Cyber & Privacy Insurance Coverage Made Simple(r)
Bob Bregman, CPCU, MLIS, RPLU
Senior Research Analyst
International Risk Management Institute, Inc.
The Policies Are Both COMPLEX and DIFFER from Insurer to Insurer!
In fact, they are so different that insurers use different names for what are essentially (but not exactly!) the same type of coverage:
- Information Security & Privacy Insurance (Beazley)
- CyberEdge (Chartis)
- CyberRisk (Travelers)
- Security and Privacy Protection (Zurich)
- CyberSecurity (Chubb)
- PrivaSure (AXIS Pro)
- Enterprise Professional Solutions (CNA)
- ClickStream 2.0 (Euclid Managers)
... after which, I stopped counting.
Today's Road Map
- Part I: The 10 Basic Cyber & Privacy Policy Insuring Agreements
- Brief Interlude: A Word about Technology E&O Insurance
- Part II: Selling Cyber & Privacy Coverage: Tips for Risk Managers, Insurance Agents/Brokers, and Underwriters
- Part III: Materials for Further Study: Becoming a Cyber & Privacy Insurance Coverage Expert
Part I: The 10 Basic Insuring Agreements
- Cyber & Privacy Liability Coverages (the Core Coverages):
  - Privacy Notification and Crisis Management Expense
  - Regulatory Defense and Penalties
  - Information Security & Privacy Liability
  - Website Media Liability
- Cyber-Related Time Element Coverages:
  - Business Interruption
  - Extra Expense
- Cyber-Related Theft of Property Coverages:
  - Data Assets
  - Cyber Extortion
  - Computer Fraud
  - Funds Transfer
Conceptualizing the 3 Core Cyber & Privacy Coverages
- Information Security and Privacy Liability Coverage: covers the pure liability component of the loss, including the cost of defending the claims.
- Regulatory Defense and Penalties Coverage: covers the cost of dealing with regulators and paying applicable fines/penalties; another loss component unique to data breaches.
- Privacy Notification and Crisis Management Expense Coverage: covers the costs of services that are unique to a data breach. This is the loss containment component of cyber & privacy liability coverage.
A Loss Scenario Involving the 3 Core Cyber & Privacy Liability Coverages
A hacker gains access to a retailer's computer system and obtains the names, addresses, Social Security numbers, and driver's license numbers of 100,000 customers, all of which constitute PII, or personally identifiable information. A class action lawsuit is eventually brought by 5,000 of the customers against the retailer.
Privacy Notification and Crisis Management Expense: Loss Containment Coverage
Covers the direct expenses required to:
- Hire a forensics expert to determine the cause of the breach and suggest measures to secure the site and prevent future breaches
- Hire a PR agency to assist the insured in dealing with the crisis
- Set up a post-breach call center
- Notify individuals whose PII has been compromised
- Monitor these individuals' credit (usually for 1 year)
- Pay costs needed to restore stolen identity (e.g., costs to notify banks and credit card companies)
Privacy Notification and Crisis Management Expense Coverage: Key Points
- Some insurers SPLIT (1) Notification, (2) PR, and (3) Forensics into separate insuring agreements!
- This coverage affords the insured access to the insurer's cadre of experts who can provide the hands-on expertise to work an insured through a data breach. (Rick Betterley calls this "breach coaching.")
- Immediately after a data breach, an insured will benefit immensely by having an insurance company partner.
- If a business is able to purchase just ONE of the 10 Insuring Agreements, this is the one to buy. It is the core of the 3 core coverages.
Regulatory Defense and Penalties Coverage: Regulatory Headache Coverage
Covers the costs of dealing with regulatory agencies who oversee state and federal data breach laws and regulations:
- Costs of hiring attorneys to deal with regulators during investigations
- Costs of fines and penalties that are levied against the insured as a result of the breach
"Regulatory defense" means that only the legal costs of dealing with regulators (not claimants) are covered by this insuring agreement.
Regulatory Defense and Penalties Coverage: Key Points
- One of the rare types of insurance policies that pays fines and penalties, items otherwise considered uninsurable under most coverages. BUT: some insurers DO NOT COVER fines and penalties. Others cover these items BY ENDORSEMENT.
- Especially valuable when dealing with regulators in multiple states. The laws are varied, complex, and downright byzantine (one of my favorite words!).
- Anyone who works in the D&O arena knows how expensive it is to respond to regulatory investigations.
