MPR offers Cyber Incident Response and Insurance to organisations to protect against 1st party costs and third-party liabilities arising from Cyber Events.
This Cyber insurance policy offers integrated insurance and vendor-led solutions to protect and assist organisations following a Cyber Event. It provides immediate incident response within the crucial first few hours and coordinates the necessary services and resources at a time of need. A Cyber Event is likely to be one of the most testing times for any organisation and responding quickly, and correctly, is vital.
Why do your clients need cyber insurance?
- Cyber events have become part of modern business life and are increasing all the time, impacting organisations of all shapes and sizes.
- Even companies with strong security and privacy controls are not immune to cyber risks. Many organisations have focussed on IT security and defence as a main priority, but not attached the same importance to response and recovery should the worst happen.
- The first 48 hours following a cyber event are crucial. It is often the way an organisation responds, not the event itself, which has the biggest impact. Slow or poor handling can have catastrophic implications and severely damage the reputation of an organisation.
- Longer term consequences (for example, 3rd party claims, regulator fines, business income loss and reputation damage) are all heavily mitigated or influenced by the immediate evaluation, action and handling of the short-term crisis.
- The UK regulations changed in May 2018 with the implementation of the UK Data Bill, which complies with the EU's GDPR (General Data Protection Regulation). This brought additional regulatory requirements to organisations for notifying and dealing with cyber events.
What does the policy cover?
1st Party cover:
- Immediate Incident Response – 24/7/365 – triage and coordination;
- Crisis Management Expenses – advice, forensics, information security services, recovery of data, PR and call centre activities;
- Privacy Notification Expenses – advice and notification, including credit monitoring services;
- Cyber Extortion Expenses – consultancy and payments;
- Business Interruption & System Damage – lost net profits during a cyber event and rectification of data/systems.
3rd Party cover:
- Cyber Liability – Privacy and network security wrongful acts;
- Media Liability – Infringement of IP, defamation, invasion of privacy due to online media;
Fines and penalties:
- Privacy Regulator Actions – defence costs, consumer redress funds and fines (where insurable);
- PCI Loss – Payment Card Industry fines due to non-compliance.
What limits are available?
Up to £5 million in the aggregate.
What does an underwriter like to see?
- A broad range of firms with good IT security, access control and established risk management principles;
- A form of cyber security accreditation or external testing;
- Good staff awareness and training;
- Good control and contractual protection from 3rd party service providers;
- UK domiciled organisations;
- Target areas include firms with traditional business models or those in the professional services sector.
Is there anything an underwriter wouldn’t insure?
- Some organisations are exposed to more risk. Underwriters will therefore exercise a more cautious approach to firms with poor IT security or inadequate risk management;
- Underwriters are also more cautious of businesses involved in large retail, utilities, payment processing, critical infrastructure, telecoms or gambling/gaming;
- Businesses with large volumes of personal data or heavy US exposure will also require careful consideration.
Why choose MPR?
- Deep experience over many years in all the products we underwrite
- Simple and clearly stated policy language with the removal of ambiguity
- A straightforward, broker focussed, technical and service based proposition
- Strong financial rating
- Modular, flexible approach to cover
- The insured can choose insuring clauses and limits to suit their requirements (including full limits on privacy notification & crisis management expenses).
- ‘Pay on behalf of’ language
- Many Cyber insurance policies provide good 1st party coverage, but on a reimbursement basis, meaning the insured must incur the costs and then claim the money back. ‘Pay on behalf of’ language ensures a smooth process that doesn’t inconvenience the insured.
- Worldwide cover
- Cyber events can happen anywhere in the world and data breaches carry different notification requirements by location. If an insured has a privacy breach it must follow the privacy laws that govern where its data subjects live, not where the company is headquartered. Having a policy that recognises this, and legal experience to assist, is therefore vital.
- Immediate Incident Responses – zero deductible
- This is critical when dealing with a Cyber Event – the first few hours are often the hardest to deal with and can have the greatest long-term impact. With MPR’s policy, there is immediate access to a market leading risk response service who triage the situation, coordinate with the insured and begin the immediate steps to bring in the necessary vendor services. What is more, the deductible for this immediate triage is £0.
- Immediate Incident Response – Lawyer-led and focussed on the Insured
- Having a lawyer-led service gives legal privilege, which can be vital when dealing with sensitive information and potential regulatory matters. The service is also focussed on the insured, and not geared towards limiting the costs to the insurer. This is mutually beneficial, as having a thorough service at the start will mitigate further costs, claims or fines later in the process. Within one hour of phoning the 24/7 helpline, the insured will be speaking with a lawyer, who will initiate the streamlined response.
