Cybersecurity Insurance For Security Integrators

Published Nov 29, 2018 16:40 PM

Most security industry professionals carry insurance to cover themselves in the event of a general loss. However, most are not carrying cyber insurance.

Insurers and industry groups IPVM spoke to say it is a 'no-brainer.' However, for integrators that are concerned about the bottom line and may feel that they will not have an issue, this may look like a poor investment.

In this note, based on our research and interviews, we look at:

  • Why have it
  • What are the different types
  • Who offers it
  • How much does it cost
  • Who is endorsing it
  • What are the reasons against it

Why **** ** - ******** **** ***** ****

**** ******** ************* **** ** ***** at ***** ******* ********* (**) ******** to ******* ***** ******** ** *** event ** * **** ** ** the ***** **** **** * ******* on * ****** *******. *** *******, it ** ****** ** ********** **** to ******* ***** ** *********.

*******, ***** ********* ** *** ******* something **** ******** *********** ***** **, though********* *********, ***., *** ** *** ******** **** spoke ****, **** **** "***** ** one ** *** ******* ****** ***** and *** ** *** ******* ****** areas *** *** ********* ********, *******."

[**** ** ****** *********]

********* ** ****** ********** [**** ** longer *********], ************ ***** ****** *************, * ********* ****** ** ***** policies ** ********* *********, *** ******** a ***** ****** *** *** ********* very *******:

*** ******* ****** **** *** ********* in *** $**-$** ******* ******* ***** without * ****** ** $***,***. *** average **** *** * ******* ******** is $***/****. *** ******* **** *** a ******** ********* ****** ** *********** your ****** ** $***/****.

********* ********* ******* ** ************** ***** **** ****** *********** **** a ***** ****** ** **** ***** was **********, **** **** *** ******** for *** ***********.

*******, *********** **** ***** ******** ************ are ******** ** ****** ** ********* of ****** *********:

** ***** *********** **** ****** *******, those ******* *** ***** ** **** bigger ***** ***** *** ****'** ** putting ***** ********* **** ***** ************.

***** **** [**** ** ****** *********] of******* ************* **** **** **** **** *** best ** ********** *** *** **** stringent ************* **** ********* *********, *** careless ******** ******** ** * **** in ** ***** *** ********* * company *** **** **** ** * breach.

What *** *** ********* *****

*********** **** **** ** ** ****** a ******** ** ***** ** *** different ***** ** ******** ** ****** "cyber":

***** ** * *** **** *** it. ** ****** ***** *** **** is—on ***** ** ** *** *****—***’** still ****** *** **. ********’* ******* on *** ******, *** ** **** plenty ****** ****** ** **** ****’* about ********.

***** *** ******** * ***** ** coverage **** **** ***** *** ******* catch-all ******* "*****," ********* ** ***********

  • *******
  • *****
  • *******

********** ****:

*** ******* ******* ** ***** *** when * ******* ****** * ***** guide ****** *** ** *** ** $80,000 ***** ******* ****** **** *** an ******** ******* *** ****** ********** posting *******. * ***** ** ****** had ********** **** ***** *****, ** the ******* ****.

********* ** *** ******** **** ***** with * **** ***** ****** ****** also ***** ****** **** *******, *****, misrepresentation, ********* ************, *** ****** **** infringement.

Who ****** **

*** ********* ***** ******, ***********, **** there **** ******** ***** **** * dozen ******** *** **** ******** ***** coverage *** ***** ** ****:

**** * *****-***** ***********, ***** *** probably **-** *** ****** **** *****’* probably * ** * *** *** doing * **** **** *** ** writing ******** *** **********-***** *********.

***** ******** **** *** ********* ***** coverage ********** ********, ******* ****** [**** ** ****** available],********* ********,********* *********, ***., *** ******. **** ** *** an ********** ****. **** **** ******* out ** *** *********, ***** ****, Allstate, *** *******' ********* *** *** not ***** **** ***.

