news is that most credit card merchant accounts have automated the technical security verification process, and most now require customers verify their security periodically. It's a relatively painless process.

    The technical security of your physical Internet connection, though, is only one small part of what the Red Flag Rule requires. For example, if a merchant account requires the password to be changed every two months, and several representatives of a business process credit card charges, how is the ever-changing password communicated to the group? There are secure ways to handle this, and dangerous ways.

    Another example is what happens to the faxes sent to the representatives of the business. They contain credit card numbers and information ripe for theft. How are those faxes disposed of once the credit card has been charged?

    A good Formal Written Procedure will identify all of the business' risks of ANY kind, and create processes and procedures to mitigate those risks. Many of the procedures in the Formal document will be inspired by Red Flag Rule compliance, but many may NOT, (see below).

  • Is there more to Cyber Liability than the Red Flag Rule?

    YES, the key to obtaining sound Cyber Liability coverage lies in comprehensive Formal Written Procedures. These Formal Written Procedures will serve to satisfy the FTC Red Flag Rule, but they should address far more.

    Red Flag Rule compliance will only address one component of Cyber Liability Cover, Extra Expense due to careless handling of the business' or client's private financial information. The Red Flag Rule doesn't address a major component of Cyber Liability, risk of Third Party suit due to the content of a business' Web site.

    Formal Written Procedures should identify these Third Party Risks, and define steps that must be taken to mitigate them.

    For example, a restaurant has a Web site with a guest registry where diners can post comments about their recent experiences.

    • Are these posts reviewed prior to being allowed on the site?
    • If an objectionable post ends up on the site, can it be taken down quickly?
    • Is the site periodically reviewed for objectionable content, hacks, etc.?

    A sample Formal Written Procedure addressing the above appears below (Section 1).

  • What does a Cyber Security / Privacy Policy Cover?

    Third Party Liability

    • Disclosure Injury - Including lawsuits alleging unauthorized access to or dissemination of the plaintiff’s private information. (Can be extended to outsourced data processing and data storage services.)
    • Content Injury – Including suits arising from intellectual property infringement, trademark infringement, and copyright infringement.
    • Reputational Injury – Including suits alleging disparagement of products or services, libel, slander, defamation, and invasion of privacy.
    • Conduit Injury – Including suits arising from system security failures that result in harm to third-party systems.
    • Impaired-Access Injury – Including suits, civil fines and penalties arising from system security failure resulting in your customer’s systems being unavailable to its customers.

    First Party Cyber Crime Expenses

    • Privacy Notification Expenses – Including printing, drafting, postage, call center costs and advertisements, cost of credit-monitoring services, credit freezes and fraud alerts for affected customers (even when state law doesn’t require notification). Estimated at $30 per person.
    • Forensic Costs – Costs of determining how the breach occurred.
    • Crisis Management and Reward Expenses – Including the cost of public relations consultants to maintain the reputation of the business.
    • E-Business Interruption – Including first-dollar extra expense.
    • E-Theft and E-Communication Loss – Extended to networks outside of your company’s system.
    • E-Threat or Cyber Extortion - Including the cost of a professional negotiator and ransom payment to stop cyber attacks caused by malicious hackers.
    • E-Vandalism Expenses – Even when the vandalism is caused by an employee.
  • Examples of Cyber Risk

    A manufacturer hosted a site banner for a key vendor. The manufacturer was unaware that the vendor's slogan was similar to a slogan of a company based in France. The manufacturer was dragged into an international trademark infringement lawsuit for $700,000.

    During a national trade convention, the CFO of a prominent company read from a media kit about its products and those of competitors, including defamatory comments about the executive officers of a competitor. The competitor sued for libel and slander for $1.5 Million.

    A bookseller created a Web site to promote itself. The Web site included passages from books. The publisher and author of one of the books quoted on the Web site sued the bookseller, alleging copyright infringement and theft of intellectual property. The case settled for approximately $60,000. The bookseller incurred defense costs close to $35,000.

Section 1 Third Party Risk

Section 1.1 Defamation/Slander/Libel

Risk Identification

The company maintains a Web site for each of its restaurants. Each website has a guest registry where patrons may post comments about their experience at the restaurant. These posts may be made anonymously; no password or login id is required.

Risk Assessment

A post could end up on our public Web site that is defamatory, slanderous or libelous to a third party.

Mitigating Factors

  • The Web Site 'guest registry' is powered by the XYZ Blog Engine, running on the Unix platform, hosted with ABC hosting. The login security of this system is satisfactory.
  • The blog engine is set to NOT allow posts onto the public Web site until a blog administrator has reviewed the post.
  • The blog engine has the profanity filter turned on, and profane words are automatically replaced with '#$@?'
  • The blog engine administrative login id and password are known only to Sally Smith, Office Manager, and Bob Jones, President.
  • The blog engine is configured with a 'report abuse' link for every post. Clicking this link will immediately send a high priority email message to Sally Smith and Bob Jones.

Procedures

  • Sally Smith checks for Blog entries every Monday morning. She reviews them and posts them to the public site if appropriate.
  • If Sally Smith is sick or on vacation, Bob Jones checks the Blog entries Monday morning.
  • When approving posts, Sally and/or Bob will:
    • Delete any reference to any other business by name
    • Delete Full Names, replacing them with First Name, Last Initial, or some other appropriate moniker
  • After reviewing blog posts, Sally Smith or Bob Jones check all four pages of each Web site, looking for any unauthorized modifications.
  • If anyone clicks on a report abuse link in the Guest Registry, either Sally Smith or Bob Jones will remove the post ASAP.
  • After a post is taken down, it will be reviewed by both Sally Smith and Bob Jones, and both must agree that the post is OK prior to putting it back.
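The mitigating factors and procedures above describe a moderation workflow: anonymous posts are held until an administrator reviews them, profanity is masked, other businesses and full names are stripped on approval, a report-abuse click takes a post down and alerts both reviewers, and a taken-down post only returns when both reviewers agree. The following Python model of that workflow is an added example written for this page; it is not code from the sample procedure, from NEEIS, or from any blog engine (the "XYZ Blog Engine" above is a placeholder name). The profanity word list, the competitor name list, the sample post text and the in-memory `outbox` standing in for the high-priority email are all constructed assumptions, and the full-name heuristic is a simple regular expression that supports, rather than replaces, the human reviewer.

```python
"""Guest-registry moderation queue modelled on the sample Formal Written Procedure.

Added example; word lists, names in posts and the notification outbox are constructed.
"""
import re
from dataclasses import dataclass, field

REVIEWERS = {"Sally Smith", "Bob Jones"}   # the two blog administrators named in the procedure
PROFANITY = {"darn", "heck"}                # constructed stand-in for the engine's profanity list
MASK = "#$@?"                               # replacement string from the sample procedure
OTHER_BUSINESSES = {"Rival Bistro"}         # constructed list of other businesses to remove by name

PENDING, PUBLISHED, TAKEN_DOWN = "pending", "published", "taken_down"


@dataclass
class Post:
    post_id: int
    text: str
    state: str = PENDING
    restore_approvals: set = field(default_factory=set)   # reviewers who agreed to restore


class GuestRegistry:
    def __init__(self):
        self.posts = {}
        self.next_id = 1
        self.outbox = []   # stands in for the high-priority email sent on 'report abuse'

    def submit(self, text):
        """Anonymous submission: profanity is masked and the post is held, never auto-published."""
        post = Post(self.next_id, self._mask_profanity(text))
        self.posts[post.post_id] = post
        self.next_id += 1
        return post.post_id

    @staticmethod
    def _mask_profanity(text):
        pattern = r"\b(" + "|".join(re.escape(w) for w in sorted(PROFANITY)) + r")\b"
        return re.sub(pattern, MASK, text, flags=re.IGNORECASE)

    @staticmethod
    def _redact(text):
        # Delete references to other businesses by name ...
        for name in OTHER_BUSINESSES:
            text = text.replace(name, "[another business]")
        # ... and reduce "First Last" to "First L." (two-capitalised-word heuristic; constructed).
        return re.sub(r"\b([A-Z][a-z]+) ([A-Z][a-z]+)\b",
                      lambda m: f"{m.group(1)} {m.group(2)[0]}.", text)

    def pending(self):
        """What the Monday-morning review sees."""
        return [(p.post_id, p.text) for p in self.posts.values() if p.state == PENDING]

    def public_posts(self):
        return [p.text for p in self.posts.values() if p.state == PUBLISHED]

    def approve(self, post_id, reviewer):
        """Only an administrator may publish, and only from the pending state."""
        if reviewer not in REVIEWERS:
            raise PermissionError(f"{reviewer} is not a blog administrator")
        post = self.posts[post_id]
        if post.state != PENDING:
            raise ValueError("only pending posts can be approved")
        post.text = self._redact(post.text)
        post.state = PUBLISHED

    def report_abuse(self, post_id):
        """Anyone may click the link: the post comes down at once and both reviewers are alerted."""
        post = self.posts[post_id]
        if post.state == PUBLISHED:
            post.state = TAKEN_DOWN
            post.restore_approvals.clear()
        self.outbox.append(f"HIGH PRIORITY: post {post_id} reported; "
                           f"to {', '.join(sorted(REVIEWERS))}")

    def restore(self, post_id, reviewer):
        """Two-person rule: a taken-down post goes back only when every reviewer has agreed."""
        if reviewer not in REVIEWERS:
            raise PermissionError(f"{reviewer} is not a blog administrator")
        post = self.posts[post_id]
        if post.state != TAKEN_DOWN:
            raise ValueError("only taken-down posts can be restored")
        post.restore_approvals.add(reviewer)
        if post.restore_approvals == REVIEWERS:
            post.state = PUBLISHED
            return True
        return False


if __name__ == "__main__":
    registry = GuestRegistry()
    pid = registry.submit("Darn good food, better than Rival Bistro. Ask for John Doe!")
    print("pending:", registry.pending())
    registry.approve(pid, "Sally Smith")
    print("public:", registry.public_posts())
    registry.report_abuse(pid)
    print("after report:", registry.public_posts(), registry.outbox)
    registry.restore(pid, "Bob Jones")
    print("one approval:", registry.public_posts())
    registry.restore(pid, "Sally Smith")
    print("both approved:", registry.public_posts())
```

The two points worth noticing are the defaults: a post never reaches the public site without passing through `approve`, and a takedown is one click while a restore needs both named reviewers, which is the same asymmetry the written procedure requires.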
New Empire Entertainment Insurance Services, Inc. © 2009 CA License #0G22805