Your questions answered
We are here to help you navigate the complex cyber security landscape. We negotiate with industry leading vendors offering security solutions software and hardware, computer equipment all at lowest price guarantees. In the event that you experience a breach, your membership will grant you 24/7 unlimited IT support from HP and access to data breach vendors who will assist you every step of the way.
Our PLUS membership includes all the benefits of our Club tier PLUS
- ID theft protection for up to 100 of your employees
- One free initial legal consultation with law firm Foley and Lardner (post breach)
- Unlimited around the clock incident response support
- Security risk self-assessments
- Incident response plan templates
- Lowest negotiated prices on breach response services
- Data breach notification letter template
- forensics consultation
- educational portal
Once you join our PLUS tier, you receive all the listed benefits plus access to our data breach vendors at lowest rates on all preventive/pre-breach and post breach vendor services.
Purchase our PREMIUM membership and you will receive all the features of the Club and Plus tiers in addition to Unlimited 24/7 IT support from HP and regulatory compliance templates. Considering majority of small business owners do not have IT support on staff, this benefit provides your very own IT support Anywhere, Antime, Any Device. Need help staying complaint with regulatory agencies? Download these compliance templates and protect your business from potentially significant regulatory fines and penalties. These two benefits add tremendous value to purchasing a membership. Again, you will receive 24/7 Unlimited IT support for any device throughout your company from HP
We have a two-tiered pricing system starting at $399 for Plus membership, and $599 for our Premium level membership. Each membership tier has specific benefits available.
A cyber incident is any event that threatens the security, confidentiality, integrity, or availability of information assets (electronic or paper), information systems, and/or the networks that deliver the information. Any violation of computer security policies, acceptable use policies, or standard computer security practices is an incident. Incidents may include but are not limited to: Unauthorized entry, Security breach or potential security breach, Unauthorized scan or probe, Denial of service, Malicious code or virus, Networking system failure (widespread), Application or database failure (widespread).
Most states, the District of Columbia, Puerto Rico and the US Virgin Islands have enacted data breach notification laws requiring businesses to notify affected individuals (customers, clients, patients, employees) when a data breach involving their personally identifiable information (also referred to as PII) occurs. However, not all security incidents are considered breaches under each state’s data breach notification law. An analysis in accordance with the incident response plan may be necessary to determine if a security incident requires notification under the applicable state’s breach notification law
An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effect of a security incident. IRP provides a step-by-step process that should be followed when an incident occurs.
According to the SANS Institute, there are six key phases of an incident response plan:
- Preparation: Preparing users and IT staff to handle potential incidents should they should arise
- Identification: Determining whether an event is indeed a security incident
- Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage
- Eradication: Finding the root cause of the incident, removing affected systems from the production environment
- Recovery: Permitting affected systems back into the production environment, ensuring no threat remains
- Lessons learned: Completing incident documentation, performing analysis to ultimately learn from incident and potentially improve future response efforts
“Cyber” Liability is insurance coverage specifically designed to protect a business or organization from:
- Liability claims involving the unauthorized release of information for which the organization has a legal obligation to keep private or confidential
- Liability claims alleging invasion of privacy and/or copyright/trademark violations in a digital, online or social media environment
- Liability claims alleging failures of computer security that result in deletion/alteration of data, transmission of malicious code, denial of service, etc.
- Defense costs in State or Federal regulatory proceedings that involve violations of privacy law; and
- The provision of expert resources and monetary reimbursement to the Insured for the out-of-pocket (1st Party) expenses associated with the appropriate handling of the types of incidents listed above
The term “Cyber” implies coverage only for incidents that involve electronic hacking or online activities, whenin fact this product is much broader, covering private data and communications in many different formats – paper, digital or otherwise.
The Privacy Liability insuring agreement in our policy goes beyond providing liability protection for the Insured against the unauthorized release of Personally Identifiable Information (PII), Protected Health Information (PHI), and corporate confidential information like most popular “Data Breach” policies. Rather, our policy provides true “Privacy” protection in that the definition of Privacy Breach includes violations of any rights to privacy (e.g., person’s right of publicity or disclosure of private information). Because information lost in every data breach may not fit State or Federal-specific definitions of PII or PHI, our policy helps to fill these potentially costly gaps. This is a key provision that truly sets the BCS Cyber and Privacy Liability Policy apart from others.
