Data and systems are key assets for most companies because without them you cease to exist.
From a lost device to a more deliberate cyber-attack, ITOO Cyber Insurance provides your business with access to expert knowledge and resources to effectively manage and recover from a cyber incident.
What are the benefits of Cyber Liability Insurance?
Designed to cover the resultant costs and damages from a privacy breach or a network security breach, a cyber insurance policy covers what has previously been uninsurable providing comprehensive first and third-party coverages with an expert incident response process.
Far broader than the name cyber would imply, our policy extends to cover numerous incidents including but not limited to:
- Physical data theft and loss (both devices and physical hard copy data).
- Cyber extortion and malware (viruses, ransomware, or publishing of stolen data).
- Denial of service (disruption to operations).
- Downstream attack (a compromise of your environment resulting in damages to others).
- Hacking.
- Insider and privilege misuse (unauthorised access and use of systems and data by employees and service providers).
- Threats posed by third-party access into a client environment.
While Cyber Liability Insurance does NOT replace good IT security practices, a cyber liability policy does provide a safety net to protect you, your business and your patients.
CFP has negotiated discounted rates with iTOO Special Risks (Pty) Ltd and we have two types of cyber covers to offer exclusively to our scheme policyholders.
Abbreviated Summary of Cyber Liability Options
Data Protection Extension OR iTOO Go Cyber Insurance
Please read the full Cyber Liability policy document that is available on your personal Medical Malpractice Profile.
(See Terminology Section at the bottom of this page for further clarification).
| COVER SECTIONS | DATA PROTECTION EXTENSION | ITOO GO CYBER INSURANCE | WHY DO YOU NEED THIS COVER? | |
|---|---|---|---|---|
| Cyber Liability | Includes Privacy Liability and Network Security) | If you were to suffer a cyber breach, you would be legally liable to everyone whose data was compromised. If your system security incident affects other parties’ systems and their data, you would be liable to them as well. What would your total liability and defence costs be? Can you afford to cover this yourself? This cover provides the defence and settlement of liability claims arising from:
| ||
| Incident Response Costs | Crisis Management Expenses | Cover includes expenses for a public relations consultant and related advertising or communication expenses at the direction of the consultant to protect your reputation. | ||
| Notification Expenses | To comply with governing regulations, you would need to notify everyone whose information has been breached. Can you comply with these regulations without assistance and still run your business? Provides:
| |||
| Incident Triage and Forensics | Do you have the expertise to investigate how your systems were compromised and how to contain the breach? Covers expenses for security specialists, forensic investigators and loss adjusters to contain, manage and recover from an incident. | |||
| Regulatory Fines | Pays for fines issued by regulators due to an information privacy breach so long as those fines are insurable by law. | |||
| Loss of Business Income / Business Interruption | If you can’t work due to a network breach you start to lose income. This covers network/business interruption to compensate for system downtime and the consequential loss of earnings resulting from the breach. | |||
| Data Restoration | Costs to restore, re-collect or replace data lost, stolen or corrupted due to the security incident as well as the increased cost of working following the breach. Consider if you were to have a medical malpractice claim but you had no records to rely on for your defence. This lack of records could compromise your cover. Therefore, it is extremely important for you to get help to recover your data where possible. | |||
| Cyber Extortion | Costs to investigate and mitigate a cyber-extortion threat, also referred to as ‘ransomware’. Where required, costs to comply with a cyber extortion demand. | |||
Which option will suit you best?
Before making your decision, it would be worth considering the following:
- How dependent are you on your data and systems? If access was removed, could you recover from scratch? How long would it take you and at what cost?
- If an incident occurred, who would you appoint to investigate and assist in recovering from the incident?
- Are they equipped to conduct a proper forensic investigation?
- What would it cost to conduct a forensic investigation? (This would ascertain what happened, how it happened and how to prevent it from happening again.)
- What could the potential impact be of not investigating and managing an incident correctly?
- Could you cover the costs associated with cyber extortion or a ransomware demand, and do you know how to negotiate with hackers?
Why is our offering different?
Our cyber insurance offering includes a defined incident response process including a wide range of experienced specialists with a local presence as well as global experience and expertise.
Key areas of experience and expertise:
- IT response costs to understand, mitigate and recover from the incident
- Crisis communications and public relations costs, to reduce potential reputational damage and customer churn
- Notification and remediation services, to prevent affected parties from suffering further damages
View the additional Policy Claim examples below for more illustrative scenarios to help you make your decision.
Policy Claim examples
Scenario 1
Ransomware
An employee clicks on a link in an email and malware is downloaded which encrypts all information throughout the organisation. A ransom demand is received requiring payment within 24 hours in exchange for the key to decrypt the information.
Policy trigger: network security breach (malicious code)
Potential incident response costs: specialist’s costs to recover operations and calculate lost revenue as a result of downtime, increased cost of working i.e., overtime once the information is decrypted, extortion negotiation fees, actual extortion payment, specialist costs to contain and remove the malware as well as recover data, forensics, legal consultation fees and incident response manager fees.