*********** **** *** *** ********* ********* for ****** *********** *** ******** ** the *****/******** ***** ************* ***,******,***, *********.

**** ******* [**** ** ****** *********], President, *** *** ***** ******** ********** * *******, *******, ******* **** most *********** **** ** ** ***** existing ******* ********* ***** *** **** tell ****, ******** ***********, **** *** provide *** ***** ********:

** ********* ********* ***** ********** **** existing *****. ******* *** **** ******** of **** ******** ****** *** ***** to *** **** **** **** **** type ** ******** **** ** **** that ** *** *** ****.

How **** **** ** ****

*** ******** ** ***** **** **** the **** **** **** ********* ** a ****** ** *******, ********* *** revenues ** *** ******* ** ********, the ***** ** ************ **** **** with, *** ****** ** ***** ********* and *** ********* **** **** ***** coverage ** **. ** *********** **** cyber **** ********, ******** **** ** less **** * **** ****** ******** privacy, *****, *** *******. *** ******** in *** ***** ***** *** * $10 ******* ** ******** *******:

  • $* ******* ** ******** ** ~$*,***/****
  • $* ******* ** ******** ** ~$*,*** - $*,***/****
  • $* ******* ** ******** ** ~$**,***/****

********** **** *** **** *** * $10 ******* ** ******** ******* *** $1 ******* ** ******** *** ***** only ** ~$***/****.

*********** ******** **** ***** *** **** of ******** *** ***** *** **** create ** *********** ***** **** ****** doesn't ******* ****** **********:

*** *** ** ****, **** **** they *** ***** ***** $** ***-*** and ****’** **** ***** **** ** without **** ****. * **** ****** will ******* **** ******* ***** ****** add-ons ***'* *******.

Who ** ********* **

***'* *******, ** ***** *****, **** they ********* ***** ******* *********** ******* coverage **** ** ******* *** *** cyber ******* ** ***** ** ****** the ******. ** **** **** ** today's ***** ** *** *** **** sense ** *** **** *** ******** since ** ******** ** *** ********** and *** ******* *** *** ***** to ****:

******** *********** ******* **** **’* ***** to ** ****** *********, *** ** isn’t. ** ****************. **’** *** * ****** ** claims, ***** ** ** *** *** the ****** *** ** *** ******** each.

********, ******* **** ** **** **** coverage *** ******** **** *** **** than *** *********, **** **** **** half ** *** ******* ******** ***** coverage:

** ******** **** ******* ** **% of *** ******* **** * **** cyber ******** ****** ** ****** ***. They’re *** **** *********. ****’* ****** no ****** *** ** **** *** these ****.

*** ********** ******** *************** ******** ***** ********* ******** ******* their******** ******* **** ********** ***** [*****]:

** ****** ********* ***** ******** ** all ******** *** *******. *** ******** is **** *** **** * ***** happens, *** **** ******* ** **** you ******* **. *** ******* ** a**************.

*** ******** ******** ***********(***) **** ********** *********** ******** ********* and ******* ********** ** ******:

*** ********** ***** ** ******** ***** insurance ******** ********* *** ** ********* if * ***** ********* ****** ***** their *****. *** ******** ****** ** closely ********, *** *******, *** ******** cyber ********* *** ** * ****** tool.

What *** *** ******* ******* **

**** *********** ****** ******* **** * breach ** ******** ** ****** ****. And, *************, ***** *** *** ***** charged ** ********, **** ******* **** they *** ***** (*.*., ** * $1 ******* ****** ***** $***, **** implies *** ******* ****** *** **** of ** ********** ** * **** are **** **** * ** *,***).

**** *********** **** ****** **** *** good ** ***** *** *** **** not **** *** ***** ** ******** that **** ** **** ********. *** example, **** **** ***** *** ****** precautionary ***** ** ******* ****, **** down ******, ****** ******** *** ******* any ****** **** *********.

