Section 4: Cyber Coverage

Question 1

The Need for Cyber Insurance

Answer 1

• Anything internet related has exposure
• Might have exposure through connections to other companies that are taking your personal info

Question 2

Common Cyber Exposures (6)

Answer 2

RISC WC
- Regulation: Can have losses in multiple jurisdictions
- Internet of Things: Variety of devices are now connecting to the internet and allowing access to your network
- Storage of Data: Data located in a # of different places
- Credit Card Transactions
- Websites and Social Media
- Collection of Private information

Question 3

Limitations of Traditional Policies (Why Not GL / BOP / CRIME?)

Answer 3

CGL: electronic data is not considered tangible property. Usually contains explicit cyber exclusion

Property: Very limited coverage for Electronic Data and Interruption of Computer Operations

Crime: Not as robust coverage. Not much more than the Computer and Funds Transfer and Fraudulent Impersonation coverages

Question 4

Cyber Decs (Limits shown, retroactive date, aggregate)

Answer 4

Limits shown indicate that there is coverage. if no limits shown then no coverage for that section

If no retroactive date listed, then the policy may cover full prior acts

Limits may be subject to annual aggregate

Question 5

Application Definition (3)

Answer 5

Gathers info necessary for underwriter to make a decision

Must be signed by insured
‘
Can include a warranty statement that will cease coverage if misrepresented

Question 6

Card Company Definition

Answer 6

Any credit card company that requires its merchants to adhere to the Payment Card Industry Data Security Standards

Question 7

Claim Definition

Answer 7

Written demands for monetary and nonmonetary damages, civil proceedings, requests for mediation or demands for arbitration, and subpoenas seeking content or content-source information.

Question 8

Computer Program Definition

Answer 8

Set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables toe computer or devices to receive, process, store or send the organization’s electronic data

Question 9

Computer System Definition

Answer 9

any computer, including transportable or handheld devices, electronic storage devices and related peripheral components

Question 10

Defense Costs Definition (2)

Answer 10

All reasonable costs, charges, fees, and expenses incurred in investigating, defending, opposing or appealing any claim and the premium for appeal, attachment or similar bonds

Defense costs shall not include any salaries, wages, fees or benefits of employees

Question 11

Electronic Data Definition of what it doesn’t include

Answer 11

Doesn’t include the organization’s electronic data that is licensed, leased, rented or loaned to others (better covered under a Tech E&O policy

Question 12

Employee Definition what it doesn’t include

Answer 12

Doesn’t include independent contractors. This may be bad for 1099’d employees that are using company devices

Question 13

Liability Loss vs Loss

Answer 13

Liability Loss refers to 3rd party claims. Usually excludes expense items because money being paid to a third party

Loss refers to 1st party claims. Usually include expense

Question 14

Organizations Computer Systems Definition (3 types of computer systems included)

Answer 14

Owned by the organization

Leased by the organization and operated by any insured

Owned and operated by an employee who has agreed in writing to the orgs personal device use policy

Question 15

Personal Information Definition (6 Types that are included but not limited to)

Answer 15

SPF ABS (sunscreen your abs)
- Social security, DL# or state ID
- Protected Health Information
- Financial account #’s
- Any other nonpublic information as defined in privacy regulations
- Biometric data
- Security codes, passwords, PINS associated with credit, debit or charge card #’s that would allow access to financial institution funds

Question 16

Privacy Regulations Definition (broadening statement at end of the list of regulations)

Answer 16

Any other similar state, federal or foreign identity theft or privacy statute or regulation

Question 17

Subsidiary Definition (2 Types qualify)

Answer 17

More than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors or an equivalent position is owned, in any combination, by the organization

OR

written contract to elect, appoint or designate a majority of the board of directors or equivalent executives

Question 18

Suit Definition (Definition and what it doesn’t include)

Answer 18

Civil proceeding, not criminal

does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment

Question 19

First Party Loss Exposures (9)