- Navigating the post-breach regulatory maze requires the kind of specialized legal expertise to which most insureds do not have ready access, even if an insured has the funds to hire experienced counsel.
Information Security and Privacy Liability: Traditional Liability Coverage
Covers the insured's liability for damages resulting from a data breach, arising from:
- Loss, theft, or unauthorized disclosure of PII in the insured's care, custody & control
- Damage to data stored in the insured's computer systems belonging to a 3rd party
- Transmission of malicious code or denial of service to a 3rd party's computer system
- Failure to timely disclose a data breach
- Failure of the insured to comply with its own privacy policy prohibiting disclosure/sharing of PII
- Failure to administer an identity theft program required by governmental regulation or to take necessary actions to prevent identity theft
- Defense costs associated with all of the above items
Information Security and Privacy Liability Coverage: Key Points
- This is the true liability coverage element of a cyber & privacy policy
- Pays actual liability losses sustained by various claimants (UNLIKE the first two insuring agreements)
- Contrast with Privacy Notification and Crisis Management Coverage, which pays without admission of liability (like medical payments coverage under a homeowners or personal auto policy)
- Pays actual defense costs required to defend claims alleging loss by claimants (but NOT legal costs required to deal with regulators)
Where It Gets Even Trickier
- Some insurers combine 2 of these core coverages into a single insuring agreement with a single limit (e.g., Regulatory Defense + Information Security and Privacy Notification).
- Some insurers offer privacy notification and crisis management expenses as separate insuring agreements (with separate limits): THIS IS NOT GOOD.
- Several insurers provide liability coverage only when there is a THEFT of data (i.e., a Target-type data breach) but NOT when there is merely an INTRUSION without theft, as in the case of WEBSITE VANDALISM.
- And of course, insurers often refer to the 3 core insuring agreements by different names (e.g., one insurer uses the term "Information Security and Privacy Liability" and another calls it "Network and Information Security Liability").
Website Media Content Liability Coverage
Covers the insured's liability for material published on its website (only) for claims alleging:
- Personal Injury (e.g., invasion of privacy, libel, slander, defamation)
  - Claim Scenario: a health insurance company posts pictures of its subscribers w/o obtaining permission, violating their privacy
- Commercial Violations (e.g., plagiarism, infringement of copyright, trademark, logo)
  - Claim Scenarios: an online publisher publishes an article that does not attribute material appearing in the article to its original, actual source; an online retailer introduces its new logo that is very similar to that of another company
- Other Improper Web-Based Acts (e.g., improper deep linking)
  - Claim Scenario: a publishing firm publishes model HR policies and procedures, including links to an HR consulting firm. The consulting firm sues, alleging that the links enhance the publisher's website BUT WITHOUT BENEFIT TO the consulting firm
Website Media Content Liability Coverage: Key Points
- Covers losses NOT caused by data breaches/intrusions, which is why I don't consider it one of the 3 core coverages
- Much like a traditional, stand-alone media liability policy, but with one big difference: it ONLY covers media-type liability incurred from website activities
- Provides no coverage for non-website-based media activities (e.g., paper publishing, broadcast media)
- Many cyber insurers do not offer such coverage because it is available under traditional, stand-alone media policies
- Best solution: buy a comprehensive media liability policy that includes liability incurred for website activity, under a traditional (i.e., ALL media forms) media policy
Cyber-Related Time Element Loss Coverages: Business Interruption and Extra Expense
Business Interruption (BI): covers losses incurred during the period of recovery resulting from a computer system disruption.
3 Types of Covered Losses and Loss Scenarios:
- Income Loss (e.g., income lost when an insured cannot take online orders for its products)
- Dependent Business Interruption (e.g., loss sustained when an insured retailer's wholesale supplier is unable to receive orders because the wholesaler's website is shut down and can't ship products to the retailer)
- Extended Business Interruption (e.g., even after restoration following a shutdown, it will require some period of time for the volume of business to return to normal; covers loss sustained until business returns to "normal")
Extra Expense Coverage
- Extra Expense (EE): covers additional costs required to expedite recovery, such as overtime labor, express parts shipping, and hiring special experts
- Under some policies, EE coverage applies only if the extra expense reduces the loss
- Both BI and EE coverage are triggered ONLY by an electronic disruption (as defined by the policy), but NOT by other types of physical damage such as fire, windstorm, flood, etc., as under standard property insurance policies
- Both BI and EE coverages are usually (but not always) subject to a time deductible (rather than a dollar deductible) before coverage applies
- Standard property insurance won't cover data breach-related BI or EE loss because the policies require physical damage to trigger a covered loss
Complications, Caveats, and a Recommendation
- Many insurers do not offer cyber-related property coverage because, philosophically, they view cyber & privacy insurance as a liability coverage ONLY. Others offer it, but by endorsement, not within their standard form.
