First and third party liability are what large IT vendors usually look for in cyberinsurance, but with the heavy damage from a large-scale security breach, IT vendors are increasingly looking for privacy extensions and data breach crisis response coverage, industry watchers note.
According to Jody Westby, CEO of Global Cyber Risk Group and adjunct professor at Georgia Institute of Technology's School of Computer Science, IT vendors are increasingly concerned about having adequate first and third party liability coverage.
First-party coverage is for direct losses experienced by the insured such as recovering lost or destroyed data, notification, monitoring and forensic investigation expenses, and business interruption losses, Ian Pollard, Asia-Pacific and Far East regions vice president of Financial Lines at Chartis, explained.
On the other hand, third-party coverage insures policyholders against losses incurred by customers, credit card companies and banks, and any legal damages that is third party liability for privacy breaches such as notification and regulatory costs coverage for fines and penalties, he added.
Their growing concern comes in light of breaches and security incidents involving theft of confidential and propriety data giving companies a "heightened awareness" of these threats, Westby explained. As companies increasingly turn to cloud and outsourcing as a means of controlling costs, they also become the key targets of cybercriminals because they have rich repositories of data, she added.
Demand for privacy, reputation damage coverage
That said, large IT vendors have also become interested in insurance products with privacy extensions, Rick Betterley, president of Betterley Risk Consultants, observed.
This protects the company against the defect, deficiency or inadequacy in their product or service in the contract, Veronica Sommariba, senior vice president and technology manager for commercial insurance at Chubb Group of Insurance Companies, explained.
"They are concerned about protecting their company against lawsuits alleging errors, including those that result in a security breach of their customers' systems," Betterley said.
Such privacy extensions also provide additional coverage for a breach of their own system, which is becoming more important as regulators "crack down" on breaches and as customers ask for insurance protection from IT vendors, he added.
Data crisis response coverage, whereby the insurer has direct access to a public relations specialist and legal firms in the event of a breach, is also becoming increasingly popular, Pollard added.
Betterley agreed crisis management benefits are increasingly becoming a criteria for insurers so they can restore their reputation. The reputation damage from a breach can be "extremely severe", especially for large companies who are keen to preserve their "names within the industry", he explained.
With the proliferation of social media and forums, some IT vendors also look for media content insurance coverage, which responds to online defamation of their brand names and infringement of intellectual property rights, Pollard pointed out.
He was responding to the introduction of an insurance policy aimed at U.K. consumers by information privacy company ALLOW, which pays up to £10,000 (US$16,200) for identity theft, account hijacking and reverse search engine optimization (SEO) to bury negative content.
One recent example of a brand suffering a potential reputation hit from a cyberattack, saw hackers gaining control of Reuters news agency's blogging platform and Twitter account in August posting a false story and a stream of false Tweets over issues in the Middle East.