Cyber and Privacy Breach Insurance

Transcription

1 Aon Risk Solutions Financial Services Group Cyber and Privacy Breach Insurance A Risk Transfer Solution for a Growing Liability January 2015 Risk. Reinsurance. Human Resources.

2 Introduction The frequency and severity of cyber and privacy breaches are on the rise. New breaches are being reported worldwide on almost a weekly basis, with over 600 million records in the U.S. containing personal information being reported as involved in a security breach since The Ponemon Institute assessed the average cost of a data breach to U.S. companies at more than $200 per compromised record in Although there is a growing awareness of cyber and privacy data risks, and many companies are taking steps to update their IT security systems, the number of data breaches that remain undiscovered for six months or more continues to increase every year 3. As a result, cyber and privacy security has moved to the forefront of corporate risk concerns. The statistics indicate, and a growing number of organizations are recognizing, that even state-ofthe-art security systems are not failsafe. Therefore, organizations are also looking to cyber and privacy insurance policies to assist in transferring their risk. There are a number of different cyber and privacy policies available in the market and each varies in its wording and sometimes in the coverage provided. The following discussion outlines the type of coverage available to an organization purchasing cyber and privacy insurance, including which matters will likely not be covered by these policies, as well as some policy issues to watch out for. 1. A Chronology of Data Breaches, Privacy Rights Clearinghouse, June U.S. Cost of a Data Breach Study, Ponemon Institute, Data Breach Investigations Report (DBIR), Verizon Business, April 2013

3 Basic cyber and privacy coverage First party coverage Cyber and privacy policies will usually provide coverage for an insured s first party losses associated with the loss, theft or unauthorized disclosure of confidential information. This coverage would include expenses related to breach notification, public relations, credit monitoring, call centre and forensic investigation. In reviewing the first party coverage provided by a cyber and privacy policy, an insured should pay close attention to the language that triggers the coverage. It is not uncommon for cyber policies to require that an insured be legally obligated to notify individuals of a privacy data breach before coverage is available. However, this language could be problematic in Canada, as the majority of provincial privacy statutes do not yet contain a mandatory breach notification requirement. In order for cyber policy coverage to be consistent with Canadian legislation, first party coverage should be provided where an insured chooses to notify individuals of a data breach, even if not legally required to do so. Third party coverage Cyber and privacy insurance policies will also typically contain coverage for an insured s third party losses. This would generally include defence costs and the costs of judgments or settlements. Often network security events that result in third party losses involve hacking, intrusions of malware, malicious code or Trojan software. Yet, there have also been documented cases where an insured has faced a claim for third party damages when a USB key, laptop or other device containing confidential information has been lost. In order to capture all of these scenarios, a policy should provide coverage for third party losses where an insured failed to protect confidential information. Policy coverage that is triggered by unauthorized access to confidential information is not adequate, as it may not capture a scenario where a device containing confidential information is lost or paper records are stolen. Additional cyber and privacy policy features Business interruption coverage Some cyber and privacy policies may provide business interruption coverage for losses that result from the disruption or shutdown of the insured s computer system following a network or security breach. This coverage is sometimes subject to a separate retention. In the alternative, some policies will delay coverage until a certain amount of time has passed following the security or network failure. Ideally, an insured will not be subject to both a retention and a waiting period before business interruption coverage is provided. While the length of the coverage period will vary from policy to policy (60 to 90 days is common) better policies will provide coverage until the insured s computer system is fully restored with an outside time limit of up to a year. The key variables to look for in business interruption coverage include the length of the waiting period, the amount of any retention and the period of coverage. The basic business interruption coverage provided in cyber and privacy policies does not include contingent business interruption, which provides coverage for losses that result when an insured suffers a disruption in their business operations because of a breach to a third party service provider s computer system. Some insurers may offer this added coverage as an option, but it generally requires the payment of an additional premium. This coverage is also usually sublimited and can be difficult and/or expensive to obtain because of the risk to insurers that a breach to a large service provider will impact a number of insureds at the same time. Cyber terrorism State-sponsored cyber attacks are one of the fastest growing sources of external cyber and privacy breaches facing corporations today. Unfortunately, not all cyber and privacy policies have evolved to recognize this growing source of risk and many policies still contain war and terrorism exclusions which might impact coverage for losses resulting from these attacks. Where an insured has experienced a breach and suffered losses that fall within the intended areas of coverage of the policy, it should not matter who launched the attack or whether there were ideological goals behind it. 1 Cyber and Privacy Breach Insurance: A Risk Transfer Solution for a Growing Liability

