Requirements for securing Cyber and Data Breach Insurance

The following contains the minimum acceptable requirements that must be included in a Cyber and Data Breach insurance policy for the Company providing the product or service.

Coverage for Cyber and Data Breach Loses

Coverage must be secured for losses incurred for both Cyber and Data Breach events and the liability and expense that could be incurred by a Company from a range of threats and incidents including:

1. Liability claims involving the unauthorized release of information for which the Company has a legal obligation to keep private;
2. Liability claims alleging invasion of privacy and/or copyright/trademark violations in a digital, online or social media environment;
3. Liability claims alleging failures of computer security that result in deletion/alteration of data, transmission of malicious code, denial of service, etc.
4. Defense costs in State or Federal regulatory proceedings that involve violations of privacy law;
5. The provision of expert resources and monetary reimbursement to the insured company for the out-of-pocket (1st Party) expenses.

The term “Cyber Breach” implies coverage only for incidents that involve electronic hacking or online activities and “Data Breach” is in reference to coverage of any private data and communications in other different formats including paper.  As such a Company must maintain a policy from an authorized insurance carrier that provides acceptable levels of coverage for both Cyber and Data Breach events.

Application process

Company should not disclose in an unsecure environment details about the company, (other than publicly available information such as name, address, contact information, etc.) or any information about past cyber and data breach events or losses, as well as the Company’s current cyber security processes or procedures, (other than to answer basic underwriting questions which should not exceed 5 pertaining to past events or losses, and 5 pertaining to current cyber security processes and procedures, for a total of no more than 10 questions).    Examples of basic underwriting questions would include:  

PAST EVENTS OR LOSSES

• Is your Company aware of any current or past circumstances which may indicate that your company has suffered a cyber or data breach?
• Has your Company ever experienced a cyber or data breach that resulted in a state, federal or other regulatory fine or penalty?
• Has your Company ever been sued or had other litigation that resulted from a cyber or other form of data breach?
• Has a subcontractor under the direct supervision of your Company ever reported to you a cyber or other form of data breach that may have comprised data provided by your Company to the subcontractor?
• Has your Company ever experienced any system intrusions, tampering, viruses or malicious code attacks that resulted in loss of data, or had any hacking incidents, extortion attempts, or other forms of data theft?

CURRENT CYBER SECURITY PROCESSES AND PROCEDURES

• Is your company in compliance with NIST 800-171?
• Does your company back up your data and systems?
• Does your company store these backups in an offsite location?
• Does your company utilize firewalls and anti-virus applications?
• Does your company have a process for dual authorizations for the electronic payments or transfer of funds over $10,000.00?

If the underwriting insurance company asks for more detailed questions as part of the application process, (i.e. More than 10 basic underwriting questions) or requires that the Company provide details to fully answer the basic underwriting questions, then the application for the purchase of the insurance must be done in a “secure” format.  Secure is defined as the application must be conducted and stored in a Fed Ramp Certified cloud storage system.

Domicile of Insurance Carrier

The Insurance carrier issuing the policy to the Company to be insured must be domiciled in the USA, UK or an approved US ally. 

Security Breach Hotline

Insurance carrier issuing the policy to the Company must provide the Company with access to a call center or other telephone support that is staffed and available 24/7/365 that the Company may call to notify the insurance carrier of a security breach (suspected or known).   The call center or hotline provided by the insurance carrier must provide access to the Company to breach response council and breach response team(s) and access to other resources provided by the insurance carrier to promptly develop a response plan, and to begin recovery and response activities.

Minimum Coverage Limits

Any Insurance policy must meet minimum coverage limits of no less than $1,000,000.00 USD per claim or in the aggregate of no less than $1,000,000.00 USD  (limits should be set based on the revenue / size of the Company to be insured) with no sublimit for any coverage unless noted as such below.  Coverage should extend to the following:

a) SECURITY BREACH RESPONSE COVERAGE

Coverage for costs incurred to respond as a result of a Security Breach event. Breach Response Costs include the costs of fees, costs, charges or expenses incurred after the discovery of a Security Breach to include:

• • computer forensic professional fees and expenses to determine the cause and extent of the Security Breach;
  • costs to notify any company, client, subcontractor or persons affected or reasonably believed to be affected, including printing costs, publishing costs, postage expenses, call center costs or costs of notification via phone or e-mail;
  • legal fees and expenses
  • Credit Monitoring Expenses of those affected by the Security Breach

b) PRIVACY LIABILITY (INCLUDING EMPLOYEE PRIVACY)

