Cyber coverage Part 1


What are examples of federal statutes that could be violated?

1) Health Insurance Portability and Accountability Act (HIPAA) 2) The Health Information Technology for Economic and Clinical Health (HITECH) Act 3) Gramm-Leach-Bliley Act

What are the types of liability coverage that this policy will provide protection for?

1) Infringement or violation of another's copyright, title, slogan, trademark, trade name, trade dress, service mark or service name. Not limited to advertisements. a) Example: Unauthorized use of images or music when creating a web site 2) Disparagement or defamation (Libel or Slander) Examples: a) Negative comments are posted on the insured's web site about a competitor's product - if your insured is hosting a chat room over which they exercise true control. There is potential for a suit if there are posts talking bad about other products of businesses. b) Libelous information or incorrect information is posted on the web site or sent to others via email c) The business owner hosts, owns or exercises control of chatrooms or bulletin boards where disparaging comments about products or other people are posted

What types of products/services does cyber coverage provide protection for?

1. Computer systems 2. Websites 3. Business Transactions 4. Online Sales 5. Blogging 6. Bulletin boards 7. Collect/ transmit/ store private info 8. Send/receive emails 9. Electronic advertisements 10. Download info 11. Conduct webinars 12. Social media 13. Contract Bidding 14. CCC of Data

What are examples that could lead to a third party liability loss under the cyber policy?

1. Employees make mistakes and send emails and data to others than the intended individual(s). a. Send email to the wrong party 2. Employees intentionally send emails to others; however, sometimes the emails contain incorrect, damaging information, or information that violates the privacy of others. 3. Businesses create web sites that contain unauthorized use (infringement) of images, music, and/or documents belonging to others. 4. Businesses create web pages, bulletin boards, chatrooms, and/or post testimonials with content that defames others. 5. Businesses may receive and transmit information that contains a virus that may cause damage to another's computer system, or the business enterprise's computer system may be involved in denial of service attacks on third party computer systems and web sites. 6. Employees lose or have stolen laptops, PDAs, smart phones, tablets, flash drives, and/or other electronic devices that contain personal information or confidential client information, both on business owned devices and employee personal devices. [Should have a Mobile Device Management Plan in place.] 7. An unauthorized user (hacker), former employee, or a rogue employee may break into a computer system with intent to steal data, steal intellectual property, and/or distribute information that may hurt other people/businesses. Commonly known as a cyber attack. 8. A business that suffers a denial of service (DoS) attack or a distributed denial of service (DDoS) attack can be accused of breach of contract if clients are denied access to the web site. 9. Bad programming, poor quality control of source coding, or incorrect data entry may cause the loss of information that triggers the release of non-public private information. It could also cause machine language to fail and cause product or installation failures causing damages. 10. Violation of state, federal and other country statutes, especially those associated with non-public personally identifiable financial, health or other sensitive information

How can you provide coverage for an insured to address the cyber liability risk?

1. ISO 2. Package policies w/multi insuring agreements 3. Specialized Cyber Insurance Policy Types 4. Executive liability policy 5. Combination with other coverage forms.

How is advertisement defined in the CGL policy?

Advertisement means a notice that is broadcast or published to the general public or specific market segments about your goods, products or services for the purpose of attracting customers or supporters. Includes notices that are published on the internet or other electronic communication. Regarding web sites, only that part of a web site that is about your goods, products or services for the purposes of attracting customers or supporters is considered an advertisement.

What giveback is given from the CG 21 06 Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability - With Limited Bodily Injury Exception in the CGL policy

This giveback gives coverage when the damage of the data causes bodily injury. EX: Data at the doc office removes your allergies and the doctor gives you a shot that he shouldn't have and wouldn't have if the records were undamaged. Giving a penicillin shot when you are allergic to penicillin.

What is the Electronic Data Liability Coverage Form CG 00 65 04 13 that can be added to the CGL?