Answer 19

FPWINNDER

• Forensic Analysis
• PCIDSS: must go through the Data Security standard to get certification again after a credit card data is compromised
• Website Vandalism
• Income (business Income): Lost income because data or systems have been compromised
• Notification costs
• Negative publicity
• Denial of service attacks: Hacker pinging system so much that the vendor can’t sell anything through ecommerce portals
• Extortion (cyber) and ransomeware
• ## Repairing or restoring data

Question 20

4 Available 1st Party Insuring Agreements under “Info Security Protection”

Answer 20

CCyBeR

• Cyber Incident or Info Security Breach Expense
• Cyber Extortion Events
• Replacement or Restoration of Electronic Data
• Business Income and Extra Expense

Question 21

Cyber Incident Definition

Answer 21

Unauthorized access,

Malicious Code,

Denial of service attack

Question 22

Information Security Breach Definition (2 types and 1 condition)

Answer 22

Unauthorized access, acquisition, retention or use of

• personal information
• any confidential corporate or proprietary information of any third party that is not available to the general public and which the “insured” has legal obligation to maintain in confidence

Needs to be in care custody or control or org under terms of written contract

Question 23

Cyber Incident or information security breach expense - Coverage Inclusions (5)

Answer 23

FP NOC

• Forensic Costs
• Public relations firm costs to protect the reputation of the company
• Notification expenses to affected parties in accordance to privacy regulations
• Overtime salaries for employees or fees and costs to hire a call center
• Credit monitoring service

Question 24

Cyber Extortion Event Definition (2)

Answer 24

Demand for ransom payments made to the organization with the actual or threat of:
- Perpetration of a cyber incident or informed security breach OR
- Theft or use of personal or confidential info

Question 25

Cyber Extortion Expenses (3)

Answer 25

- Interest costs - Reward Payments - Any other reasonable expenses incurred with written consent of insurer

Question 26

Data Restoration Expense Definition (1 definition and 3 exclusions)

Answer 26

- Costs to replace or restore the orgs electronic data or computer programs stored within the orgs computer system to previous condition as well as costs of data entry, reprogramming and computer consultation services Does not include - Research duplication that lead to data (should be stored in back-up) - Security Improvements - System improvements / repairs

Question 27

Period of Restoration for Cyber BI

Answer 27

180 Days

Question 28

3rd Party Exposures (5)

Answer 28

WWIRE - Wrong recipient - Website Infected - Infringement issues (copyright and intellectual property rights) - Regulatory issues - Emails infected

Question 29

4 Third Party Insuring Agreements Under Information Security Protection Cyber Policy

Answer 29

CybeR Money Payments (to others) Cyber Incident or Information Security Breach Liability Regulatory Proceeding Liability Media Liability Payment Card Industry Liability

Question 30

Cyber Incident or Information Security Breach Liability (What 3rd Covers and Interrelated Wrongful Acts Def)

Answer 30

Forensic and other expenses for wrongful acts that insured legally obligated to pay Interrelated wrongful acts means all casually connected wrongful acts arising out of the same or substantially the same facts, circumstances or allegations which are the subject of or the basis for any claim

Question 31

Regulatory Proceeding Liability (Includes 2 and excludes 3)

Answer 31

- Sum of money an org is legally obligated to DEPOSIT IN A FUND as equitable relief for the payment of consumer claims due to a settlement or an adverse judgment resulting from a claim OR - FINES or penalties against org from gov agency Doesn't include - UNINSURABLE: Any amounts that are uninsurable under the law pursuant to which this policy shall be construed - PROFITS: or advantage the org was not legally entitled to - FEES - Chargebacks, interchange fees or rates, discount fees, processing fess or any costs to replace payment cards

Question 32

Payment Card industry Costs (4 things it pays, 4 things it doesn't pay)

