Cyber Security Liability:

Size: px

Start display at page:

Download "Cyber Security Liability:"

Amie Murphy
5 years ago
Views:

www.mcgrathinsurance.com Cyber Security Liability: How to protect your business from a cyber security threat or breach.

00100000010010010110111001100011001011100100110101100011010001110111001001100001011101000110 10000010000001001001011011100111001101110101011100100110000101101110011000110110010100100000

01100001011011100110001101100101001000000100011101110010011011110111010101110000001000000100 10010110111001100011001011100100110101100011010001110111001001100001011101000110100000100000

1 Cyber Security Liability: How to protect your business from a cyber security threat or breach

2 Table of Contents: Introduction to Cyber Liability Insurance... 3 The Six Key Areas of Cyber Liability... 4 Third Party Liability Agreements... 4 First Party Agreements... 5 Coverage Triggers... 6 Types of Data Covered... 6 Remediation Costs Covered... 6 Remediation Coverage Services... 6 Seven Steps to Establish or Improve your Cyber Security Program... 7 The Future of Cyber Liability...8 2

3 Introduction to Cyber Liability Insurance: There is a common saying in the cyber security industry. There are two types of business in this world: those that experience a breach and realize it, and those that experience a breach and do not. Businesses of all sizes are vulnerable to a cyber security breach, and although larger corporations receive more widespread recognition when a breach occurs, the aftermath of one for a small business can have extremely damaging effects. You might be asking yourself how your business is at risk for a cyber security breach if no business is conducted online. Every business has the potential for exposure when storing an individual s personally identifiable information (PII), either electronically or with paper files. Traditional liability products do not address the exposure and risk concerns of cyber security. As businesses across the globe begin to increasingly rely on technology to accomplish daily business operations, their risk for a cyber breach increases. A cyber security liability policy protects businesses from a breach regarding the private information of clients such as credit card numbers, Social Security numbers, medical information, etc. Cyber crime, espionage and other malicious cyber activity cost the United States anywhere from $24 billion to $120 billion annually. Report conducted by McAfee and the Center for Strategic and International Studies1. 3

4 The Six Key Areas of Cyber Liability: Coverage for a cyber liability policy can be separated into two sections: Third Party Liability Agreements and First Party Agreements. Currently, the market for cyber security primarily focuses on the response efforts of a data breach, coverage that is primarily found on all cyber policies. In summary, a cyber liability policy protects an organization in relation to three areas: liability, remediation efforts, and fines and/or penalties. There are six key areas to consider when looking to purchase a cyber security policy2: Third Party Liability Agreements First Party Agreements Coverage Triggers Types of Data Covered Remediation Costs Covered Remediation Coverage Services 1. Third Party Liability Agreements: Network and Information Security Liability Services provided by or through the facilities of any electronic or computer communication system, interbank payment or settlement systems, automated teller machines (ATM), and point of sale terminals. Includes coverage of any shared networks, Internet access facilities, etc. where the insured allows the input, output, examination or transfer of data or programs to a computer system. Communication and Media Liability Unauthorized use or infringement of, copyright, title, slogan, trademark, trade dress, domain name, logo or service name in company materials. Plagiarism or unauthorized use of a literacy or artistic format or character in company materials. Invasion or interface with an individual s right to publicity, including commercial appropriation of name, persona, voice or likeness in company materials. Defamation, libel, slander, trade libel, or other tort related to disparagement or harm to the reputation or character of any person or organization in company materials. Regulatory Defense Expenses Costs associated with defense, such as the investigation, defense settlement and appeal of a claim. Includes the cost of expert consultants and witnesses, premiums for appeal, injunction, etc. Costs of regulatory claims brought by, or on behalf of, any state attorney s general, the Federal Trade Commission, the Federal Communications Commission, or any federal, state, local, or foreign government entity in such entity s regulatory or official capacity. 4

5 2. First Party Agreements: Crisis Management Event Expenses: Reasonable fees, costs, and expenses incurred for public relations services to mitigate any actual or potential negative publicity. Security Breach Remediation and Notification Expenses: Reasonable fees, costs and expenses which can be directly attributed to a security breach, such as determining whose identity information was compromised, developing documents or materials to notify affected persons, costs of mailings or other communication notifications required, and costs of credit monitoring services and call centers. Includes fees, costs or expenses of purchasing an identity fraud insurance policy in order to provide reimbursement of identity fraud related expenses. Computer Program and Electronic Data Restoration Expenses: Restoration expenses directly caused by a computer virus or damage to, or destruction of, computer programs, software, or other electronic data stored within a computer system by an employee who has gained unauthorized access or authorized access used to cause damage or destruction to a computer system. Computer Fraud: Costs resulting from a computer fraud loss directly caused by an intentional, unauthorized and fraudulent entry or change of data and/or computer instructions by a person other than an employee, independent contractor or an individual working under the supervision of the insured organization Funds Transfer Fraud: An intentional, unauthorized, and fraudulent instruction transmitted by electronic means to a financial institution to debit an account and to transfer, pay or deliver money or securities from an account without the knowledge or consent of the insured organization. E-Commerce Extortion: Threats made to the insured by an individual other than an employee with intention to 1) transfer, pay or deliver any funds or property without consent; 2) sell or disclose information about a customer which is unique to the relationship of the customer and not publicly available; 3) alter, damage, or destroy any computer program, software, or data; 4) maliciously or fraudulently introduce a computer virus; 5) initiate an intentional attack on a computer system that depletes system resources or access to the Internet. Business Interruption and Additional Expenses: The sum of business income loss and extra expenses directly resulting from a computer system disruption. Usually based on the actual business interruption loss the insured sustains per hour. 5