**** **** ******** **** ** *** cost ********** **** ****** ******** *** weigh **** ******* *** ****** **** they **** ****** * ****** *** say *** **** ** *** ********* by *** ****. ***** *********** **** rightly ****** **** ********* ********* ***** not ***** ** ***** ******** *** actually ****** *** **** *****. ********* companies ******** ** ****** *** **** because **** ******* **** ** ****** premiums **** **** *** *** ** claims.

**** ** ***** ** ******** **** of ********* **** *** ******* **** spoke **** ******* ** *** "****, wild ****." *** ***** ** ********* available ***** ****** ** ***** ** overpriced. * **** *** *** ******** may ** **** ** **** ****.

Comments (16)
Undisclosed #1
Nov 29, 2018

As a consultant, all of my projects now require a minimum of $1M in cyber liability insurance. 

Dan Gelinas
Nov 29, 2018
IPVM

Thanks for the feedback U#1. Let me ask you, are there specific types or terms you list for the cyber policy?

Undisclosed #1
Nov 29, 2018

Here is the typical language for the average project:

Cyber Liability Insurance: Privacy and Network Security (“cyber”) insurance covering loss arising out of or in connection with loss or disclosure of Personal Information, PHI, or Confidential Information, in a minimum amount of $1,000,000 per occurrence and in the annual aggregate.

The contractor is required to submit their certificate of insurance with their bid.

Nathan Adams
Dec 10, 2018

Why not state the contractor will not store Personal Information, PHI, or Confidential Information?  It is very rare for these contracts to have a need to do so.  And how do you arrive at the $1,000,000 figure? Are you assuming your client will somehow be entitled to a share of that money?      

Undisclosed #1
Dec 11, 2018

Why not state the contractor will not store Personal Information, PHI, or Confidential Information?

We do but it is impossible to enforce. The cyber policy provides the extra financial protection should an issue arise. The $1M amount is a standard limit and a business would have a hard time finding a carrier who would write it for less. We would increase that amount for larger or more sensitive clients and the amount would be determined by working with the client's insurance company.

Are you assuming your client will somehow be entitled to a share of that money?

That is not an assumption. If a contractor's network is breached and exposes a client's information, their insurance company absolutely will be providing financial compensation to the client.

Undisclosed #2
Nov 29, 2018

Not that this is a bad thing but I am sure many insurance agents will soon be making a killing by scaring both the integrator and customer. YOU NEED THIS NOW BECAUSE!!!!

Perhaps the insurance rates should be adjusted by manufacturer type. Compare insurance on a Bugatti versus a Volkswagen Jetta. Of course I am only joking, however blanket insurance for the lack of technical knowledge is embarrassing. People, you need to know how to harden and maintain your technical infrastructures as a service life cycle and use that revenue paid by your customer to cover the new insurance costs.

We are all screwed because soon the AI will be the insurance adjuster for outdated systems attached to the internet. Systems not in compliance based on all of the meta data farmed by AI will result in increased fines and penalties for poor maintenance of said systems. This could stem all the way to not keeping your refrigerator firmware updated and letting it sit on the internet like a rotten apple decaying on the ground. Perhaps Comcast can soon offer an IT-AI bot service that maintains all of your device compliances and lifespan for a low-low monthly subscription. (owned).

AI is the new banking system, just watch for that comet that is coming! Did you see the new Capital 1 cafes? Come here guy, come eat some food while we make our wallets fatter! (Origami Tin Foil Hat Deployed).

Undisclosed #1
Nov 29, 2018

I am sure many insurance agents will soon be making a killing

My wife is a commercial insurance agent who deals with cyber policies a lot. These policies are typically add-ons to the general liability policies and pay very little. For example, an average sized contractor (according to her) will pay about $1,000 a year for a $1M dollar policy. The agency will make 10% and the agent will get somewhere between 35%-50% of that so you are talking $35-$50. Needless to say she has not made me rich yet and I am still required to go to work every day.

