Cyber Liability Insurance Policy Information
Most businesses these days make use of electronic data in some form or another. Electronic data keeps a record of their customers and employees, and often electronic data puts them in touch with their customers.
Everything that has to do with data takes place either on a computer or on the internet, and this means that data is susceptible to being accessed or stolen.
Cyber liability insurance is a type of insurance that protects businesses and organizations from the financial consequences of cyber attacks, data breaches, and other types of cyber-related incidents. It can cover the costs of responding to a cyber attack, such as legal fees, notification and credit monitoring services for affected individuals, and damages resulting from the loss or theft of data.
It can also cover the costs of recovering from a cyber attack, such as rebuilding systems, replacing lost data, and restoring business operations. Cyber liability insurance is particularly important for businesses and organizations that handle sensitive personal or financial information, as well as those that rely heavily on technology and the internet for their operations.
For cyber liability definitions and terms, see the Insurance Online And Cyber Terms Glossary.
Below are some answers to commonly asked cyber liability insurance questions:
- What Is Cyber Liability Insurance?
- How Much Does Cyber Liability Insurance Cost?
- What Does Cyber Liability Insurance Cover?
- What Is First Party Cyber Liability Coverage?
- What Is Third Party Cyber Liability Coverage?
- What Does Cyber Liability Insurance Cover & Pay For?
What Is Cyber Liability Insurance?
Cyber liability insurance is a type of insurance that protects businesses and organizations against financial losses due to cyber attacks, data breaches, and other cyber-related incidents.
This type of insurance typically covers costs associated with responding to and recovering from a cyber attack, such as legal fees, forensic investigations, public relations, and credit monitoring services for affected customers. It can also provide coverage for lost income and expenses incurred as a result of the attack, such as lost business and data recovery costs.
Cyber liability insurance is becoming increasingly important as the number of cyber attacks continues to rise and the potential for financial losses from these attacks becomes more severe.
How Much Does Cyber Liability Insurance Cost?
The average price of a standard Cyber Liability Insurance policy for small businesses ranges from $27 to $59 per month based on location, number of customers, data security procedures in place and more.
What Does Cyber Liability Insurance Cover?
Cyber coverage may be endorsed to a package policy, it may be written as a standalone policy, or it may be written under an independent specialty or company program. Coverages may vary substantially, so it's important to understand the options available to meet a given entity's risk management requirements.
It's typical under a cyber policy that defense costs are included in the aggregate limit, rather than as an additional limit. Once a given policy's aggregate limit has been exhausted, the obligations of the insurance company have been fulfilled.
Cyber liability insurance helps your business deal with the costs of data breach and recovery by helping to pay for:
- Security Breach Expense
- Extortion Threats
- Replacement Or Restoration of Electronic Data
- Business Income And Extra Expense
- Public Relations Expense
- Security Breach Liability
- Programming Errors And Omissions Liability
- Website Publishing
- Media Liability
- Consent To Settle
Security Breach Expense
Security Breach Expense responds when personal information of others that is in the care, custody, or control of the insured (including authorized third parties) is obtained by an unauthorized person and disclosed to others.
Security Breach Expense concerns costs associated with a breach, such as forensics, which is used to determine whether a breach has taken place or is taking place. It provides payment to address the cost to investigate how much damage has been done, who has been affected, and to determine what action is needed to correct the breach.
It reimburses the cost to send notifications to parties affected by the breach and overtime salaries of employees dealing with the breach. It extends to the cost for a Call Center to handle questions from breach victims.
It includes post-event credit and identity monitoring services for individuals; monitoring could be one year or longer depending on the situation. Finally, it includes other expenses incurred with the insurer's approval.
Extortion Threats
The next coverage is for Extortion Threats, in which electronic data, information, or services are held hostage until demands are met. The demands are usually monetary (cash or cryptocurrency). Cryptocurrency is digital or virtual currency (such as bitcoin) and may be requested because it is difficult to trace.
Some companies specializing in cybercrime coverage have cryptocurrency on hand to meet these demands.
Bad actors usually carry out these threats by using ransomware or denial of service (DoS). Ransomware typically arrives through phishing emails, or by luring employees to visit infected websites or online ads.
DoS is an attack that disrupts the normal function of a website or a network. A routine DoS method is to flood a site with service requests which substantially slows or prevents access.
