Airmic Review of Recent Developments in the Cyber Insurance Market. & commentary on the increased availability of cyber insurance products GUIDE


1. Executive summary

Airmic members have become increasingly aware of the cyber risk exposures faced by their organisation. However, in order to open a discussion with the IT specialists, Airmic members need to understand the range of cyber risks faced by the IT systems and networks in their organisation and the availability of suitable insurance for cyber risks.

This report presents an overview of the range of cyber risks faced by organisations and a review of the cyber risk insurance market. It provides a commentary on the significant developments that have occurred within the last two to five years. In summary, this research into the scope and availability of cyber insurance was undertaken by Airmic in order to provide the following:

1. an overview of the range of cyber risk exposures that can materialise, and to encourage risk managers to evaluate all cyber risks, including data security
2. an insight into the questions that they should ask about the need for cyber risk insurance within the risk manager's own organisation
3. an account of the developments that have taken place in the availability, relevance and cost of cyber risk insurance during the past two to five years
4. a description of the coverage currently available in cyber insurance products in terms of the scope and possible costs associated with this insurance
5. a list of the questions that are asked in a typical cyber risk proposal form as a means of undertaking a preliminary check on the status of IT risks in the organisation.

In undertaking this review, Airmic has become aware of the considerable developments in the availability of cyber insurance in recent times. Airmic intends to undertake further research into cyber risk insurance and will continue to encourage the insurance market to develop relevant insurance products.

In summary, the following conclusions have been drawn by Airmic about cyber risk exposures, the cyber insurance market and recent developments:

- organisations are looking more carefully at the range of cyber risks they face, both in terms of first-party risk exposures and third-party liability exposures
- there has been rapid development in the range of cyber insurance products that are available, and these cover both first-party and third-party risk exposures
- the cost of cyber insurance has become more competitive, and cyber insurance is now a more cost-effective risk transfer mechanism than was previously the case
- insurance solutions continue to develop, and it is in the interests of both insurance buyers and the insurance market to continue these developments.

2. Contents of report and acknowledgements

1. Executive summary
2. Contents of report and acknowledgements
3. Scope of review undertaken by Airmic
   3.1 Background to the research
   3.2 Review of cyber exposures
   3.3 Management of cyber risks
4. Nature of cyber exposures
   4.1 Review of cyber exposures
   4.2 First-party cyber risk exposures
   4.3 Third-party cyber liability exposures
5. Cyber insurance proposal forms
   5.1 Profile of the insured
   5.2 Analysis of existing controls
   5.3 Completed proposal form
6. Insurance currently available
   6.1 Typical policy terms and conditions
   6.2 Indication of cost for cyber insurance
   6.3 State of the cyber insurance market
7. Checklist of actions for risk managers
8. Airmic plans for the future
Appendix A: Typical questions in a cyber and data security proposal form
Appendix B: Summary of typical cover offered in a cyber and data security policy

Airmic is grateful to the partners and associate partners that assisted with this review. However, it should be noted that the examples, analysis, costs and opinions offered are exclusively those of Airmic. None of the analysis, costs, commentary or the contents of any list or table in this report should be assigned to any individual organisation. The following organisations provided significant support and/or their websites were used as sources of information: Chartis Europe Limited, Lockton, Gallagher Heath, Marsh, JLT Specialty, QBE, Willis.

3. Scope of review undertaken by Airmic

3.1 Background to the research

Historically, insurance policies such as property, liability and crime have not fully covered the risks associated with the IT infrastructure of the organisation or the risks associated with non-tangible assets, such as data. However, with the growing dependency on technology and the heightened threat of unauthorised access to information, cyber risks have increased significantly and the insurance market has responded to these changes.

Many consider that cyber insurance is a relatively new, although fairly well-established, product in the insurance market. Whilst this may be true, cyber insurance products are developing rapidly to address the evolving nature of cyber risks. It is often suggested that there is a similarity between the way in which cyber risk policies are developing and the development of Directors and Officers Liability (D&O) insurance during the 1980s and beyond.

There is increasing awareness in organisations of their liability for cyber risk exposures. As awareness increases, organisations are realising that cyber risks are not solely concerned with the loss or unauthorised disclosure of personal data or information. There is a wide range of cyber risks, including those associated with business interruption and denial of service. Organisations need to take account of a broad agenda of cyber risks and then evaluate the potential for using insurance as a control mechanism.