Undisclosed #2
Nov 29, 2018

Thanks for the info UD#1, any money is good money. Perhaps I should have directed the "killing" towards the agencies themselves, 10% just buy a few faulty password hacks, GDPR leaks is still promising forecastable revenue to get moving on.

Personally I want foam flip flop insurance, so when my flip flop breaks I don't have to run to the grocery store to buy a new pair for $1 dollar while then being tempted to spend another $20 dollars on other crap. Actually it should be "Insurance for those that buy cheap stuff".

Undisclosed #1
Nov 29, 2018

There is actually an insurance company for that called Lloyd's of London. They will literally insure anything... for a price.

Undisclosed #3
Nov 29, 2018

Considering the insurance industry is built on fear-mongering, I'll consider this more mongering. 

Undisclosed #4
Nov 30, 2018

Hoeflinger is an interesting last name. 

On a serious note... This could be possibly covered in your T's and C's in the fine print in your quotes.  As a consultant this is a concern just as much. We have it, but it's something we hopefully won't have to use because we wrote and added a strong cyber security spec section to help protect our customers from irresponsible integrators.

Good point of discussion and great article.

Nathan Adams
Dec 10, 2018

Don't be confused by someone breaching an integrator's enterprise network vs someone breaching a system or device an integrator supplies.  One is covered by cyber security insurance, one is not.  

The only reason an end-user should require cyber security insurance of an integrator is if the integrator will store end-user confidential data on their networks. This is common among hosted platforms but completely irrelevant to traditional system sales. Instead, the end-user and integrator should make it clear in the contract that at no time shall the integrator store end-user confidential data on their enterprise network.

Say an end-user buys an access control system and six months after installation someone hacks all the cardholder data, including SSNs, from the system.  That is not protected by cyber security insurance.  It is likely not covered by anything except perhaps professional liability insurance (errors and omissions) if the breach was a result of negligence. 

Bottom line: It's good practice to have cyber security insurance to protect your data - but it does not benefit you to force someone else to protect their data.

Dan Gelinas
Dec 11, 2018
IPVM

Good morning, Nathan. I wanted to thank you for the information. I've reached back out to my sources for the story as well as a new contact at the Insurance Information Institute to see if I can find some more information. I'll follow up with more information as it becomes available.

Dan Gelinas
Dec 11, 2018
IPVM

Hello Nathan. I heard back from Hannah at INSUREtrust and also from Lynne at the Insurance Information Institute. Here is what Hannah had to say and Lynne's comments follow:

I’m not sure where this individual got this information but it is inaccurate. They might have a very poor “add-on” cyber-extension in place if they are under the impression that coverage is this limited. They might also not have understood that the information I spoke to was meant to address both the Cyber and Tech E&O exposures on a combined basis. Those are the policies we are placing and recommending on system integrator placements. 

 

“Say an end-user buys an access control system and six months after installation someone hacks all the cardholder data, including SSNs, from the system. That is not protected by cyber security insurance.”

 