With regard to insurance, extortion refers to one or more related threats resulting from unauthorized access to a computer system. Incidents may involve the following perils:
- Use or disclosure of proprietary information
- Disclosure of a weakness in the source code found in a computer system
- Using knowledge of a system weakness to destroy, corrupt or prevent access to a computer system and/or electronic data
- Introducing ransomware into a computer system
- Publishing personal information belonging to employees and/or customers
This coverage includes expenses associated with the extortion threat such as the costs to hire a security firm, person, or organization in consultation with the insurance company, but only for the amounts needed to determine a threat's validity and severity.
It also includes the interest charged on a loan which an insured secures to pay a ransom demand.
Also, it includes rewards and payments the named insured pays for information that leads to the arrest and conviction of the person responsible for the loss. Payments are ineligible for reimbursement if they don't result in both the arrest and conviction of the responsible parties.
Excepting employees, an informant is any person who shares information not available from other sources.
Additionally, extortion expense includes other reasonable costs. They are conditional upon an agreement with the insurer. The stipulations must be documented in writing prior to the incurred expense. One example is the cost charged by independent negotiators to recommend a company that assists with protecting electronic data from future threats.
This is first-party coverage only and will not cover third party extortion threats.
Replacement Or Restoration Of Electronic Data
This coverage will help when there is a loss to computer programs or electronic data stored within a computer system from a cyber event. It includes restoring or replacing the electronic data, computer programs, or the services related to data entry, reprogramming, and computer consultation.
The cost of research needed to rebuild the insured's electronic data or computer programs is not considered a loss under this coverage. There is an exception, though. Any media on which electronic data was stored will be replaced with blank media as close to identical as the media that was damaged or destroyed.
So, what is a computer program? In insurance terms, it is a set of related electronic instructions that direct how a computer (or a device connected to it) operates and functions. It allows the computer or connected device to receive, process, store, retrieve, and send data.
Lastly, electronic data is information, facts, or programs that interact with a computer's software. The software is located in some fashion on the computer and used to send out or receive data. Electronic data is not tangible property, and it does not include the insured's data that has been licensed, leased, rented, or loaned to others.
The data must be stored on hard or floppy discs, CD-ROMs, tapes, drives, cells, and data processing devices or other such media that can be used with electronically controlled equipment.
Business Income and Extra Expense
This coverage is available when there is an interruption in business operations because of a cyber incident or extortion threat. It includes the loss of business income sustained and the extra expense costs associated with the loss.
Business income is considered the net income that would have been earned during the period of restoration, and net income is either the net profit or the net loss. It also includes operating expenses that continue after a loss, including payroll. Each of these components is calculated separately and then added together.
Extra expenses are costs incurred during an interruption that are not regular operating expenses as they result directly from a loss. They are also costs incurred in order to prevent e-commerce activities from being suspended or to reduce the downtime.
This coverage does not include costs incurred on computer systems to improve, remediate, upgrade, or maintain system performance. Finally, it does not include any of the extortion expenses that are covered within the Extortion Threats Insuring Agreement.
Public Relations Expense
A cyber loss can mar the reputation of a business, especially if personal or employee data is stolen. It can result in negative publicity. Public relations expense helps mitigate negative publicity when it is a direct result of a cyber incident or security breach.
The coverage includes fees for a public relations firm. In addition, other related expenses may be paid when they are reasonable and accompanied by the insurer's written approval.
Negative publicity requires that the information has become public, and the reputation of the named insured or its product/services either has or is expected to decline.
Security Breach Liability
Security Breach Liability coverage focuses on the legal obligations the insured has to third parties from a cyber incident and expenses required to defend against the actions.
This coverage is for cyber incidents caused by wrongful acts which trigger a legal obligation for harm caused to third parties. A wrongful act is the neglect, omission, or breach of duty attributed to an insured. The action then has to result in the computer system-related transmission of a virus to a person or organization.
The delivery can be by email or another means. It may also involve a security breach. An obligation to others could also be due to interrelated wrongful acts.
A regulatory proceeding is an investigation or demand brought by or on behalf of a commission or regulatory agency such as the Federal Trade Commission, Federal Communication Commission, or a governmental agency operating within its official or regulatory capacity.
Besides federal actions, regulatory proceedings may be brought by state, local or even foreign governments.
A loss resulting from a regulatory proceeding claim may qualify for coverage. Eligibility depends on discovering it during the policy period and if it was due to a wrongful act taking place before the end of the policy period. The obligation could also arise because of a series of interrelated wrongful acts.
The defense expense resulting from the claim is also covered if the insurer exercises its right to defend the claim. A duty to do so does not exist.
Normally, such coverage includes the necessary expenses incurred to defend a claim. However, there are a few expenses that are not included, such as the wages, salaries, benefits, or expenses of the insured employees, and court bonds.