3.2 Review of cyber exposures

Against this background, Airmic has undertaken a review of the state of the cyber insurance market to provide Airmic members with a status report of that market. This initial report is not intended to be a detailed analysis of the market or to provide benchmarking information for the use of insurance buyers. The primary purpose of the report is to provide an overview of developments in cyber insurance that have occurred during the past two to five years, as well as to provide a commentary on the current state of the cyber insurance market.

In order to undertake this review, Airmic held discussions with several insurance broker and insurer partners. Additionally, Airmic reviewed the information available on a number of partner and associate partner websites. The discussions focused on the cyber threats that currently exist and the status of the cyber insurance market. During these discussions, Airmic became aware that significant developments have occurred in the cyber insurance market over the past two to five years and that these developments are continuing.

Airmic undertook a brief review of the range of risks faced by organisations, both first party and third party, and these are set out in Table 1 (first-party risks) and Table 2 (third-party risks). Also, an analysis was undertaken of the questions asked in a typical cyber risk proposal form, and this analysis is shown in summary in Appendix A. Finally, the extent and scope of insurance cover offered by a typical insurance product was evaluated, and the results of this analysis are summarised in Appendix B.

3.3 Management of cyber risks

At the same time as the IT infrastructure of an organisation has become more important, there appears to be an increasing reluctance on the part of non-IT managers to ask questions about the IT infrastructure. It is, perhaps, feared that asking questions would challenge the professionalism and technical knowledge of IT specialists. Airmic believes that, whilst the role of IT specialists is fundamentally important, risk managers should seek to introduce the well-established three lines of defence model to the management of IT risks.

Risk managers will be familiar with the three lines of defence model. It is a structure whereby (1) operational management are responsible for the particular risk (in this case cyber risk); (2) specialist functions such as the risk management department provide technical support; and (3) the internal audit function ensures that appropriate controls are in place. It is, perhaps, the case in many organisations that the IT department / manager provide and are responsible for all three lines of defence.

Many Airmic members have found it challenging to discuss cyber risk issues with their IT specialist colleagues or (perhaps outsourced) service providers and then explore the relevance of insurance to the control of these risks. Part of the purpose of this report is to provide Airmic members with the basis on which they can open a dialogue with their IT departments. This dialogue should then lead to:

1. an assessment of the risks associated with the IT infrastructure in the organisation and the nature of the functions and data managed by that IT infrastructure
2. evaluation of the controls that are currently in place to mitigate these risks, including the existence of Disaster Recovery Plans (DRP); and
3. analysis of the relevance and cost-effectiveness of insurance to contain the cost of adverse events, possibly as part of the Business Continuity Plans (BCP).

Given that cyber risk exposures are increasingly important for organisations and given that the insurance market is keen to develop new products, this is an important time for Airmic to be undertaking this work. Also, there is an over-riding need for insurance buyers to liaise more closely with insurance providers to ensure that the products developed are fully relevant to the needs of large insurance buyers, such as Airmic members.

4. Nature of cyber exposures

4.1 Review of cyber exposures

The importance of the information technology (IT) infrastructure and the associated issue of information security has increased considerably for many organisations. There is significant reliance on the IT infrastructure to handle management information within most organisations. For some organisations, such as Internet trading companies, the IT infrastructure is fundamentally important to the operation of the company. Without the IT infrastructure, the organisation would not be able to transact any business.

Almost every organisation is exposed to loss resulting from damage or destruction of its computers and computer networks, including any resulting loss of income or business interruption and/or increased cost of operation. Risks and potential losses associated with the use of computers can arise from first-party exposures and third-party exposures. Table 1 provides examples of the most likely first-party cyber risk exposures and Table 2 provides examples of third-party cyber liability exposures.

When investigating possible insurance cover, an extension to an existing insurance policy may provide adequate cyber cover. The lines of insurance potentially applicable to cyber-related claims include first-party commercial property and business interruption policies, and third-party commercial general liability and errors and omissions or professional indemnity policies. However, it is becoming more common for organisations to purchase specialised cyber risk policies to supplement their existing insurances.

Risk managers will be familiar with the concepts of first-party and third-party risks. Therefore, the starting point for the risk manager, when considering cyber risk exposures, will be to identify the first-party risk exposures and the third-party liability exposures. The risk manager will also be aware that a wide range of cyber risk controls may already be in place, including Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP).

