Am I Exposed to Cyber Liability Losses?
Yes. If you utilize the convenience of digital records or the Internet, your operation has an exposure to privacy and security losses.
What is Cyber Liability Coverage?
An insurance product, providing a set of coverages to protect online activities, private data, and communications in many formats—paper, digital, or otherwise.
Why Should I Consider Cyber Liability Coverage?
- 43% Chance of cyber-related loss facing American businesses during the two-year period from 2012 to 2014
- $201 Average cost paid for each lost or stolen record containing sensitive information
- $5.9 million Average total cost to American organizations sustaining a privacy breach loss
- 44% Cyber-related losses stemming from malicious or criminal activity
- 40% Percentage of all data breaches in 2012 targeting small- to medium-sized businesses (100 or fewer employees)
- 60% Percentage of small businesses that are out of business within 6 months after sustaining a cyber-related loss
- (Sources: Ponemon Institute: Cost of a Data Breach 2014: United States; 2012 Verizon Security Threat Report)
Am I Protected if we Outsource our IT Functions?
Outsourcing management and security of your company's network or data does not transfer all risk or limit liability. If a cyber-related event results in damages to your customers or employees, your company bears the primary responsibility and will be the first to be sued. As the original data owner, your organization is ultimately responsible for any attack on or breach of its network, systems and information. Courts have consistently affirmed that the relationship exists between a business and its customers, not between its customers and third-party vendors. In most jurisdictions, the company will be the one responsible for legal liabilities, notification, and ultimate loss remediation.
Do I Have Cyber Liability Coverage in any of my Other Insurance Policies?
Protection for cyber liability exposures is excluded from nearly all general liability, crime, and directors and officers policies. If coverage is included in one of these policies, it is most likely limited in scope, with low limits, and does not include the expert loss remediation and crisis response expertise, or the first-party coverage, of a stand-alone form. Furthermore, carriers are taking great measures to include exclusionary cyber liability language in future form updates—if you previously had coverage, there is a great chance that it may be excluded going forward.
What Does Cyber Liability Protect? What are Some Claims Examples?
Network Security Liability – liability coverage for damages and claims expenses arising out of an actual or alleged act, error or omission resulting in:
- Failure to prevent unauthorized access or use of system, resulting in destruction, deletion, or corruption of electronic data, theft or loss of data, or denial of service
- Inability of a third party, who has authorization to do so, to gain access to your system
- Failure to prevent transmission of malicious code from your system to third-party CPUs and systems
Claim Example - Computer Virus
A computer virus directs infected computers to launch a denial of service attack against a regional medical center. The infection caused an 18-hour shutdown of the center's computer systems. The center incurred extensive costs and expenses to restore their system, as well as business interruption expenses totaling approximately $875,000.
When reviewing confidential project plans, an architect's system is breached, resulting in the plans being released to the general public. The architecture firm is sued by the general contractor and the client for damages. Fortunately, the firm carried cyber liability coverage and was able to use policy limits to settle for an undisclosed amount.
A disgruntled employee deletes records and changes administrator passwords in a system prior to his departure. Repairing the problem required $500,000 worth of IT security consulting to resolve access and restore data.
Privacy Liability – provides coverage if an organization fails to protect electronic or non-electronic personally identifiable information (PII), protected health information (PHI), or otherwise confidential information in its care, custody or control.
Claim Example - Private Information
A nonprofit community action corporation printed two 1099 forms on one piece of paper. An employee was supposed to separate the forms and send each to its rightful owner. Instead, one person received both copies. The mistake sent tax forms and social security numbers to strangers. Approximately 50% of the landlords who work with the community action corporation received their forms in addition to the private information of the others.
Privacy Regulatory Claims Coverage – provides coverage for both legal defense and resulting fines/penalties from a regulatory claim made against the insured. A claim can result from a privacy breach or a violation of a governing statute or regulation.
Claim Example - Misplaced Storage Devices
A healthcare provider misplaced multiple storage devices which contained sensitive information for over one million patients. The provider could not determine whether the devices were lost, stolen or destroyed.
Lawyers advised the company to notify the affected individuals and assisted the company in addressing a regulatory investigation into the incident, which saw the company fined for failing to adequately protect the information.
Cover under this section allowed for the payment of legal fees incurred by the company in connection with responding to the investigation. It also provided coverage for a $75,000 fine. Legal costs were covered and totaled just over $1 million, including costs incurred in defending claims brought by affected individuals, costs associated with regulatory inquiries, and for miscellaneous notification related work. This type of breach triggers multiple insuring agreements, and overall costs were $5,000,000.
Security Breach Response Coverage – First-party coverage reimburses an insured for costs incurred in the event of a security breach of personal, non-public information of their employees or customers. Coverage may include:
- The hiring of a public relations consultant to help avert or mitigate damage to the Insured's brand
- IT forensics, customer notification and first-party legal expenses to determine the Insured's obligations under applicable Privacy Regulations
- Credit monitoring expenses for those affected
Claim Example - 3rd Party Service Provider
A regional retailer contracted with a third-party service provider. A burglar stole two laptops from the service provider containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer—not the service provider—was required to notify affected individuals. Total expenses incurred for notification and crisis management to customers were nearly $5 million.
A home healthcare organization had backup tapes, laptops, and disks stolen that contained social security numbers, clinical and demographic information, and, in a small number of cases, patient financial data. In total, over 365,000 patient records were exposed. The organization settled with the state attorney general, providing patients with free credit monitoring, credit restoration to patients who were victims of identity fraud, and reimbursement to patients for direct losses that resulted from the data breach. The organization was also required to revamp its security policies, implement technical safeguards, and conduct random compliance audits.
Multimedia/Media Liability – provides coverage against allegations that include:
Defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patent excluded) in the course of the Insured's communication of media content in electronic (Website, social media, etc.) or non-electronic forms.
Claim Example - Cyber Extortion
An employee, whose husband was running for public office, utilized her employer's social media platform to publicize her husband's campaign and publish disparaging remarks about his opponent. The opponent sued the company for libel following his election loss. The company was forced to settle for an undisclosed amount.
Cyber Extortion – provides coverage relating to the expense and payments to a harmful third party to avert potential damage threatened against the Insured, such as the introduction of malicious code, system interruption, data corruption or destruction or dissemination of personal or confidential corporate information.
Claim Example - Hacker for Hire
A U.S.-based information technology company contracted with an overseas software vendor. The contracted vendor left universal “administrator” defaults installed on the company's server, and a “Hacker for Hire” was paid $20,000 to exploit such vulnerability. The hacker advised that if the requested payment was not made, he would post the records of millions of registered users on a blog available for all to see. The extortion expenses and extortion costs are expected to exceed $2 million.
Business Interruption & Digital Asset Restoration – provides for lost earnings and expenses incurred because of a security compromise that leads to the failure or disruption of a system, or an authorized third party's inability to access a computer system. It also provides for restoration costs to restore or recreate digital (not hardware) assets to their pre-loss state.
Claim Example - Data Recovery and Business Income Loss
A leading provider of managed services, including IT platform hosting and infrastructure and support services, suffered a sophisticated electronic security breach. The company had an extensive mainframe platform with partitions configured to customer requirements. A hacker employed malicious software tools and used masking techniques on the company's mainframe, concealing their IP address to gain unauthorized access to the network. The security breach cost over $1 million to resolve, including $600,000 for data recovery and business income loss.