Programming Errors And Omissions Liability
This protection is meant to address a loss that is the result of a programming error or omission that discloses clients' personal information that is maintained on a computer system. Again, eligibility depends on an incident being discovered during the policy period or after the retroactive date.
It must also be connected to a wrongful act which creates a legal obligation. An obligation could also be due to a series of interrelated wrongful acts. Defense expenses would also qualify for coverage should an insurer exercise its right to defend such claims.
Website Publishing
This coverage is for an error, misstatement or misleading statement that is posted or published by an insured on their website. It includes infringement, defamation, or a violation of a person's right to privacy.
This coverage also includes a security breach or the electronic transmission of a virus to another party. The insured must be legally obligated to pay, and it includes defense costs. The loss must be connected to a wrongful act or a series of interrelated wrongful acts for coverage to apply.
Media Liability
This coverage addresses harm to others caused by an actual or alleged error, misstatement or misleading statement. Such incidents may be committed by or on behalf of an insured party. Protection extends to invasions of rights to either privacy or publicity.
Coverage may also apply to security breaches or computer viruses transmitted electronically to another party. Eligible incidents have to be related to wrongful acts (including interrelated wrongful acts) that happen during a policy period.
The defense expenses resulting from the claim are also covered. Media Liability coverage applies regardless of when the claim is made. Generally, the insurer has both the right and duty to defend such claims.
It is important to understand how defense is provided under policies that guard against security breach liability. It is a two-part coverage. The first part covers loss when the insured is legally obligated for harm to another party.
In such instances, the insurer has the right and the duty to defend the insured. This coverage is granted even when allegations are considered to be groundless, false or fraudulent.
The second part involves regulatory penalties and fines. The insurance company does not have a duty to defend a claim under this coverage. It only has the right.
Consent To Settle
Our coverage review has found that offerings include a consideration regarding settlement, specifically that it requires the consent of the insured party. An insurance company may recommend a settlement to the insured, which it believes will be acceptable to the claimant; however, the insured has the right to say no, though a consequence accompanies any rejection.
Should a claim be settled above the amount suggested by the insurer, that excess portion is ineligible for payment. The additional amount becomes the sole financial obligation of the insured.
An additional penalty may exist for not consenting to settle. The insurer may cease providing a legal defense following a settlement rejection. The insured is then burdened with all aspects of defending itself, including additional loss investigation and settlement.
This provision also creates an incentive for the insurance company to settle as quickly as possible to prevent further defense costs.
What Is The Difference Between First Party vs. Third Party Cyber Insurance Coverage
What Is First Party Cyber Liability Coverage?
First-party coverage covers you and your business in the event of damages, losses or claims arising from personal data. Cyber Liability insurance covers you on a variety of fronts, and sometimes also covers the recovery costs of the personal data in question.
- Damage or Loss of Electronic Data: These days, most information is stored in electronic form. This means that the information can be damaged or lost in several ways. For example, someone can simply delete the wrong file on the system and lose all the client information for a year, or the breach can come from a hacker, and personal client information could be spread illegally in this way.
- Loss of Income or Extra Expenses: A technological breach could affect your business in such a way that it costs your business operating costs while the breach is repaired, or business while the systems are down. A Cyber Liability policy makes provision for this damage, and you are able to claim for the damages or losses experienced. Extra expenses, briefly, are things like the costs of recovering the lost data. This is something that should be covered under your liability insurance policy, too.
- Cyber Extortion: Cyber extortion can happen in several forms, and it can cost your business thousands of dollars or more. For example, if a hacker held personal information ransom for $250,000, who would pay for the lost business, the lost time and the necessary investigations? If you have cyber liability insurance, then your insurance will cover losses due to cyber extortion, too.
- Damage to Your Reputation: Cybercrime can cause a lot of damage to your business and its reputation – this can be internal, or it can turn into a scandal that makes its way to the media and costs you serious business. Either way, damage to your reputation that arises from cybercrime should be covered under your cyber liability insurance policy – and, depending on your individual policy, instances of social media damages could also be covered.
What Is Third Party Cyber Liability Coverage?
This refers to damages that may be claimed by a third-party in the case of a cyber liability loss or claim. Some of the instances that are covered:
- Network Security Liability: In short, network security liability becomes an issue when the security of the network is compromised – and usually anyone else's security in the process. This will be covered by your cyber liability insurance policy.
- Network Privacy Liability: With network security, it's just as easy for someone's privacy to be compromised over a network, and in this case it will also be covered by your cyber liability insurance policy.
