Cyber & Privacy Insurance
Coverage Made Simple(r)
Bob Bregman, CPCU, MLIS, RPLU, Senior Research Analyst
The Policies Are Both COMPLEX and DIFFER from Insurer to Insurer!
In fact, they are so different that insurers use different names for what are essentially (but not exactly!) the same type of coverage:
• Information Security & Privacy Insurance (Beazley)
• CyberEdge (Chartis)
• CyberRisk (Travelers)
• Security and Privacy Protection (Zurich)
• CyberSecurity (Chubb)
• PrivaSure (AXIS Pro)
• Enterprise Professional Solutions (CNA)
Today’s Road Map
Part I: “The 10 Basic Cyber & Privacy Policy Insuring Agreements”
Brief Interlude: “A Word about Technology E&O Insurance”
Part II: “Selling Cyber & Privacy Coverage: Tips for Risk Managers, Insurance Agents/Brokers, and Underwriters”
Part III: “Materials for Further Study: Becoming a Cyber & Privacy Insurance Coverage Expert”
Part I: The 10 Basic Insuring Agreements
Cyber & Privacy Liability Coverages: the “Core” Coverages
• Privacy Notification and Crisis Management Expense
• Regulatory Defense and Penalties
• Information Security & Privacy Liability
• Website Media Liability
Cyber-Related Time Element Coverages
• Business Interruption
• Extra Expense
Cyber-Related Theft of Property Coverages
• Data Assets
• Cyber Extortion
• Computer Fraud
• Funds Transfer
Conceptualizing the “3 Core” Cyber & Privacy Coverages
Regulatory Defense and Penalties Coverage
Covers the cost of “dealing with” the regulators and paying applicable fines/penalties; another component of loss that is unique to data breaches
Information Security and Privacy Liability Coverage
Covers the “pure liability component” of the loss, including the cost of defending the claims
Privacy Notification and Crisis Management Expense Coverage
Covers the costs of services that are unique to a data breach. This is the “loss containment” component of cyber & privacy liability coverage
A Loss Scenario Involving the 3 “Core” Cyber & Privacy Liability Coverages
A hacker gains access to a retailer’s computer system and obtains names, addresses, Social Security numbers, and driver’s license numbers of 100,000 customers, all of which constitute PII or “personally identifiable information.” A class action lawsuit is eventually brought by 5,000 of the customers against the retailer.
Privacy Notification and Crisis Management Expense: Loss Containment Coverage
Covers the direct expenses required to:
• Hire a forensics expert to determine the cause of the breach and suggest measures to secure the site and prevent future breaches
• Hire a PR agency to assist the insured in dealing with the crisis
• Set up a post-breach call center
• Notify individuals whose PII has been compromised
• Monitor these individuals’ credit (usually for 1 year)
• Pay costs needed to “restore” stolen identity (e.g., costs to notify banks and credit card companies)
Privacy Notification and Crisis Management Expense Coverage: Key Points
• Some insurers SPLIT: (1) Notification, (2) PR, and (3) Forensics into separate insuring agreements!
• This coverage affords the insured access to the insurer’s cadre of experts who can provide the hands-on expertise to work an insured through a data breach. (Rick Betterley calls this “breach coaching.”)
• Immediately after a data breach, an insured will benefit immensely by having an insurance company partner.
• If a business is able to purchase just ONE of the 10 Insuring Agreements— this is the one to buy. It is the “core” of the 3 “core coverages.”
Regulatory Defense and Penalties Coverage: Regulatory “Headache” Coverage
Covers the costs of dealing with regulatory agencies who oversee state and federal data breach laws and regulations:
• Costs of hiring attorneys to deal with regulators during investigations.
• Costs of fines and penalties that are levied against the insured as a result of the breach
• “Regulatory defense” means that only the legal costs of dealing with regulators— not claimants—are covered by this insuring agreement
Regulatory Defense and Penalties Coverage: Key Points
• One of the rare types of insurance policies that pays fines and penalties; items otherwise considered uninsurable under most coverages. BUT: some insurers DO NOT COVER fines and penalties. Others cover these items BY ENDORSEMENT.
• Especially valuable when dealing with regulators in multiple states. The laws are varied, complex, and downright byzantine (one of my favorite words!).
• Anyone who works in the D&O arena knows how expensive it is to respond to regulatory investigations.
• Navigating the post-breach regulatory maze requires the kind of specialized legal expertise to which most insureds do not have ready access, even if an insured has the funds to hire experienced counsel.
