I am sure you have read in the paper or seen on the news the high profile data breach and cyber-attacks that have occurred over the last few years. I ran across a decent article on this subject dated April 24, 2017 from Greg Boop of Business Insurance. I hope the following is helpful in your understanding the problem and its potential solutions.
"Does your firm use electronic data? If the answer is yes, you may need cyber liability insurance? A cyber liability policy protects your business against data losses caused by cyber-attacks, viruses, and other threats. It also covers lawsuits against your company that result from data breaches or your failure to protect sensitive information that belongs to someone else.
Who Needs It?
Cyber liability coverage can benefit any company that uses electronic equipment to conduct its operations.
You may need this coverage if you do any of the following:
- Communicate with customers via email, text messages or social media
- Send or receive documents electronically
- Advertise your company via electronic media, such as a website or social media
- Store your company's data on a computer network. Examples of data include sales projections, accounting records, tax documents, and trade secrets.
- Store data that belongs to others (such as employees or customers) on a computer network. Examples include customer names and addresses, customers' credit card numbers, and employees' birth dates and social security numbers.
- Sell products or services through a company website
These activities may allow your company to operate more efficiently, but they also generate risks. The data you store on your computer system could be breached, resulting in lawsuits against your firm. The data could also be damaged due to a virus, hacker attack or other cause. Restoring or repairing the data could be very costly.
Covers Claims Not Insured by CGL Policy
Cyber liability insurance covers lawsuits stemming from events like data breaches and denial of service attacks. Such lawsuits aren't covered by a standard commercial general liability (CGL) policy.
For one thing, damage to electronic data does not qualify as property damage under a CGL policy.
This is because electronic data is not considered tangible property. Secondly, most CGL policies contain a specific electronic data exclusion. This exclusion eliminates coverage for claims based on the loss, damage, corruption, or inability to use data.
For example, suppose that your company provides bookkeeping services. A virus invades your computer network and damages a client's data. The client is unable to access records he needs to obtain a loan. He sues you for the damage to his data. The suit will not be covered by your CGL policy. Damage to your client's data does not qualify as property damage.
Cyber Liability Policies
Cyber liability policies protect businesses against lawsuits filed by customers and other parties as a result of security or privacy breaches. Policies vary widely from one insurer to the next. Some cover claims alleging libel or slander, invasion of privacy, or infringement of intellectual property rights (such as copyright). Virtually all cyber liability policies apply on a claims-made basis.
In addition to third-party liability, most cyber policies cover various first-party expenses. Here are some examples:
- Business Income and Extra Expense Covers income you lose and expenses you incur due to a full or partial shutdown of your computer system because of a hacker attack, virus or other insured peril. Such losses are not covered under the business income and extra expense insurance that is available under a commercial property policy.
- Loss of Data Covers the cost of restoring or reconstructing data that was lost or damaged due to a virus, hacker attack or other covered cause
- Associated Costs Covers costs you incur due to a data breach. Examples are the cost of notifying affected customers as required by law, and the cost of providing credit monitoring to affected customers.
- Cyber Extortion Covers the costs associated with an extortion threat, including ransomware. For example, an extortionist installs ransomware your computer system. The extortionist refuses to release your data unless you pay him or her a sum of money.
- Crisis Management Covers the cost of hiring public relations, legal, and computer forensics consultants
Some insurers have developed special cyber liability policies for certain types of businesses, such as technology companies or health care organizations.
Many insurers offer coverages on an "a la carte" basis so that customers need buy only the ones they want.
How to Obtain Coverage
Your agent or broker can help you obtain cyber liability insurance by submitting an application on your behalf to an insurer that offers the coverage. The application is likely to ask detailed questions about your firm's computer system and its security. Here is the type of information insurers typically seek:
- Firewall - Does your system have a firewall?
- Virus Scans Do you scan email, downloaded data or portable devices for viruses?
- Responsible Person Who is responsible for network security?
- Security Policy Do you have a written security policy?
- Protection Software Is your system protected by anti-virus software? Do you use intrusion detection software? Do you update your software regularly?
- Remote Access Do employees, customers or others access your system remotely? If so, what system is in place to authenticate users?
- Sensitive Data What types of sensitive data (social security numbers, credit card information etc.) do you store on your computer system? Is the data encrypted?
- Access How do you control access to sensitive data?
- Data Controls Testing Do you periodically test your data control measures?
- Data Backup and Storage Do you back up your data daily? Where are the backups stored?
- Outsourcing Do you outsource any computer functions (such as data storage) to others?
- Recovery Do you have a written disaster recovery plan you would follow in event of a computer-related incident?"
If you are interested in purchasing cyber liability coverage, contact us at BIG.