- Under some forms, a covered computer system disruption MUST be a data breach; under others, this is not required (e.g., it can be the introduction of a virus).
- Some insurers bundle BI and EE under a single insuring agreement; others separate them; still others offer BI but not EE.
- Some insurers do not offer Dependent BI coverage OR Extended BI coverage within their BI coverage wording.
- If the insured has purchased BI coverage, the insurer has an added incentive to handle the privacy notification and crisis management aspects of a data breach MORE EXPEDITIOUSLY! So consider buying BI coverage for that reason.
Cyber-Related Theft of Property Coverages
- Data Asset Coverage
- Cyber Extortion
- Computer Fraud
- Funds Transfer Fraud
Data Asset Coverage
Covers the cost of restoring and recovering the data lost from the failure of an insured's computer system.
Loss Scenarios:
(a) A hacker gains access to an insured's customer database and erases it from the company's computer system.
(b) An employee accidentally erases the company's customer database.
In both instances, this insuring agreement pays the cost of restoring the customer database.
Data Asset Coverage (continued): Restrictions
- Coverage usually does not apply when the loss of data assets is caused by intentional employee acts
- No coverage for upgrading software or other programs during the restoration process
- No coverage for the cost of research to recover lost data (only coverage for electronic recovery methods)
- Insurer must (usually) pre-approve costs for all expenditures
- Some policies only provide coverage for loss caused by a data breach (but not from other causes, such as accidental erasure)
Cyber Extortion Coverage: K&R Coverage for Cyber Events (AKA "E-Commerce Extortion")
Loss Scenario: the insured receives an e-mail from an individual who threatens to shut down/damage/introduce a virus into/disclose confidential information from/block access to/attack the company's website in some other way UNLESS the insured pays $10 million.
What's Covered:
(1) Monies paid to meet the extortion demands
(2) Monies paid to computer security experts on how to prevent future extortion attempts
(3) Cost of expert assistance to deal/negotiate with cyber extortionists (perhaps more important than #1 and #2)
Computer Fraud Coverage
Covers loss from fraudulent, unauthorized entry into a computer system resulting in a theft of money or data.
Loss Scenario: a cyber thief accesses a bank customer's savings account number and password, then uses this data to withdraw $25,000 from various ATMs.
Key Points: NO COVERAGE for (1) employee acts (it's NOT a fidelity cover), (2) independent contractor acts, or (3) acts of persons under the insured's supervision. In effect, insurers won't cover "inside jobs."
Funds Transfer Fraud Coverage
Covers loss sustained when funds are fraudulently transferred from one financial institution to another.
Loss Scenario: a stock brokerage firm receives an e-mail appearing to be from a U.S. bank (but it is not). The broker's employee opens the e-mail, which activates a virus, allowing the thief to access the brokerage account number and password, which she uses to transfer funds to her bank in Eastern Europe. (The Girl with the Dragon Tattoo, by Stieg Larsson)
Funds Transfer Fraud vs. Computer Fraud: the previous scenario (i.e., the "computer fraud") did not involve the transfer of monies between financial institutions, whereas funds transfer fraud does.
