Cyber Liability Insurance Overview
- Multimedia Liability: Covers third party liability related to your online advertising and media activities.
Claim example: An apparel manufacturer has been sued by another apparel manufacturer alleging that their online content has been plagiarized and their logos have been infringed upon.
- Network Security and Privacy Liability: Covers third party liability lawsuits from individuals who suffered a financial loss due to a breach of their personally identifiable information.
Claim example: A personal financial planner loses his laptop with confidential client information. The information is posted on the Internet, and he is sued by multiple clients.
- Privacy Regulatory Defense and Penalties: Covers defense costs, fines and penalties (where insurable) associated with a governmental or regulatory action.
Claim example: A New York physician’s practice was investigated by the New York State Office of the Attorney General after being alerted to claims of improperly stored patient records. The investigation revealed HIPAA violations in connection with over 8,000 patient records. The practice’s cyber liability insurance policy covered fines and penalties imposed against the practice and defense costs incurred to respond to the investigation.
- Breach Event Costs: Covers the cost to notify individuals whose personally identifiable information has been breached when notification is required by law. Coverage extends to the operation of a call center to field legally required credit monitoring redemptions. It also covers the cost to monitor the credit of individuals whose personally identifiable information has been breached.
Claim example: A restaurant chain that accepts credit cards is hacked. Sensitive credit card data is stolen. All of the individuals who had their data stolen will have to be notified, and credit monitoring services must be provided.
- Proactive Privacy Breach Response: Covers necessary costs associated with hiring a PR firm to minimize the PR effects of a breach of personally identifiable information.
Claim example: A law firm has their system breached and confidential client information is breached. They incur crisis management and public relations costs to minimize the effect that the breach will have on their current and future clients.
- Voluntary Notification Expenses: Covers the cost to notify individuals whose personally identifiable information has been breached where there is no specific legal requirement mandating notification of individuals whose information has been breached.
Claim example: A human resources employee for a large manufacturing company improperly throws out client records that contain Social Security numbers, medical information, names, etc. The manufacturing facility is in a state that does not require notification of individuals, but the facility still wants to notify the individual employees to let them know that their information was breached.
- BrandGuard: Provides coverage for lost income due to attacks from a cyber breach.
Claim example: Our insured is a hospital. Our insured’s firewall is breached by a criminal and all financial records for clients across the county have possibly been compromised including name, social security number, bank account information and address. As a result, surgeries are cancelled for the next month. This creates a loss of revenue for our insured.
- Network Asset Protection: Covers costs to investigate the cause of a breach and restore data to the same state, and with the same content, as immediately before the breach. Coverage is also included for business interruption because of a breach, and other special expenses related to minimizing the breach.
Claim example: An accounting firm’s computer system was hit with a virus that caused their network to be down for two days, in addition to causing the loss of unsaved work from the time since their most recent backup. Their insurance paid $22,000 for the work required to restore their system and eliminate the virus. Income loss was also paid for the time the firm could not operate.
- Cyber Extortion: First party coverage to pay extortion fees to a hacker who has taken control and is holding for ransom your systems or network.
Claim example: The manager at a popular local tavern inadvertently downloaded an email attachment that appeared to be from his bookkeeper. The file contained the 'CryptoLocker' virus, which encrypted files on his computer, including the QuickBooks files that are used to manage the restaurant's finances and payroll. When he tried to access an encrypted file, a message appeared notifying him that all files had been encrypted and would only be unlocked if he paid a ‘ransom’ using Bitcoin. After consulting with his insurance agent and their insurer, he was informed that this type of ‘cyber extortion’ is covered by the cyber liability insurance policy. The restaurant manager engaged an IT expert referred by the insurance company and determined that the threat was real and that the best course of action was to pay the ransom and assess further exposure and/or loss.
- PCI DSS Liability: PCI stands for Payment Card Industry. PCI regulates how personally identifiable information should be stored. This module covers any fines and penalties associated with the failure to comply with the appropriate PCI-DSS (Data Security Standard) level.
Claim example: A group of hotels has their system breached and credit card information is stolen. After an audit, it is discovered that the hotel group is not PCI compliant, so fines are levied by the credit card companies. Also, systems must be updated to become PCI compliant.
- Cyber Crime: Provides a sublimit for cyber crime caused by:
  - Financial fraud – Insured receives fraudulent wire instructions and wires funds to a hacker.
  - Telecommunications fraud – Gaining access to outgoing telephone service through fraud.
  - Phishing attack – Use of fraudulent communications or malicious web sites to impersonate an insured or an insured’s products or services in order to solicit private information.
Claim example: The accounting department at an electronic component manufacturer had recently discovered a series of unusual wire transfer requests during their quarterly audit.
After further investigation, it was determined that the email accounts of several executives had been compromised and wire transfer requests to the finance department were not actually sent by the executive, but rather from a ‘spoofed’ account. Over $600,000 in funds had been transferred to unknown bank accounts in four countries.
IT forensic investigations, legal fees, and loss of funds totaled $822,000.
- Computer Forensics Costs: Covers the cost for a forensics expert to investigate what information has been breached, in addition to pinpointing the cause of said breach.
Claim example: A logistics firm has their system hacked, and the attack locks out all of their employees so no one can access the system. Computer forensics are required in order to investigate the cause of the shutdown and update systems to prevent it from happening in the future.