Issue link: http://read.dmtmag.com/i/613635
I DA U N I V E R S A L N ove m b e r - D e ce m b e r 2 0 1 5 78 LEGAL LINE Continued from page 11 Today, however, this business model is completely paralyzed by a new form of risk: cyber security. is risk has been publicized with the rash of massive data breaches in credit cards, HR databases, government agencies and similar "big data" environ- ments. is new world crisis now is fi ltering down to businesses like those of IDA members, many of whom now heavily rely upon credit cards for both domestic and international transac- tions and perform virtually all business transactions electronically. In this context, banks, credit card exchanges/ servicers, vendors and others are demanding that "indem- nities" be incorporated into their agreements with the businesses they communicate with electronically. While the idea of indem- nity is not novel, in the past this merchant obligation has been confi ned substantively to making a bank or servicer "whole" if it remitted to the merchant on a transaction where the card or other form of payment became uncol- lectible. us, the merchant's risk was limited to the uncol- lectible amount, and the buck or euro stopped there. is has changed for the worse for the manufacturers, sellers and/or distributors – be it downstream to their customers, upstream to their vendors, to OEMs and affi li- ated customers, or to servicers and banks. For example, some vendors to our industry and IDA members have required (or are considering requiring) indem- nity, not for conventional risks or problems with products, but against the member-customers who might become conduits for cyber invasion of the vendors' data systems. Essen- tially, this could mean that if a member sells a product to its customer via the Internet, it is re-sold via the Internet, and this series of transactions – each of which also could involve electronic intermediaries for payment, shipping, and so on – inadvertently creates a hacking conduit that damages the upstream vendor, payment of damages is required. How can this risk be evalu- ated? What if an innocent sale to a customer in Cameroon results in the drop shipment of parts from a vendor's warehouse in Europe, where a worm hole is used by a hacker in Burundi to crash the billion- dollar vendor's system? If there is a cyber-risk/loss indemnity in the agreement with the vendor, pay up or go broke. Not unexpectedly, the insurance industry is just as ill-equipped as the possible insureds to both evaluate and "price"' this risk – if you can even fi nd an insurer who will place this risk, and at an aff ordable price. Since the useful personal experience and judgment of people like the famous Lloyd's 'Names' no longer exist, insurance companies are scrambling to determine whether cyber- security is something they even want to insure, with whom they can re-insure the risk, and of course, how much they can squeeze from the policy holder and still sell the insurance. Coupled with this genuine mess is the fact that the insur- ance companies' boots on the ground, their agents, don't really have ready answers. us, an experienced corpo- rate insurance agent will have a diffi cult time even fi nding a market to insure your new indemnity obligations. is also brings up the inconve- nient topic of price, which presently cannot be deter- mined reliably by conventional underwriting protocols, in part because of the multiple paths that the hypothetical risk can take into and out of somebody's computer system. From information recently provided by several major insurers, the "answer" o en has been, "We price each policy based on the situa- tion." Also, one factor seems to be the size of the insured's business, basically a combina- tion of the scope of the risk and the tolerance for premium pain. In one example, a $500,000 policy with enough exceptions to resemble invisible ink could cost a $10,000,000 company $75,000 per year. Also implicit in this equation is that if any kind of claim is made or a signifi cant loss is paid, regardless of the cause, the annual renewal, if any, will have an astronomic price tag. is situation poses an incredible dilemma for a business. First, should this type of risk be assumed internally? Simply put, if your system is hacked, or connected systems (with no defi ned indemnity obligations) are compromised, you pay for your own problems. Second, even if this is not an accept- able risk, what is price protec- tion, and what do you really get for the money? ird, if a customer or vendor demands indemnity, then "Part 2" of such a demand is always the establishment of an insurance policy that not only insures you, but your vendor/customer, as well. is can drive a decision to do business with an entity or not, or at what price. e last thing anyone needs is another so cost against profi t margins, and one that cannot be passed on easily. Lastly, in many reported instances, to even obtain and keep "cyber insurance," the insured must install and maintain new, and possibly costly and cumber- some, security sub-systems. If those become obsolete, or fail through "fault"' of the insured, coverage may not apply. In essence, instead of seeking insurance for known or even remotely possible risks, you are seeking insur- ance for situations that have not even occurred yet, as countless people all over the world are developing cyber threats. Indeed, in addition to the expected the of money or political reasons, in many instances of hacking, o en the only motive is simply to defeat some notable system for personal satisfaction. What is the answer to the problem? It is certainly not clear, but the fi rst step should be to start evaluating the problem with your advisers and insurers. is way, you have a chance to get in front of the situation NOW, so that you will have the tools THEN to make what indeed might be an inevitable business decision about key parts of your enter- prise in the near future. ●