Cyber Risk

Camargue’s Cyber Risks policy covers organisations against the risks arising out of operating a computer network. Depending on which options have been selected, it can also:

  • Cover liability arising from on-line publishing (such as a web site) as well as from traditional media such as brochures
  • Provide professional indemnity cover appropriate to technology companies
  • Provide a form of specialised business interruption cover which covers the Insured’s loss of income arising out of computer down-time
  • Cover the cost of recovering the Insured’s lost data.
Question: What is the difference between applied electronics insurance and a cyber risks policy?
Answer:
  • The applied electronics policy specifically excludes the cost of
    • restoring data, or
    • down-time due to viruses and hacking, or
    • the costs caused by computer software defects (bugs).
  • The above-mentioned items are generally covered by the cyber risks policy.
  • By contrast, the cyber risks policy excludes cover for physical damage to computer hardware. This is generally covered by the electronics insurance.
  • A cyber risks policy also covers other risks not normally found on an electronics policy, such as third party liability caused by the Insured’s failure to protect third party personal information.
Question: What is considered ‘personal information’ in terms of PoPI?
Answer:
  • PoPI states that personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
    • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
    • Information relating to the education or the medical, financial, criminal or employment history of the person;
    • Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
    • The biometric information of the person;
    • The personal opinions, views or preferences of the person;
    • Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
    • The views or opinions of another individual about the person;
    • The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; and
    • Consumer or purchasing preferences or patterns.
Question: What is PoPI (Protection of Personal Information Bill)? Detailed answer
Answer:
  • The purpose of this legislation, due to be promulgated during the course of 2012, is to
    • Promote the protection of personal information processed by public and private bodies;
    • Introduce certain conditions so as to establish minimum requirements for the processing of personal information;
    • Provide for the establishment of an Information Regulator;
    • Provide for the issuing of codes of conduct;
    • Provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
    • Regulate the flow of personal information across the borders of the Republic; and
    • Provide for matters connected therewith.
  • The Bill goes on to note that its intention is to “regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests...”
  • Of significance is the requirement in respect of notification of security compromises.
    • Where there are reasonable grounds to believe the personal information has been accessed or acquired by any unauthorised person, the responsible party must notify the Regulator and the data subject (unless the identity of the data subject cannot be established).
    • The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.
Question: What is PoPI (Protection of Personal Information Bill)? Short answer
Answer:

This is a piece of South African legislation designed to protect personal information. 

Question: Is there an overlap in the Defamation and Plagiarism cover?
Answer:
  • Defamation and plagiarism appear to be covered under both Insuring Agreement 1 (Professional Services) and Insuring Agreement 2 (Multimedia Liability). What is the difference in cover between these two?
  • Professional Services covers the insured against their liability to the customer for liability which the customer may incur as a result of the insured’s wrongdoing.
    • Example: The insured is a PR company that develops a brochure for the bank. The brochure wrongfully claims that the bank’s competitors are dishonest. As a result the bank is sued for defamation. The bank in turn sues the PR company. That claim would fall under the Professional Services section of the insured’s policy.
  • Multimedia Liability covers the insured against their liability to third parties.
    • Example: The insured’s brochure wrongfully claims that its competitors are dishonest. 
Question: Does the policy also cover members of a CC?
Answer:

Yes, the definition of the Insured includes any officer of the Insured. 