Cyber-Related Theft of Property Coverages: A Wrap-Up
- A substantial minority of insurers DO NOT offer such coverages
- They philosophically view Cyber & Privacy Insurance as DATA BREACH-driven, producing third-party liability loss, rather than first-party property loss
- BUT a number of these losses can be covered elsewhere (K&R policies, crime policies), so insurers seek to avoid duplicating coverage in cyber forms
- Many insurers seek to avoid such losses because they are often fidelity-linked and don't want to provide such coverage
A Last Look at the 10 Insuring Agreements
- Cyber & Privacy Liability Coverages (the Core Coverages):
  - Privacy Notification and Crisis Management Expense
  - Regulatory Defense and Penalties
  - Information Security & Privacy Liability
  - Website Media Liability
- Cyber-Related Time Element Coverages:
  - Business Interruption
  - Extra Expense
- Cyber-Related Theft of Property Coverages:
  - Data Assets
  - Cyber Extortion
  - Computer Fraud
  - Funds Transfer
Limits and Deductibles: Distinctive Features, Special Challenges
- Each of the 10 Insuring Agreements contains both a separate per claim limit and a separate per claim deductible
- Cyber policies are ALSO written with an annual aggregate limit for claims covered by ALL insuring agreements that have been purchased
This approach has several effects:
1. The insured must make multiple DECISIONS
2. The true extent of coverage is CONSTRICTED
3. It adds overall COMPLEXITY to the buying process
Selecting Limits and Deductibles: No Easy Answers
- The application process sheds light on the nature of the insured's exposure
- Expert broker advice is essential
- Expert brokers can use other clients with similar:
  1. business type
  2. number of electronic records
  3. size (sales, number of customers, number of transactions)
  4. location
  5. other factors
  to make recommendations
- The insured's cash position is a key to deductible/retention choices
Brief Interlude: A Word about Technology E&O Insurance
Technology E&O and Cyber & Privacy Insurance are similar but NOT synonymous.
Technology E&O = Cyber & Privacy Insurance (the 3 core insuring agreements + some/all of the other 7) + Miscellaneous E&O Insurance (coverage for errors & omissions in delivering technology PRODUCTS and SERVICES)
Cyber & Privacy vs. Technology E&O
IRMI buys Cyber & Privacy Insurance because IRMI uses technology to deliver products. We don't sell technology PRODUCTS or SERVICES. Rather, we use technology to deliver products and services.
In contrast, the company that stores IRMI's data on an off-site basis buys Technology E&O because it is providing IRMI with technology products and services (i.e., data storage).
Coverage: Cyber & Privacy Insurance | Technology E&O Insurance
Buyer: Users of Technology | Sellers of Technology
Part II: Selling Cyber & Privacy Insurance: Tips for Risk Managers, Agents/Brokers, Insurers
The penetration rate for cyber & privacy insurance is still relatively low. In fact, according to an estimate by Marsh, the coverage is purchased by only 25 to 35 percent of all companies (see "Making Sense of Cyber Insurance," PropertyCasualty360.com, January 13, 2014). Here's how to change that:
Risk Managers
- It's Not Just Your Employer's Survival That's on the Line, It's Yours! If your company's systems are breached, and you haven't at least obtained a quotation for cyber & privacy coverage, don't let the door hit you on the way out.
- Sell the Nonindemnification Aspects of the Coverage to Sr. Management: reimbursement from an insurer is only half the story (or maybe even less)
- No Matter How Much Opposition, Undergo the Application Process: even if the deciders reject the opportunity to buy coverage, at least YOU will be covered!
The Value of an Insurance Company Partner when Managing Specialized Claims
- Companies covered by a D&O policy paid an average of $129,625 per claim
- Companies NOT covered by a D&O policy paid an average of $408,469 per claim
Source: Chubb Insurance Co. 2005 (Private Company D&O Survey)
Defending a D&O claim is NOT a do-it-yourself project! Nor is the process of managing a data breach!
Benefits of the Application Process
- Compels a business to comprehensively (and honestly) assess its risks and vulnerabilities
- Assists in quantifying potential losses (which will help in selecting limits!) because apps ask about numbers of customer records, sales volumes, locations, etc.
- Focuses senior management's attention on the importance of cybersecurity. Remember: a Sr. Executive must SIGN the application!
- Increases support for having an independent audit, without which a business will never receive an objective assessment of its cybersecurity program
"Trust, but verify" (Russian proverb): The Need for Cyber Audits
- Insurers don't generally require them as a condition of providing coverage, but they do encourage them
- Insurers will be happy to recommend providers (yet another benefit of the application process), assuring that you will receive a competent evaluation
- BUT audits are not submitted with coverage applications, to avoid the findings of the audit being discoverable in the event of a loss
- Expect internal resistance to an audit from your company's IT department, but this is one battle a risk manager should be able to win
- If there is a weakness or problem in your company's protection systems, better to find out during an audit than after a data breach!
Agents & Brokers
- Consider the E&O Possibilities: YOURS! You will be sued if a client suffers an otherwise insurable breach-related loss
- Sell the Nonindemnification Aspects of the Coverage: reimbursement from an insurer is only half the story (or maybe even less)
- View It as a Chance To Stand Out from the Crowd: true expertise in cyber & privacy coverages is at a premium now
Insurers
Sell Cyber & Privacy Insurance as a Management Liability Cover
- View cyber as the 4th component of the management liability insurance trio (along with D&O, EPL, and fiduciary). A breach often comes back to D's & O's as a derivative claim.