4.2 First-party cyber risk exposures

First-party insurance is a policy that provides protection for the property owned by the insured organisation. First-party protection is provided by way of payment when property suffers damage or loss. Theft insurance, fire insurance and protection against losses caused by earthquake or flood are the most common forms of first-party insurance.

First-party insurance is also relevant to cyber risks and will provide protection against the financial consequences of events such as those listed in Table 1. Comprehensive insurance products are available to cover the full range of first-party cyber risk exposures listed in Table 1. The risk manager should initiate the identification of the first-party cyber risk exposures faced by the organisation and then facilitate the evaluation of the extent to which insurance represents a cost-effective control mechanism.

Table 1: First-party cyber risk exposures

1. Loss or damage to digital assets: loss or damage to data or software programs, resulting in cost being incurred in restoring, updating, recreating or replacing these assets to the same condition they were in prior to the loss or damage
2. Business interruption from network downtime: interruption, degradation in service or failure of the network, resulting in loss of income, increased cost of operation and/or cost being incurred in mitigating and investigating the loss
3. Cyber extortion: attempt to extort money by threatening to damage or restrict the network, release data obtained from the network and/or communicate with the customer base under false pretences to obtain personal information
4. Reputational damage: arising from a data protection breach being reported (whether factually correct or not), that results in loss of intellectual property, income, loss of customers and/or increased cost of operation
5. Theft of money and digital assets: direct monetary losses and associated disruption from theft of computer equipment, as well as electronic theft of funds / money from the organisation by hacking or other type of cyber crime

4.3 Third-party cyber liability exposures

There is a wide range of third-party risks associated with the operation of IT systems. Organisations need to undertake a risk assessment of the third-party cyber risks faced by their IT systems and networks. As with first-party risks, it is important for the risk manager to facilitate the discussion with IT specialists and other stakeholders in order to identify the third-party liability exposures, such as those listed in Table 2.

A wide range of cyber insurance policies is available that address the risks listed in Table 2. In some cases, the policy coverage includes assistance with or even management of the incident itself, as well as financial compensation for the cost of the incident. As with first-party covers, the inclusion of incident management or claims assistance services within the policy may be important for the organisation. This will be especially true where the incident has the potential to damage reputation and/or result in regulatory enforcement.

For some organisations, there is the risk of data loss or corruption arising from the performance of professional services for others. The most obvious example is designing, creating and/or installing a computer-related network or system for a third party. There is a risk of damaging or corrupting data on customer computers.

Given the interdependency of many computer networks and the frequent use of outsourced services, organisations should take a careful look at their risk exposures. These risk exposures will arise from their own activities, as well as the activities of third-party service providers, such as cloud data management companies. There will be a need to ensure that strict contract terms and conditions are in place, and these may include the requirement on the service provider to purchase adequate insurance cover.

Table 2: Third-party cyber liability exposures

1. Security and privacy breaches: investigation, defence cost and civil damages associated with security breach, transmission of malicious code, or breach of third-party or employee privacy rights or confidentiality, including failure by outsourced service provider
2. Investigation of privacy breach: investigation, defence cost, awards and fines (may not be insurable in certain territories) resulting from an investigation or enforcement action by a regulator as a result of security and privacy liability
3. Customer notification expenses: legal, postage and advertising expenses where there is a legal or regulatory requirement to notify individuals of a security or privacy breach, including associated reputational expenses
4. Multi-media liability: investigation, defence cost and civil damages arising from defamation, breach of privacy, negligence in publication of any content in electronic or print media, as well as infringement of the intellectual property of a third party
5. Loss of third-party data: liability for damage to or corruption / loss of third-party data or information, including payment of compensation to customers for denial of access, failure of software, data errors and system security failure

5. Cyber insurance proposal forms

5.1 Profile of the insured

Appendix A provides a list of questions typically included in a cyber and data security insurance proposal form. As with any proposal form, the objective is for the underwriter to gain an accurate and comprehensive view of the insured. The proposal form requests information about the company and the details of the cyber risk insurance that is required.

Details of the nature of the information held by the organisation will also be required. In particular, details of sensitive information held by the company will need to be supplied, including whether the data includes:

- credit card or debit card information
- healthcare or sensitive personal information
- trade or commercial secrets and/or intellectual property
- other sensitive personal data, including:
  o date of birth
  o national insurance number
  o driver's licence details
  o passport number.