Information Security and Privacy Liability: Traditional Liability Coverage
Covers the insured’s liability for damages resulting from a data breach, arising from:
• Loss, theft, or unauthorized disclosure of PII in the insured’s care, custody & control
• Damage to data stored in insured’s computer systems belonging to a 3rd party
• Transmission of malicious code or denial of service to a 3rd party’s computer system
• Failure to timely disclose a data breach
• Failure of insured to comply with own privacy policy prohibiting disclosure/sharing of PII
• Failure to administer an identity theft program required by governmental regulation or to take necessary actions to prevent identity theft
Information Security and Privacy Liability Coverage: Key Points
• This is the true “liability” coverage element of a cyber & privacy policy
• Pays actual liability losses sustained by various claimants (UNLIKE the first two insuring agreements)
• Contrast with Privacy Notification and Crisis Management Coverage, which pays without admission of liability (like “medical payments” coverage under a homeowners or personal auto policy)
• Pays actual defense costs required to defend claims alleging loss by claimants (but NOT legal costs required to deal with regulators)
Where It Gets Even Trickier …
• Some insurers combine 2 of these “core” coverages into a single insuring agreement with a single limit (e.g., Regulatory Defense + Information Security and Privacy Notification).
• Some insurers offer privacy notification and crisis management expenses as separate insuring agreements (with separate limits): THIS IS NOT GOOD.
• Several insurers provide liability coverage only when there is a THEFT of data (i.e., a Target-type data breach) but NOT when there is merely an INTRUSION without theft, as in the case of WEBSITE VANDALISM.
• And “of course,” insurers often refer to the 3 “core” insuring agreements by different names (e.g., one insurer uses the term “Information Security and Privacy Liability” and another calls it “Network and Information Security Liability”).
Website Media Content Liability Coverage
Covers insured’s liability for material published on its website (only) for claims alleging:
• Personal Injury (e.g., invasion of privacy, libel, slander, defamation). Claim Scenario: a health insurance company posts pictures of its subscribers without obtaining permission, violating their privacy
• Commercial Violations (e.g., plagiarism; infringement of copyright, trademark, logo). Claim Scenarios: an online publisher publishes an article that does not attribute material appearing in the article to its original, actual source; an online retailer introduces a new logo that is very similar to that of another company
• Other Improper Web-Based Acts (e.g., improper deep linking). Claim Scenario: a publishing firm publishes model HR policies and procedures, including links to an HR consulting firm. The consulting firm sues, alleging that the links enhance the publisher’s website BUT WITHOUT
Website Media Content Liability Coverage: Key Points
• Covers Losses NOT caused by data breaches/intrusions—why I don’t consider it one of the 3 “core” coverages
• Much like a “traditional,” stand-alone media liability policy, but with one big difference: it ONLY covers media-type liability incurred from website activities
• Provides no coverage for non-website-based media activities (e.g., paper publishing, broadcast media)
• Many cyber insurers do not offer such coverage because it is available under “traditional,” stand-alone media policies
• Best solution: buy a comprehensive media liability policy that includes liability incurred for website activity, under a “traditional” (i.e., ALL media forms) media policy
Cyber-Related Time Element Loss Coverages: Business Interruption and Extra Expense
Business Interruption (BI): covers losses incurred during the “period of recovery” resulting from a “computer system disruption”
3 Types of Covered Losses and Loss Scenarios
• Income Loss (e.g., income lost when an insured cannot take online orders for its products)
• Dependent Business Interruption (e.g., loss sustained when an insured retailer’s wholesale supplier is unable to receive orders because the wholesaler’s website is shut down and can’t ship products to the retailer)
• Extended Business Interruption (e.g., even after restoration following a shutdown, it will require some period of time for the volume of business to return to normal; covers loss sustained until business returns to “normal”)
Extra Expense Coverage
Extra Expense (EE): covers additional costs required to expedite recovery, such as: overtime labor, express parts shipping, hiring special experts
• Under some policies, EE coverage applies only if the extra expense reduces the loss
• Both BI and EE Coverage are triggered ONLY by an “electronic disruption” (as defined by the policy), but NOT by other types of physical damage such as: fire, windstorm, flood, etc., as under standard property insurance policies
• Both BI and EE coverages are usually (but not always) subject to a “time” deductible (rather than a “dollar” deductible) before coverage applies
• Standard property insurance won’t cover data breach-related BI or EE loss because the policies require physical damage to trigger a covered loss
Complications, Caveats, and a Recommendation
• Many insurers do not offer cyber-related property coverage because, philosophically, they view cyber & privacy insurance as a liability coverage ONLY. Others offer it but by endorsement, not within their standard form.