This is a claims made form. 1) Provides liability coverage for loss of electronic data caused by an "electronic data incident". (A single type of loss event response). • Broader than CG 04 37 in that there is no requirement that loss of data must be caused by physical injury to tangible property 2) Exclusions in this coverage form are problematic and still do not provide coverage for many cyber exposures. • Types of exclusions that are in this endorsement are

What are the two criteria to determine which policy will activate to cover a loss?

a. Claim made during the policy period or during the applicable Extended Reporting Period. AND b. Wrongful acts must have occurred after the retroactive date, if any, shown on Declaration and before the end of the policy period. Essentially the claim needs to fall between the retroactive date and the extended reporting period. The most current policy will activate for payment.

What is privacy liability coverage under the cyber liability policy?

a. Provides liability coverage due to the release of non-public personal information in violation of person's right to privacy b. Coverage may also include liability due to the release of confidential corporate information (not related to our info but third parties information)

How does the BOP address the interruption of computer operations exposure from the cyber point of view?

a. The BOP coverage extends Business Income and Extra Expense to apply to: 1) Suspension of operations 2) Caused by interruption of computer operations 3) Due to destruction or corruption of electronic data by a Covered Cause of Loss (Specified Causes of Loss as defined and Collapse. A covered cause of loss includes a computer virus, harmful code or similar instruction). b. No coverage for an interruption related to manipulation of a computer system caused by any employee, including a temporary or leased employee, or by an entity retained by the named insured to work on that computer system. c. Most paid under the BOP is $10,000 unless a higher limit is shown in the Declarations. d. The CPP does not provide any coverage for Interruption of Computer Operations unless the policy is endorsed with either CP 00 30 Business Income (And Extra Expense) Coverage Form or CP 00 32 Business Income (Without Extra Expense) Coverage Form. The most paid is $2,500 unless a higher limit is shown on the Declarations.

What does coverage apply to in the BOP in terms of the electronic data and cyber exposure?

a. The named insured's stock of prepackaged software, OR b. Electronic data which is integrated in and operates or controls the building's elevator, lighting, heating, ventilation, air conditioning or security system

What is security breach expense coverage available for first party losses?

a. Typically includes the costs to notify affected parties and may also include the costs to investigate the cause of a security breach (may be referred to as forensic investigation costs) b. May also provide for other reasonable expenses such as identity theft protection or credit monitoring. Examples: 1) Hotel offers discounted rates and provides $1 million in Identity Theft Protection to customers who have been affected by a computer security breach 2) A retail store offers free credit monitoring for a year to customers who have been affected by a computer security breach. Pays for the things that we do as an insured. EX: Equifax, because of the data breach, will have to send a notification to all parties of an event taking place in some way, shape, or form. Notification costs, investigation costs, other reasonable expenses would be covered by this.

How is electronic data defined on the BOP?

Info stored on computers, software, other electronic forms or computer programs.

What is the computer products or services exclusion on the Electronic Data Liability Coverage Form CG 00 65

No coverage for loss of data from negligent act, error or omission, or anyone acting on your behalf in providing computer products or services.

How are cyber liability policies typically written?

They are written on a claims made basis.

What is the performance of a contract exclusion on the Electronic Data Liability Coverage Form CG 00 65

"Loss of electronic data" arising out of a delay or failure by you or anyone acting on your behalf to perform a contract or agreement in accordance with its terms.

What is public relations expense coverage available for first party losses?

(also known as Crisis Management Expense) • Pays for the cost of retaining a public relations firm to protect or restore the named insured's reputation due to negative publicity resulting directly from a cyber-related event or security breach

What is replacement or restoration of electronic data coverage available for first party losses?

(also known as cyber vandalism coverage) • Typically pays for the cost to replace or restore the named insured's electronic data which has been destroyed or corrupted as a result of a cyber-related event

What are the examples of privacy liability?

1) Could be Personally Identifiable Information (PII), Personal Financial Information (PFI), or Protected Health Information (PHI) 2) Example: Employee accidentally emails personal information to wrong individual(s) [PII, PFI, or PHI] Example: Employee loses laptop containing confidential corporate or client information

How does a crime policy address cyber exposure for the insured.

1) Depending on the insuring agreement, there could be some coverage. 2. Some coverage may be provided by an endorsement. 3. Limitations can apply to the policy still.

How does the bop add coverage for cyber liability through its additional coverage for electronic data?

