CYBER & PRIVACY LIABILITY INSURANCE GUIDE
Table of contents
What are the most important factors to consider before purchasing Cyber & Privacy Liability Insurance? (page 3)
What is the current state of the Cyber & Privacy Liability Insurance Marketplace? (page 4)
Why do businesses need Cyber & Privacy Liability Insurance? (page 5)
What does Cyber & Privacy Liability Insurance Cover? (page 6)
Why should an organization's incident response plan be synced to the insurance policy? (page 7)
Why is the application process so important? (page 8)
Policy Terms, Conditions & Exclusions (page 9)
This document includes confidential and proprietary information of and regarding Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO®). You may not use this document except for informational purposes, and you may not reproduce this
What are the most important factors to consider before purchasing Cyber & Privacy Liability Insurance?
The most important factors to consider when purchasing Cyber & Privacy Liability Insurance are the expertise and sophistication of the insurance broker and insurer. Selecting an insurance brokerage with professional liability expertise, cyber and privacy risk competence and risk management service offerings is crucial. Equally important is selecting an insurer with experience managing claims involving data breaches, digital disasters, network security compromises, regulatory actions and third-party privacy liability claims.
The Cyber & Privacy Liability claims management process needs to begin before a data breach or security incident occurs, which requires a "partnership" with the insurance broker and insurer. In the wake of a data breach, businesses must be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensic evidence is not accidentally destroyed, and notify regulators, law enforcement officials, affected individuals and the impacted users of the compromised data. The essential element of effective incident response planning is building the right team. Developing the necessary relationships with expert third-party partners, including the insurance broker and insurer, prior to an incident occurring is critical to rapidly contain data
What is the current state of the Cyber & Privacy Liability Insurance Marketplace?
Why do businesses need Cyber & Privacy Liability Insurance?
Cyber & Privacy Liability Insurance assists in funding potential breach response expenses, defense costs for regulatory actions and other liabilities that arise in the wake of a data breach or security incident.
Data breaches can be costly, disastrous events on par with natural disasters, fires, physical security compromises and terrorist attacks, and they can strike without notice. Developing Disaster Recovery Plans (DRP) or Business Continuity Plans (BCP) without anticipating exposure to data privacy and security related risks puts the organization's assets and reputation at risk.
Considering the financial impact and the swift yet orchestrated response required in managing data breaches and cyber related incidents, an integrated incident response plan must be included in disaster recovery and business continuity planning processes. It should be an integral part of the organization's overall Enterprise Risk Management (ERM) program.
Data breaches are traumatic events that can paralyze the entire organization, damage relationships with vendors and partners and severely diminish consumer trust. Brand damage, response costs and other financial losses
What does Cyber & Privacy Liability Insurance Cover?
Cyber & Privacy Liability Insurance policies include Third-Party and First-Party Coverage Parts.
Network Security Liability: Affords legal defense costs and indemnity for third-party claims alleging failure to protect against transmission of malicious code, denial of service attacks and unauthorized access and/or use of computer systems.
Data Breach Fund/Costs: Covers the data breach legal advisor, forensics investigation expenses, notification and call center services, public relations/crisis communications costs, and credit monitoring/credit-fraud remediation services.
PCI DSS Violation Coverage: Covers monetary fines or penalties resulting from the failure to comply with PCI DSS requirements.
Regulatory Fines & Penalties: Covers monetary fines or penalties resulting from the failure to comply with state or federal laws.
Network Extortion: Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless such consideration is paid.
Business Interruption: Indemnification for loss of income and incurred extra expenses that arise directly out of a network security breach that occurs on the insured's systems.
Digital Asset Loss: Indemnification for costs to recreate, rebuild or recollect digital information assets that were directly damaged as a result of a network security breach that occurs on the policyholder's systems.
Privacy Liability: Affords legal defense costs and indemnity for third-party claims alleging negligent use or disclosure of non-public personally identifiable information, including Protected Health Information, Employee Personally Identifiable Information and Third-Party Corporate Confidential Information.