The Privacy Regulatory Claims Coverage insuring agreement provides coverage for both legal defense and the resulting fines/penalties emanating from a regulatory claim made against the Insured, alleging a privacy breach or a violation of a Federal, State, local or foreign statute or regulation with respect to privacy regulations.
This 1st Party coverage reimburses an Insured for costs incurred in the event of a security breach of personal, non-public information of their customers or employees. Examples include:
- The hiring of a public relations consultant to help avert or mitigate damage to the Insured’s brand
- IT forensics, customer notification and 1st Party legal expenses to determine the Insured’s obligations under applicable Privacy Regulations
- Credit monitoring expenses for affected customers. Our policy can extend coverage even in instances where there is no legal duty to notify if the Insured feels that doing so will mitigate potential brand damage (such voluntary notification requires prior written consent).
The Security Liability insuring agreement provides coverage for the Insured for allegations of a “Security Wrongful Act”, including:
- The inability of a third-party, who is authorized to do so, to gain access to the Insured’s computer systems
- The failure to prevent unauthorized access to or use of a computer system, and/or the failure to prevent false communications such as “phishing” that results in corruption, deletion of or damage to electronic data, theft of data and denial of service attacks against websites or computer systems of a third party
- Protects against liability associated with the Insured’s failure to prevent transmission of malicious code from their computer system to a third party’s computer system
The Multimedia Liability insuring agreement provides coverage against allegations that include:
- Defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patent excluded) in the course of the Insured’s communication of media content in electronic (website, social media, etc.) or non-electronic forms
Other “Cyber” insurance policies often limit this coverage to content posted to the Insured’s website. Our policy extends what types of media are covered as well as the formats where this information resides.
The Cyber Extortion insuring agreement provides:
- Expense and payments to a harmful third party to avert potential damage threatened against the Insured such as the introduction of malicious code, system interruption, data corruption or destruction or dissemination of personal or confidential corporate information.
The Business Income and Digital Asset Restoration insuring agreement provides for lost earnings and expenses incurred because of a security compromise that leads to the failure or disruption of a computer system, or, an authorized third-party’s inability to access a computer system. Restoration costs to restore or recreate digital (not hardware) assets to their pre-loss state are provided for as well. What’s more, the definition of Computer System is broadened to include not only systems under the Insured’s direct control, but also systems under the control of a Service Provider with whom the Insured contracts to hold or process their digital assets.
The Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 through a collaboration of the major credit card brands as a means of bringing standardized security best practices for the secure processing of credit card transactions. Merchants and service providers must adhere to certain goals and requirements in order to be “PCI Compliant,” and under specific agreements, may subject an Insured to an “assessment” for breach of such terms. The BCS Cyber and Privacy Liability Policy responds to PCI assessments as well as claims expenses in the wake of a breach involving cardholder information.
The Cyber Deception extension, if the applicant is eligible and if purchased for an additional premium, provides coverage for the intentional misleading of the Applicant by means of a dishonest misrepresentation of a material fact contained or conveyed within an electronic or telephonic communication(s) and which is relied upon by the Applicant believing it to be genuine. This is commonly known as “spear-phishing” or “social engineering”.
As with any insurance policy, what sets our coverage apart lies in the definitions and exclusions in the policy. The BCS Cyber and Privacy Liability Policy offers comprehensive critical terms such as Privacy Breach, Computer System, and Media Content. These definitions, along with the absence of some industrystandard exclusions and a drastically streamlined application process, make this policy more comprehensive and easier to access than the typical cyber policy available from traditional sources.
The short answer is “No”. While liability coverage for data breach and privacy claims has been found in limited instances through General Liability, Commercial Crime and some D&O policies, these forms were not intended to respond to the modern threats posed in today’s 24/7 information environment. Where coverage has been afforded in the past, carriers (and the ISO) are taking great measures to include exclusionary language in form updates that make clear their intentions of not covering these threats. Additionally, even if coverage can be found in rare instances through other policies, they lack the expert resources and critical 1st Party coverages that help mitigate the financial, operational and reputational damages a data breach can inflict on an organization.