1) The CPP pays for the cost to replace or restore electronic data which has been destroyed or corrupted by a Covered Cause of Loss. - it has to be a covered cause of loss. The BOP has similar wording. A Covered Cause of Loss under an unendorsed ISO BOP is similar to the CP 10 30 Causes of Loss - Special Form. 2) If not replaced or restored, the loss will be valued at the cost of replacement of the media on which the electronic data was stored, with blank media of substantially identical type. 3) No coverage for loss or damage caused by any employee, including a temporary or leased employee, or by an entity retained by the named insured to work on that computer system. • Any employee includes temporary or leased employees. 4) Most paid under the CPP is $2,500 unless a higher limit is shown in the Declarations. Most paid under the BOP is $10,000 unless a higher limit is shown in the Declarations.

What are the three categories of cyber liability coverage?

1. Content liability 2. Privacy Liability 3. Security Breach Liability.

What is the purpose of cyber insurance?

1. Cyber Insurance is designed to protect against liability (third party) and first party claims that occur as a result of damages arising from an insured's cyber exposures. 2. Many Cyber Policies exclude Errors and Omissions due to programming, consulting, and other related services as mentioned in the previous section. It is best to purchase Technology E&O Insurance coverage for those risks in addition to Cyber Insurance.

How does the BOP address the cyber exposure through its limited coverage?

1. Electronic Data, except as provided under Additional Coverage, is not Covered Property under the Building and Personal Property Coverage Form (CP 00 10). The Property section of the Businessowners Coverage Form (BP 00 03) has similar wording.

What are the exclusions that are under the Electronic Data Liability Coverage Form CG 00 65?

1. Expected or intended loss 2. Contractual liability 3. Computer products or services exclusion 4. Bodily injury, property damage or personal and advertising injury 5. Damage to your data 6. Performance of a contract 7. Infringement of intellectual property rights 8. Unauthorized use of electronic data 9. Violation of an antitrust law 10. Criminal or fraudulent acts.

What are some examples of cyber transactions?

1. Manufacturer to wholesaler 2. Doc office to lab 3. Insurance agency to insuring company 4. Online sale to consumer 5. Law office to court system. Business to business, business to consumer, business to government.

What are the types of cyber insurance coverage that is available for first party losses?

1. Security Breach Expense 2. Business income and extra expense 3. Contingent business interruption or dependent entity 4. Extortion threat, ransom payment or rewards payment 5. Public Relations Expense 6. Replacement or Restoration of electronic data

What are examples that could lead to a first party liability loss?

1. Security breaches can result in costly notification expenses, identity theft expenses, defense expenses, regulatory proceeding expenses, fines and penalties, costs to investigate the source of the breach (forensic investigations), cost of public relations, business interruption, extra expenses, and/or costs to repair and replace data, etc. 2. A virus may cause damage to or loss or use of electronic data. Virus damages our data. 3. An unauthorized user (hacker), a former employee, or a rogue employee may alter, manipulate, damage or destroy data. Commonly known as electronic vandalism. 4. An unauthorized user (hacker), former employee or a rogue employee may breach a computer system and steal valuable data including intellectual property owned by the enterprise. Example: credit card, social, or other data housed on the system. 5. Unauthorized use that results in the theft of money, securities and other tangible property through computer fraud by the employee. 6. A Denial of Service or Distributed Denial of Service attack could result in a loss of income generated from the web site or social media platforms. 7. An unauthorized user (hacker) could breach a computer system and demand a ransom in return for not releasing valuable information (cyber extortion). Threatens to encrypt or does encrypt and demands bitcoin as payment for its release. 8. Loss of reputation and brand due to a security breach. EX: When Target had the large credit card breach 9. Extra Expenses incurred to recertify the computer system as compliant to the Payment Card Industry Data Security Standard to allow the business to again accept credit cards. In order to accept credit cards the system has to be certified as PCI compliant. If we are hacked or breached, we have to go through the recertification of our system again. 10. Extra Expenses to research and rebuild databases damaged by mechanical breakdown, electrical disturbances, temperature changes, humidity, theft, and other physical causes. 11. Reimbursement for "Social Engineering" business losses for the voluntary parting of money, securities, and other tangible property using a computer system. 12. Extra Expenses to clean up a business enterprise's web site infected with malware that slows the system down and inhibits business sales. Note: Keep in mind that not all of the above exposures, first and third party, will be able to be provided insurance protection or may need to be coordinated with other insurance coverages

Coverage of a cyber policy is intended for what kind of uses?