• Under some forms, a covered “computer system disruption” MUST be a data breach; under others, this is not required (e.g., can be introduction of a virus).
• Some insurers “bundle” BI and EE under a single insuring agreement; others separate them; still others offer BI but not EE.
• Some insurers do not offer “Dependent BI” coverage OR “Extended BI” coverage within their BI coverage wording.
• If insured has purchased BI coverage, insurer has added incentive to handle the privacy notification and crisis management aspects of a data breach MORE EXPEDITIOUSLY! So consider buying BI coverage for that reason.
Cyber-Related Theft of Property Coverages
• Data Asset Coverage
• Cyber Extortion
• Computer Fraud
• Funds Transfer Fraud
Data Asset Coverage
Covers the cost of restoring and recovering the data lost from the “failure of an insured’s computer system”
Loss Scenarios: (a) A hacker gains access to an insured’s customer database and erases it from the company’s computer system. (b) An employee accidentally erases the company’s customer database. In both instances, this insuring agreement pays the cost of restoring the customer database.
Data Asset Coverage (continued)
Restrictions:
• Coverage usually does not apply when loss of data assets is caused by intentional employee acts
• No coverage for upgrading software or other programs during the restoration process
• No coverage for the cost of research to recover lost data (only coverage for “electronic” recovery methods)
• Insurer must (usually) pre-approve costs for all expenditures
• Some policies only provide coverage for loss caused by a data breach (but not from other causes, such as accidental erasure)
Cyber Extortion Coverage
K&R Coverage for Cyber Events (AKA “E-Commerce Extortion”)
Loss Scenario: insured receives an e-mail from an individual who threatens to shut down/damage/introduce a virus into/disclose confidential information from/block access to/attack the company’s website in some other way UNLESS the insured pays $10 million.
What’s Covered:
(1) Monies paid to meet the extortion demands
(2) Monies paid to computer security experts on how to prevent future extortion attempts
(3) Cost of expert assistance to deal/negotiate with cyber extortionists
Computer Fraud Coverage
Covers loss from fraudulent, unauthorized entry into a computer system resulting in a theft of money or data.
Loss Scenario: a cyber thief accesses a bank customer’s savings account number and password, then uses this data to withdraw $25,000 from various ATMs.
Key Points: NO COVERAGE for: (1) employee acts (it’s NOT a fidelity cover), (2) independent contractor acts, or (3) acts of persons under the insured’s supervision. In effect, insurers won’t cover “inside jobs.”
Funds Transfer Fraud Coverage
Covers loss sustained when funds are fraudulently transferred from one financial institution to another
Loss Scenario: a stock brokerage firm receives an e-mail “appearing” to be from a U.S. bank (but it is not). The broker’s employee opens the e-mail, which activates a virus, allowing the thief to access the brokerage account number and password, which she uses to transfer funds to her bank in Eastern Europe. (“The Girl With the Dragon Tattoo,” by Stieg Larsson)
Funds Transfer Fraud vs. Computer Fraud: the previous scenario (i.e., the “computer fraud”) did not involve the transfer of monies between financial institutions, whereas funds transfer fraud does.
