This post explains the coverage available under a cyber insurance policy.
Some policies don’t offer all of the coverages listed below, and some coverage, e.g., for funds transfer fraud, may be subject to a sub-limit, i.e., a lower limit than the policy offers for the other risks that it covers. Further, many law firms may not need all of these coverages; e.g., a firm that doesn’t have a management committee doesn’t need Management Liability coverage.
Further, the coverage and pricing vary widely among policies, so it’s imperative to obtain quotes from at least several insurers, and to make sure that you understand what your firm is buying, before making the purchase.
Introduction
The coverages in a cyber policy are divided into ‘1st-party’, which refers to damage or costs incurred by the insured law firm, and ‘3rd-party’, which refers to the firm’s liability for injury it causes others. It’s analogous to an auto policy, which has collision/comprehensive (1st-party) and liability (3rd-party) coverage.
1st-Party Coverages
I. Cyber Incident Response
A “cyber incident” is defined as any actual or suspected unauthorized system access, electronic attack or privacy breach, including denial of service attack, cyber terrorism, hacking attack, Trojan horse, phishing attack, man-in-the-middle attack, application-layer attack, compromised key attack, malware infection (including spyware or Ransomware) or computer virus, directed at a law firm’s “computer systems”: its operating systems, software, hardware, computer and communication networks, data and back-up data, websites, media libraries, data back-ups, and mobile devices.
If a law firm’s computer systems incur a cyber incident, the policy will pay:
A. Incident Response Costs
Advice from the insurer’s cyber incident team, to help you develop a response to the incident, including threat intelligence.
B. Legal and Regulatory Costs
- 1. legal advice to determine the correct course of action;
- 2. draft privacy breach notification letters, substitute notices, website notices or e-mail notification templates;
- 3. notify any appropriate governmental, regulatory, law enforcement, professional or statutory body;
- 4. respond to any regulatory investigation;
- 5. defend any regulatory action
C. IT Security and Forensic Costs
- 1. engage with an IT security consultant to identify the source and scope of the cyber incident;
- 2. obtain initial advice to remediate its impact;
- 3. conduct a forensic investigation of your computer systems where reasonable and necessary or as required by law or a regulatory body;
- 4. contain and remove any malware discovered on your computer systems
D. Crisis Communication Costs
- engage with a crisis communications consultant;
- coordinate media relations in response to the cyber incident
- receive training for relevant spokespeople with respect to media communications about the cyber incident;
- formulate a crisis communications plan, to reduce damage to your firm’s brand and reputation, due to the cyber incident.
E. Privacy Breach Management Costs
- print and post appropriate notices for any individual affected by the actual or suspected cyber incident, or send e-mail notices or issue substitute notices;
- provide credit monitoring services, identity monitoring services, identity restoration services or identity theft insurance to affected individuals;
- set up a call center to manage inbound and outbound calls relating to the cyber incident;
- provide translation services to manage communications with affected individuals
The same coverage will also be provided to any 3rd party, provided that you have contractually indemnified them against this cyber event and they have a legal obligation to notify affected individuals.
G. Post-breach Remediation Costs
- complete an information security risk assessment;
- conduct an information security gap analysis;
- develop an information security document set; and
- deliver an information security awareness training
II. Cyber Crime
A. Theft of Funds
Reimbursement of your firm for loss due to a third party committing:
- any unauthorized electronic transfer of funds from your firm’s bank;
- theft of money or other financial assets from your firm’s bank by electronic means;
- theft of money or other financial assets from your firm’s corporate credit cards by electronic means.
B. Theft of Funds Held in Escrow
Reimbursement of your firm, if it has to reimburse a third party for theft of their money or other financial assets from a bank account held by your firm on their behalf, committed by a hacker via electronic means.
C. Extortion
Reimbursement of your firm for any ransom it pays in response to an extortion demand resulting from a threat to:
- introduce malware, or the actual introduction of malware, including Ransomware, into your firm’s computer systems;
- prevent access to your firm’s computer systems or data or any third party systems hosting your firm’s applications or data;
- reveal your firm’s confidential information or confidential information entrusted to it; or
- damage your firm’s brand or reputation by posting false or misleading comments about it on social media
D. Corporate Identity Theft
Reimbursement of your firm for any loss arising out of the fraudulent use or misuse of its electronic identity, including the establishment of credit in its name, the electronic signing of any contract, the creation of any website designed to impersonate it, or the reliance by any third party on a fraudulent version of your firm’s digital identity.
E. Telephone Hacking
Reimbursement of your firm for any loss due to its telephone system being hacked by a third party, including the cost of unauthorized calls or unauthorized use of bandwidth.
H. Unauthorized Use of Computer Resources
Reimbursement of your firm for any loss due to cryptojacking or botnetting (a third party using your systems to hack another party’s systems).
III. System Damage and Business Interruption
A. System Damage and Rectification Costs
Reimbursement of your firm for reasonable and necessary expenses pertaining to:
- contract staff or overtime costs for employees to rebuild your firm’s data, including the cost of data re-entry or data re-creation;
- IT consultants to recover your firm’s data or applications; and
- IT consultants or overtime costs for employees working in your IT department to reconstitute your firm’s computer systems to the position they were in immediately prior to the cyber event.
B. Income Loss and Extra Expense
Reimbursement of your firm for income loss and extra expense during the indemnity period, due to an interruption to its operations caused by computer systems downtime that lasts longer than the waiting period and arises out of a cyber incident.
“Extra expense”: your reasonable sums necessarily incurred in addition to your normal operating expenses to mitigate an interruption to and continue your business operations, provided that the costs are less than your expected income loss sustained had these measures not been taken.