- Electronic Media Liability: Electronic media liability covers all forms of electronic media from cyber liability, and while not all policies will have this clause, you should check yours to make sure if it does – ask your insurance provider if you aren't sure about the details.
- Errors and Omissions Liability: Errors & Omissions cover will insure you if any mistakes, losses or data breaches take place due to the fact that there is an omission or error from one level of the company to another.
What Does Cyber Liability Insurance Cover & Pay For?
Here are some examples of Cyber Liability Insurance claims and how the policy can help pay for the lawsuit:
Data Breach: If a company experiences a data breach that results in the loss or theft of sensitive customer data, Cyber Liability Insurance can help cover the costs associated with the breach. This can include the cost of notifying affected customers, providing credit monitoring services, and defending against lawsuits filed by customers who were affected by the breach.
Cyber Extortion: If a company is targeted by cyber criminals who demand payment in exchange for not releasing sensitive data or disrupting the company's operations, Cyber Liability Insurance can help cover the costs of responding to the extortion attempt. This can include the cost of hiring a professional negotiator, paying the extortion demand, and restoring any damage done to the company's systems.
Business Interruption: If a company experiences a cyber attack that disrupts its operations and causes financial losses, Cyber Liability Insurance can help cover the costs associated with the interruption. This can include lost revenue, extra expenses incurred to restore operations, and other costs associated with the interruption.
Website Liability: If a company's website contains content that infringes on another party's intellectual property rights or is otherwise defamatory, Cyber Liability Insurance can help cover the costs of defending against a lawsuit filed by the affected party.
Network Security Liability: If a company's network security measures are found to be inadequate, resulting in a cyber attack or data breach, Cyber Liability Insurance can help cover the costs associated with defending against a lawsuit filed by affected parties.
It's important to note that the specific coverage and limits of Cyber Liability Insurance policies can vary, so it's important to review your policy carefully to understand what is covered and what is excluded.
Cyber Liability Insurance - The Bottom Line
To find out exactly what type of cyber liability insurance you need and how much coverage you should have, speak to an experienced insurance broker to go over your options.
'Real Life' Court Cases Involving Cyber Liability Insurance:
Apache Corp. v. Great Am. Ins. Co.
Apache Corporation (Apache) is an oil producing company that principally operates in Houston, Texas, but also operates internationally. Apache was insured by Great American Insurance Company (GAIC) and that policy included a "Computer Fraud" provision as part of their crime coverage. In March 2013, an Apache employee in Scotland received a telephone call from a person who identified him/herself as a representative of Petrofac, a vendor for Apache.
The caller advised Apache to change the bank account information for future payments to Petrofac. The Apache employee informed the caller that a formal request from Petrofac on Petrofac letterhead would be necessary to effect any change.
One week later, Apache's accounts payable department received an email from a "petrofacltd.com" address. However, Petrofac's proper email domain is "petrofac.com"; criminals had created a fake domain to send the fraudulent email. The email read "Petrofac's accounts details have now been changed"; and "[t]he new account takes ... immediate effect and all future payments must now be made into this account".
The email included an attachment of a signed notice of the change to the banking information on Petrofac letterhead that included both the old and the new bank account information. The email further informed that the attachment had also been posted (mailed) to Apache.
The responding Apache employee telephoned to confirm the request using the telephone number on the letterhead. Next, a different employee approved and implemented the change. Within days, Apache was transferring funds to the new account based on Petrofac's invoices. However, Petrofac soon informed Apache that it had not received the $7 million. After an investigation determined the criminals were based in Latvia, Apache recovered a substantial portion of the funds. However, Apache had lost $2.4 million. Apache submitted a claim to GAIC under the computer fraud provision which read:
"We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
- a. to a person (other than a messenger) outside those premises; or
- b. to a place outside those premises."
In its denial letter, GAIC advised Apache's "loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds".
Both entities filed for summary judgment and the court ruled in favor of Apache noting that the email was a "substantial factor" in the loss. GAIC appealed the decision and argued that Apache had requested the email as confirmation of the bank account change following a telephone call. The loss occurred when Apache sent payments to the wrong bank account based on a legitimate invoice. It was a loss but it was not a computer fraud loss.
Judgment was made in favor of GAIC.
(Apache Corp. v. Great Am. Ins. Co., 662 F. App'x 252 (5th Cir. 2016))
Interactive Commc'ns Int'l, Inc. v. Great Am. Ins. Co.
