Cyber Liability - The Wild West of Insurance


Cyber/Privacy Liability is the risk posed by conducting business and by collecting and storing personal data on the internet or in paper files. The vast majority of businesses throughout the country and the world will encounter this type of risk and must be informed about the protection that is available. Swingle Collins & Associates recognizes that cyber liability is like the wild west of insurance. Because technology is constantly advancing and hackers and breaches are on the rise, finding an insurance agent who is trustworthy and capable of providing a sufficient cyber liability policy is increasingly important. Below is a list of enhancements for every privacy/data breach policy that each business should take into consideration.


  1. Include Prior Acts Coverage – Most insurance companies do not include prior acts coverage for first-time buyers. There are a few carriers now providing full prior acts. This is important because hackers can often be in an insured’s system for months without the knowledge of the insured.
  2. Include Forensic Expenses - Possibly the most important first party coverage is expense coverage that includes forensic expert expenses. Forensic experts are in high demand, and they are charging “attorney-like” hourly rates. If forensic coverage is a sublimit and/or shared with the notification and credit monitoring expenses, then the limit could be eroded very quickly or be inadequate.
  3. Policy should be written on “Pay on Behalf of” - Are the breach response and 1st party coverages “pay on behalf” or “reimbursement”? Some carriers’ policies are reimbursement, which is a significant disadvantage and could escalate and erode the limits more quickly.
  4. Include Reputational Damage Expense Coverage - Few carriers are now offering Reputational Damage Expense as an enhancement which is a nice coverage improvement.
  5. Related Claims need to be Aggregated by Occurrence – Privacy coverage is typically written on a claims-made form. Make sure the policy is written so that every claimant does not represent a separate claim and that all related claims are bundled into a single occurrence with only one deductible.
  6. Make Sure 1st Party Expense Coverage is Not Sub Limited - Often professional liability policies are written to include a sublimit for 1st party privacy expense coverage. Insurance underwriters do this to limit their true exposure. The insured thinks they are buying high limits of liability, but most significant claims come from 1st party expense related to a breach.
  7. Coverage Includes Both Electronic and Paper Data - If a company purchases a cyber liability policy there may not be coverage for paper materials. The broadest definition of breach and protected material is key to protecting all of a company’s exposures.
  8. Separate “Towers” of Limits are Key to Broad Coverage – Because defense cost is already typically included in limits of insurance, the liability limits must be separate from the 1st party limits. Sharing 1st party expense and 3rd party liability limits can erode coverage limits when claims are brought against a company.
  9. Try to Insure All Liability Coverage with the Same Insurance Company - It is very important to have your professional liability, general liability and employee dishonesty coverage written with the same carrier if possible. Typically, privacy claims may be included as a part of a professional service, especially if you are a system integrator, data storage company, a law firm or software as a service business. If your professional service includes keeping people’s data secure, then your professional liability, general liability (personal injury section) and privacy policy coverage may be triggered. If you have separate carriers on each line of coverage, you may be in for a very difficult claim experience.
  10. Stand-Alone Policy Provides Dedicated Coverage Limit - If a business truly has a significant privacy risk, then the company should buy a separate policy to cover the risk. A separate policy will provide dedicated limits for the privacy exposure.
  11. Make sure the Carrier Provides Loss Control/Mitigation Services – Loss control and mitigation coverage will help determine applicable laws and correct compliance (47 states have different laws).
  12. Include Regulatory Coverage - The Policy must include coverage for regulatory claims for both defense and indemnity.
  13. Policy Covers Business Interruption - There is a strong chance that if a large data breach occurs, the customers will stop attending the establishment until they know the breach has been fixed. A well-written privacy policy will include coverage for loss of business income that kicks in at 10 hours or less.
  14. Include Expense Coverage for Extortion – Many hackers do not hack a business’s network data for the personal data, but instead they use the data to extort the business for money.  Many privacy policies DO NOT include extortion coverage.
  15. Policy must include PCI Coverage - If the insured processes any credit cards they will have exposure for PCI fines and penalties. Fines and penalties are typically excluded from coverage because of moral hazard risk. Make sure the fines and penalties coverage is addressed if your client has PCI risk.
  16. Make sure Rogue Employees are Covered - Make sure claims resulting from employees are not excluded.
  17. Definition of Employee includes IC - Many companies outsource their IT services to 3rd party companies. Coverage needs to include claims resulting from independent contractors.
  18. Report to Top Officers of the Breached Company - Make sure an event is not considered a claim until a top officer becomes aware of the occurrence, which will trigger the coverage.