CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Author: Gamelah Palagonia, Founder
CIPM, CIPT, CIPP/US, CIPP/G, ARM, RPLU+
Table of contents

- What are the most important factors to consider before purchasing Cyber & Privacy Liability Insurance?
- What is the current state of the Cyber & Privacy Liability Insurance Marketplace?
- Why do businesses need Cyber & Privacy Liability Insurance?
- What does Cyber & Privacy Liability Insurance Cover?
- Why should an organization's incident response plan be synced to the insurance policy?
- Why is the application process so important?
- Policy Terms, Conditions & Exclusions

This document includes confidential and proprietary information of and regarding Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO). You may not use this document except for informational purposes, and you may not reproduce this document in whole or in part without the prior written consent of PRIPRO.
What are the most important factors to consider before purchasing Cyber & Privacy Liability Insurance?

The most important factors to consider when purchasing Cyber & Privacy Liability Insurance are the expertise and sophistication of the insurance broker and insurer. Selecting an insurance brokerage with professional liability expertise, cyber and privacy risk competence and risk management service offerings is crucial. Equally important is selecting an insurer with experience managing claims involving data breaches, digital disasters, network security compromises, regulatory actions and third-party privacy liability claims.

The Cyber & Privacy Liability claims management process needs to begin before a data breach or security incident occurs, which requires a partnership with the insurance broker and insurer. In the wake of a data breach, businesses must be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensic evidence is not accidentally destroyed, and notify regulators, law enforcement officials, affected individuals and the impacted users of the compromised data.

The essential element of effective incident response planning is building the right team. Developing the necessary relationships with expert third-party partners, including the insurance broker and insurer, before an incident occurs is critical to rapidly containing data breaches and security incidents.
What is the current state of the Cyber & Privacy Liability Insurance Marketplace?

The Cyber & Privacy Liability insurance market has evolved over the past decade, but it is still a relatively new market. The current marketplace includes various products that range from standalone Cyber Liability policy forms to products that can incorporate other third-party liability coverage parts, such as Technology Errors & Omissions, Medical Malpractice, Managed Care Liability, Professional Liability, Media Liability and Management Liability forms. The marketplace continues to expand in an effort to keep pace with advancing privacy and data security threats, cybercrime and the ever-changing regulatory environment.
Why do businesses need Cyber & Privacy Liability Insurance?

Data breaches can be costly, disastrous events on par with natural disasters, fires, physical security compromises and terrorist attacks, and they can strike without notice. Developing Disaster Recovery Plans (DRP) or Business Continuity Plans (BCP) without anticipating exposures to data privacy and security related risks puts the organization's assets and reputation at risk. Considering the financial impact and the swift yet orchestrated response required in managing data breaches and cyber related incidents, an integrated incident response plan must be included in disaster recovery and business continuity planning processes. It should be an integral part of the organization's overall Enterprise Risk Management (ERM) program.

Data breaches are traumatic events that can paralyze the entire organization, damage relationships with vendors and partners and severely diminish consumer trust. Brand damage, response costs and other financial losses associated with data breaches can be significant, depending on the size of the organization, and may take years to recover from. The organizational trauma can be compounded by the lack of a unified data breach incident response plan and the necessary funding. Cyber & Privacy Liability Insurance assists in funding potential breach response expenses, defense costs for regulatory actions and other liabilities that arise in the wake of a data breach or security incident.
What does Cyber & Privacy Liability Insurance Cover?

Cyber & Privacy Liability Insurance Policies include Third-Party and First-Party Coverage Parts.

Third-Party Coverage

- Network Security Liability: Affords legal defense costs and indemnity for third-party claims alleging failure to protect against transmission of malicious code, denial of service attacks and unauthorized access and/or use of computer systems.
- Privacy Liability: Affords legal defense costs and indemnity for third-party claims alleging negligent use or disclosure of non-public personally identifiable information, including:
  - Protected Health Information
  - Employee Personally Identifiable Information
  - Third-Party Corporate Confidential Information
- Internet Media Liability: Affords legal defense costs and indemnity for third-party claims alleging wrongful acts in the dissemination of internet content and media.
- Regulatory Actions: Affords legal defense costs for regulatory actions brought by federal regulators (for example under HIPAA/HITECH or COPPA, or by the FTC) or by State Attorneys General (SAG).

First-Party Coverage

- Data Breach Fund/Costs:
  - Data Breach Legal Advisor
  - Forensics Investigation Expenses
  - Notification and Call Center Services
  - Public Relations/Crisis Communications Costs
  - Credit Monitoring/Credit-Fraud Remediation Services
- PCI DSS Violation Coverage: Covers monetary fines or penalties resulting from the failure to comply with PCI DSS requirements.
- Regulatory Fines & Penalties: Covers monetary fines or penalties resulting from the failure to comply with state or federal laws.
- Network Extortion: Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless such consideration is paid.
- Business Interruption: Indemnification for loss of income and incurred extra expenses that arise directly out of a network security breach that occurs on the insured's systems.
- Digital Asset Loss: Indemnification for costs to recreate, rebuild or recollect digital information assets that were directly damaged as a result of a network security breach that occurs on the policyholder's systems.
Why should an organization's incident response plan be synced to the insurance policy?

