
Frequently Asked Questions (FAQs)

What is Cyber Liability Insurance?

What does Privacy Liability cover?

What does Privacy Regulatory Claims Coverage cover?

What does Security Breach Response Coverage cover?

What does Security Liability cover?

What does Multimedia Liability cover?

What does Cyber Extortion cover?

What does Business Income and Digital Asset Restoration cover?

What is “PCI-DSS Assessment” coverage?

What does Deceptive Transfer Fraud cover?

What is the cost of not buying the coverage and self-insuring a data breach?

Isn’t this already covered under most business insurance plans?

Are businesses required to carry this coverage?

Do small businesses need this coverage?

If e-commerce functions such as payment processing or data storage are outsourced, do I still need this coverage?


What is Cyber Liability Insurance?
“Cyber” Liability insurance coverage protects a business or organization against:

  • Liability claims involving the unauthorized release of information that the organization has a legal obligation to keep private
  • Liability claims alleging personal injury and/or intellectual property violations in a digital, online or social media environment
  • Liability claims alleging computer security failures that result in data deletion or alteration, transmission of malicious code, denial of service, etc.
  • Defense costs in State or Federal regulatory proceedings that involve violations of privacy law; and
  • The provision of expert resources and monetary reimbursement for out-of-pocket (1st Party) expenses associated with the appropriate handling of the types of incidents listed above

In addition to electronic hacking or online activities, Cyber Liability Insurance provides coverage for private data and communications in many different formats – paper, digital or otherwise.

What does Privacy Liability cover?
The Privacy Liability insuring agreement should go beyond what most popular “Data Breach” policies offer, which is liability protection for the Insured against the unauthorized release of Personally Identifiable Information (PII), Protected Health Information (PHI) and corporate confidential information. The policy should provide true “Privacy” protection, meaning the definition of Privacy Breach also includes violations of a person’s right to privacy, publicity given to a Privacy Breach, etc. Because the information lost in a data breach will not always fit State- or Federal-specific definitions of PII or PHI, the policy should broaden coverage to help fill these potentially costly gaps.

What does Privacy Regulatory Claims Coverage cover?
The Privacy Regulatory Claims Coverage insuring agreement covers both the legal defense and the resulting fines and penalties arising from a regulatory claim made against the Insured that alleges a privacy breach or a violation of a Federal, State, local or foreign privacy statute or regulation.

What does Security Breach Response Coverage cover?
This 1st Party coverage reimburses an Insured for costs incurred in the event of a security breach involving the personal, non-public information of its customers or employees. Examples include:

  • The hiring of a public relations consultant to help avert or mitigate damage to the Insured’s brand
  • IT forensics, customer notification and 1st Party legal expenses to determine the Insured’s obligations under applicable Privacy Regulations
  • Credit monitoring expenses for affected customers

In instances where there is no legal duty to notify, but the Insured believes notification will mitigate potential brand damage, the policy may extend coverage to voluntary notification. Such voluntary notification requires the prior written consent of the insurance company.

What does Security Liability cover?
The Security Liability insuring agreement covers the Insured against “Security Wrongful Act” allegations, including:

  • The inability of an authorized third party to gain access to the Insured’s computer systems
  • The failure to prevent unauthorized access to or use of a computer system, and/or the failure to prevent false communications such as “phishing,” resulting in the corruption, deletion of or damage to electronic data, theft of data, or denial of service attacks against third-party websites or computer systems
  • The failure to prevent the transmission of malicious code from the Insured’s computer system to a third party’s computer system

What does Multimedia Liability cover?
The Multimedia Liability insuring agreement provides broad coverage against allegations including:

Defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright infringement and other forms of intellectual property infringement (patent infringement excluded) arising from the Insured’s communication of media content in electronic (website, social media, etc.) or non-electronic form

What does Cyber Extortion cover?
The Cyber Extortion insuring agreement covers the expenses of responding to an extortion threat and any payment made to the extorting party to avert the threatened harm to the Insured, such as the introduction of malicious code, system interruption, data corruption, or the destruction or dissemination of personal or confidential corporate information.

What does Business Income and Digital Asset Restoration cover?
The Business Income and Digital Asset Restoration insuring agreement covers lost earnings and the expenses incurred because of a security compromise that leads to computer system failure or disruption, or to an authorized third party’s inability to access a computer system. The cost of restoring or recreating digital (not hardware) assets to their pre-loss state is also covered. In addition, the definition of Computer System includes not only systems under the Insured’s direct control, but also systems under the control of a Service Provider with whom the Insured contracts to hold or process its digital assets.