Cyber-Related Theft of Property Coverages: A Wrap-Up
• A substantial minority of insurers DO NOT offer such coverages
• They philosophically view Cyber & Privacy Insurance as DATA BREACH-driven, producing third-party liability loss, rather than first-party property loss
• BUT a number of these losses can be covered elsewhere (K&R policies, crime policies), so insurers seek to avoid duplicating coverage in cyber forms
• Many insurers seek to avoid such losses because they are often fidelity-linked and don’t want to provide such coverage
A Last Look at the 10 Insuring Agreements
Cyber & Privacy Liability Coverages: the “Core” Coverages
• Privacy Notification and Crisis Management Expense
• Regulatory Defense and Penalties
• Information Security & Privacy Liability
• Website Media Liability
Cyber-Related Time Element Coverages
• Business Interruption
• Extra Expense
Cyber-Related Theft of Property Coverages
• Data Assets
• Cyber Extortion
• Computer Fraud
• Funds Transfer
Limits and Deductibles: Distinctive Features, Special Challenges
• Each of the 10 Insuring Agreements Contains Both a Separate Per Claim Limit and a Separate Per Claim Deductible
• Cyber policies are ALSO written with an Annual Aggregate Limit for claims covered by ALL insuring agreements that have been purchased
• This approach has several effects:
1. Insured must make multiple DECISIONS
2. The true extent of coverage is CONSTRICTED
3. It adds overall COMPLEXITY to the buying process
Selecting Limits and Deductibles: No Easy Answers
• The application process sheds light on the nature of the insured’s exposure
• Expert broker advice is essential
• Expert brokers can use other clients with similar characteristics to make recommendations:
1. business type
2. # of electronic records
3. size (sales, # of customers, # of transactions)
4. location
5. “other” factors
Brief Interlude: A Word about Technology E&O Insurance
Technology E&O and Cyber & Privacy Insurance are similar but NOT synonymous
Technology E&O =
Cyber & Privacy Insurance (the 3 “core” insuring agreements + some/all of the other 7)
+
Miscellaneous E&O Insurance (coverage for errors & omissions in delivering
IRMI buys Cyber & Privacy Insurance because IRMI uses technology to deliver products. We don’t sell technology PRODUCTS or SERVICES. Rather, we use technology to deliver products and services.
In contrast …
The company that stores IRMI’s data on an off-site basis buys Technology E&O because it is providing IRMI with technology products and services (i.e., data storage)
Cyber & Privacy vs. Technology E&O
Coverage                     Buyer
Cyber & Privacy Insurance    Users of Technology
Technology E&O Insurance     Sellers of Technology
Part II: Selling Cyber & Privacy Insurance: Tips for Risk Managers, Agents/Brokers, Insurers
The penetration rate for cyber & privacy insurance is still relatively low. In fact, according to an estimate by Marsh, the coverage is purchased by only 25 to 35 percent of all companies (see "Making Sense of Cyber Insurance," PropertyCasualty360.com, January 13, 2014).
Risk Managers
It’s Not Just Your Employer’s Survival That’s on the Line—It’s Yours!
If your company’s systems are breached, and you haven’t at least obtained a quotation for cyber & privacy coverage, don’t let the door hit you on the way out.
Sell the Nonindemnification Aspects of the Coverage to Sr. Management
Reimbursement from an insurer is only half the story (or maybe even less)
No Matter How Much Opposition: Undergo the Application Process
Even if the “deciders” reject the opportunity to buy coverage—at least YOU will be covered!
The Value of an “Insurance Company Partner” when Managing “Specialized” Claims
• Companies Covered by a D&O Policy paid an average of $129,625 per claim
• Companies Not Covered by a D&O Policy paid an average of $408,469 per claim
Source: Chubb Insurance Co. 2005 (Private Company D&O Survey)
Defending a D&O claim is NOT a
Benefits of the Application Process
• Compels a business to comprehensively (and honestly) assess its risks and vulnerabilities
• Assists in quantifying potential losses (which will help in selecting limits!) because apps ask about: #’s of customer records, sales volumes, locations, etc.
• Focuses senior management’s attention on the importance of cybersecurity. Remember: a Sr. Executive must SIGN the application!
• Increases support for having an independent audit—without which a business will never receive an objective assessment of its cybersecurity program
“Trust, but verify” (Russian Proverb): The Need for Cyber Audits
• Insurers don’t generally require them as a condition of providing coverage—but they do encourage them
• Insurers will be happy to recommend providers—yet another benefit of the application process—assuring that you will receive a competent evaluation
• BUT audits are not submitted with coverage applications, to avoid the findings of the audit being discoverable in the event of a loss
• Expect internal resistance to an audit from your company’s IT department, but this is one battle a risk manager should be able to win
• If there is a weakness or problem in your company’s protection systems, better to find out during an audit than after a data breach!
Agents & Brokers
Consider the E&O Possibilities: YOURS!
You will be sued if a client suffers an otherwise insurable breach-related loss
Sell the Nonindemnification Aspects of the Coverage
Reimbursement from an insurer is only half the story (or maybe even less)
View It as a Chance To Stand Out from the Crowd
True expertise in cyber & privacy coverages is at a premium now
Insurers
Sell Cyber & Privacy Insurance as a Management Liability Cover
• View cyber as the 4th component of the management liability insurance trio (along with D&O, EPL, and fiduciary).