Question: What does the Assumed Liability exclusion mean?
Answer:
  • The Assumed Liability exclusion means that there is no cover if the Insured takes over someone else’s liability (unless the Insured would have been liable anyway).
  • This is best illustrated by way of example:
    • The bank becomes liable when the Insured, who is testing the bank’s software, accidentally deletes customer information. It is acceptable for the Insured to assume this liability because the Insured would inevitably become liable anyway (since the bank would sue the Insured to make its recovery).
    • A bank might require its suppliers to provide them with a blanket indemnity, regardless of whether the supplier’s fault has been proved or not. This would not be covered.
      • Example: The Insured is Greenbank’s IT supplier and as a result of a defect in the software developed jointly by the Insured and Greenbank, many of Greenbank’s customers lost money. Although it is not clear whether the defect was caused by the Insured or by Greenbank, their contract automatically makes the Insured liable for the loss. This would not be covered.
Question: Does a Cyber Liability policy cover liquidated damages?
Answer:
  • No, although liquidated damages are not stated as an exclusion, the definition of Damages does not include liquidated damages.
  • What are liquidated damages?
    • Sometimes it is difficult to quantify a loss in monetary terms. For that reason, the Insured and a third party may agree that if a loss were to occur, then the guilty party’s liability will be a pre-agreed amount.
    • Liquidated damages are an amount of money agreed upon by the parties to a contract which one will pay to the other upon breaching the agreement or failing to perform as stipulated in the contract.
Question: Is a loss arising out of a physical breach in security covered?
Answer:
  • Yes, the definition of a security breach “includes …non-electronic security failures”.
  • Example: when the Insured’s laptop was stolen, all the customer’s private information was compromised. 
Question: Is there cover if the hack attack came from an employee?
Answer:
  • Yes, this is generally covered. The policy does not exclude cover arising out of employee sabotage.
  • There would be no cover for the dishonest employee’s own liability.
Question: Does the Data Recovery section include non-electronic data?
Answer:
  • Does Insuring Agreement 4: (Data Recovery and Loss of Business Income Coverage) also cover lost data which was not stored on computer hardware?
  • No, although loss of data is covered, the cover is limited to machine-readable information (which excludes paper copies).
  • Example: The Insured is a data capturing company which captures ‘new business application forms’ on behalf of its customer. However, before being captured many of these forms are accidentally shredded.
Question: Is there cover for the loss of non-electronic data?
Answer:
  • Yes there is, but there are limitations on this cover.
  • Insuring Agreement 4 (Data Recovery and Loss of Income) provides cover for the Insured’s own damage loss. However, the loss must have arisen out of:
    • (i) the wilful misuse of the Insured’s computer network, or
      • Example: A hacker sends a message to the Insured’s clerical staff which confuses them into shredding the wrong documents. As a result the Insured loses money when it can no longer determine which clients it must bill for its services.
    • (ii) human error or a software bug, or
      • Example: The Insured’s paper recycling contractors take the wrong box and the Insured can no longer determine which clients it must bill for its services.
    • (iii) physical damage to the Insured’s computers.

  • Insuring Agreement 1 (Professional Services) provides cover for liability arising out of the Insured’s negligence while providing professional services.
    • There is no cover for the Insured’s liability under this section because of a policy wide exclusion on claims arising out of property damage.
  • Insuring Agreement 3 (Security and Privacy) provides cover for liability arising when information is destroyed or disclosed to unauthorised parties. This needs to happen in terms of a:
    • Security breach – provided that the damage to non-electronic data arose out of the misuse of a computer network.
    • Privacy breach which means a breach of confidentiality or any right to privacy.
    • There is no cover for the Insured’s liability under this section because of a policy wide exclusion on claims arising out of property damage.
Question: Is there cover for misquoting a price?
Answer:
  • The section on Multimedia Liability provides cover for misleading advertising. Does this cover extend to misquoting a product’s price on a brochure?
  • No, there is a policy-wide exclusion on liability arising out of any incorrect or inadequate description of the price of goods, services or products. 
Question: Is there cover for fines and penalties?
Answer:
  • Yes, the definition of Damages includes fines and penalties, but only to the extent that they are insurable by law.
    • A fine resulting from a negligent late submission of documents, for example, might be insurable.
    • By contrast, a fine intended to punish bad behaviour is not insurable as this would be contra bonos mores (against the public interest). A fine for driving recklessly, for example, is not insurable.
  • There is no cover for fines and penalties arising out of any Payment Card Industry Standard or any Payment Card Company rules.
    • Example: the fine for late payment of your credit card debt.

