Cyber Insurance Coverage
It’s not a matter of if your organization will experience a data breach, but when.
Ill-intentioned hackers across the globe are looking for ways to get rich quick by defrauding organizations. And those organizations’ most valuable assets—people—frequently fall prey to such criminals. With cyber insurance, you’ll be better positioned to mitigate the impacts of a cybersecurity incident.
You may be thinking, “If a data breach is inevitable, what’s the point of cyber insurance?” Or you may think this insurance isn’t relevant to your industry and the data you manage. But the truth is: cyber insurance coverage is relevant to most businesses and data types, and it makes a significant difference in the event of a cybersecurity incident.
Three Reasons to Consider Cyber Insurance
1. Cybercriminals are after all types of data.
Cybercriminals find value in almost everything. A recent cyber claims study indicates the following data is at risk:
- Payment Card Industry (PCI) (14%)
- Protected Health Information (PHI) (15%)
- Critical files (15%)
- Personally Identifiable Information (PII) (26%)
- All others (30%)
As you can see, personal information such as identity numbers, birthdates, bank account information, credit card information and addresses is highly sought after. Cybercriminals’ main goal is usually identity theft of individuals and businesses.
2. Recovering from a cybercrime is expensive.
Managing the impact of a cybercrime can get expensive in a hurry.
First, you’ll need incident response and forensic analysis to discover what data was lost. Then, you must handle any mandatory notifications and reports. Further, you’ll likely need to manage public relations and your reputation, and you may lose customers or have diminished customer acquisition rates. On top of that, expect costs associated with counsel and litigation.
3. Nearly all industries are at risk for cybercrime.
When it comes to cybercrime, small and large businesses of all industries are at risk.
Smaller companies are not spared, because they are expected to be more vulnerable. Hackers can assume that smaller companies have fewer protective measures in place, and they can assume similar trends based on industry. For instance, hackers target industrial companies because they tend to invest less in their security and have valuable intellectual property at their fingertips.
Data Breach Mitigation Tools to Consider
Cybercriminals have stepped up their phishing, spoofing and social engineering game and made it more difficult to distinguish fraud from reality. They’re working hard to deceive others using nefarious business email addresses and ransomware. External threats attempt to penetrate your organization daily, and the criminals’ plan often involves compromising people and computer networks.
Some of the most common sources of cybersecurity incidents are hackers, malware, lost or stolen devices, mistakes made by staff, paper records and rogue employees. Humans tend to be the weakest links, unwittingly opening doors for cybercriminals. Even if you have well-executed plans for cybersecurity, there’s always a chance of an incident.
Organizations of all sizes have considered the following tools in the past several years:
- Improved, secure hardware and software
- Network security vulnerability and penetration testing
- Pre-breach consultation
- Incident response plan assessments
- Cybersecurity awareness training for employees
- Cybercrime insurance coverage
Proactive cybersecurity assessments identify weaknesses and opportunities to strengthen your network, and formal incident response plans help companies respond quickly and effectively, which are critical factors in the event of a breach or attack.
Understanding Cyber Coverage Basics
Even if you have cyber insurance, you may not know what is and isn’t covered in your policy.
Many organizations only learn that their policies don’t match their needs when it’s already too late.
Here’s how to make sure you get the right coverage for your business.
Understand why you need cyber security coverage.
Consider factors such as the type of data you have and what value it holds, the notification requirements you must comply with and the specific risks others in your industry have reported. Construct and consider a list of common expenses associated with a cybersecurity incident. If you can foresee those costs, you can select cyber coverage to mitigate them.
As an insurance broker, Intasure makes use of a number of service providers who offer their various products in this cyber arena.
The information that follows is in respect of the offering from iToo which we believe to be a very good offering. Obviously, we will engage with other insurers as well, should you so instruct.
Why get your clients’ Cyber Insurance covered by iTOO?
Designed to cover the resultant costs and damages from a privacy breach or a network security breach, a cyber insurance policy covers what has previously been uninsurable providing comprehensive first and third-party coverages with an expert incident response process.
Far broader than the name Cyber would imply, our policy extends to cover numerous incidents including but not limited to:
- Cyber extortion and malware (viruses, ransomware, or publishing of stolen data).
- Denial of service (disruption to operations).
- Downstream attack (a compromise of your environment resulting in damages to others).
- Hacking.
- Insider and privilege misuse (unauthorised access and use of systems and data by employees and service providers).
- Physical theft and loss (both devices and physical hard copy data).
- Threats posed by third party access into a client environment.
iToo’s comprehensive cyber insurance policy can be tailored to your requirements and provides the following coverages:
1ST PARTY (YOUR OWN DAMAGES)
Regulatory fines: Fines imposed by a government regulatory body due to an information privacy breach.
Business interruption: Loss of income and increased cost of working as a result of a systems security incident.
Data restoration: Costs to restore, re-collect or replace data lost, stolen or corrupted due to a systems security incident.
Cyber extortion: Costs to restore, re-collect or replace data lost, stolen or corrupted due to a systems security incident.
Outsourced service provider: Cover for exposure to named outsourced service providers including:
- Defence and settlement of liability claims resulting from your data being compromised from an outsourced service provider;
- Business interruption losses resulting from a systems security incident at an outsourced service provider; and
- Costs to change to an alternate outsourced service provider if required.