Coverage for a claim arising out of any privacy wrongful act that causes harm to any third (3rd) party or Employee.  The coverage must provide liability protection for the Company for the losses due to the unauthorized release of Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information(PHI), and any corporate confidential information of third parties and employees, and for any privacy breach violation of a person’s right to privacy regardless of  State or Federal specific definitions of CUI, PII or PHI.

c) PRIVACY REGULATORY CLAIMS COVERAGE

Provides coverage for both legal defense and the resulting fines/penalties emanating from a regulatory claim, alleging a privacy breach or a violation of a Federal, State, local or foreign statute or regulation, (including GDRP) with respect to privacy regulations.

d) SECURITY LIABILITY COVERAGE

Coverage for the Company for allegations of a security wrongful act, including the inability of a third-party, who is authorized to do so, to gain access to the Company’s computer systems due to the failure to prevent unauthorized access to or use of a computer system, and/or the failure to prevent false communications such as phishing that results in corruption, deletion of or damage to electronic data, theft of data and denial of service attacks against websites or computer systems of a third party.   This coverage protects against liability associated with the Company’s failure to prevent transmission of malicious code from their system to a third party’s computer system.

e) MULTIMEDIA LIABILITY COVERAGE

Coverage for defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patent excluded) in the course of the Company’s communication of media in electronic (website, social media, etc.) or non-electronic forms.

f) CYBER EXTORTION COVERAGE

Coverage for expenses and payments (including ransom payments if necessary) to a third party to avert potential damage threatened against the Company such as the introduction of malicious code, system interruption, data corruption or destruction or dissemination of personal or confidential corporate information

g) BUSINESS INCOME AND DIGITAL ASSET COVERAGE

Coverage for lost earnings and expenses incurred because of an authorized third-party’s inability to access the Company network due to disruption of the Company’s computer system(s) including restoration costs from the alteration, destruction, damage or loss of digital assets.

h) PCI-DSS ASSESSMENT COVERAGE

If the Company maintains or processes credit or payment cards, then the Company must maintain at least $100,000 of PCI-DSS fines and assessment coverage to respond to any fines, penalties or other costs to respond to or levied by the Payment Card Industry Security Standards Council, under the Payment Card Industry Data Security Standards, as well as have coverage for expenses associated with a mandatory audit performed by a Qualified Security Assessor (QSA), certified by the PCI Security Standards Council, after a data breach event.

i) CYBER DECEPTION COVERAGE

Company must maintain at least $100,000 of cyber deception coverage for losses from the intentional misleading of the Company by means of a dishonest misrepresentation of a material fact contained or conveyed within an electronic or telephonic communication(s) and which is relied upon by the Company believing it to be genuine which results in a financial loss to the company.

j) FUNDS TRANSFER FRAUD COVERAGE

Company must maintain coverage of no less than $100,000 for losses incurred from unauthorized electronic funds transfer, theft of Company money or other financial assets from the insured Company’s bank by electronic means, or theft of money or other financial assets by electronic means, or any fraudulent manipulation of electronic documentation while stored on Company computer system(s) that lead to a transfer of funds based on the fraudulent electronic documentation.

k) DUTY TO DEFEND AND DEFENSE, SETTLEMENT, AND INVESTIGATION COST COVERAGE

Policy must have coverage and wording that notes that the insurance carrier must defend (duty to defend), the Company for any claim made against the Company seeking damages which are potentially payable under the terms of the insurance policy, even if any of the allegations of the claim are groundless, false, or fraudulent.

l) TRIA / ACTS OF TERRORISM COVERAGE

The policy must include coverage for any act certified as an “Act Of Terrorism” pursuant to the federal Terrorism Risk Insurance Act of 2002 or otherwise declared an “Act Of Terrorism” by any government or; any act committed by any person or group of persons designated by any government as a terrorist or terrorist group or any act committed by any person or group of persons acting on behalf of or in connection with any organization designated by any government as a terrorist organization; or the use of force or violence and/or the threat thereof by any person or group of persons, whether acting alone or on behalf of or in connection with any organization or government, committed for political, religious, ideological, or similar purposes, including the intention to influence any government and/or put the public, or any section of the public, in fear.