Privacy Breach

Coverage against third party claims/lawsuits for loss of: Personal Information, Commercially Confidential Information Employee Information and Information held by Service Providers.

Data Recovery & System Damage

Cover for lost, damaged or destroyed IT systems, records, and data. This can include the retrieving, repairing, restoring or replacing of data, systems or hardware.

Cyber Extortion

Cyber extortion is defined as a threat against the insured computer system to provide ransom in order to prevent a Cyber Attack. Coverage for this can include: the payment of a ransom, negotiation & mediation costs, crisis management costs & costs to resolve a security threat, and investigation costs to determine the cause of the extortion threat.

Privacy Breach Notification Costs

Cover for costs incurred to notify the regulatory body or relative parties when a Privacy Breach occurs. This includes costs incurred for Mandatory Data Breach Notifications, where laws are in force for companies of a certain size (i.e. with a turnover of $3M+).

Regulatory Defence and Fines

Cover for the Defence Costs and Penalties that occur when there is a Privacy Breach (see above).

Business Interruption

Coverage for “indirect” or “consequential loss”. This can include cover for loss of profits and additional expenses incurred because of a Cyber loss.

Cyber Incident Response & Crisis Management Costs

Access to 24/7 emergency incident response immediately following/during a Cyber Attack.

Cyber Crime

Social Engineering

Social Engineering Fraud generally involves a cyber criminal using a phishing scheme (usually in the form of fraudulent emails) to deceive a target into voluntarily giving away funds to a third party.

Contingent Business Interruption

Coverage that reimburses lost profits and extra expenses resulting from an interruption to the business of a customer or supplier, caused by a Cyber Event.

Payment Card Data Security Liability

Coverage against third party claims/lawsuits from a breach to the Payment Card Industry Data Security Standard.

Disclosure

Someone applying for insurance must disclose any matter they know to be relevant to the insurer’s decision to accept the risk. Continuous disclosure is also very important: If there is any material change to the company during the policy period, the insured needs to keep the broker/insurer informed of the change.

Claims Made Policy

Cyber Liability Insurance policies are written on a Claims Made policy form, which means the loss/claim must be reported and indemnity granted during the period of insurance to trigger a claim. If a policy is lapsed and a claim is reported after the policy period, the claim will be denied.

Retroactive Date & Known Claims

The retroactive date determines if a policy will provide cover for past acts that have only been discovered after the fact – in the policy period. If this date is either “unlimited” or states a specific date, there is cover for claims that had occurred in the past and reported during the policy period, as long as they were not previously known by the insured. If this date is “inception”, then cover is only provided for acts occurring after the policy is put in place while it is in force.

Social Engineering & Cyber Crime

These are important coverage sections but are typically excluded from a policy unless specifically added to the policy schedule – usually for an extra premium. (Read more about Cyber Crime here)

Social Engineering – Vendor Email Hacked

The controller for a distributor of component parts was responsible for making regular payments to overseas vendors from which the distributor purchased products for resale in the United States. After many months of working with one particular vendor and receiving regular shipments, the controller received an email that appeared to come from his vendor contact, indicating that the vendor’s bank was having issues with accepting payments, and asking if the next payment could be made to a new bank. Due to the vendor’s overseas location, verification was a challenge. After the supposed vendor applied some pressure, the controller paid the invoice via wire transfer.

The following month, when the real vendor realised that its best customer’s payment was overdue, an investigation determined that the vendor’s email had been hacked, and an imposter had been socially engineering the company into believing that the change in bank information was authentic. In the end, the fraudster finagled almost $250,000 from the distributor.

** This claims example has been provided by Chubb Insurance Company of Australia Limited **

Employee Error (First Party & Third-Party Claim)

A retailer emailed a group of customers to promote a sale with special discounts available to them. The retailer
intended to attach a copy of the flyer detailing the discounts but instead attached a copy of a spreadsheet
that contained a customer list, including customer names, addresses and credit card information.

The retailer was required to notify all affected customers of the error and offered credit monitoring services.
Several of the affected individuals began legal proceedings against the retailer. The notification and credit monitoring costs totalled $50,000, and the amount to settle the legal proceedings with the retailer’s customers combined with the associated legal costs and expenses totalled $100,000.

Most Cyber Risk Insurance policies provide coverage for breach of privacy which includes legal costs, indemnification of third parties and crisis management costs.

** This claims example has been provided by Insurance Australia Group Limited **

Privacy Breach, Fines & Investigation (First Party & Third-Party Claim )

An IT company misplaced multiple drives that contained personal information for over one million customers. It was unknown whether the drives were lost, stolen or destroyed. The IT company was required to notify the affected individuals, as well as the privacy regulator. The regulator investigated the incident and fined the company for failing to have appropriate safeguards in place to protect customer information.

The company incurred legal fees of $1,000,000 in connection with the regulatory investigation and defending legal actions brought by affected customers and for the costs and expenses in notifying customers their personal

information had been lost, stolen or destroyed. The company was also fined $75,000 by the privacy regulator. The total loss to the company exceeded $5,000,000.

This type of scenario triggers multiple Insuring Clauses under a typically Cyber Insurance policy, including privacy fines and investigations.

Ransomware

A professional services company was affected by cryptolocker virus identified as the Lockey virus. A network of 20 computers were affected with users unable to access files, which had been encrypted. Investigations revealed the virus entered the computer network via an infected email attachment which had been inadvertently opened by an employee.

An IT specialist was brought in to re-build and restore lost data from the back-up server. The IT costs involved in containing and recovering from the incident were claimed under the Cyber Insurance policy. No ransom was paid as a result of the data recovery efforts.

DDoS – Distributed Denial of Service

An online service provided was hit by a Distributed Denial of Service (DDoS) attack. The DDoS attacks effectively starved the web site host system of resources by flooding it with malicious traffic and preventing legitimate customers logging on or accessing the website. Account Customers utilising the Internet, Mobile Phones and Mobile Apps were unable to log on, new users were unable to set up accounts.

A specialist forensic IT vendor was appointed to investigate and mitigate the attack. The incident involved serious disruption to the insured’s business and loss of income as a result of its website being down for approximately one week at one of the busiest times of the year. The Cyber Security Insurance policy responded to the costs of the IT investigation and remediation and the loss of profits suffered.

Data Breach

Users of the Insured’s online network had reported that they had received spam emails from an individual they knew to be an ex-employee of the Insured, to a unique email address that they had created exclusively for use on the Insured’s website. Investigations confirmed that while working for the Insured, the ex-employee had access to the relevant customer databases and forensic IT investigations confirmed the data breach.

Steps were taken to ensure that the ex-employee deleted the data and signed an enforceable undertaking not to use the data in future. The quick action to contain the breach and engage with the regulator meant that the regulatory investigation could be responded to in a way that satisfied the regulator and the costs and risk could be contained.

Travis Kenzle

Managing Director

Tyler Speers

Account Manager