Question: Is damage to computer hardware covered?
Answer:
  • Damage to the hardware itself is not covered but the related consequential loss such as the cost of restoring data or legal liability might be covered.
  • In other words, following some loss, damage or theft of hardware, the Insured might be liable to a third party (if negligence on the part of the Insured can be shown) because of what happened to the data on that hardware.
    • Note: The cost of replacing the hardware itself is not covered.
  • Example scenarios where liability could be covered include:
    • The Insured’s laptop is stolen and the thief uses the customer data on it to steal money from those customers.
      • Explanation: The definition of a security breach includes a loss arising from the “physical theft of … hardware …”.
    • A fire at the Insured’s offices destroys the only copy of a customer’s important data.
      • Explanation: Exclusion N removes cover for loss incurred in the replacement of physical assets arising from fire, but provides cover if the claim is part of the Insured’s own financial loss on account of the lost data (termed a first party insured event in this policy). A first party insured event includes the loss of data stored on a machine due to “accidental destruction or loss of hardware, so that the data stored on the machine is not readable.”

Question: What types of Cyber Liability risks are typically declined?
Answer:

Generally the underwriters decline risks which involve companies that operate card or transaction processing facilities due to the amount of payment card data retained within their networks.

Question: What is an Invasion of Privacy?
Answer:

Legally, an invasion of privacy may include any of the following:

  • Publication of private facts
  • Placing a person in a false light
  • Unauthorised appropriation of a person’s name or likeness
  • Intrusion into a person’s sphere e.g. telephone tapping
  • The collection of personal data
  • Example: Mhlongu v Bailey & another. The editor of the magazine knew that the plaintiff shied away from publicity and objected to the use of his photographs and name in the magazine. The court held that the publication of the photographs constituted an invasion of privacy.
Question: What cover is there for intentional acts committed by employees?
Answer:
  • The deliberate acts exclusion does not apply to the company if the liability arises out of a malicious act by an employee acting against the company. There is no cover for that employee, but there is cover for the company.
  • The company will pay that employee’s defence costs but if they are found guilty then they must repay those costs.
Question: How many days does the Insured have to notify the Insurers of a claim?
Answer:
  • The policy does not specify a fixed number of days within which the claim must be notified.
  • The policy does require that the Insured notify the Insurers as soon as practicable. Practicable means:
    • When it is possible and practical. If the Insured discovers the loss on Friday evening he would not be expected to notify the Insurers over the weekend unless doing so would materially reduce the quantum of the loss, always assuming the Insurer is contactable. As with any policy, the Insured must do everything required to mitigate the “damage” without in any way admitting liability.
    • This period is unlikely to ever be more than a few days unless the only person capable of reporting the incident is incapacitated.
Question: Cyber Liability policies are Claims-Made contracts (claims made)
Answer:

Cyber Liability policies are issued on a claims-made basis which means:

  • The event causing the claim must occur on or after the Retroactive Date but before expiry of the policy.
  • The Insured must become aware of the possibility of a claim during the period of insurance. The Insured must immediately notify the Insurers if they become aware of a possible claim.
Question: What is the extent of cover for legal defence costs under Cyber Liability?
Answer:
  • By definition, defence costs include all “reasonable and necessary fees, costs and expenses incurred in the investigation, adjustment, defence and appeal of a claim …”
  • The nature of cover for defence costs is mostly as follows:
    • Defence costs against a civil action are covered under insuring agreements 1, 2, 3 and 5.
    • Defence against a regulatory action is covered under insuring agreements 1 and 5.
      • Insuring Agreement 1 example: The insured’s software miscalculates the solvency ratio for insurance companies. As a result the FSB brings charges against the insured.
      • Insuring Agreement 5 example: The insured runs a policy administration system on behalf of brokers. When the system is hacked the information gets out and the FSB brings charges against insured.
  • It is common for liability policies to draw a distinction between the legal costs of defending:
    • A criminal action - which is prosecuted by the state. E.g. manslaughter.
    • A civil action – which is a matter between two persons. E.g. an unpaid debt.
  • In the case of this policy, these costs are not subject to any sub-limit. They simply form part of the policy’s overall limit.
    • Example: If the indemnity limit is R3m, the Insured could spend R1m on the legal defence costs, leaving R2m to cover the damages award.
  • The following do not form part of defence costs:
    • The Insured’s internal costs such as salaries and overheads.
    • The legal costs of the third party suing the Insured. Although these are covered, they form part of the damages award and are not defined as Defence Costs.