Answer 32

Pays (PCMA) = Payment Card Money Amounts - Punitive, exemplary and multiple damages - Compensatory awards or judgments - Monetary Settlements - Assessments (card reissuance costs and fraud recoveries), and contractual fines or penalties under terms of payment card service agreement Doesn't pay: (TUF P = TUF that Payment card doesn't pay these) - TAXES, fines, penalties or assessments imposed by law, other than punitive - UNINSURABLE(any) amounts that are under the law pursuant - FEES- Interchange fees or rates, discount fees, processing fees - Restitution, disgorgement, royalties, unjust enrichment, PROFITS insured didn't earn

Question 33

Media Liability Definition and 4 things covers

Answer 33

Any errors arising out of the insured's gathering, recording, collecting, writing, editing, publishing, exhibiting, broadcasting, or releasing of content Covers (DEEP = that ad really cut DEEP for me) Defamation / Reputation Harm Emotional Distress / Outrage Infliction E&O Statements Privacy Invasion

Question 34

Social Engineering

Answer 34

Can have coverage under crime policy, but better under cyber for events that relate to online social engineering

Question 35

Bricking or Computer Replacement Definition

Answer 35

Replaces computer systems that are rendered unusable after a cyber attack freezes them

Question 36

Cryptojacking Definition

Answer 36

Pays back utility costs associated with a hacker using the insured's computers to crypto mine.

Question 37

Defense (What type) and Settlement (Similar to what coverage?)

Answer 37

Defense is right and duty to defend Settlement similar to EPLI where you need consent to settle. They have hammer clauses and soft hammer clauses

Question 38

Cyber Exclusions (9)

Answer 38

PIMMP BAWB - Payment Card Industry (exception for the Payment Card Industry coverage. Intended to not duplicate coverage) - Interruption or Failure of Services (doesn't pay for loss of electricity or utilities) - Material Published with Knowledge of Falsity - Music Licensing and Royalties (Only applies to Media Liability - Prior Knowledge, Prior Notice, and Prior or Pending Litigation - Bodily Injury and Property Damage - Act of Nature - War - Breach of Contract and Assumed Liability

Question 39

Merger of Subsidiaries and Cessation of subsidiary 3

Answer 39

Merger - Doesn't continue coverage if covered insured's business is not the surviving entity - Need to have 50% ownership or 50% control over board Cessation of Subsidiary - Extended Reporting period or policy end coverage for subsidiaries that were removed

Question 40

Confidentiality Condition

Answer 40

Can't tell Cyber criminal that you have insurance and what your limits are

Question 41

Other Insurance Condition

Answer 41

Cyber policy is always excess to other coverages unless another insurance is expressly written to be excess over this insurance.

Question 42

Representations and Severability of the Application

Answer 42

- To be separate for each employee. Knowledge of one employee is not imputed to any other employee. - Coverage void if C-level signs a misrepresentation

Question 43

Extended Discovery Period (1st or 3rd party / How many days / how many days to report/ when not applicable)

Answer 43

- 1st party - 60 days after policy ends and no coverage replaced - 60 days to report after discovered in the extended discovery period (can report a claim that happened on Day 60 on Day 120) - Not applicable if coverage cancelled or if you got a replacement policy

Question 44

Extended Reporting Period (1st or 3rd / How many days / how many days to report/ when not applicable)

Answer 44

- 3rd party - 60 days after policy ends and no coverage replaced - 60 days to report after discovered in the extended discovery period (can report a claim that happened on Day 60 on Day 120) - Must occur prior to end of policy period and after retro date

Question 45

Run-Off Coverage Period

Answer 45

For a merger, consolidation or acquisition of the NI or cessation of a subsidiary Applies to claims that are first made against an insured and reported during the Run-Off Coverage period in accordance with the reporting condition of the policy. The claims must also arise from wrongful acts occurring on or after the retroactive date, but prior to the merger, consolidation, or acquisition

Question 46

Business Income and Extra Expense (BI Definition 2 / EE Definition 2 / EE Exclusions (4))

Answer 46

Actual loss of net income Continuing normal operating expesnes Extra Expense Above and beyond personal expenses Extra costs for expediting Recovery EE Doesn't include expenses from the other 3 insuring agreements or repairing systems / data / programs