Details of the nature, size and complexity of the network, and the data structure will be required by the underwriter. The proposal form will also seek information about the controls that are in place and the arrangements for network and data security. If the organisation is seeking first-party business interruption insurance, then information on the business impact, incident response and crisis containment arrangements will be required.

Finally, information will be required under the heading "historical information". This will include details of previous insurance arrangements and significant interruption or suspension of computer systems incidents that have previously occurred. Information will also be required on any previous breach of IT security, previous claims and any instances where sensitive data has been compromised. Information is also likely to be requested on any legal, disciplinary or regulatory action taken against directors of the company.

5.2 Analysis of existing controls

An important consideration for both the insured and the insurer is the level of cyber controls that are currently in place. For IT networks handling sensitive information, underwriters will require details of the controls, so that they can gain assurance that the controls are suitable. Providing assurance on the effectiveness of the controls can represent a difficulty for large organisations handling large amounts of sensitive data. Even if requested, such companies would be unwilling to allow an underwriter to undertake an audit of their controls, because this would involve access to the sensitive data.

The controls in place may be complex and sophisticated, but also represent a degree of commercial confidentiality. There may be a need for negotiation between the insured and potential underwriters regarding information on the controls. There have been cases of underwriters requesting an audit of the IT controls as a condition of providing insurance, and this request will be rejected for commercial confidentiality reasons.

From an Airmic member point of view, evaluation of existing controls to understand the efficiency and effectiveness of these controls is important. Airmic intends to undertake further investigation into the types of cyber controls that are in place in organisations and how these controls are viewed by underwriters. This is an important area where greater understanding is probably required on the part of both underwriters and risk managers.

5.3 Completed proposal form

When completing a proposal form, the insured will evaluate the relevance of the questions and the information that is requested. This evaluation is best undertaken when the risk manager has a clear idea of the type of cyber insurance that needs to be purchased. Many Airmic members have completed the exercise of mapping IT risks against existing and additional insurance policies to produce a spreadsheet. This approach results in identification of the level of cover that is required, the extent to which existing insurance policies provide that cover and the level of cover that is likely to be offered by the additional cyber insurance.

The range of questions asked on proposal forms has become simpler and more relevant in recent times. Appendix A provides a comprehensive set of issues that could be covered in a typical proposal form. Although proposal forms are becoming simpler, many organisations feel that, just as with Directors and Officers Liability (D&O) insurance, a more informal presentation to underwriters of the cyber risk exposures is appropriate.

For many risk managers, there are benefits associated with compiling the information that is required to complete the proposal form. Collecting this information will enable the risk manager to gain a detailed understanding of the extent of the IT network, the extent of the data stored and the levels of data security that are currently in place. Also, the risk manager will gain information on the potential business impact and the existing incident response and crisis containment arrangements. The risk manager is likely to discover that the values involved and/or the magnitude of the exposures are difficult to compile and surprisingly large.

6. Availability of cyber insurance

6.1 Typical terms and conditions

Appendix B provides an overview or summary of the typical cover offered in a cyber and data security policy. This summary refers to a policy that provides insurance cover for both first-party and third-party exposures. Part 1 of Appendix B gives an outline of the coverage offered. As with all insurances, it is important for the risk manager to cross-reference the cyber exposures identified during the risk assessment with the coverage provided by the policy.

The range of insurance cover available has expanded considerably in the last two to five years. In general, insurance coverage is available for all of the first-party and third-party exposures described in Table 1 and Table 2. Definitions and exclusions tend to restrict cover, and the risk manager needs to evaluate the impact of definitions and exclusions. Particular attention should also be paid to the claims notification procedures set out in the insurance policy. It should be noted that, generally speaking, cyber risk policies are written on a claims-made basis.

Decisions will need to be taken on the limit of indemnity that is required and the level of deductible(s) that is acceptable. For many of the risk exposures described in Table 1 and Table 2, there will be a sub-limit quoted in most policies. It is important to bear in mind that the limit of indemnity that is appropriate may not have a direct relationship to the turnover of the company. When making decisions on the level of cover, a review of the risk register for the organisation may be appropriate to ensure that the insurance cover addresses the IT risks and exposures that have been identified, analysed and evaluated.

