GUEST POST: Can Your Cyber Policy Handle The Truth (About Your Employees)?


Because all of the images of Colonel Jessup ordering a Code Red are copyright protected, you get this one of Jack. But, better than Jack, today you get (not Wednesday’s Powerball jackpot numbers, but) a guest post from my colleague, Jordan Rand. In addition to having a half-decent jump shot, Jordan is developing a niche practice in cyber insurance, which could come in handy for many of you given the data breach risks that your employees present.

Anyway, check out Jordan’s post below. And, if you’re in or around Denver on February 17, check him out at the University Risk Management and Insurance Association’s Western Regional Conference, where he’s presenting “Cyber 2.0: What We’ve Learned So Far and What We Haven’t.”

If you want to connect with Jordan, you can email him.


Do you want answers?  Do you want the truth?

Between 10% and 20% of data breaches are caused by your own employees. On purpose.

You already knew that?  Did you know that your cyberinsurance policy may not cover a loss under those circumstances?

A typical feature of many traditional insurance policies (CGL, E&O, D&O) is that losses caused by an employee’s intentional wrongful acts are excluded unless Employee Dishonesty (or Commercial Crime) coverage is added by endorsement.  There are even separate policies available to cover these types of losses.  Like many other traditional approaches to policy underwriting, this trend has made its way into stand-alone cyberinsurance policies.

Not having this coverage is a risky proposition.

On September 23, 2014, the Department of Homeland Security (DHS) issued a Public Service Announcement titled, “Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information.” DHS found that “an increase in network exploitation and disruption by disgruntled and/or former employees … pose[d] a significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on.” Rut-roh. [Editor’s Note: I once attended a deposition where the witness was asked to explain his use of “rut-roh” in email. Pure hilarity.]

Does your policy cover a data breach caused by the intentional wrongful acts of an employee?  Maybe.  To beat a really dead horse, there’s a lot of inconsistency in the forms.  Some carriers exclude this coverage, others offer it as an add-on, and some policies contain only limited exclusions applicable to the highest level corporate officers while covering criminal acts by lower level employees.  With this broad range of treatment, this issue must be carefully scrutinized during the policy procurement process.

Even if you can handle the truth, consider implementing some of the recommendations in DHS’ PSA.  After all, we live in a world where data has to be guarded by men with guns.  Or at least secure passwords, network segmentation and other should-be-standard data security measures.
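As an added illustration (not part of Jordan’s post or of the DHS PSA), here is the kind of check that addresses the former-employee exposure the PSA describes: reconcile the HR separation list against an export from the identity system and flag any separated employee whose account is still enabled, or was used after the separation date, with privileged accounts listed first. The records, field names and dates below are constructed for this example.

```python
from datetime import date, timedelta

# Constructed sample data (assumptions for this example, not real records).
# HR separation list: username -> last day of employment.
TERMINATIONS = {
    "jdoe": date(2014, 9, 1),
    "asmith": date(2014, 9, 15),
    "bjones": date(2014, 8, 20),
}

# Identity-system export: one row per account. "admin" marks privileged access.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": date(2014, 9, 10), "admin": False},
    {"user": "asmith", "enabled": False, "last_login": date(2014, 9, 14), "admin": False},
    {"user": "bjones", "enabled": True, "last_login": date(2014, 8, 19), "admin": True},
    {"user": "cwu", "enabled": True, "last_login": date(2014, 9, 22), "admin": False},
]


def audit_separations(accounts, terminations, today, grace_days=0):
    """Return findings for separated employees whose access was not revoked.

    Each finding is (user, issue, days, admin):
      still_enabled           - account still active more than grace_days after separation
      login_after_termination - a login recorded after the separation date
    Findings are ordered with privileged accounts first, then by age.
    """
    findings = []
    for acct in accounts:
        separated_on = terminations.get(acct["user"])
        if separated_on is None:
            continue  # current employee; out of scope for this check

        revoke_by = separated_on + timedelta(days=grace_days)
        if acct["enabled"] and today > revoke_by:
            findings.append((acct["user"], "still_enabled",
                             (today - separated_on).days, acct["admin"]))

        last_login = acct.get("last_login")
        if last_login is not None and last_login > separated_on:
            findings.append((acct["user"], "login_after_termination",
                             (last_login - separated_on).days, acct["admin"]))

    # Privileged accounts first (admin=True sorts before False), oldest exposure next.
    return sorted(findings, key=lambda f: (not f[3], -f[2]))


if __name__ == "__main__":
    for user, issue, days, admin in audit_separations(ACCOUNTS, TERMINATIONS, date(2014, 9, 23)):
        print(f"{'PRIVILEGED ' if admin else ''}{user}: {issue} ({days} days)")
```

Run against a real export, the same loop works unchanged; the only project-specific parts are how the two inputs are pulled (an HRIS report and a directory query) and what grace period, if any, the offboarding procedure allows.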

Image Credit: “Jack Nicholson – 1976” by AP Wire Photo – ebay. Licensed under Public Domain via Commons.