Scenario 2
Personal Information theft
The incorrect attachment is accidentally mailed out to a third-party. The attachment contains personally identifiable information belonging to employees and customers.
Policy trigger: privacy breach
Potential incident response costs: credit and identity theft monitoring expenses for those whose personally identifiable data was disclosed, forensics, legal consultation fees for defence and settlement of ensuing liability claims and incident response manager fees.
Scenario 3
Denial of Service
An online platform provider suffers a denial of service attack which results in their clients’ not being able to access their hosted portals for several hours.
Policy trigger: network security breach (denial of service attack)
Potential incident response costs: specialist’s costs to recover operations and calculate lost revenue as a result of downtime, increased cost of working i.e., overtime once the portals are back online, costs to set up and operate a call centre for enquiries, public relations expert fees to minimise the reputation damage, forensics, legal consultation fees and incident response manager fees.
How do I apply for the Cyber Liability cover?
- This optional Cyber / Data Liability Insurance offering is ONLY available to our Medical Malpractice scheme policyholders.
- Your current IT setup, data and systems must be compliant with the Minimum Security Requirements (see below). If you are not sure, we recommend that you consult your IT professional before commencing with either of these liability offerings.
- Please read the full Cyber Liability Policy Document available for viewing and downloading from your personal Medical Malpractice Profile page.
- You can take out this policy (Cyber or Data) at the same time as your Medical Malpractice insurance cover OR at any time thereafter, for instance:
- Together with your renewal of your existing Medical Malpractice cover, or
- At the same time as your NEW application for Medical Malpractice cover, or
- If you have already renewed your Medical Malpractice cover for next year, you can use the "Increase Cover" link inside your Profile page.
- Simply log in to your Medical Malpractice as usual and navigate to your Profile where you can view the official Policy Document.
Compliance with IT Security Requirements
If you purchase the Data Protection Extension or the iTOO GO Cyber Insurance cover you will need to comply fully with the Insurer’s IT security requirements. We have briefly itemised the requirements below.
However, to see the full list of IT Security requirements, please refer to the official Cyber Liability Policy Document available for viewing and download on your personal Medical Malpractice Profile.
If you are not sure that you meet the requirements, you can download the Policy Document and then speak to your IT team/consultants as they should be able to advise you further.
- Anti-virus and/or anti-malware software implemented on all desktops, laptops and Sensitive Systems (where applicable and in accordance with best practice recommendations) and kept up to date as per the software providers’ recommendations.
- Security related patches and updates applied on Sensitive Systems within 3 (three) months of release by the provider.
- Outdated software which is no longer supported by the software provider is not accessible from external networks and is disclosed to the Insurer.
- Password controls implemented on Sensitive Systems. These controls must include:
- Password length of at least 10 (ten) characters.
- User account passwords configured to be changed at least every 120 (one hundred and twenty) days unless passwords are at least 14 (fourteen) characters in length or multi factor authentication is implemented.
- Passwords prevented from being reused for at least 5 password changes.
- Passwords which are not common dictionary words and cannot within reason be deemed widely used or easily guessable, including the Insured’s name or P@ssword1 for example.
- A lockout on user accounts where, at most, there are 10 (ten) failed authentication attempts.
- All default installation and administration accounts secured via changing the account password from the well-known default passwords and/or disabling, deleting, or renaming the account.
- User privileges for users with access to Sensitive Systems and Sensitive Information must be revoked within thirty (30) days of termination of employment at the Insured and where notified, for termination of employment at a service provider.
- Resiliency controls including:
- Documented disaster recovery and business continuity plans which have been communicated to relevant key stakeholders.
- Generate backups at least weekly or have replication implemented.
- At any point in time have a backup or replicated copy which is disconnected, offline or cannot be overwritten from the production environment.
- Monitor or test at least weekly to ensure the successful generation of backups or replication.
- Test the ability to restore data from backups or read from replicated copies at least every six (6) months.
- Next generation firewalls with geo-location blocking configured to restrict access to digitally stored Sensitive Information.
- Generally accepted vulnerable network protocols are secured via disabling/blocking on the firewall or where required restricted based on IP address and/or to secured areas.
- Administrative/remote access interfaces such as Remote Desktop Protocol (RDP) are not accessible via the open internet. Where such interfaces are required, these are accessible exclusively over secured channels such as multi-factor authenticated Virtual Private Network (VPN) connections.
- The system and/or activity logs for all Sensitive Systems including firewalls and Active Directory as implemented in the Insured’s environment stored for a minimum period of 6 (six) months.
- Anti-virus and/or anti-malware software installed on all desktops, laptops and Sensitive Systems (where applicable and in accordance with best practice recommendations) and kept updated as per the software providers’ recommendations.
- Security-related patches and updates applied/installed on Sensitive Systems within 3 (three) months of release by the provider.
- Password controls are implemented on Sensitive Systems. These controls must include:
- Password length of at least 8 (eight) characters.
- Passwords which are not common dictionary words and cannot within reason be deemed widely used or easily guessable, including the Insured’s name or P@ssword1 for example.