  • If this person carries insurance that doesn’t cover this scenario, they are under-insured for their exposure and hopefully not paying much for their coverage. This coverage is 100% available in a GOOD Cyber/Tech policy. This is also the perfect scenario to illustrate the need to have a tech E&O/Cyber policy on a combined form. The carriers I mentioned I used most often are those combined-form carriers that wouldn’t leave a gap like this in the coverage. I gave several comments you quoted focusing on the first-party side of the breach to your own systems – but that isn’t the only thing an integrator’s policy needs to cover or what the whole take-away should be.
  • We’ve had a claim where an audio/visual tech integrator didn’t catch malicious code that was in some of the software/hardware that was being installed and as a result of their services, multiple clients found out about attack to their systems that occurred 8-10 months after the services were performed. There is gray area as to whether or not the tech E&O or the Cyber should respond in some of these scenarios, hence the benefit of placing them on a combined, sophisticated form that keeps anything from falling through the cracks. You might have an issue getting this covered if you have a throw-in E&O add-on to your GL and a throw-in Cyber extension, which is precisely why we recommend against this approach. In this case, we did get it covered via a combined tech E&O/Cyber form. It was both Network Security negligence because that is how the malicious code found its way through to these systems in the first place – but also quasi-professional negligence as it is part of their standard of care to ensure their services won’t result in compromised data. Had they not had this on a sophisticated, combined form in place, there would have been more finger pointing between insurers and less actual claims handling. This could have delayed or even eliminated any claims payment from their policies.
  • Also, the definition of a claim in your combined policy should include a trigger for Breach of Contract. This should cover any breach of warranties relating to the confidentiality of client data AND any claims made against you for unintentional breach of contract relating to your professional/tech services. Adequately covering any messy scenarios that could cross-over into Cyber and E&O, but also providing broad coverage where many GL policies actually exclude breach of contract even when they do try and throw in Cyber and tech E&O.
  • Your liability as an integrator/installer doesn’t disappear once the installation is finished – so neither should your coverage. If malicious activity was found on a client’s system as a result of your connection to that system/data and you caused them damages as a result, you are liable AND coverage is available for this. Many Cyber/Tech claims we handle happened after the service was offered. In a lot of cases, the insured could have some kind of continuous connection or capability to remote-in and provide support/maintenance of systems and clients. If a privacy/security event was caused in association with any connection from the integrator to the customer’s network (at any point during the policy period) they should have coverage. Additionally, some of these claims happen purely through email communication (cyber fraudulent transfer of funds coverage/phishing coverage/transmittal of viruses, etc.)

 

“The only reason an end-user should require cyber security insurance of an integrator is if the integrator will store end-user confidential data on their networks.”

 

  • Most companies these days are outsourcing a multitude of business functions for efficiency purposes. One commonly being cloud hosting environments. What if the integrator isn’t storing any sensitive client data on their own systems but rather outsourcing this to a cloud provider where they store it all? This is still legally their responsibility to protect, regardless if a breach results from the cloud provider. That would be the insurance’s job to pursue/subrogate on the integrator’s behalf on the back-end. The integrator would still have to answer to their clients on the front end – this is the current legal stance of privacy regulators. This is why first party Cyber coverage is important.
  • All businesses are offering more and more technology based solutions and products to capture more customers with a “cutting-edge” approach. This is even more predominant in this industry that, by nature, works with sophisticated products and inter-connected tech products/solutions. So many integrators and security/alarm providers not only can remote-connect or continuously monitor systems in order to provide support and additional services, but are also developing Apps and internet-connected user platforms to make their services even more convenient to end-users. It’s not as simple as “are you storing client data or not” as I expanded upon above. This opens up a lot of unknowns for our insureds and clients alike regarding cyber and technology risks. Data has a chain of custody and depending on who is storing/transmitting or touching/connected to that data at any point in time, there might be many parties potentially liable in the situation. There are also exposures linked to cyber and technology now (like property damage and even bodily injury, invoices being manipulated via email hack, etc.) that we need to be addressing NOT just packaged into GL coverage. To reiterate, this is why they need someone crafting a combined exposure policy. As we continue down this path of technological verticals, as regulatory environments become more complex, and as our own business models differentiate and involve more subbing out of services and data – we need to make sure our businesses are prepared for the possible costs and expenses to their business.

And here is what Lynne at the Insurance Information Institute had to say:

If you have someone else handling your data, you must be sure your vendor contract makes them liable for data breaches – and they must have cyber insurance.

 

Yes, I’d agree with that statement above. And, you also must continually review the details of your vendor contracts to see that they assume breach liability.