6.2 Indication of cost for cyber insurance

Various estimates have been provided of the total cost of cyber crime to the UK economy. It has been estimated that the total cost is in excess of 20 billion per annum. Within that total cost, it has been estimated that intellectual property theft costs 8 billion, industrial espionage costs 7 billion, extortion costs 2 billion and direct online theft costs in excess of 1 billion. Finally, it has been estimated that about 1 billion is lost through theft of customer data.

In order to decide the limit of indemnity that should be purchased, an organisation will need to evaluate the possible cost of foreseeable cyber events. There are various research reports that have estimated the cost of individual cyber risk events, although these will vary considerably between organisations. For example, it has been estimated that a typical business interruption cyber event may cost 250,000. Other estimates have put the total cost of a significant cyber event in the region of 500,000.

Airmic partners provided general opinions on typical limits of indemnity purchased and the associated costs. In the United States, a typical premium would be $100,000 for a limit of indemnity of $10 million, covering both first-party and third-party risks. Typically, a limit of indemnity of 1 million to 5 million is more common in the UK, although some organisations may buy up to 10 million. It was stated that an indicative cost for a limit of indemnity of 1 million (with no US exposure) would be about 30,000, or a premium of 150,000 for a 10 million limit. These figures are, of course, only indicative, and some organisations may pay more and/or buy higher limits of indemnity.

6.3 State of the cyber insurance market

The coverage available for cyber risks and the range of cyber risk insurance policies have increased substantially during the past two to five years. It has been estimated that there is now a total premium spend of about $500 million in the US market. With this level of premium spend in the market, product development is progressing and capacity for cyber risk exposures is increasing. Typically, primary limits of between 5 million and 10 million are purchased, although these can be as much as 20 million. Insurance brokers report that the London market has capacity for excess layers up to a total limit of 100 million, if required.

The business sectors of greatest concern are hospitality, financial institutions and, to some extent, retail. It has been reported that some trade associations have negotiated schemes for member companies, with the coverage consolidated into standard policies. It is worth noting that the provision of cyber insurance is seen by many insurers as a revenue driver and therefore an area for product development.

Pricing remains a challenge for insurers, with a number of different factors being used to set premium, including the business sector, the number of records held by an organisation and whether credit card data is stored. In the US, greater limits of between $200 million and $300 million are often required. In terms of pricing these products, some Airmic partners noted that insurers now have eight years of experience in the cyber market and are able to set premium levels based on claims experience.

Insurance brokers also observed that the main exclusions within cyber policies relate to areas where underwriters do not wish to provide cover. These areas include exposures not under the control of the insured and issues such as vendor actions, including a reluctance to extend cover to outsourced components of the IT network, such as service providers providing cloud computing.

7. Checklist of actions for risk managers

As awareness of cyber risks and the potential for losses increases, risk managers need to play a more influential role in the management of these risks. It is important that risk managers develop relationships with the IT specialists in their own organisation. The challenge for risk managers is to ensure that the same IT specialists do not design, procure and install the IT systems and networks and then, after installation, (1) operate the systems and networks, (2) design the risk controls and (3) monitor the effectiveness of the risk controls, unless there are appropriate checks and balances in place.

Having understood the IT systems and networks, and the nature of the data that is handled within their own organisation, the risk manager is in a good position to facilitate the risk assessment to identify the first-party and third-party risks. Knowledge of the controls that are currently in place and the relevance of cyber risk insurance will enable the risk manager to make the best contribution to the successful and safe operation of IT systems and networks within their own organisation.

In summary, Airmic members need to undertake a series of actions to achieve the above. In particular, the following steps are likely to be appropriate:

- identify a team of individuals in the organisation who are stakeholders in the operation of the IT infrastructure and the associated risks
- evaluate the first-party and third-party risk exposures associated with the IT applications, systems and networks within the organisation
- analyse the controls that are currently in place, possibly using the headings in the proposal form in Appendix A as an aide-memoire
- discuss the potential for events associated with the IT infrastructure that could cause a first-party and/or third-party risk to materialise
- collect the information indicated in the sample proposal form in Appendix A and evaluate the quality of the information that has been collected
- consult with the insurance broker with a view to obtaining suitable responses / quotations from the insurance market
- decide on the appropriate course of action in terms of enhancement of cyber controls and the purchase of insurance protection
- continue the process of implementing appropriate controls and monitoring the need for enhanced control of IT risks.

