Often, insurers will offer their insureds a risk audit. A risk audit can include training, education, and network testing. The outside perspectives provided through risk consultation services can help uncover threats that would otherwise be undetected. The risk consultation team is an added resource for the IT department.
There are now forty-seven states that have enacted legislation requiring the notification of individuals of a potential breach of their personally identifiable information (PII). Notification requirements are expensive and vary by circumstance and state. A properly written cyber policy will cover the hard dollar costs associated with notification, credit monitoring, identity theft resolution, legal consultation, civil fines and the services of a forensic team.
Cyber policies vary greatly in their coverage provisions, from a custom-built policy to a “throw in” coverage on a commercial package policy. Insureds need to be particularly careful to fully understand what is, and most importantly what is not, covered.
Unlike many other lines of coverage, there is no industry standard form for cyber liability. As a result, the terminology used by each carrier differs from one policy form to the next. This can easily lead to confusion amongst insureds and inexperienced agents.
A well-crafted cyber policy should include the following coverages:
- Information Security and Privacy Liability – Protects you against theft, loss or unauthorized disclosure of personally identifiable information or third party information that is in your care, custody or control. This also provides protection against failure of computer security to prevent a security breach (i.e. computer virus, malware, denial of service attack).
- Privacy Notification Costs – Pays costs associated with breach notice laws that you are legally obligated to comply with because of an incident. These costs include computer expert services, legal services, notification costs, call center services and credit monitoring.
- Regulatory Defense and Penalties – Pays claims expenses and penalties due to a regulatory proceeding for a violation of a privacy law.
- Multimedia and Advertising Liability – Protects against claims alleging defamation, libel, slander, product disparagement, infliction of emotional distress, outrage, invasion of the right to privacy, misappropriation of any name or likeness for commercial advantage, false arrest, detention or imprisonment, plagiarism, copyright infringement, or infringement of trade dress, domain name, title, slogan or trademark. Also protects against any negligence regarding the content of any media communication.
- Payment Card Industry (PCI) Fines, Expenses and Costs – Pays for any PCI fines, expenses and costs which you become legally obligated to pay.
- First Party Data Protection – Pays for data protection loss as a result of alteration, corruption, destruction, deletion or damage to a data asset, or for an inability to access a data asset, that is directly caused by a failure of computer security to prevent a security breach.
- First Party Network Business Interruption – Pays for income loss and extra expenses as a direct result of an interruption to your business caused by a failure of computer security to prevent a security breach.
- Cyber Extortion Loss – Pays for costs incurred as a direct result of an extortion threat first made against the insured organization by a person other than an employee, director, officer, principal, trustee, governor, member, management committee, management board, partner, contractor, outsourcer, or any person in collusion with any of the foregoing.