- Cyber Crime & ‘Social Engineering’ cover
- The MPR policy contains an operative clause for Cyber Crime. Many organisations are concerned about their own financial loss due to Funds Transfer Fraud, Social Engineering or Telephone Fraud loss. Unlike other insurers, this is not limited to just cyber events such as Phishing or Hacking.
- ‘Potential’ versus ‘actual’ language
- ‘Potential’ is an important word in the context of unauthorised access. For example, if a laptop is lost or misplaced, the insured does not want to be placed into a position where an actual unauthorised access needs to be proven before their cyber policy potentially responds.
- Discovery of a Cyber Event
- Another vital aspect of any Cyber policy is what constitutes ‘discovery’ and the importance of a retroactive date. MPR’s policy applies a retroactive date to the ‘wrongful act’ aspects of the policy (with the ability to backdate subject to further underwriting), but applies a definition of Discovery to many of the 1st party covers – i.e. the date that a senior representative of the insured learns of the Cyber Event. A Cyber Event lying undiscovered prior to the inception of the policy will still be covered if it is discovered after commencement.
- Insider and outsider threats
- MPR’s policy is not restricted to 3rd party threats, so insider breaches of security from ‘rogue employees’ are also covered.
- Corporate Information is covered
- MPR’s definition of ‘record’ is not just limited to personal information, it also includes an organisation’s non-public, corporate information.
- No onerous policy conditions or warranties
- MPR’s policy has no language eliminating cover if the insured fails to update, upgrade or test software, nor any minimum requirements for encryption or maintaining system security policies.
- Regulatory actions, fines and penalties (including PCI cover)
- MPR’s policy provides cover for regulatory fines (where law allows), regulatory action defence costs and consumer redress payments. We can also cover Payment Card Industry (PCI) Fines.
- 3rd Party Service Providers covered
- MPR’s policy extends to records held by third party vendors and business partners (e.g. back up, cloud or hosting).
- Cyber Terrorism
- Many insurers have broad exclusions for Cyber terrorism, but this often also removes ‘hacktivist’ cover. MPR’s policy also has an exclusion, but not where it is expressly directed against the insured’s systems.
- Previous policy cover option
- The Cyber Insurance market is a difficult one to navigate, so moving insurance carrier can be a concern. Whilst there is no obvious impediment to switching to a stronger product offering with much better incident response, bewildering use of jargon and statements of product capability can nonetheless create some room for doubt. Allowing an optional ‘look back’ provision in a policy permits a previous policy to be used to interpret a claim made on a superseding form. It is a far from perfect science, but it can provide some comfort where it is required.
What can go wrong?
A marketing company executive accidentally left his laptop on a train. The laptop contained significant private customer and employee information. The laptop had password protection, but had not been fully encrypted.
The ultimate whereabouts of the laptop may never be known. However, due to the ‘potential unauthorised access language’ in the MPR policy, the insured would be able to phone the incident response number at any time. Within one hour, the insured will speak with a specialist lawyer who can coordinate any necessary incident response service and engage any appropriate vendors. An assessment of the nature of the information on the laptop can be made, with any necessary forensic experts and legal services retained to provide advice on notification requirements. MPR’s policy allows the insured to engage a notification and credit monitoring company, if that is ultimately considered to be a necessary measure.
An employee clicked on an email link that introduced malware into the organisation's systems. Their critical data was encrypted and a message was received, demanding a financial payment to provide the decryption key.
This demonstrates a few key themes. First, the increase in ransomware attacks and how easily they can be triggered. Second, the significance of employees (often referred to as the ‘human firewall’) and why it is so important to train staff to recognise potential threats.
In this situation, an insured organisation could utilise the immediate incident response services to coordinate an immediate plan of action, starting with a forensic investigator and network examiner who would contain and eradicate the breach. Thankfully, the organisation had good back-up procedures and had segregated their data. No personal information was accessed, which allowed the team to reinstate with minimal loss of data and no financial impact to the business.
Forensic costs can be very expensive, but the process was very quick, with very little disruption to the business operations. The ‘pay on behalf of language’ also makes the process much smoother for the insured organisation.
An employee of an organisation was made redundant but, prior to termination, gained unauthorised access to the confidential database. The employee stole, and then sold, 20,000 customer records (names and credit card information) and the details of 250 employees.
The unauthorised access was detected and an immediate incident response triage service was initiated. A forensic team was appointed to assess the extent of the breach and a legal firm with global expertise took care of the local privacy law implications (due to the global client base).
Privacy notification services were used to inform the affected data subjects, with additional costs paid for credit monitoring and setting up a call centre to answer concerns. Insurance would also allow access to expert public relations services to handle the media response and mitigate any possible reputational damage.
The immediate forensics, crisis and notification services were completed in the first 3 days, but the call centre and PR services continued for a month.