The following contains the minimum acceptable requirements that must be included in a Cyber and Data Breach insurance policy for the Company providing the product or service.
Coverage must be secured for losses incurred for both Cyber and Data Breach events and the liability and expense that could be incurred by a Company from a range of threats and incidents including:
The term “Cyber Breach” implies coverage only for incidents that involve electronic hacking or online activity, whereas “Data Breach” refers to coverage of private data and communications in other formats, including paper. As such, a Company must maintain a policy from an authorized insurance carrier that provides acceptable levels of coverage for both Cyber and Data Breach events.
The Company should not disclose, in an unsecured environment, details about the Company (other than publicly available information such as name, address and contact information), any information about past cyber and data breach events or losses, or the Company’s current cyber security processes or procedures, other than to answer basic underwriting questions. These should not exceed 5 questions pertaining to past events or losses and 5 pertaining to current cyber security processes and procedures, for a total of no more than 10 questions. Examples of basic underwriting questions would include:
PAST EVENTS OR LOSSES
CURRENT CYBER SECURITY PROCESSES AND PROCEDURES
If the underwriting insurance company asks more detailed questions as part of the application process (i.e., more than 10 basic underwriting questions), or requires that the Company provide details to fully answer the basic underwriting questions, then the application for the purchase of the insurance must be completed in a “secure” format. Secure is defined as follows: the application must be conducted and stored in a FedRAMP-certified cloud storage system.
The insurance carrier issuing the policy to the Company to be insured must be domiciled in the USA, the UK or an approved US ally.
The insurance carrier issuing the policy to the Company must provide the Company with access to a call center or other telephone support that is staffed and available 24/7/365, which the Company may call to notify the insurance carrier of a security breach (suspected or known). The call center or hotline provided by the insurance carrier must give the Company access to breach response counsel and breach response team(s), and to other resources provided by the insurance carrier, to promptly develop a response plan and to begin recovery and response activities.
Any insurance policy must meet minimum coverage limits of no less than $1,000,000.00 USD per claim or no less than $1,000,000.00 USD in the aggregate (limits should be set based on the revenue / size of the Company to be insured), with no sublimit for any coverage unless noted as such below. Coverage should extend to the following:
a) SECURITY BREACH RESPONSE COVERAGE
Coverage for costs incurred to respond to a Security Breach event. Breach Response Costs include fees, costs, charges or expenses incurred after the discovery of a Security Breach, including:
b) PRIVACY LIABILITY (INCLUDING EMPLOYEE PRIVACY)
Coverage for a claim arising out of any privacy wrongful act that causes harm to any third (3rd) party or Employee. The coverage must provide liability protection for the Company for losses due to the unauthorized release of Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), and any corporate confidential information of third parties and employees, and for any privacy breach that violates a person’s right to privacy, regardless of State- or Federal-specific definitions of CUI, PII or PHI.
c) PRIVACY REGULATORY CLAIMS COVERAGE
Provides coverage for both legal defense and the resulting fines/penalties emanating from a regulatory claim alleging a privacy breach or a violation of a Federal, State, local or foreign privacy statute or regulation (including GDPR).
d) SECURITY LIABILITY COVERAGE
Coverage for the Company for allegations of a security wrongful act, including: the inability of an authorized third party to gain access to the Company’s computer systems due to the Company’s failure to prevent unauthorized access to or use of a computer system; and/or the failure to prevent false communications such as phishing that result in corruption, deletion of or damage to electronic data, theft of data, or denial of service attacks against websites or computer systems of a third party. This coverage also protects against liability associated with the Company’s failure to prevent transmission of malicious code from its system to a third party’s computer system.
e) MULTIMEDIA LIABILITY COVERAGE
Coverage for defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patent excluded) in the course of the Company’s communication of media in electronic (website, social media, etc.) or non-electronic forms.
f) CYBER EXTORTION COVERAGE
Coverage for expenses and payments (including ransom payments if necessary) to a third party to avert potential damage threatened against the Company, such as the introduction of malicious code, system interruption, data corruption or destruction, or dissemination of personal or confidential corporate information.
g) BUSINESS INCOME AND DIGITAL ASSET COVERAGE
Coverage for lost earnings and expenses incurred because of an authorized third party’s inability to access the Company network due to disruption of the Company’s computer system(s), including restoration costs arising from the alteration, destruction, damage or loss of digital assets.
h) PCI-DSS ASSESSMENT COVERAGE
If the Company maintains or processes credit or payment cards, then the Company must maintain at least $100,000 of PCI-DSS fines and assessment coverage to respond to any fines, penalties or other costs levied under the Payment Card Industry Data Security Standard by the Payment Card Industry Security Standards Council, as well as coverage for expenses associated with a mandatory audit performed after a data breach event by a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council.
i) CYBER DECEPTION COVERAGE
The Company must maintain at least $100,000 of cyber deception coverage for losses from the intentional misleading of the Company by means of a dishonest misrepresentation of a material fact contained in or conveyed within an electronic or telephonic communication, which the Company relies upon believing it to be genuine and which results in a financial loss to the Company.
j) FUNDS TRANSFER FRAUD COVERAGE
The Company must maintain coverage of no less than $100,000 for losses incurred from unauthorized electronic funds transfer; theft of Company money or other financial assets from the insured Company’s bank by electronic means; theft of money or other financial assets by electronic means; or any fraudulent manipulation of electronic documentation while stored on Company computer system(s) that leads to a transfer of funds based on the fraudulent electronic documentation.
k) DUTY TO DEFEND AND DEFENSE, SETTLEMENT, AND INVESTIGATION COST COVERAGE
The policy must include coverage and wording stating that the insurance carrier must defend (duty to defend) the Company against any claim made against the Company seeking damages that are potentially payable under the terms of the insurance policy, even if any of the allegations of the claim are groundless, false, or fraudulent.
l) TRIA / ACTS OF TERRORISM COVERAGE
The policy must include coverage for any act certified as an “Act Of Terrorism” pursuant to the federal Terrorism Risk Insurance Act of 2002 or otherwise declared an “Act Of Terrorism” by any government; or any act committed by any person or group of persons designated by any government as a terrorist or terrorist group, or any act committed by any person or group of persons acting on behalf of or in connection with any organization designated by any government as a terrorist organization; or the use of force or violence and/or the threat thereof by any person or group of persons, whether acting alone or on behalf of or in connection with any organization or government, committed for political, religious, ideological, or similar purposes, including the intention to influence any government and/or put the public, or any section of the public, in fear.
This document is for small and mid-sized businesses who are considering acquiring “cyber and data breach liability insurance” to protect themselves against the increasing velocity and complexity of cyber and data breach attacks.
There is an appendix for the CMMC.
It is also for larger businesses and governments to help them understand the value of the insurance for their contractors and extended supply chain members.
Some may wish to require subcontractors and suppliers to have proper Insurance in place, as a stipulation to providing goods or services to them.
This white paper is a living document.
We are looking for germane contributions associated with the following topics contained in the body of work.
We would also like to hear of new topics associated with insurance.
Please send comments to insurance@rightexposure.com