Below is an example of how one prominent underwriter distinguishes between a financial loss and an actual tangible property loss or bodily injury.
Sample coverage for financial loss
Third party loss resulting from a security breach includes:
• Defense costs and damages if the business or its outsource handling firm causes a breach of personal or corporate data.
• Defense costs and damages if the business contaminates someone else’s data with a virus.
• Defense costs and damages if the business suffers a theft of system access code by non-electronic means.
Cyber coverage is unique in that carriers offer different products, since it is still a fairly new insurance product. Generally, you purchase coverages like a cafeteria plan, in which you can select various products. It can be a little hard to compare carrier options because they’re not uniform.
Event management costs— There are more coverages with respect to the cyber event management, such as:
• The cost of notification, public relations, and other services to manage/mitigate a cyber incident.
• Expenses to restore, recreate, or recollect lost electronic data.
• Forensic investigations, legal consultations, and identity monitoring costs for breach victims.
Network or business interruption—
• Loss of net profit and extra expense as a result of material interruption to the insured’s network caused by a security breach. Now, you’ll notice that it’s net profit loss, because they’re going to compensate you for your net loss. This would be your gross sales, less expenses.
Cyber and privacy extortion—
• Ransom payments (extortion loss) to third parties incurred in efforts to terminate a security or privacy threat. This is another item a little bit like kidnapping and ransom, for lack of a better analogy. Someone has your data, and you need an expert to negotiate with them to get that data back.
Digital media liability—
• Damages and defense costs incurred in connection with a breach of third party intellectual property or negligence in connection with electronic content.
Sample coverage for tangible loss
Again, this is high level and broad just to give you the basics.
• Business interruption— This would be coverage for business income and loss expenses to reduce loss as the result of property damage.
• First party property damage— This isn’t provided by all the carriers, so keep that in mind. It can cover your computers and software. Your property forms may or may not provide the level of protection needed in a data breach.
• Third party bodily injury and property damage— As a harbinger of things possibly to come, there’s a new coverage that has been developing over the last three years. It provides coverage for bodily injury and property damage to a third party. Your general liability policy should, and probably will, respond to it. Nevertheless, as security breaches expand and become more prevalent, you have to make sure exclusions don’t slip in.
For example, data is breached at a hospital, causing a heart monitoring system to shut down, and someone dies as a result. Normally you would lean on your general liability policy. However, in the future it’s possible you’ll see exclusionary wording creep in. Thus, keep in mind going forward, this new coverage is available. Select underwriters will write this coverage on a difference in conditions and excess basis.
• Products and completed operations coverage— This covers bodily injury or property damage caused by a breach of a computer system as part of the insured product. This should be protected by your general liability policy. However, again you should keep it in mind as you go forward, that this specific coverage is available today.
Sample consultancy services—
• Risk consultancy and prevention before a breach— Depending on your company size, you’ll have information made available by the carriers, on their Websites, and other Webinars. If you’re large enough, you’ll see an actual loss control person come out and talk to you about your company.
• IT consultancy for the business during and after a cyber breach– Very important. You’ll need someone to help you navigate through the notification laws of the 48 states, consultation on the best steps to take, and the best ways to mitigate the claim. You’ll also need consultation on safeguarding and rebuilding your company’s reputation after a cyber breach.
Actual claim examples— (From a prominent cyber underwriter.)
1. An email server and external hard drive were stolen from the premises of an outside vendor. Personal information of approximately 175,000 individuals was compromised. The insurance carrier worked closely with the insured and provided reimbursement of one million dollars for notification and retention of professionals.
2. An insured hospital was notified of a potential HIPAA breach involving protected health information of over 40,000 patients. Kind of our worst nightmare, right? The insurance company engaged quickly with the insured to retain breach counsel and the further retention of a forensic investigator… This is where it’s important to work with an expert. Based on the ensuing investigation, they coordinated with the insured and the breach counsel on the selection and retention of vendors to handle the required notification to regulators and patients. They also offered patients access to identity monitoring protection, and established a call center to help with inquiries and registration for identity monitoring protection… All very important steps.
Additionally, the insurance company reimbursed the insured $450,000 for credit monitoring and ID theft insurance; $175,000 in notification and call center costs; $25,000 in forensic costs; and $90,000 in legal costs. The policy also covered $500,000 in regulatory fines assessed on the insured.
View entire Webinar:
Data Breaches and ID Theft – What CFOs and HR Professionals Need to Know