4 Additional cyber and privacy policy features Some insurers are willing to provide a carveback to these exclusions to clarify that they do not exclude coverage for cyber terrorism. This type of carveback should be included on every cyber and privacy policy containing war, terrorism or other similar exclusions. Sensitive corporate information In the course of business, an insured may store a number of different types of confidential information. This may not be limited to customer and employee personal information and will often include confidential corporate information of the insured s business partners as well. Yet, some cyber and privacy policies will only include personal information in the definition of confidential information. This restrictive definition would preclude an insured from coverage if the sensitive corporate information of third parties is lost. It should be noted that a cyber and privacy policy does not provide first party coverage for losses resulting from the unauthorized disclosure of the insured s own confidential corporate information. Further, it is often a perquisite to coverage that an insured have a contractual obligation to protect third party confidential corporate information (i.e., by way of a non-disclosure agreement). Ideally, policy language will include coverage for confidential corporate information as well as personal information. However, it is common for cyber and privacy policies to contain an exclusion for losses arising from the disclosure of third-party trade secrets, which would act to restrict the scope of confidential corporate information that is covered. Bodily injury and property damage Almost all cyber and privacy policies will contain an exclusion for bodily injury and property damage (BI/PD) related to cyber and privacy breach claims. In some cases, this will exclude coverage for claims arising from, or for, mental anguish and emotional distress. This broad BI/PD exclusion is potentially problematic, as a plaintiff bringing an action against an insured for unauthorized disclosure of personal information might request damages on a number of grounds, including damages for mental anguish and emotional distress. Therefore, it is important that the language in any BI/PD exclusion be worded to provide coverage for mental anguish and emotional distress where it is directly caused by the breach and there is no intervening physical peril. Coverage for regulatory proceedings Some cyber and privacy policies will provide coverage for regulatory investigations and proceedings, but policy language is not consistent, with the result that coverage is more robust under some policies as opposed to others. The majority of policies will include defence costs for regulatory proceedings, typically with a sublimit on these costs. More comprehensive cyber and privacy policies will also provide coverage for fines and penalties, subject to their insurability under the law. The definition of regulatory action often varies among policies and some policies contain a narrow definition that ties the proceedings to a civil lawsuit. Yet, an insured may face a variety of regulatory proceedings under provincial privacy legislation. The powers of the Privacy Commissioner vary from province to province, but in most cases, in addition to bringing a civil lawsuit on behalf of the victims, the Privacy Commissioner can carry out investigations, request documents, conduct audits and make orders that require an insured to improve their technology and security systems or pay money into a consumer redress fund. Policies containing a narrow definition of regulatory action will not likely provide coverage for all of the legal costs that an insured may incur to defend against a regulatory investigation or other measures that the Privacy Commissioner might undertake. In addition, there is often a misconception that coverage for a regulatory action will capture losses resulting from an investigation or enforcement actions related to compliance with payment card industry (PCI) standards. However, associations ensuring PCI compliance derive their authority through contract and would not likely meet the definition of regulator. Coverage for fines, assessments and other expenses that result from compliance with PCI standards must be provided for separately in the policy. 2 Cyber and Privacy Breach Insurance: A Risk Transfer Solution for a Growing Liability

5 Items not included in coverage Cyber and privacy insurance policies are drafted to provide coverage in a number of different privacy and data breach scenarios, but there are some situations and types of losses that these policies generally do not cover. For example, if an insured suffers a breach of its network security system that leads to physical damage, losses related to the physical damage will not likely be covered. Further, computer fraud and fraudulent transfers of funds or money and securities that take place by way of a network security breach will not typically be covered under a cyber and privacy policy. This is a matter that is more likely to be addressed through fidelity insurance coverage. Finally, other items normally excluded from coverage include the cost of installing, upgrading or maintaining a computer system and associated security programs, any consideration owed or paid in connection with an insured s goods, products or services, including the return of payments, any taxes, fines, penalties and liquidated damages, loss resulting from a mechanical failure or errors in programming and loss as a result of controlling, creating, developing or providing content on any third party s website. Although the latter risk could be addressed with the purchase of media liability coverage. 3 Cyber and Privacy Breach Insurance: A Risk Transfer Solution for a Growing Liability

6 Prepared by Jennifer Drake LL.B Financial Services Group Legal and Research Practice 20 Bay St., Toronto, Ontario M5J 2N9 t jennifer.drake@aon.ca Contacts Brian Rosenbaum LL.B and National Director Financial Services Group Legal and Research Practice 20 Bay St., Toronto, Ontario M5J 2N9 t brian.rosenbaum@aon.ca Kathleen R. Cook, MBA, CPCU 400, st Street SE Calgary, Alberta T2S 1B1 t m kathleen.cook@aon.ca Marie-Frédérique Senécal 700, rue De La Gauchetière Ouest, bureau 1800 Montréal, Québec H3B 0A4 t marie-frederique.senecal@aon.ca Denise Hall 20 Bay St., Toronto, Ontario M5J 2N9 t m denise.hall@aon.ca Catherine Richmond, LL.B., CRM and Account Manager 900 Howe St., Vancouver, British Columbia V6B 3X8 t m catherine.richmond@aon.ca Aon Risk Solutions Cyber and Privacy Breach Insurance: A Risk Transfer Solution for a Growing Liability 4

7 About Aon Aon plc (NYSE:AON) is the leading global provider of risk management, insurance and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 66,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative and effective risk and people solutions and through industry-leading global resources and technical expertise. Aon has been named repeatedly as the world s best broker, best insurance intermediary, best reinsurance intermediary, best captives manager, and best employee benefits consulting firm by multiple industry sources. Visit aon.com for more information on Aon and aon.com/ manchesterunited to learn about Aon s global partnership with Manchester United. Aon Reed Stenhouse All rights reserved. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. Risk. Reinsurance. Human Resources.