What is Cyber Liability Insurance?
What does Privacy Liability Insurance cover?
What does Privacy Regulatory Claims Coverage cover?
What does Security Breach Response Coverage cover?
What does Security Liability cover?
What does Multimedia Liability cover?
What does Cyber Extortion cover?
What does Business Income and Digital Asset Restoration cover?
What is “PCI-DSS Assessment” coverage?
What does Deceptive Transfer Fraud cover?
What is the cost of not securing coverage and self-insuring a data breach?
Isn’t cyber already covered under most business insurance plans?
Are businesses required to carry this coverage?
Do small businesses need this coverage?
If e-commerce functions such as payment processing or data storage are outsourced, do I still need this coverage?
Cyber Liability insurance coverage
protects a business or organization from:
- Liability claims involving the unauthorized release of information for which the organization has a legal obligation to keep private
- Liability claims alleging personal injury and/or intellectual property violations in a digital, online or social media environment
- Liability claims alleging computer security failures that result in data deletion/alteration, transmission of malicious code, denial of service, etc.
- Defense costs in state or federal regulatory proceedings that involve violations of privacy law; and
- The provision of expert resources and monetary reimbursement for out-of-pocket (1st party) expenses associated with the appropriate handling of the types of incidents listed above
In addition to electronic hacking or online activities, Cyber Liability Insurance provides coverage for private data and communications in many different formats – paper, digital or otherwise.
The Privacy Liability insuring agreement must go beyond providing liability protection against the unauthorized release of personally identifiable information (PII), protected health information (PHI), and corporate confidential information like most popular “data breach” policies. Privacy liability should provide true “privacy” protection in that the definition of privacy breach includes violations of a person’s right to privacy, privacy breach publicity, etc. Because information lost in every data breach may not fit state or federal definitions of PII or PHI, the policy should broaden coverage to help fill these potentially costly gaps.
The Privacy Regulatory Claims Coverage insuring agreement provides coverage for both legal defense and the resulting fines/penalties from a regulatory claim made against the insured. It provides for allegations of a privacy breach or a violation of a federal, state, local or foreign statute or regulation with respect to privacy regulations.
This 1st party coverage reimburses an Insured for costs incurred in the event of a security breach of personal, confidential information of their customers or employees. Examples include:
- The hiring of a public relations consultant to help avert or mitigate damage to the insured’s brand.
- IT forensics, customer notification and 1st party legal expenses to determine the insured’s obligations under applicable privacy regulations.
- Credit monitoring expenses for affected customers.
In instances where there is no legal duty to notify, but the insured believes notification will mitigate potential brand damage, the policy may extend coverage. Such voluntary notification requires prior written consent by the insurance company.
The Security Liability insuring agreement provides coverage for the insured for “security wrongful act” allegations, including:
- The inability of a third-party, who is authorized to do so, to gain access to the insured’s computer systems
- The failure to prevent unauthorized access to or use of a computer system; and/or the failure to prevent false communications such as “phishing” that results in corruption, deletion and/or damage to electronic data; theft of data; and denial of service attacks against third party websites or computer systems
- Protects against liability associated with the insured’s failure to prevent malicious code transmission from their computer system to a third party’s computer system
The Multimedia Liability insuring agreement provides broad coverage against allegations including:
Defamation, libels, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patent excluded) in the course of the insured’s communication of media content in electronic (website, social media, etc.) or non-electronic forms
The Cyber Extortion insuring agreement provides expense and payments to a harmful third party to avert potential damage threatened against the insured such as the introduction of malicious code, system interruption, data corruption, or destruction/dissemination of personal or confidential corporate information.
The Business Income and Digital Asset Restoration insuring agreement provides for lost earnings and expenses incurred because of a security compromise that leads to computer system failure or disruption, or, an authorized third-party’s inability to access a computer system. Restoration costs to reinstate or recreate digital (not hardware) assets to their pre-loss state are also covered. What’s more, the definition of computer system includes not only systems under the insured’s direct control, but also systems under the control of a service provider with whom the insured contracts to hold or process their digital assets.
The Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 through a collaboration of the major credit card brands as a means of bringing standardized security best practices for the secure processing of credit card transactions. There are six stated goals and 12 requirements that merchants and service providers must adhere to in order to be “PCI Compliant.” A cyber policy can help offset the cost of damages and claim expenses that the insured is legally obligated to pay for when there are violations of this agreement due to a breach involving cardholder data.
The payment for loss of funds resulting directly from funds transfer, payment or delivery from your account as the direct result of intentionally misleading of your employee, through a misrepresentation of a material fact (deceptive transfer) which is:
- Relied upon by an employee.
- Sent via a telephone call, email, text, instant message, social media or any other electronic instruction, including phishing, spear phishing, social engineering, pretexting, diversion or other confidence scheme.
- Sent by a person posing as an employee, customer, client or vendor.
- The authenticity of such transfer request is verified in accordance with your internal procedures
According to the IBM “Cost of a Data Breach Report,” the average cost paid for each lost or stolen record is $180, up 20% from the previous year. These numbers reflect both the indirect expenses associated with a breach (time, effort, other organizational resources spent during the data breach resolution, customer churn, etc.), as well as direct expenses (customer notification, credit monitoring, forensics, hiring a law firm, etc.). Since each breach is different, and the per-capita cost of a breach depends largely on the number of records compromised. It could be more accurate for small to mid-sized organizations to start with a lower number of $85/record, (the average direct costs associated with a breach according to the Ponemon study) and multiply this number by the estimated number of records containing PII, PHI or financial account information in the insured’s control. This simple exercise helps businesses quickly understand the financial value of implementing cyber insurance.
The short answer is, no. While liability coverage for data breach and privacy claims has been found in limited instances through General Liability, Commercial Crime and some D&O policies, these forms are not intended to respond to the modern threats posed in today’s 24/7 information environment. Where coverage has been afforded in the past, carriers (and the ISO) are taking great measures to include exclusionary language in form updates clarifying their intentions to not cover these threats. Additionally, in the rare instance that coverage is found through other policies, they lack the expert resources and critical 1st party coverages that help mitigate the financial, operational and reputational damages a data breach can inflict on an organization.
While there is presently no legal requirement for a business or organization to carry Cyber Liability insurance, a growing national trend requires cyber liability insurance coverage proof in business contracts. In addition, the U.S. Securities and Exchange Commission is encouraging disclosure of this coverage as a way of demonstrating sound information security risk management. Laws (e.g., HIPAA-HITECH, Gramm-Leach-Bliley, state-specific data breach laws) are continually driving demand for notification requirements following a data breach, making proper notification more expensive.
Unfortunately, no organization is safe. In fact, small and medium enterprises (SME) account for 43% of all cyberattacks. Last year alone, small businesses encountered a 424% increase in new cyber breaches.
An estimated 52% of data security breaches can be attributed to human error and system failure While experts recommend employing multi-factor authentication (MFA) as a preventative, it is significantly under-deployed in SMEs (18%) compared to very large businesses (43%).
These figures have led to the average organizational cost of cyberattacks (losses and expenses) totaling $1.2 million in 2020. A strong contributor to these elevating costs, a recent IBM survey discovered most data breaches take an average of 287 days to identify and contain.
More expensive than the average data breach ($4.24 million), a ransomware attack costs an average of $4.62 million. These figures include escalation, notification, lost business and response costs, but not the actual ransom request. Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million.
The responsibility to notify customers of a data breach and the legal liabilities associated with protecting customer data remain the responsibility of the business. Generally speaking, business relationships exist between organizations and their customers, not their customers and the back-office vendors assisting them in their operations. Outsourcing your business' critical functions (e.g., payment processing, data storage, website hosting), can help insulate organizations from risk. However, the contractual agreement wording between businesses, their customers and the vendors with whom they do business will govern the extent to which liability is assigned in specific incidents.