Coverage intended for users of the Internet and other technological products and services. a. Includes, but is not limited to businesses that have a computer system, send or receive emails, maintain a web site, use various forms of electronic advertisements, use the Internet to transact business or download information, online sales, conduct webinars, blogging, social media, bulletin boards, contract bidding, etc. b. This can also include the collections, transmission and storage of private information on consumers, employees, vendors, etc. c. Care, custody or control of data exposures for others

How does the CGL coverage B address the cyber risk?

Coverage B provides damages for personal or advertising injury, but it only provides coverage for defined offenses, like oral or written publication that libels or slanders an organization, including publication on the internet or other electronic communication.

What is the CG 24 13 amendment of personal and advertising injury definition?

It removes oral or written publication, in any manner, of material that violates a person's right of privacy as a covered offense. Beware of this endorsement.

What are executive liability policies?

Liability arising from cyber activities may be part of combination policy that includes Directors & Officers, Fiduciary Liability and/or Employment Related Practices

What is Security Breach coverage under the cyber liability policy?

Provides liability coverage (including fines or penalties assessed against the insured) due to any actual or alleged neglect, breach of duty or omission by an insured that could result in the following: a. Security breach of a computer system Example: Theft of credit card information by unauthorized users b. Transmittal, by e-mail or other means, of a virus to another person or organization Example: Unauthorized user transmits a malicious code that infects the insured's computer system and spreads to other computer systems c. Denial of Service attack Example: Hackers prevent authorized users from gaining access to the insured's computer system. Without access, those authorized users' own operations/service may fail or suffer.

What is content liability coverage under the cyber liability policy?

Provides liability coverage due to any actual or alleged error, misstatement or misleading statement posted or published by an insured that results in a third party suit. This is broader than what you would get on a CGL policy.

How does the CGL and the BOP handle cyber related exposures?

The CGL Policy is not designed to provide coverage for cyber related exposures. The CGL Policy is virtually useless for protecting an insured against cyber liability exposures. There is very limited protection by endorsement. Plus, many insurers will add exclusionary endorsements to further restrict or limit coverage. The BOP has similar wording. The mandatory exclusionary endorsement is usually added because the courts have found there to be some coverage when the carrier never intended on giving it.

Under coverage A of the CGL, how does the policy treat damages that it would cover which would require you to get a cyber policy?

The CGL requires that there be property damage to tangible property for coverage to take place. But the policy also indicates that electronic data is not considered to be tangible property. Therefore the coverage would not apply to it.

What are some of the exclusions in the CGL policy that discuss cyber liability and their inability to cover it.

The main exclusions on the CGL policy that address cyber liability are 1. Infringement Of Copyright, Patent, Trademark Or Trade Secret 2. Insureds In Media And Internet Type Businesses 3. Electronic Chatrooms Or Bulletin Boards

Life situation: Insured has a BOP with 10k in BI limit for electronic loss. Their business income consists of 75% from online sales. What can the insured do to address their exposure?

There are three things you can do. One is nothing. Two is you can increase the 10k limit to whatever you need it to be, but it is going to be expensive. Three, and the most cost effective way, is to buy some type of cyber risk policy that includes first party coverage for the business.

What is the Electronic Data Liability Endorsement CG 04 37 05 14 that can be added to a CGL policy?

This is a very limited giveback. 1) Provides BI and PD liability coverage for damages arising from loss or corruption of electronic data as a result of an occurrence that causes physical injury to tangible property Example: A contractor doing work for a customer accidentally causes a fire which damages the computer server (tangible property) that results in the loss of data. With this endorsement, the contractor has coverage for the loss or corruption of the customer's electronic data. 2) Limitations a) NO COVERAGE for damages arising out of loss of use of tangible property that has NOT been physically injured, except for bodily injury • There has to be physical injury to the tangible property b) NO COVERAGE for access or disclosure of confidential or personal information (data breach) c) Sublimit for Loss of Electronic Data Limit applies (Normally $100,000 to $300,000)

What are specialized cyber insurance policy types

While there are various Cyber Liability Policy types, many insurers have specialized policies, such as Technology Errors and Omissions that are designed specifically for technology service providers and technology product providers.