Many insurers have pre-arranged incident response services offered as a data breach team, a group of pre-approved vendors that must be utilized in the event of a breach. Other insurers offer their policyholders the choice of vendors, subject to the insurer's prior written consent. Failure to properly provide notice of claim to the insurer and gain its prior written consent to utilize response vendors can lead to uninsured claims and compromised coverage. The solution is to sync the incident response plan into the insurance program and gain the insurer's prior written consent as part of the application process, before coverage is purchased.

Teamwork

A seamless incident response plan incorporates all stakeholders, internal and external, including the insurance broker, the insurer and its service providers. The Data Breach or Incident Response Team includes pre-arranged incident response service providers such as:

- Data Breach Legal Advisor: Provides immediate legal triage and direction, typically offered at no retention or deductible.
- Forensic Investigator: Determines the nature and scope of the incident, takes immediate steps to contain it and ensures that forensic evidence is not accidentally destroyed.
- Public Relations and/or Crisis Management Services: Assists with brand damage containment, media communications and press releases.
- Notification and Call Center Vendors: Assist with providing notice to affected individuals and handle customer service calls from impacted users of the compromised data.
- Credit Monitoring or Credit-Fraud Remediation Services: Provide impacted individuals with Credit Monitoring or Credit Remediation Services.
Why is the application process so important?

The application for insurance includes many questions relative to organizational compliance, internal procedures, hiring processes, employee privacy training/awareness programs, physical security, IT security protocols, claims history and many other items. The reasons for including privacy and finance leadership are obvious; however, involvement of all stakeholders, including Information Technology, Human Resources, Audit, Compliance and Marketing, is necessary.

The application becomes part of the insurance contract, and in most cases it is considered a warranty or a guarantee that the statements made by the organization on the application are true and correct. The application serves as the underwriter's risk assessment, since the insurer accepts risk based on representations made by the applicant in exchange for a premium. If the application does not reflect the proper risk or the insured's representations were not correct, insurers have the right to deny coverage, rescind the policy or charge additional premium.

For example, certain policies may contain the following type of exclusion:

"Any Security Breach resulting from the knowing and intentional failure of the Insured to maintain Security Systems equal or superior to those disclosed in the Application for insurance, or the failure of the Insured to use best efforts to install or implement commercially available updates to such Security Systems."

This exclusion would preclude coverage for any claim that stemmed from a security breach caused by missing just one patch or update issued since the application was completed. "Knowing and intentional failure" is subjective; it is widely known that most businesses do not immediately apply commercially available updates to their systems. While this type of exclusionary language is becoming obsolete among the major writers of Cyber & Privacy Liability insurance, many policy forms contain similar variations.

An experienced insurance broker should be capable of running tabletop breach simulations and data breach drills to illustrate how the insurance policy would respond to breach response costs, notification laws, regulatory actions and other liabilities.
Policy Terms, Conditions & Exclusions

There is no one-size-fits-all Cyber & Privacy Liability insurance product. A Cyber & Privacy Liability Insurance program should be tailored to the size of the organization, its industry sector and its particular compliance requirements. There is presently no industry standard; each Cyber & Privacy Liability insurer has its own proprietary policy form. The policy terms, conditions and exclusions can differ drastically among insurers. That is another reason why the expertise of the insurance broker is so important. An experienced insurance broker should be capable of comparing each insurer's proposal, policy terms, conditions and exclusions to determine which option is best for the client's specific exposures and data security and privacy compliance requirements.

Take Away

Businesses can no longer take a reactive approach to cyber and privacy risk management. In light of escalating cybercrime, privacy threats and evolving legislation, businesses of all sizes should prepare for data breaches in advance and have an executable incident response plan of action in place. Buyers need to be aware of the potential pitfalls of buying insurance shelf-products at the lowest premiums, as doing so may lead to major unanticipated expenses, delays and problems when claims are made and breaches occur. Cyber & Privacy Liability insurance is a specialty product that requires expertise, so it is very important to select an insurance broker and insurer that concentrate on cyber and privacy risks and offer dynamic claims management and risk management services.
PRIPRO achieved nominations in Advisen's 2014 Cyber Risk Awards in two categories: Best Cyber Risk Innovation of the Year and Best Cyber Risk Team.

About Us

Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO) is a risk advisory firm that specializes in Cyber & Privacy Risk management and insurance solutions. PRIPRO was launched in response to the growing demand for businesses to be better protected in reducing and coping with cyber and privacy liability and data breaches. All the members of the PRIPRO team are Certified Information Privacy Professionals (CIPP) and Cyber & Privacy Liability Insurance experts.

Our Solutions

- Customized Cyber & Privacy Liability Insurance Solutions
- Cyber & Privacy Liability Consulting Services
- Privacy Risk Management Services
- Virtual Privacy Office Development
- Automated Risk Assessments
- Incident Response Planning Services
- PCI DSS Compliance Services
- Data Privacy & Security Employee Training (PCI DSS, HIPAA, GLBA)

New York
Privacy Professionals LLC
5 Hanover Square, 22nd Floor
New York, NY 10004

California
License No. 0178970
Privacy Professionals Insurance Services LLC
1460B O'Brien Drive
Menlo Park, CA 94025

contact@privacyprofessionals.com
www.privacyprofessionals.com

Copyright 2013 Privacy Professionals LLC/Privacy Professionals Insurance Services LLC (PRIPRO). All Rights Reserved.