Internet Media Liability: Affords legal defense costs and indemnity for third-party claims alleging wrongful acts in the dissemination of internet content and media.
Regulatory Actions: Affords legal defense costs for regulatory actions brought by federal regulators such as HIPAA/HITECH, COPPA, FTC or State Attorneys General (SAG).
Why should an organization's incident response plan be synced to the insurance policy?
Many insurers have pre-arranged incident response services offered as a data breach team: a group of pre-approved vendors that must be used in the event of a breach. Other insurers offer their policyholders a choice of vendors, subject to the insurer's prior written consent. Failure to properly provide notice of a claim to the insurer and to obtain its prior written consent to use response vendors can lead to uninsured claims and compromised coverage.
The solution is to sync the incident response plan with the insurance program and obtain the insurer's prior written consent as part of the application process, before coverage is purchased.
Teamwork
A seamless incident response plan incorporates all stakeholders, internal and external, including the insurance broker, the insurer and its service providers. The Data Breach or Incident Response Team includes pre-arranged incident response service providers such as:
Data Breach Legal Advisor: Provides immediate legal triage and direction, typically offered with no retention or deductible.
Forensic Investigator: Determines the nature and scope of the incident, takes immediate steps to contain it, and ensures that forensic evidence is not accidentally destroyed.
Public Relations and/or Crisis Management Services: Assists with brand damage containment, media communications and press releases.
Notification and Call Center Vendors: Assist with providing notice to affected individuals and handle customer service calls from impacted users of the compromised data.
Credit Monitoring or Credit-Fraud Remediation Services: Provide impacted individuals with credit monitoring or credit remediation services.
Why is the application process so important?
An experienced insurance broker should be capable of running tabletop breach simulations and data breach drills to illustrate how the insurance policy would respond to breach response costs, notification laws, regulatory actions and other liabilities.
The application for insurance includes many questions relative to organizational compliance, internal procedures, hiring processes, employee privacy training/awareness programs, physical security, IT security protocols, claims history and many other items. The reasons for including privacy and finance leadership are obvious; however, involvement of all stakeholders, including Information Technology, Human Resources, Audit, Compliance and Marketing, is necessary.
The application becomes part of the insurance contract and, in most cases, it is considered a warranty or a guarantee that the statements made by the organization on the application are true and correct. The application serves as the underwriter's "risk assessment", since the insurer accepts risk based on representations made by the applicant, in exchange for a premium. If the application does not reflect the proper risk or the insured's representations were not correct, insurers have the right to deny coverage, rescind the policy or charge additional premium. For example, certain policies may contain the following type of exclusion:
"Any Security Breach resulting from the knowing and intentional failure of the Insured to maintain Security Systems equal or superior to those disclosed in the Application for insurance, or the failure of the Insured to use best efforts to install or implement commercially available updates to such Security Systems."
This exclusion would preclude coverage for any
Policy Terms, Conditions & Exclusions
Take Away
There is no "one-size-fits-all" Cyber & Privacy Liability insurance product. A Cyber & Privacy Liability Insurance program should be tailored to the size of the organization, its industry sector and its particular compliance requirements. There is presently no industry standard; each Cyber & Privacy Liability insurer has its own proprietary policy form. The policy terms, conditions and exclusions can differ drastically among insurers. That is another reason why the expertise of the insurance broker is so important. An experienced insurance broker should be capable of comparing each insurer's proposal, policy terms, conditions and exclusions to determine which option is best for the client's specific exposures and its data security and privacy compliance requirements.
Businesses can no longer take a reactive approach to cyber and privacy risk management. In light of escalating cybercrime, privacy threats and evolving legislation, businesses of all sizes should prepare for data breaches in advance and have an executable incident response plan of action in place. Buyers need to be aware of the potential pitfalls of buying insurance "shelf products" at the lowest premiums, as doing so may lead to major unanticipated expenses, delays and problems when claims are made and breaches occur.
Copyright © 2013 Privacy Professionals LLC/Privacy Professionals Insurance Services LLC (PRIPRO®) All Rights Reserved.