6 3. Coverage Triggers: Coverage on a cyber liability policy can be triggered by a wrongful act, be it actual or alleged, and includes some of the following: Failure to secure data Loss caused by an employee Acts by persons other than insureds Loss resulting from the theft or disappearance of private property 4. Types of Data Covered: Depending on the carrier, specific types of data covered by the policy may be listed. Covered data can include: An individual s personally identifiable information (PII) Non-public data (i.e. corporate information) Non-electronic data (i.e. paper records, printouts) 5. Remediation Costs Covered: Remediation costs are associated with the costs of responding to a data breach. Businesses may be required to notify customers of the breach and provide additional protective services. Remediation cost coverage can include: Crisis management services Notification of potentially affected customers Credit monitoring Costs to ensure the data is secure once again 6. Remediation Coverage Services: Your business could better benefit from a cyber security policy if the remediation services are prenegotiated and prepackaged. This ensures what steps will be taken in response to the breach. Prepackaged or prenegotiated services sometimes require the use of a designated vendor, written consent of the carrier to use the services, and time limits. 6

7 Seven Steps to Establish or Improve your Cyber Security Program: The National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, a publication detailing the voluntary industry standards and best practices to prevent cyber attacks. These guidelines should be utilized to complement an organization s existing risk management and cyber security programs. The seven steps outlined in the Framework can be used to create a cyber security program or to improve upon an existing one3: 1. Prioritize and Scope Identify business/mission objectives and high-level organizational priorities. Make strategic decisions regarding cyber security implementations and determine the scope of systems and assets that support the selected business line or process. 2. Orient and Identify Identify related systems and assets, regulatory requirements and overall risk approach. Then identify threats to, and vulnerabilities of, those systems and assets. 3. Create a Current Profile Develop a current profile by indicating which outcomes from the Framework core are currently being achieved. 4. Conduct a Risk Assessment This assessment can be guided by the organization s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cyber security event and the impact that the event could have on the organization. It is important that organizations seek to incorporate emerging risks, threats, and vulnerable data to facilitate a robust understanding of the likelihood and impact of cyber security events. 5. Create a Target Profile Create a target profile that corresponds to desired cyber security outcomes. Consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a target profile. 6. Determine, Analyze, and Prioritize Gaps Compare the current and target profiles. Create a prioritized action plan to address those gaps that draw upon mission drivers, a cost/benefit analysis and understanding of risk to achieve the outcomes in the target profile. 7. Implement an Action Plan Determine which actions to take with regard to the gaps, if any, identified in the previous step. Monitor current cyber security practices against the target profile. 7

8 The Future of Cyber Insurance: In this day and age there is a heavy reliance on technology, both for business and personal use. Technology is rapidly evolving, exposing businesses of all sizes to the risk of cyber threats. This begs the question, as to whether there is more to be concerned about when it comes to cyber risk? With the significant advances in technology, also comes new and unforeseen dangers. Experts in the field believe that cyber threats are just as serious, and possibly more dangerous, than other catastrophic events. Data theft is not the only cyber risk businesses should be preparing for anymore. New cyber concerns are arising and the question is not if they will happen, but when: medical technology advancements, driverless cars, unmanned aircraft systems (UAS), energy and power grids4. Each technological advancement poses a new threat, and as a result, hackers remain determined to find the flaws in a system s security. Cyber risk is a reality, and just like any risk, businesses must find a way of managing this new exposure. By developing policies and procedures to identify and address the vulnerabilities in your system, you are preparing for what all businesses inevitably will face: a cyber security breach. Endnotes: 1 Siegel, Katie. Risk & Insurance, Brokers Balking at Cyber Insurance, February Betterley, Richard S. The Betterley Report, Cyber/Privacy Insurance Market Survey 2013, June National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity. ( 4 Kerr, Michael & Berg, Joel. Risk & Insurance, Cyber: The New CAT, April

www.mcgrathinsurance.com Sturbridge Location: 258 Main Street Sturbridge, MA 01566 (T) 508.347.6850 (F) 508.347.6858 Spencer Location: 130 West Main Street Spencer, MA 01562 (T) 508.885.6545 (F) 508.

9 Sturbridge Location: 258 Main Street Sturbridge, MA (T) (F) Spencer Location: 130 West Main Street Spencer, MA (T) (F) About Us: McGrath Insurance Group, Inc. of Sturbridge, Mass., is a full-service insurance agency that provides business insurance, personal insurance, employee benefits and specialty insurance products to clients throughout New England. An independent agency, McGrath Insurance is not tied to any one insurance carrier and has long-term relationships with the top national carriers of property & casualty insurance, life insurance and other insurance products. This creates an opportunity to provide clients with the best coverage available at a competitive price.

Cyber Risk Insurance. Frequently Asked Questions

Cyber Risk Insurance. Frequently Asked Questions Cyber Risk Insurance Frequently Asked Questions Frequently Asked Questions What is Cyber Risk? Why should I buy Cyber Risk Insurance? What is the cost? Who is Great American Insurance? Why should I buy