- A lockout on user accounts where, at most, there are 10 (ten) failed authentication attempts, otherwise, multi-factor authentication should be implemented.
- Firewalls configured to restrict access to digitally stored Sensitive Information.
FAQs
Cyber or Data Liability Cover
There are many ways to mitigate the risk of cyber threats such as staff education, encryption, bring-your-own-device policies and password policies, however, even the most diligent businesses can be exposed to a cyber-attack.
A cyber insurance policy provides the most comprehensive cover for system and data-related risks.
- A Professional Indemnity policy provides limited cover for third-party data loss but only as it relates to the provision of professional services.
- A General Liability policy, as data is deemed intangible provides no cover.
- A Business Interruption policy requires physical damage to trigger the policy and incidents such as ransomware or hacking a server may reflect no physical damage.
- A Commercial Crime policy provides cover for first-party financial loss only.
- A Directors & Officers policy will likely be triggered after a cyber breach but will not cover the business interruption, incident response or liability damages suffered by the company.
- This optional Cyber / Data Liability Insurance offering is ONLY available to our Medical Malpractice scheme policyholders.
- Your current IT setup, data and systems must be compliant with the Minimum Security Requirements (see below). If you are not sure, we recommend that you consult your IT professional before commencing with either of these liability offerings.
- Please read the full Cyber Liability Policy Document available for viewing and downloading from your personal Medical Malpractice Profile page.
- You can take out this policy (Cyber or Data) at the same time as your Medical Malpractice insurance cover OR at any time thereafter, for instance:
- Together with your renewal of your existing Medical Malpractice cover, or
- At the same time as your NEW application for Medical Malpractice cover,. or
- If you have already renewed your Medical Malpractice cover for next year, you can use the “Increase Cover” link inside your Profile page.
- Simply log in to your Medical Malpractice as usual and navigate to your Profile where you can view the official Policy Document.
Costs to respond to a system’s security incident, including:
- to obtain professional (legal, public relations and IT forensics) advice, including assistance in managing the incident, co-ordinating response activities, making representation to regulatory bodies and coordination with law enforcement;
- to perform incident triage and forensic investigations, including IT experts to confirm and determine the cause of the incident, the extent of the damage including the nature and volume of data compromised, how to contain, mitigate and repair the damage, and guidance on measures to prevent reoccurrence;
- for crisis communications and public relations costs to manage a reputational crisis, including spokesperson training and social media monitoring;
- for communications to notify affected parties; and
- for remediation services such as credit and identity theft monitoring to protect affected parties from suffering further damages.
Having the latest technology, firewalls and encryption will reduce the risks of a breach occurring however, many cyber threats originate internally from employee mistakes (misplacing a laptop, or not disposing of confidential information securely). Having state of the art protection is not a 100% guarantee against an incident occurring.
You are the custodian of the data and remain responsible for any data lost in a breach. Look to use a cloud service provider that can provide reasonable assurance that your data will be protected, however, there is still a chance your business could be held liable for data compromised from the cloud environment (the same would apply for other outsourced providers you make use of and share data with).
Attacks such as ransomware are indiscriminate and can affect any company and every industry. Smaller companies are often a target for hackers particularly if they are found to have less sophisticated IT infrastructure. Smaller companies can be severely impacted following a breach as they are required to absorb the high incident response costs. Compromises at larger companies tend to yield larger data sets for theft and break into the news, which can boost a hackers’ reputation.
Glossary of Terms
Cyber Liability Terminology
Loss of income and increased cost of working as a result of a systems security incident.
Costs to restore, re-collect or replace data lost, stolen or corrupted due to a systems security incident.
Unrecoverable loss of money, belonging to or for which you are legally responsible, as a direct result of a system security incident by a third party. Cryptocurrency losses are excluded.
Defence and settlement of liability claims resulting from disseminated content (including social media content) including:
- Defamation;
- Unintentional copyright infringement; or
- Unintentional infringement of right to privacy.
Defence and settlement of liability claims resulting from a system security incident affecting systems and data as well as causing harm to third-party systems and data.
Cover for exposure to named outsourced service providers including:
- defence and settlement of liability claims resulting from your data being compromised from an outsourced service provider;
- business interruption losses resulting from a systems security incident at an outsourced service provider; and
- costs to change to an alternate outsourced service provider if required.
Cover for direct monetary fines, penalties, assessments, chargebacks, reimbursements and fraud recoveries which you become legally obligated to pay in terms of a merchant services agreement as a direct result of a network security breach resulting from non-compliance with PCI-DSS.
Reasonable costs to demonstrate your ability to prevent a future breach as required by your merchant services agreement.
Call and/or bandwidth usage costs you are legally obligated to pay as a result of unauthorised use of your telecommunications system by a third party.
Costs to replace or repair direct physical damage of tangible property belonging to or rented, leased or hired by you as a direct result of a system security incident.
We hope that this information will assist you in considering taking out cyber insurance coverage.
For more information please contact CFP Brokers