What is “PCI-DSS Assessment” coverage?
The Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 through a collaboration of the major payment card brands to bring standardized security best practices to the processing of card transactions. It sets out six goals and 12 requirements that merchants and service providers must meet in order to be “PCI Compliant.” A Cyber Policy can help offset the assessments, fines and claim expenses that the Insured is contractually obligated to pay to the card brands or its acquiring bank when a breach involving cardholder data reveals a failure to comply with the standard.

What does Deceptive Transfer Fraud cover?
Payment for the loss of funds resulting directly from a funds transfer, payment or delivery from your account, made as the direct result of your employee being intentionally misled through a misrepresentation of a material fact (a “Deceptive Transfer”), where the request:

  • is relied upon by an employee;
  • is sent via a telephone call, email, text, instant message, social media or any other electronic instruction, including a phishing, spear phishing, social engineering, pretexting, diversion or other confidence scheme;
  • is sent by a person purporting to be an employee, customer, client or vendor; and
  • has had its authenticity verified in accordance with your internal procedures

Note the last condition: coverage depends on the Insured actually following its own documented verification procedure (for example, a call-back to a known number) before the transfer is released, so those procedures should exist in writing and be practiced consistently.

What is the cost of not buying the coverage and self-insuring a data breach?
According to the Ponemon Institute’s annual “Cost of a Data Breach” report, the average cost paid for each lost or stolen record is $221. This figure reflects both the indirect expenses associated with a breach (time, effort and other organizational resources spent during breach resolution, customer churn, etc.) and the direct expenses (customer notification, credit monitoring, forensics, hiring a law firm, etc.). Because every breach is different, and the per-record cost depends largely on the number of records compromised, it may be more accurate for small to mid-sized organizations to start with the lower figure of $65 per record (the average direct cost of a breach according to the Ponemon study) and multiply it by the estimated number of records containing PII, PHI or financial account information in the Insured’s control. This simple exercise helps a business quickly understand the financial value of carrying cyber insurance.

Isn’t this already covered under most business insurance plans?
The short answer is “No.” While liability coverage for data breach and privacy claims has been found in limited instances under General Liability, Commercial Crime and some D&O policies, those forms were not designed to respond to the threats of today’s 24/7 information environment. Where coverage has been afforded in the past, carriers (and the ISO, the Insurance Services Office that drafts standard policy forms) are adding exclusionary language in form updates to make clear that they do not intend to cover these threats. And in the rare instance that coverage is found under another policy, that policy lacks the expert resources and critical 1st Party coverages that help mitigate the financial, operational and reputational damage a data breach can inflict on an organization.

Are businesses required to carry this coverage?
While there is presently no law that requires a business or organization to carry Cyber Liability insurance, there is a national trend toward business contracts requiring proof of Cyber Liability coverage. In addition, the SEC encourages disclosure of this coverage as a way of demonstrating sound information security risk management. Laws such as HIPAA-HITECH, Gramm-Leach-Bliley and state-specific data breach laws continue to expand the notification requirements that follow a data breach, making proper notification more expensive.

Do small businesses need this coverage?
The Symantec 2014 Internet Security Threat Report states that small businesses were the target of 30% of spear-phishing attacks in 2013. In 2012, Verizon reported that approximately 40% of all data breaches that year occurred at companies with fewer than 100 employees. Even more alarming is the often-cited figure that 60% of companies that fall victim to a cyber-attack are out of business within six months. While breaches at public corporations and government entities garner the vast majority of headlines, small businesses are most at risk because of smaller information security budgets, limited personnel and less mature security controls.

If e-commerce functions such as payment processing or data storage are outsourced, do I still need this coverage?
The responsibility to notify customers of a data breach, and the legal liability for protecting customer data, remain with the business. Generally speaking, the business relationship exists between an organization and its customers, not between the customers and the back-office vendors that support the organization’s operations. Outsourcing business-critical functions such as payment processing, data storage and website hosting can help insulate an organization from risk; however, the contractual wording between the business, its customers and its vendors will govern how liability is assigned in a specific incident. A business should therefore review those contracts for indemnification, security and breach-notification obligations rather than assume the vendor carries the liability.