E-Financial loss: Unrecoverable loss of money, belonging to or for which you are legally responsible, as a direct result of a system security incident by a third party. Cryptocurrency losses are excluded.
Payment card industry fines and penalties: Cover for direct monetary fines, penalties, assessments, chargebacks, reimbursements and fraud recoveries which you become legally obligated to pay in terms of a merchant services agreement as a direct result of a network security breach resulting from non-compliance with PCI-DSS. Reasonable costs to demonstrate your ability to prevent a future breach as required by your merchant services agreement.
Phone phreaking: Call and/or bandwidth usage costs you are legally obligated to pay as a result of unauthorised use of your telecommunications system by a third party.
Physical damage: Costs to replace or repair direct physical damage of tangible property belonging to or rented, leased or hired by you as a direct result of a system security incident.
3RD PARTY (YOUR LIABILITIES TO OTHERS)
Privacy liability: Defence and settlement of liability claims arising from compromised information.
Network security liability: Defence and settlement of liability claims resulting from a system security incident affecting systems and data as well as causing harm to third-party systems and data.
Media liability: Defence and settlement of liability claims resulting from disseminated content (including social media content) including:
- Defamation;
- Unintentional copyright infringement; or
- Unintentional infringement of right to privacy.
INCIDENT RESPONSE (WHAT NEEDS TO HAPPEN IMMEDIATELY)
Incident response costs: Costs to respond to a system security incident, including:
- to obtain professional (legal, public relations and IT forensics) advice, including assistance in managing the incident, co-ordinating response activities, making representation to regulatory bodies and coordination with law enforcement;
- to perform incident triage and forensic investigations, including IT experts to confirm and determine the cause of the incident, the extent of the damage including the nature and volume of data compromised, how to contain, mitigate and repair the damage, and guidance on measures to prevent reoccurrence;
- for crisis communications and public relations costs to manage a reputational crisis, including spokesperson training and social media monitoring;
- for communications to notify affected parties; and
- for remediation services such as credit and identity theft monitoring to protect affected parties from suffering further damages.
iToo also offers the following:
- Tried and tested incident response; we have a really great claims process and providers
- Local, experienced underwriters backed by industry leading reinsurance markets
- Underwriters who come from an IT security background
- Risk management options and guidance
- The ability and willingness to assist brokers in the sales cycle including getting on calls to discuss the cover
- Our #ITOO GO offering brings a full-blown cyber insurance offering to clients with targeted and simplified underwriting. In addition, clients are able to get an indication on premium before completing proposal forms
If your revenue is R5M per annum, then the premiums and deductible are shown in the purple block above, whereas if your revenue is R105M per annum then the premium and deductible is shown in the orange block above.
Example: Should your turnover be R9M and you determine that you want a Limit of Indemnity of R10M, your annual premium would be R 18 805.00
You will appreciate that this is complex cover and insurers have stringent requirements with regard to the efforts taken by their policyholders in protecting their own networks and data. In order to qualify for the product, you will have to be able to comply with iToo’s security requirements, which can be assessed in the document below:
The proposal form in respect of the GO offering is available below:
An extended version of this GO offering is also available via the completion of the below proposal form:
The extended version of the Go offering entails the following additions to the basic policy:
The premiums and requirements referred to above are only applicable to businesses with a turnover of less than R 250,000,000 per annum.
Businesses who have turnovers in excess of this amount can request a quotation via the completion of the appropriate proposal form:
NB – Commercial Crime type cover and differences.
Crime Insurance has been around for decades with a focus on protecting companies from employee and vendor theft, fraud and forgery.
By contrast, Cyber Insurance was created to protect companies from damages occurring from cybercrime. The first cyber policies covered such things as customer notification, credit monitoring and other related services, as well as third-party liability.
Today, the lines are blurred. In a highly connected business landscape, ransom, embezzlement, and many other types of loss now have a different criminal face. Some are covered under a crime policy; others are covered by cyber insurance. So how do you determine what constitutes a crime loss versus a cyber loss? Alliant Insurance Services offers this guidance:
- Is it a direct or indirect loss? One of the primary purposes of cyber insurance is to protect companies whose customers’ personal information has been compromised. In this case, you may be responsible or liable for damages incurred by those connected to you – an indirect loss. A crime policy, however, covers losses such as theft of your money or securities – a direct loss.
- Is it a tangible or intangible loss? Cyber insurance covers the loss of intangible property such as data files, proprietary formulas, sensitive financial information, and personal data of customers or employees – an intangible loss. Crime coverage comes into play when there’s a physical loss of securities, money, or merchandise – a tangible loss.
- Is it a third party or first party loss? Under a cyber policy, the initial loss is to another person, company or other entity – a third party loss. A crime policy, however, covers losses you incur – a first party loss.
While this guidance helps, these policies are more complicated in real life, especially as cybercrime and insurance protection both continue to evolve.
For example, cyber insurance policies no longer only include coverage to reimburse expenses associated with a data breach. They now include coverage for:
- Private data breach
- Systems and data restoration
- Social engineering
- Cyber extortion
- Media coverage
Cyber insurance gets a lot of attention; however, crime insurance should not be overlooked. Though crime insurance covers the loss or theft of money, securities, or other property, it can include computer fraud insurance, which covers the loss of company assets transferred by use of a computer to an unauthorized person or place.
Should you need further advice or assistance, please contact your Intasure representative. If you are not an Intasure client, please reach out to us here, and we will be in touch.