From Sony and Home Depot to the Office of Personnel Management and Ashley Madison - no introduction to cyber threat is needed. Business segment aside, we believe there are three types of organizations:
(i) those that have experienced a breach and are dealing with it,
(ii) those that have experienced a breach and are not aware of it, and
(iii) those that haven’t experienced a breach – but only because they have not been targeted.
To the best of our knowledge, the association community in general has been fortunate in avoiding a large-scale, 3rd-party-induced intrusion, breach and release of data, or a threat to do so. That is not to say that associations haven’t been affected. In just the past ninety days, four clients have experienced an unintended breach of data. In three of the four instances, the unintended and unauthorized release of the data (HR records in each instance) came from the inside: a current or former employee. Looking ahead, we believe the incidence of rogue employee release and external intrusion, both resulting in data breach, will rise.
- Coverage & Limits – although not all insureds will require each one, there are as many as twelve separate coverage elements, each of which requires a separate limit selection. Coverage may be broken down into two categories.
1st Party Claims - or - 3rd Party Claims*
Computer And Electronic Data Restoration Expense – data restoration (different than property insurance because there may be no physical damage to computer equipment)
Computer Fraud – theft of property by use of a computer to fraudulently transfer that property from inside the premises (your office location)
Electronic Theft of Service – denial of service
Electronic Theft of Tangible Property – other property, not money or securities, with intrinsic value
Funds Transfer Fraud – fraudulent instructions transmitted to a Financial Institution directing the Institution to transfer money
E-Commerce Extortion – extortion
Business Interruption Extra Expense – Loss of income and extra expense
Crisis Management Expense - public relations, forensic and other expert consultant expense
Security Breach Remediation and Notification Expense – cost of identifying, notifying victims, credit monitoring & changing account numbers
Network/Cyber/Privacy/Information Security Liability – unauthorized access to or release of personally identifiable information
Communications & Media Liability – personal injury including defamation, libel and slander
Regulatory Defense Expense – regulatory defense expense & penalties if permitted by law
- Expense – the types and limits of coverage selected will naturally influence expense. Gross revenue and the number of records will be the principal premium development factors. For some organizations, the scope of PII (personally identifiable information) and the degree of control will also influence expense. The minimum premium expense for small organizations (under $10M Revenue) may be as low as $1,500 - $2,500. Organizations with revenue between $20M and $100M can anticipate the minimum premium for basic coverage at about $7,500. Minimum premium estimates are generally not applicable for organizations with revenue above $100M.
Additional Information - Follow this link for additional resources, including articles and tips, from Chubb, CNA and Travelers.
*The two parties to an insurance contract are the insured (the 1st party) and the insurer (the 2nd party). As a general statement any other person or entity is referred to as a 3rd party. Where an insurance company owes a duty directly to the insured, a property loss for example, it is referred to as a 1st party claim. Coverage afforded to redress harm to those outside the policy is referred to as 3rd party coverage or liability.
A year ago, Social Engineering was not a part of the insurance and risk management lexicon. A new peril such as this, with the rapid onset of frequent and in some cases significant loss activity and the rapid response by the industry…is extremely rare. While this scam may seem overly simplistic and of a kind that would not circumvent the organization’s control environment, we are aware of claims even among organizations with sophisticated accounting controls.
- Coverage & Limits – limit options range from $250,000 - $10,000,000 depending on carrier and can be no greater than the organization’s employee dishonesty limit. A key provision of some policies is the requirement that a callback procedure is in place; in the event of a claim, written documentation of the callback is necessary.
- Expense - the amount of coverage offered as a basic extension to the Crime policy is capped in most cases at $250K. As a result, the cost of coverage for most organizations is expected to be in the range of $100 - $1,000 per year.
Additional Information - Follow this link for additional resources from Chubb and Travelers.
Like data breaches, workplace violence (WPV) has become all too frequent an occurrence. Every business is challenged to understand and plan for the possibility of WPV at its business premises. Associations often conduct business away from the central office location and must recognize that all these spaces are, in effect, their workplace. Currently, all policies we are aware of limit coverage to incidents occurring at the insured premises (i.e., office and other specifically insured locations). We are working with several carriers to extend coverage to off-premises exposures (e.g., exhibit halls, meetings, outdoor or other receptions, etc.).
- Coverage & Limits – it should be clear that WPV coverage is limited and at best supplemental to other policies (e.g., Commercial General Liability, Business Income and Workers’ Compensation) in the portfolio. There is no coverage for loss of life except for loss to employees, which is provided by some but not all carriers. The aggregate limit for all loss is capped at $250,000. WPV is provided by endorsement to another policy, typically a Directors & Officers Liability policy. Depending on the carrier, some or all of the following coverage elements are provided:
- Crisis management, up to 90 days
- Public Relations, up to 90 days
- Mental health, up to 10 days
- Security Guard, up to 90 days
- Forensic analysis
- Salary of victim, up to 90 days
- Reasonable medical expenses for victim
- Rest & Rehabilitation, up to 90 days
- Stalking threat
- Expense – while providing important benefits not found in other policies, the limitations of coverage under the WPV form help explain the nominal cost; depending on the carrier, premium expense may be anywhere from zero to 10% of the cost of underlying coverage (e.g., if the premium for a Management Liability policy providing D&O and Employment Practice is $10,000, the WPV premium would be $1,000).