While there is presently no law that requires a business or organization to carry Cyber Liability, there is a national trend in business contracts for proof of this coverage. In addition, the SEC is encouraging disclosure of this coverage as a way of demonstrating sound information security risk management. Laws such as HIPAA-HITECH and Gramm-Leach-Bliley and state-specific data breach laws are continually driving demand as requirements for notification in the wake of a data breach become more expensive.
The Symantec 2014 Internet Security Threat Report reports that small businesses accounted for 38% of targeted spear-phishing attacks in 2015. In 2012, Verizon reported that approximately 40% of all data breaches that year occurred among companies with fewer than 100 employees. Even more alarming is the fact that 60% of companies that have been a victim of cyber-attacks are out of business within six months. While breaches involving public corporations and government entities garner the vast majority of headlines, it is the small business that can be most at risk. With lower information security budgets, limited personnel and greater system vulnerabilities, small businesses are increasingly at risk for a data breach.
The responsibility to notify customers of a data breach or legal liabilities associated with protecting customer data, remain the responsibility of the Insured. Generally speaking, business relationships exist between Insureds and their customers, not their customers and the back-office vendors the Insured uses to assist them in their operations. Outsourcing business critical functions such as payment processing, data storage, website hosting, etc. can help insulate Insureds from risk, however, the contractual agreement wording between Insureds, their customers and the vendors with whom they do business will govern the extent to which liability is assigned in specific incidents.
The Ponemon Institute, a well-known research firm, publishes an annual “Cost of a Data Breach” report. In partnership with IBM, the 2014 report indicated that the average cost paid for each lost or stolen record is $201. These numbers are reflective of both the indirect expenses associated with a breach (time, effort and other organizational resources spent during the data breach resolution, customer churn, etc.), as well as direct expenses (customer notification, credit monitoring, forensics, hiring a law firm, etc.).
Because every breach is different, and the per-capita cost of a breach depends largely on the number of records compromised, it is helpful for small to mid-sized organizations to start with a lower number of $65/record, (the average direct costs associated with a breach in the Ponemon study) – multiply this number by the estimated number of records containing PII, PHI or financial account information in the Insured’s control. By engaging in this simple exercise, businesses quickly understand the financial value of implementing cyber insurance as a risk transfer vehicle. More information can be found at www.ponemon.org.
Most States are on the admitted paper and written through BCS Insurance Company. For those remaining states where the admitted filings are still in process, the forms will be written through Lloyd’s of London. Currently, all states are written on admitted paper except: NY and VT.
The BCS Cyber and Privacy Liability Policy is underwritten by BCS Insurance Company and powered by and with the backing of certain syndicates at Lloyd’s of London. BCS Insurance Company is a licensed insurance company in all states, Puerto Rico and the District of Columbia. BCS Insurance Company provides value through a solid foundation of strong governance, national and international capabilities and product and industry expertise and is rated A- (Excellent) by A.M. Best. BCS Insurance has been in business for over 60 years. It is a wholly owned subsidiary of BCS Financial Corporation which, in turn, is owned by all Blue Cross Blue Shield primary licensees. BCS Insurance Company’s relationship with certain syndicates at Lloyd’s of London brings additional strength, stability and industry-leading expertise to the RPS cyber insurance program.
A 24-hour data breach hotline is available to report incidents or even suspected incidents. As soon as you suspect a data breach incident or receive notice of a claim, you should call the hotline listed in your policy. This hotline is manned by Baker Hostetler, a world-wide leading privacy law firm with experience in handling thousands of data breach events. Immediately after calling the hotline, you are required to send notice to Clyde & Co., the designated legal firm that has been contracted to triage initial notices in this regard. This can be done by sending an email with a brief description of the incident, including your contact information, to the claims-reporting email address listed in your policy. Your agent, as well as the in-house BCS claims team, will receive notification of the incident (or any third-party claim) as well. It is critical that you immediately report any and all incidents that you believe could give rise to a claim of any kind under this policy.
Please contact your CyberShield Global Broker at (800) 555-6750 with any questions you may have.