Question: What are the Cyber Liability territorial limits and jurisdiction?
Answer:
  • Territorial Limits define where in the world the loss can occur. The policy schedule states what the territorial limits are, but often they are worldwide.
  • Jurisdiction defines which courts the third party may use when suing the Insured. The policy provides worldwide jurisdiction.
  • Choice of law defines which court will preside over any disputes between the Insured and the Insurers. The choice of law for this policy is South African Law.
  • Example:
    • The Insured causes financial loss to a Belgian national by allowing a breach of security in the Insured’s operations based in the Netherlands. The Belgian sues the Insured in Belgium. Later, the Insured sues the Insurers in South Africa because they wrongly refused to pay the claim.
    • In this example the Territorial Limits need to include the Netherlands and the jurisdiction needs to include Belgium.
    • The Territorial Limits need be no wider than RSA if the Business is transacted in RSA even though some clients may be domiciled elsewhere.
  • The Choice of Law would always be South African and subject to the jurisdiction of a competent South African court if the Insured’s principal office is located in South Africa.

Question: Does a Cyber Liability policy cover Own Damage?
Answer:
  • Liability policies are designed to cover the costs that the Insured must pay in order to make good the damage they did or the loss they caused to others (the third party).
  • By contrast, an ‘own damage' policy covers the costs which the Insured incurs in restoring its own property after some mishap to its own possessions.
    • Burglary and fire policies are examples of own damage policies.
  • A Cyber Liability policy provides both liability and own damage cover. The following table provides a very brief indication of the policy’s cover.

| Insuring Agreement | Nature | Very Brief Description |
|---|---|---|
| 1. Professional Services | Liability | Covers the Insured’s liability arising out of negligence in their work. |
| 2. Multimedia Liability | Liability | Covers the Insured’s liability arising out of any physical or electronic publication. |
| 3. Security & Privacy Liability | Liability | Covers the Insured’s liability arising out of its negligence in preventing a computer security breach. |
| 4. Data Recovery & Loss of Income | Own Loss | Provides a form of business interruption cover and also covers other own damage in the form of the cost of restoring lost data. |
| 5. Privacy Regulatory Defence & Penalties | Liability | Liability as a result of not complying with laws relating to privacy. |
| 6. Crisis Management Costs | Both | It mitigates the potential damage to the Insured’s brand (own damage) and it also covers the Insured’s liability arising out of compliance with privacy legislation. |
| 7. Data Extortion | Own Loss | Covers costs which would otherwise be incurred by the Insured in preventing a loss and liability. |

Question: Who is insured in terms of a Cyber Liability policy?
Answer:

The policy covers not only the entity named on the schedule, but also includes

  • Its subsidiaries
    • The subsidiary does not need to be named in the policy schedule, but the Insured does need to own more than 50% of the shares.
  • Employees and directors of the Insured, provided that the liability arises out of their duties for the Insured.
  • Other organisations that the Insurers agree to include under this policy.
Question: Why purchase Cyber Risks Insurance?
Answer:

The incredible pace of growth in technology worldwide has produced a society which has become totally dependent on technology. This has caused a greater connectivity between people and organisations than has ever existed in human history. Unfortunately this has brought with it new risks which traditional insurance is ill-equipped to cope with. These risks include viruses, hacking attacks, liability arising out of online publishing and cyber-crime, to name but a few.

Cyber liability insurance has been designed to address these new and unusual threats faced by organisations operating in a high-tech world.

Question: What is Cyber Risks Insurance?
Answer:
  • Cyber liability covers organisations against the risks arising out of operating a computer network.
  • Liability arising from on-line publishing (such as a web site) as well as from traditional media such as brochures can also be covered.
  • There is an option which provides professional indemnity cover appropriate to technology companies.
  • It not only covers the Insured’s liabilities to others, it also provides a form of specialised business interruption cover which covers the Insured’s loss of income arising out of computer down-time. In addition, the actual cost of recovering lost data is also covered.