• A breach often comes back to D’s & O’s as a derivative claim.
• Yet, insurers’ websites treat cyber & privacy insurance as either: (a) a professional/E&O coverage OR (b) a separate, stand-alone product
Kevin LaCroix on Cyber & Privacy Risks to D’s & O’s
“These two lawsuits (against Target and Wyndham Hotels) highlight the fact that the risks and exposures companies face in connection with cybersecurity issues include potential liability exposures for companies’ corporate boards.” (emphasis added)
Source:
“What to Watch in the World of D&O,” Fall 2014; Vol. IX, Issue
They Won’t Buy What They Don’t Understand!
Standardize Your Policies
The lack of uniformity in both coverage and terminology between the various insurers’ policies is a substantial barrier to greater levels of market penetration. If buyers struggle to understand cyber & privacy insurance policies, they won’t buy them. Product differentiation is a good thing, but in my opinion, too much differentiation has hampered market penetration. Start by combining the 3 Core Coverages under ONE INSURING AGREEMENT.
Lose the “Bunker Mentality”
(At Some Point) Reduce the Number of Insuring Agreement–Specific Limits and Deductibles
Imposing (a) a per loss limit for each insuring agreement, (b) a per loss deductible, and (c) an aggregate limit for all insuring agreements is really shrinking the extent of actual coverage being provided. Consider offering either a single, aggregate limit for all of the insuring agreements being purchased OR a per loss limit for each insuring
Part III: Materials for Further Study: Becoming a Cyber & Privacy Insurance Expert (5 Great IRMI Resources)
“A Journey of 1,000 Miles Begins With a Single Step”
Lao-tzu, Chinese philosopher (604-531 BC)
IRMI’s Online CE Course on Cyber & Privacy Exposures and Insurance Coverage
• An in-depth, yet easy-to-follow 14-chapter course
• Includes frequent examples and numerous review questions
• Delivered online through a user-friendly online interface
• Study the course material at your own pace
• Take the multiple choice final exam when you're ready
You can take the IRMI Cyber & Privacy Exposures and Insurance Coverage course at any time, from any computer with access to the Internet.
Professional Liability Insurance (PLI)
IRMI’s 3,500 page reference manual dealing with all types of Professional (medical and nonmedical), EPL, E&O, and D&O liability exposures and insurance coverages.
Contains detailed (150+ pages) discussions of Cyber & Privacy and Technology E&O Insurance Coverages and Exposures
IRMI Online
Cyber and Privacy Loss Exposures
Cyber and Privacy Liability Insurance Coverage
Technology Errors and Omissions Liability Exposures
Technology Errors and Omissions Liability Insurance Coverage
ReferenceConnect
Cyber and Privacy Loss Exposures
Cyber and Privacy Liability Insurance Coverage
Technology Errors and Omissions Liability Exposures
The Betterley Report
An authoritative series of Market Survey Reports providing concise market insight and detailed policy comparisons for 6 specialty lines of coverage. Each report is 50-175 pages.
Cyber & Privacy Insurance and Technology E&O Insurance are among the 6 lines covered.
IRMI Online
Cyber/Privacy Insurance Market Survey 2014
Technology Errors & Omissions Market Survey 2014
ReferenceConnect
Cyber/Privacy Insurance Market Survey 2014
The Risk Report
The Risk Report is a monthly, in-depth (8 to 12 pages) report on an
important aspect of commercial insurance/risk management.
Recent cyber & privacy insurance articles include:
IRMI Online
“Top 10 Tips for Insuring Cyber Risks” (12/13)
“Cyber Endorsements for Traditional Insurance Policies” (05/13)
“Cyber, Tech, Media, and Privacy E&O Insurance” (01/12)
“Digital Risk Management” (11/11)
ReferenceConnect
“Top 10 Tips for Insuring Cyber Risks” (12/13)
“Cyber Endorsements for Traditional Insurance Policies” (05/13)
“Cyber, Tech, Media, and Privacy E&O Insurance” (01/12)
IRMI.com: This Is Free!
Contains 1,600+ FREE articles in the Expert Commentary section, on various insurance and risk management topics, including 50 articles on
Privacy/Cyber/Technology E&O Topics. Most recently:
“Changes in State Breach Notification Laws” (08/14)
“Guidance for Managing Cybersecurity Risks” (5/14)
“Revisiting Privacy Policies in Light of California Law” (10/13)
“Yawning in the Face of Privacy Risks” (05/12)