RiskProNet News


Insuring Unauthorized Disclosure of Data

Possible unauthorized disclosure of data – rather than ransomware that encrypts files – may be a stronger selling point for cyber insurance for clients such as law firms. This was one of the points made at this month’s Cyber Liability Practice Group teleconference.

“We sometimes hear clients say they aren’t worried about ransom demands because everything is backed up,” one person said. “But what if a hacker threatens to make private data public as opposed to just destroying it? The requirements under breach notification laws are expensive. Also, malware could be on the backup tapes as well.”

Here are additional comments from the conference call:

Working with CIOs

CIOs can be allies or obstacles during the sales process. Some CIOs fear that the decision to buy insurance means they don’t have all their ducks in a row. Or they may feel that liability rests with third-party vendors that handle hosting and other functions. “If you have a CIO who ‘gets it,’ it’s awesome to have them involved because they know where possible breaches may occur.”

E-Commerce Vendors

For clients doing e-commerce, using third-party vendors such as PayPal offers some protection. There is a distinction between entering credit card information into the insured’s website and redirecting customers to PayPal. PayPal is a more favorable situation for the insured.

Philadelphia Insurance Companies Form Comparison Review

The forms were written in 2012. “In cyber insurance, that might as well be 100 years old. Having said that, it’s not horrible.”

“The breadth of some of their terms is a double-edged sword. It’s good to have broad terms in extending coverage but using the same terms in exclusions is not a good thing. The word ‘you’ is used broadly in some exclusions. It should be limited to ‘knowledgeable people’ or C-suite executives.”

One group member reported that Philadelphia is willing to make some changes in policy language upon request. Recommended requests include the following:

  • Exclusion D addresses “failure to maintain reasonable protection.” “It is difficult to define ‘reasonable’ and the exclusion is not market competitive. Philly is aware of it and ready to remove it upon request.”
  • There is a 150 percent penalty in the event that malicious code re-emerges. This also is not market competitive. They also are aware of this and willing to remove it.
  • A good point is that coverage is extended to third parties. But the exclusion for “reasonable failure to maintain protection” technically could apply to third parties. “I doubt that this is the intent, but it could be read that way.”

In the News

A Seattle seafood company paid $700,00 to the wrong entity as the result of a computer phishing scheme. Travelers’ denial of the claim, based on an “authorized person” exclusion, was recently upheld by the Ninth Circuit Court of Appeals.

IBM has banned the use of removable storage devices. One reason is that they can be lost; the other is that they are a prime way for hackers to gain access to computers.

New data protection laws in the European Union go into effect May 25.

Cyber criminals have found a new way to bypass the Safe Links feature in Microsoft Office.