8. Airmic plans for the future

Airmic recognises that there are changing needs in relation to cyber risk insurance. At the same time, the insurance market is changing rapidly as these needs are recognised and new products are developed. Airmic intends to continue to monitor and evaluate these insurance market developments and to liaise with insurance carriers and insurance brokers to ensure that the developments fully take account of the requirements of Airmic members.

In order to engage in constructive discussions with the insurance market, Airmic members need a better understanding of the IT risks faced by their own organisation. Airmic members need to have discussions within their own organisation, both with the operational departments and the IT specialists. Risk managers are in the best position to lead discussions, facilitate risk assessments and help develop solutions.

Airmic intends to undertake further research into the availability, scope and cost of cyber risk insurance and will organise events, lectures and meetings as appropriate. The intention is to encourage communication between IT specialists, risk managers, insurance brokers and insurance providers to ensure appropriate control of cyber risks and the continuing development of insurance as a relevant and necessary cyber risk control mechanism.

Appendix A: Typical questions in a cyber and data security proposal form

Part 1: Company information and cover required / provided
1. Company name, postal and e-mail address and website address, together with details of the locations for which cyber insurance is required
2. Description of business activities and date business was established, together with details of the geographical split of turnover, profit and number of employees for recent years
3. Details of the types of cyber insurance covers required, including (perhaps) the desired aggregate limit of liability and details of desired sub-limits and deductibles / retentions

Part 2: Network and data structure
1. Functions and size of the IT network, including number and types of servers, computers and smartphones, and annual IT spend
2. Financial value of the entire IT network, including hardware, software and peripheral equipment as well as connections / cabling
3. Number, types and sensitivity of personally identifiable information records (including employees and customers) held by the company and whether these will change in the next 12 months
4. Extent of outsourcing of the IT network, including but not limited to data storage, data hosting and/or data processing of personally identifiable information records
5. Extent of transfer of personally identifiable information records to third parties outside of the region of operation of the company and the territories / contracts involved

Part 3: Network and data security
1. Details of the appointed Chief Privacy Officer (or Chief Information Officer) or arrangements for control of the IT network and data / information security
2. Extent of the applicability of data protection legislation / standards, together with confirmation of compliance and details of arrangements to control access to sensitive data
3. Details of firewalls, anti-virus / anti-spyware, back-up arrangements and encryption tools that are in use and confirmation of monitoring and update arrangements
4. Details of checks undertaken on new recruits and arrangements to ensure security when an employee leaves the company
5. Details of Internet and email usage policy for employees and confirmation that restrictions are included in employment contracts and appropriate training given to employees
6. Existence of a data protection policy for handling sensitive data and confirmation that it is clearly communicated to all employees, as well as contractors and visitors on site
7. Details of the document retention and destruction policies and confirmation of the means of disposing of sensitive records and files
8. Nature of the intrusion detection and monitoring in force to prevent and monitor unauthorised access, together with details of procedures to be followed in the event of intrusion

Part 4: Business impact
1. Details of how soon compromise of the IT network would result in a loss (most policies quote ranges between "immediately" and "more than 48 hours")
2. Estimate of the maximum daily loss of profit (net profit before tax) in the event of the IT network being subjected to a non-scheduled closure
3. Information on the use of the website to undertake financial transactions and/or details of the range of other services and activities
4. Existence of a privacy policy on the website and management of opt-in / opt-out marketing requests, including the use / storage of cookies on a browser's system / device
5. Procedure for responding to allegations that content created, displayed or published is libellous, infringes intellectual property rights or is in violation of the privacy rights of a third party
6. Details of message boards, chat rooms or forums on the websites (including websites hosted for third parties) and procedures for monitoring or moderating content

Part 5: Incident response / crisis containment
1. Details of the security incident response plan in case of a security breach, including a breach at a third-party or outsourced service provider
2. Details of the disaster recovery plan (DRP) and business continuity plan (BCP) for the computer networks and when these were last tested
3. Indication of how long it would take to restore the IT operation after a computer attack or other loss / corruption of data