What are some possible solutions that you can implement on a CGL to cover some cyber gaps

You can get the: a. Electronic Data Liability Endorsement CG 04 37 05 14 b. Electronic Data Liability Coverage Form CG 00 65 04 13

How can businesses experience third and first party losses from cyber exposures?

a. Collection of private information on employees, clients, vendors, etc. b. Data storage both active and at rest • Data can be found on computer systems and/or software, including but not limited to hard drives, flash drives, disks, CD-ROMs, tapes, laptops, tablets, personal device accessories, and third-party locations (i.e., Cloud). c. Access to the Internet d. Web site or social media presence e. Integration, sharing or transmission of data and/or communications with others via the Internet f. E-commerce business transactions g. Credit card transactions h. E&O or Professional liability i. Internet of Things (IOT) and the communication systems through imbedded chips such as Smart Homes, etc. j. State and Federal laws

What is Extortion threat, ransom payment or rewards payment coverage available for first party losses?

a. Pays for loss due to an extortion threat b. Examples: 1) Hacker demands money in return for not releasing stolen credit card information or for de-encryption of quarantined data 2) An outside person or organization threatens to shut down the insured's computer system if the insured does not comply with their demands a) Issues that are happening now of people's iPhones being locked until they pay them in bitcoin. b) Threat of a DDOS on a system c) The virus that has been attacking police stations where they lock their system until they pay $100 in bitcoin.

What is Contingent business interruption or dependent entity coverage available for first party losses?

a. Pays for loss due to an interruption to the named insured's key supplier's computer system resulting from a cyber-related event b. Examples 1) The named insured suffers a business interruption loss because he/she cannot place his/her order with a key supplier whose computer system is shut down due to a virus. 2) Cloud provider fails to protect at rest data and a breach of data occurs. 3) Web site host fails to maintain security on servers for the hosted web sites and entity loses income due to online sales decrease. (Not offered by many insurers.) This is for the loss of income when dependent properties or contingent businesses sustain a cyber related loss which causes you not being able to perform your business. Key supplier or distributor has an outage so you cannot get materials for your business, or you are not able to sell your finished goods to the distributor because their systems are down. EX: a game developer could have this exposure when PSN was down for a while due to DDOS or when it was shut down for over a month. If they can sell their game via the online store, they sustain a BI loss.

What is Business income and Extra expense coverage available for first party losses?

a. Pays for loss due to an interruption to the named insured's computer system resulting from a cyber-related event b. Examples: 1) An online retailer's computer system is down due to denial of service attack and there is loss of revenue 2) Insured's computer system is shut down for repairs due to damage of files by a virus and there is a loss of revenue c. The period of indemnity may be limited to 60, 90, or 120 days (may have a need for Extended Period of Indemnity). Pays for the loss of income because the computer system sustained an interruption. Example: DDOS, malware, ransomware

To address the cyber exposure, how does the BOP address BI and EE losses due to cyber?

a. There is no coverage for business income and extra expense caused by destruction or corruption of electronic data or any loss or damage to electronic data, except as provided under Additional Coverages. 1) Basically the carrier is not giving BI or EE from the loss of the electronic data except what is given to us. No hardware coverage and no BI/EE.

What is the CG 21 06 - Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability - With Limited Bodily Injury Exception Endorsement

This is a mandatory endorsement that replaces the exclusion P of the CGL policy. This mandatory endorsement provides no coverage from damages arising out of any: 1. access to or disclosure of confidential or personal info. 2. access or disclosure of confidential info. 3. loss of use of corruption, inability to access, or inability to manipulate electronic data.

What is the contractual liability exclusion on the Electronic Data Liability Coverage Form CG 00 65

This policy will not pay for loss of data for which the insured is obligated to pay damages for by assumption of liability in a contract or agreement. This exclusion won't apply to damages in the absence of a contract or agreement.

What is the CG 21 06 - Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability - With Limited Bodily Injury Exception that is added to a CGL policy?

• This endorsement eliminates the access of confidential and personal information from Coverage A and B • What all of this is designed to do is to show that the CGL is really just used for the everyday issues a business has. Anything cyber related should really be addressed in a separate policy.