“Income loss”: your income that, had the cyber event or system failure which gave rise to the claim not occurred, would have been generated directly from your business operations (less sales tax) during the indemnity period or reputational harm period, less:
“Indemnity period”: the period starting from the first occurrence of: the computer systems downtime; or the downtime of computer systems used directly by a supply chain partner; and lasting for the period stated as the indemnity period in the Declarations
C. Additional Extra Expense
Reimbursement of your firm for any reasonable sums necessarily incurred during the indemnity period that are in addition to its normal operating expenses and the extra expense recoverable under part B. above:
- to source your firm’s services from alternative sources, to meet contractual obligations to supply your customers;
- to employ contract staff or overtime costs for employees to continue your business operations;
- to employ specialist consultants, including IT forensic consultants to diagnose the source of the computer systems downtime; and
- for employees working overtime within your IT department to diagnose and fix the source of the computer systems
D. Dependent Business Interruption
Reimbursement of your firm for income loss and extra expense sustained during the indemnity period, due to interruption of its operations arising out of any sudden, unexpected and continuous outage of computer systems used directly by a supply chain partner, if the computer systems downtime lasts longer than the waiting period and arises directly out of any cyber incident or system failure.
“Supply chain partner”: any third party that provides you with hosted computing services including infrastructure, platform, file storage and application level services.
“System failure”: any sudden, unexpected and continuous downtime of computer systems used directly by a supply chain partner which renders them incapable of supporting their normal business function and is caused by an application bug, an internal network failure or hardware failure. (If your own systems fail, that’s not covered.)
E. Consequential Reputational Harm
Reimbursement of your firm for income loss sustained during the “reputational harm period”, due to the loss of current or future customers caused by damage to its reputation, due to cyber incident.
“Reputational harm period”: the period starting from when the cyber event is first discovered and lasting for the period stated as the reputational harm period in the Declarations page.
F. Claim Preparation Costs
Payment of any reasonable sums necessarily incurred to determine the amount of your income loss, following an interruption to your business operations covered under sections A-E above.
G. Hardware Replacement Costs – the cost to replace any computer hardware or other tangible equipment that’s part of your computer systems, and has been damaged by a cyber event, unless it’s more efficient and cost effective to install new firmware or software onto your existing hardware.
3rd Party Liability Coverages
I. Network Security & Privacy Liability
A. Network Security
Pays all sums which your firm becomes legally obligated to pay due to a claim arising out of a cyber incident, which causes:
- the transmission of malware from your firm’s computer systems to a third party’s computer system;
- your firm’s computer systems being used to carry out a denial of service attack;
- your firm’s failure to prevent unauthorized access to its information stored or applications hosted on its computer systems or a third party’s computer systems; and
- identity theft, experienced by any third party.
B. Privacy Liability
Pays all sums which your firm becomes legally obligated to pay due to a claim arising out of a cyber incident, which causes:
- an actual or suspected disclosure of or unauthorized access to any Personally Identifiable Information (PII), including payment card information or Protected Health Information (PHI);
- your firm’s failure to adequately warn affected individuals of a “privacy breach”, including the failure to provide a data breach notification in a timely manner;
- a breach of any rights of confidentiality, due to your firm’s failure to maintain the confidentiality of any data pertaining to your employees;
- a breach of any rights of confidentiality, including a breach of any provisions of a non-disclosure agreement or breach of a contractual warranty relating to the confidentiality of commercial information, PII, or PHI;
- a breach of any part of your firm’s privacy policy; or
- actual or suspected disclosure of or unauthorized access to your firm’s data or data for which it is responsible.
“Privacy breach”: an actual or suspected unauthorized disclosure of information arising out of an electronic attack, accidental disclosure, theft or the deliberate actions of a rogue employee or third party.
C. Management Liability
Pays all sums which your firm’s senior officers become legally obliged to pay, due to a claim arising out of a cyber event, if your firm has a management committee but doesn’t have Directors & Officers insurance.
D. Regulatory Fines
Pays fines and penalties resulting from a regulatory investigation arising out of a cyber incident that affects your firm’s computer systems.
E. PCI Fines, Penalties, and Assessments
Pays fines, penalties and card brand assessments, including fraud recoveries, operational reimbursements, non-cooperation costs and case management fees, which you become legally obliged to pay your bank or payment processor as a direct result of a payment card breach.
“Payment card breach”: an actual or suspected unauthorized disclosure of payment card data stored or processed by you arising out of an electronic attack, accidental disclosure or the deliberate actions of a rogue employee.
II. Media Liability
A. Defamation
Pays all sums which your firm becomes legally obliged to pay due to a claim for:
- defamation, including but not limited to libel, slander, trade libel, product disparagement and injurious falsehood; or
- emotional distress or outrage based on harm to the character or reputation of any person or entity; arising out of any media content.
Media Content is: any content created or disseminated by your firm or on its behalf, including content disseminated through books, magazines, brochures, social media, billboards, websites, mobile applications, television and radio.
B. Intellectual Property Infringement
Pays all sums which your firm becomes legally obliged to pay, arising out of media content, due to a claim for:
- infringement of any intellectual property rights, including copyright, trademark, trade dilution, trade dress, commercial rights, design rights, domain name rights, image rights, moral rights, service mark or service name;
- act of passing-off, piracy or plagiarism or any misappropriation of content, concepts, format rights or ideas or breach of a contractual warranty relating to intellectual property rights;
- breach of any intellectual property rights license acquired by your firm; or
- failure to attribute authorship or provide credit; arising out of any media content.