Part 6: Historical information
1. Information on cancellation or non-renewal by another insurer of any policy that provided the same or similar coverage as the insurance being sought
2. Information on any significant interruption or suspension of computer systems for any reason (not including planned maintenance) during the past three years
3. Details of any breach of IT security, network damage, system corruption, loss of data or significant system intrusion, virus, hacking or similar incident
4. Details of any instances during the last three years where customers have been notified that their information was or may have been compromised
5. Details of any circumstance or incident resulting in a claim against any insurance policy that provides the type of coverage being requested
6. Details of circumstances where any past or present director or employee has been subject to any disciplinary or governmental action or investigation as a result of professional activities

Appendix B: Summary of typical cover offered in a cyber and data security policy

Part 1: Coverages offered

1. Data liability
Loss of corporate or personal information
Network security breach caused by virus, denial of access to data, destruction of data, physical theft of the assets or disclosure of data

2. Administrative obligations
Data administrative investigation and data administrative fines arising out of a breach of data protection legislation

3. Reputation and response cost
Payment of fees to determine whether a breach of data security has occurred, identify the cause of the breach and make recommendations as to how this may be prevented or mitigated
Payment of fees for the management of any action required to prevent or mitigate the potential adverse effect of a newsworthy event, including the design and management of a communications strategy
Payment of fees to any director, etc. for advice and support to mitigate or prevent damage to their individual (personal and professional) reputation due to a breach of data security or breach of legislation

4. Multi-media liability
Payment of multi-media liability arising out of a claim by a third party for defamation; infringement of copyright; plagiarism or theft of ideas; invasion of privacy; or unfair competition

5. Cyber / privacy extortion
Payment of monies to prevent or end an extortion threat; and/or professional fees for independent advisors to conduct an investigation to determine the cause of an extortion threat

Definitions and limitations

7. Selected definitions
Asset means any item of hardware, software or equipment that is or may be used for the purpose of creating, accessing, processing, protecting, monitoring, storing, retrieving, displaying or transmitting electronic data of any type
Claim includes data administrative fines and service upon the insured of an enforcement notice or written demand by a regulator
Computer system means information technology and communications systems, networks, services and solutions leased or made available to or accessible by the company
Corporate information means any confidential information that would be advantageous to a competitor
Damages means any amount that an insured shall be legally liable to pay to a third party
Data Protection Officer means an employee who is designated as the person responsible to implement, monitor, supervise, report upon and disclose regulatory compliance standards
Defence cost means cost and expenses in relation to the investigation, response, defence, appeal and/or settlement of a claim

Loss means damages, defence cost, professional fees, data administrative fines and extortion or network loss
Newsworthy event means actual or threatened public communication or reporting arising directly out of an actual, potential or alleged breach of data protection legislation

8. Typical exclusions
The insurer shall not be liable for loss arising out of:
Antitrust violation, restraint of trade or unfair competition
Bodily injury and property damage
Contractual liability
Criminal acts and disregard of a ruling of a court or regulator
Intellectual property
Intentional acts
Prior claims and circumstances
Terrorism, war or riot
Trading losses and/or unauthorised trading
Unauthorised or unlawfully collected data

9. Claims conditions
A claim should include details of the circumstances of the potential breach; the date, time and place of the potential breach; potential claimants and other persons involved; an estimate of possible loss; and potential media or regulatory consequences
If any insured makes a false or fraudulent claim, the insurer shall have the right to avoid its obligations under, or void, the policy in its entirety

10. Defence cost
The insurer does not assume any duty to defend, and the insured must defend any claim unless the insurer takes over the defence

11. Limit of liability and retention
The insured must not admit any liability or incur any defence cost or professional fees without the prior written consent of the insurer
The insurer may make any settlement of any claim it deems expedient with respect to any insured
If the insurer makes any payment, the insurer shall be entitled to pursue and enforce rights of subrogation in the name of the insured
The total amount payable under this policy shall not exceed the limit of liability. Sub-limits, extensions, fees and defence cost are part of that amount and are not payable in addition to the limit of liability

12. General provisions
The insured will (at own cost) render all reasonable assistance to the insurer and co-operate in the defence of any claim and the assertion of indemnification and contribution rights
The insured will take all reasonable steps to maintain data and information security procedures to no lesser standard than disclosed in the proposal form

6 Lloyd's Avenue, London EC3N 3AX. T: +44 (0)20 7680 3088 F: +44 (0)20 7702 3752 www.airmic.com