- Yet, insurers' websites treat cyber & privacy insurance as either (a) a professional/E&O coverage OR (b) a separate, stand-alone product
Kevin LaCroix on Cyber & Privacy Risks to D's & O's
"These two lawsuits (against Target and Wyndham Hotels) highlight the fact that the risks and exposures companies face in connection with cybersecurity issues include potential liability exposures for companies' corporate boards." (emphasis added)
Source: "What to Watch in the World of D&O," Fall 2014; Vol. IX, Issue Three; RT ProExec InSights
Standardize Your Policies: They Won't Buy What They Don't Understand!
- The lack of uniformity in both coverage and terminology between the various insurers' policies is a substantial barrier to greater levels of market penetration.
- If buyers struggle to understand cyber & privacy insurance policies, they won't buy them.
- Product differentiation is a good thing, but in my opinion, too much differentiation has hampered market penetration.
- Start by combining the 3 Core Coverages under ONE INSURING AGREEMENT.
Lose the Bunker Mentality (At Some Point): Reduce the Number of Insuring Agreement-Specific Limits and Deductibles
- Imposing (a) a per loss limit for each insuring agreement, (b) a per loss deductible, and (c) an aggregate limit for all insuring agreements is really shrinking the extent of actual coverage being provided.
- Consider offering either a single, aggregate limit for all of the insuring agreements being purchased OR a per loss limit for each insuring agreement, but NOT both.
Part III: Materials for Further Study: Becoming a Cyber & Privacy Insurance Expert (5 Great IRMI Resources)
"A journey of 1,000 miles begins with a single step." Lao-tzu, Chinese philosopher (604-531 BC), The Way of Lao-Tzu
IRMI's Online CE Course on Cyber & Privacy Exposures and Insurance Coverage
- An in-depth, yet easy-to-follow 14-chapter course
- Includes frequent examples and numerous review questions
- Delivered online through a user-friendly online interface
- Study the course material at your own pace
- Take the multiple choice final exam when you're ready
You can take the IRMI Cyber & Privacy Exposures and Insurance Coverage course at any time, from any computer with access to the Internet.
Professional Liability Insurance (PLI)
IRMI's 3,500-page reference manual dealing with all types of Professional (medical and nonmedical), EPL, E&O, and D&O liability exposures and insurance coverages. Contains detailed (150+ pages) discussions of Cyber & Privacy and Technology E&O Insurance Coverages and Exposures.
Available in IRMI Online and ReferenceConnect:
- Cyber and Privacy Loss Exposures
- Cyber and Privacy Liability Insurance Coverage
- Technology Errors and Omissions Liability Exposures
- Technology Errors and Omissions Liability Insurance Coverage
The Betterley Report
An authoritative series of Market Survey Reports providing concise market insight and detailed policy comparisons for 6 specialty lines of coverage. Each report is 50-175 pages. Cyber & Privacy Insurance and Technology E&O Insurance are among the 6 lines covered.
Available in IRMI Online and ReferenceConnect:
- Cyber/Privacy Insurance Market Survey 2014
- Technology Errors & Omissions Market Survey 2014
The Risk Report
The Risk Report is a monthly, in-depth (8 to 12 pages) report on an important aspect of commercial insurance/risk management. Recent cyber & privacy insurance articles (available in IRMI Online and ReferenceConnect) include:
- Top 10 Tips for Insuring Cyber Risks (12/13)
- Cyber Endorsements for Traditional Insurance Policies (05/13)
- Cyber, Tech, Media, and Privacy E&O Insurance (01/12)
- Digital Risk Management (11/11)
IRMI.com: This Is Free!
Contains 1,600+ FREE articles in the Expert Commentary section, on various insurance and risk management topics, including 50 articles on Privacy/Cyber/Technology E&O topics. Most recently:
- Changes in State Breach Notification Laws (08/14)
- Guidance for Managing Cybersecurity Risks (5/14)
- Revisiting Privacy Policies in Light of California Law (10/13)
- Yawning in the Face of Privacy Risks (05/12)
- Hacking, Malware, and Social Engineering: Definitions of and Statistics about Cyber Threats Contributing to Breaches (01/12)
Please Feel Free To Contact Me
Bob Bregman
Bob.B@IRMI.com
(972) 687-9351