Approximately every 3 ½ seconds a new threat is unleashed by cyber criminals into the online world of the internet. These criminals can range from middle schoolers who vandalize websites to international terrorists who target a country’s defense infrastructure.
Financial firms face increasingly complex information and computer security risks. If you store client confidential information or anything defined as personal identifiable information (PII), cyber criminals have an interest in your stored data files to target, breach and obtain such information.
Mercer Health & Benefits Administration LLC arranges financial professionals’ Cyber Liability Insurance protection for both first party exposure and third party exposure.
Answers about the plan, including eligibility, options, enrollment, customer service and more.
Wouldn't my firm's E&O Insurance policy protect us in case of a Cyber or Privacy Breach?
This is often a coverage misinterpretation by E&O Insurance policyholders. Most Errors & Omissions Insurance policies do not cover cyber or privacy breaches. An E&O insurance policy is intended to cover clients' claims about unintentional errors or omissions while providing specified professional services. E&O policy excludes intentional criminal acts such as those commonly associated with cyber-crimes.
If Cyber exposure is not covered by E&O Insurance, can it be covered by our firm's Fidelity Bond?
Fidelity Bond or Crime Insurance Policy generally responds to a direct loss involving theft of money, securities or other tangible property. Because it does not typically cover the theft of data or other intangible property, Cyber Liability Insurance is purchased.
Some fidelity bond providers may offer a rider extending Cyber Insurance for wire transfer fraud or data theft. Conversely, some Cyber Insurance policies may offer a rider extending theft of monies by cyber criminals.
What are my obligations to report a Cyber / Privacy Breach? To whom do I report?
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information.
Security breach laws typically have provisions regarding who must comply with the law; definitions of “personal information”; what constitutes a breach; requirements for notice; and exemptions (e.g., for encrypted information).
Failure to report such breaches can be subject to hefty fines and penalties by state and industry regulators. When you service clients in multiple states, a single breach can lead to costly legal expenses to satisfy the impacted states' notification requirements. Having proper Cyber Liability Insurance not only assists in covering these expenses but also in managing the crisis.
How can I learn more about the insurance products offered by Mercer Health & Benefits Administration LLC and how they can best serve my insurance needs?
The average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public relations expenses to rebuild an organization’s reputation.1 The below examples illustrate situations in which the costs incurred to remediate a data breach were significant.
An international computer hacking group gained access electronically to the computerized cash registers of a restaurant chain and stole credit card information of 5,000 customers, starting a flood of fraudulent purchases around the world.
Theft of Digital Assets
A regional retailer contracted with a third party service provider. A burglar stole two laptops of the service provider containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer - not the service provider - was required to notify affected individuals. Total expenses incurred for notification and crisis management to customers was nearly $5,000,000.
Theft of Digital Assets
A home healthcare organization had backup tapes, laptops and disks containing social security numbers, clinical and demographic information, and in a small number of cases, patient financial data that was stolen. In total, over 365,000 patient records were exposed. The organization settled with the state attorney general, providing patients with free credit monitoring, credit restoration to patients that were victims of identity fraud, and reimbursement to patients for direct losses that resulted from the data breach. The organization was also required to revamp its security policies, implement technical safeguards and conduct random compliance audits.
A non-profit community action corporation printed two 1099 forms on one piece of paper. An employee was supposed to separate the forms and send each to its rightful owner. Instead, one person received both copies. The mistake sent tax forms and social security numbers to strangers. Approximately 50% of the landlords who work with the community action corporation received their forms in addition to the private information of the others.
Cyber Extortion Threat
A U.S. based information technology company contracted with an overseas software vendor. The contracted vendor left universal “administrator” defaults installed on the company’s server and a “Hacker for Hire” was paid $20,000 to exploit such vulnerability. The hacker advised if the requested payment was not made he would post the records of millions of registered users on a blog available for all to see. The extortion expenses and extortion monies are expected to exceed $2,000,000.
An employee of a private high school mistakenly distributed via e-mail the names, social security numbers, birthdates and medical information of students and faculty creating a privacy breach. Overall, 1,250 individuals’ information was compromised.
A juvenile released a computer worm directing infected computers to launch a denial of service attack against a regional computer consulting & application outsourcing firm. The infection caused an 18 hour shutdown of the entity’s computer systems. The computer consulting & application outsourcing firm incurred extensive costs and expenses to repair and restore their system as well as business interruption expenses which totaled approximately $875,000.
1Ponemon Institute, 4/2009 Global Cost of a Data Breach Study.