 

Cyber insurance DOES cover data breaches. It covers:

  • Legal fees and expenses
  • Notifying customers about a data breach
  • Restoring personal identities of affected customers
  • Recovering compromised data
  • Repairing damaged computer systems

Nathan Adams
Dec 11, 2018

Thanks for the follow up, this should help everyone.

Hannah's responses speak to a combined Cyber/E&O policy which really isn't clarifying which policy covers what.  If a breach occurs the terms of one policy or the other will govern, your agent appears to be saying "just get both policies from us and surely you will be covered in any event."  If they are two separate policies then they cover different things right?  I would recommend each company get clarity on this with their own insurance provider.

Secondly I do agree with Lynne as to what Cyber Insurance covers for a data breach.

  • Legal fees and expenses
  • Notifying customers about a data breach
  • Restoring personal identities of affected customers
  • Recovering compromised data
  • Repairing damaged computer systems

What I am challenging is that the integrator's insurance company would somehow payout $1,000,000 to the end-user as some sort of punitive damages award.  They would only cover the costs of the above listed services and only if sensitive data was released as part of the breach.  With the type of data these security systems store it is unlikely this bill would run upwards of $1M.  

IMHO, the better bet for all parties is to not have the integrator store any sensitive company information in the systems they supply until the ownership of the system is transferred to the end user. Hammer that home in your contracts! No DL#s, no SSNs, no DOBs, no sensitive drawings, etc. All that stuff can be added on site at which point the end-user's Cyber Insurance should cover data breaches moving forward as it will be part of their enterprise IT environment and control. (understanding all of this changes with hosted data.)

Dan Gelinas
Dec 14, 2018
IPVM

Hello Nathan,

Again, Hannah has provided some further information in response to your last comment:

“Hannah's responses speak to a combined Cyber/E&O policy which really isn't clarifying which policy covers what.”

  • This is exactly my point. There is not a clear line between which policies cover what when they are purchased separately – there is gray area and as long as there is gray area then this will result in unfavorable circumstances for the insured when a claim does go down, like the example I gave in my previous response. Combining the coverages is essentially filling in any gaps and eliminating the finger-pointing game when the claim happens.

“Your agent appears to be saying "just get both policies from us and surely you will be covered in any event." If they are two separate policies then they cover different things right?”

  • This is not correct. I am recommending they purchase ONE policy that is a combined policy form that accounts for both the Cyber and Tech E&O coverage in one. In these policies we are able to craft both full Cyber coverage items but also technology product failure, breach of contract, errors in hardware installation/design, as well as things like alarm monitoring services. I am recommending against purchasing two separate policies for the Cyber and E&O. If they are separate, typically the insured is getting thinner coverage and sometimes at a more expensive rate. Additionally, both those policies probably have an “other insurance clause” which is why I referenced the overlap causing delayed claims due to these clauses. Neither wants to pay out. Also, when these are separate policies we usually see that they added the E&O on their package policy (which is very limited coverage compared to a combined cyber/e&o form w/ a specialty market we’d recommend) and they have a small cyber add-on or thin cyber standalone product that doesn’t give them what they need and might also not accommodate them in the event an error in their services or product also had to do with privacy or network security negligence, which is becoming a more and more likely occurrence. And unfortunately, many people do believe that those few items Lynne listed out are adequate cyber coverage when that merely scratches the surface of what a full-fledged cyber coverage should look like.

 

Sure, all of the below are some basic Cyber coverages but there is a lot missing here.

  • Legal fees and expenses
  • Notifying customers about a data breach
  • Restoring personal identities of affected customers
  • Recovering compromised data
  • Repairing damaged computer systems

 

Major coverages that need to be requested and looked at thoroughly like business interruption costs (these can be very large losses), loss of future customers due to the hacking event, public relations expenses to help externally communicate breach events effectively, cyber crime expenses due to fraudulent emails asking for changed invoices or wire transfers, forensic expert expenses to determine the scope of breaches before recovering/repairing data, coverage for cyber extortion/ransomware demands and recovery, etc.