Interactive Communications International, Inc. and HI Technology Corp. (together, "InComm") operate a business that allows customers to put money onto reloadable bank-issued debit cards. The money is added by the customer first buying a chit from a retailer and then calling InComm's 1-800 number which connects to an interactive voice response (IVR) computer system. The consumer enters the debit card number and the PIN located on the chit at which time the IVR credits the value of the chit to the card. The funds become immediately available to the cardholder.
Between November 2013 and May 2014, fraudsters identified a vulnerability within InComm's IVR system that permitted multiple redemptions of a single chit. The vulnerability occurred when two or more calls were made to the IVR system simultaneously for the redemption of the same chit. One call would transfer the funds from the chit to the debit card account, while the other would return the chit to an "unredeemed" state which permitted a future redemption. Over seven months, InComm's system processed 25,553 fraudulent redemptions associated with 1,988 individual chits.
After the loss was discovered, InComm made a claim for $10.7 million against its computer fraud policy underwritten by Great American Insurance Company (GAIC). The policy provides coverage for:
"loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises."
GAIC filed for summary judgment as to coverage contending that the policy does not cover InComm's loss because the scam was not executed through the direct use of a computer. It argued that the loss occurred as a result of the misuse of the IVR system. The district court granted the summary judgment and InComm appealed.
The appellate court affirmed the ruling of the district court. It held that the loss was not the result of a computer and that even if it had been due in some way to a computer, the loss remained excluded because the loss was not due to any direct use of a computer.
(Interactive Commc'ns Int'l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018))
Doctors Direct Insurance, Inc. Plaintiff-Appellee v. David Bochenek, Defendant-Appellant and Beaute 'E'mergente, LLC doing business as McAdoo cosmetic Surgery, Defendant
After receiving an unauthorized solicitation regarding cosmetic surgery services via cell phone text messages, David Bochenek (as a lead plaintiff) filed a class action lawsuit against McAdoo Cosmetic Surgery. The suit alleged that the unauthorized solicitation was a privacy wrongful act, in violation of the Telephone Consumer Protection Act (TCPA) and the Consumer Fraud Act (CFA).
McAdoo filed a claim for coverage with his insurer, Doctors Direct Insurance (Direct). The insurer, which provided McAdoo with a Cosmetic Surgeon's Professional Liability Policy, endorsed with cyber claims coverage, filed for a summary judgment. It argued that the unsolicited texts were not acts eligible for coverage. After a lower court ruled in favor of Direct, Bochenek appealed.
On appeal, Bochenek argued that the texts did qualify as covered, privacy wrongful acts in violation of the two referenced national acts. The allegation was based on the unsolicited texts constituting the control and use of personally identifiable financial, credit or medical information, the same language used in the cyber endorsement's definition of "privacy wrongful act". The information used to distribute the texts was a list of names and phone numbers collected from a spa.
The higher court examined Bochenek's arguments. In its review, the court found that the TCPA and the CFA prohibited certain types of unauthorized contacts and did not involve the mechanics of how call lists were created. It also found that Direct's cyber endorsement language regarding privacy wrongful acts was not, as alleged by Bochenek, ambiguous. Since the texts did not involve abuse of personally identifiable credit, financial or medical information, the court agreed that Direct did not owe a legal defense or coverage for the allegations made by the lawsuit.
The lower court ruling in favor of the insurer was affirmed.
(Doctors Direct Insurance, Inc. Plaintiff-Appellee v. David Bochenek, Defendant-Appellant and Beaute 'E'mergente, LLC doing business as McAdoo cosmetic Surgery, Defendant. Appellate Court of Illinois, First district, first Division. Case No.1-14-2919. August 3, 2015. Affirmed. Westlaw, 38 N.E. 3d.116)
Additional Resources For Small Business Insurance
Protect your company and employees with the right commercial insurance policies. Read informative articles on small business insurance coverages - and how they can help shield your company from legal liabilities.
Businesses need commercial insurance to protect their assets, employees, and customers. It helps to cover the costs of potential accidents, lawsuits, and other unforeseen events that can result in financial loss.
For example, if a customer slips and falls on a wet floor in a store, the business could be held liable for their injuries. Commercial insurance can help cover the costs of medical bills and legal fees associated with the incident.
Additionally, businesses often have valuable equipment and inventory that need to be protected from theft or damage. Commercial insurance can provide coverage for these items in the event of a disaster, such as a fire or natural disaster.
Furthermore, businesses often have employees that can be injured on the job. Workers compensation insurance can provide coverage for medical bills and lost wages for injured employees.
Overall, commercial insurance is a necessary tool for businesses to protect their assets, employees, and customers. Without it, businesses could face significant financial loss in the event of an unexpected occurrence.