Cyber Risk

Camargue’s Cyber Risks policy covers organisations against the risks arising out of operating a computer network. Depending on the options selected, it can also:

  • Cover liability arising from on-line publishing (such as a web site) as well as from traditional media such as brochures
  • Provide professional indemnity cover appropriate to technology companies
  • Provide a form of specialised business interruption cover which covers the Insured’s loss of income arising out of computer down-time
  • Cover the cost of recovering the Insured’s lost data.
Question: Brief overview of policy exclusions
Answer:
  • Reasonable foreseeability
    • There is no cover for liability arising out of acts which the insured could reasonably have foreseen would lead to a claim.
  • Third Party infrastructure failure
    • There is no cover for liability arising out of the failure of third party equipment which is not under the Insured’s control. This applies to both electrical and mechanical failures.
    • Example: liability caused by an Eskom power failure.
    • Remember: this exclusion also applies to damage which is caused by a power spike.
  • Gradual deterioration
    • The policy excludes losses arising out of progressive or gradual deterioration.
    • Example: There is no cover for a loss which could have been prevented by properly maintaining the computers and other equipment.
  • Costing
    • There is no cover for liability arising out of incorrect or inadequate price or cost estimates or product descriptions.
  • Liability arising out of ceasing to provide a product or service
    • Example: The Insured decides to stop providing technical support for an old product. As a result these old machines stop working and the customers suffer a financial loss. There would be no cover if they sued the Insured for this financial loss.
  • Liability arising out of gambling, prizes, coupons, pornography, alcohol, tobacco, drugs, etc. is expressly excluded.
  • Unfair competition
    • There is no cover for liability arising out of:
      • anti-competitive behaviour
      • violating a restraint of trade
      • deceptive trade practices
  • FICA violations
    • There is no cover for liability arising out of a violation of the Prevention of Corrupt Activities Act or the Financial Intelligence Centre Act.
    • This exclusion applies to the Privacy Regulatory Defence and Penalties.
  • Government
    • There is no cover under the Professional Services section for claims brought against the Insured by any government - in its capacity as a customer - if the claim arises out of a violation of the Prevention of Corrupt Activities Act or the Financial Intelligence Centre Act.
  • Bodily injury
    • Injury includes death and sickness
    • Mental anguish is covered if it results from the trauma of a breach of privacy and the like.
  • Property Damage
    • There is no cover for loss, destruction and corruption of tangible property. This exclusion does not apply to data which is not tangible property.
  • Fire & perils
    • There is no cover for liability arising out of fire, flood, earthquake, etc.
    • However if the fire & perils event causes an insured event (such as the loss of data) then there would be cover for the insured event.
    • Example: This exclusion would not apply if the tsunami destroyed the Insured’s data centre as well as the back-up site.
    • Remember: There is no cover for the hardware itself, only the data and the consequential loss are covered.
  • Assumed liability
    • There is no cover if the Insured takes over someone else’s liability (unless the Insured would have been liable anyway).
  • Beta Testing
    • There is no cover for any loss of data and income arising out of using programs which are not production ready.
  • Unlicensed programs
    • There is no cover for wilful acts such as knowingly using unlicensed programs.
  • Electromagnetic fields
    • Liability arising out of electromagnetic fields is not covered.
  • Retroactive date
    • There is no cover if the event which caused the liability happened before the retroactive date.
  • Pre-existing claims
    • There is no cover if the Insured was aware of the liability, or the possibility of that liability before the start of the policy.
    • There is no cover for any claim which was notified to a previous insurer.
  • Insured v Insured
    • Claims made by one insured party against another are not covered.
    • An exception arises where the claim is brought by an employee against the Insured.
  • Wilful acts
    • Liability arising from wilful, deliberate, malicious or criminal acts is excluded.
    • Where such a claim is made against the Insured or its employee, the policy will pay the defence costs, but if found guilty, those defence costs must be repaid.
    • There is no cover if an employee, director or partner of the Insured deliberately assists the Insured in infringing any intellectual property or trade secret.
    • Liability arising out of the use of pirated software is also not covered.
  • Outside activities
    • The policy provides no cover for any activities which happen while acting on behalf of someone other than the named Insured.
    • Example: Peter is one of the Insured’s employees who writes a program for his uncle’s company. Things go wrong and Peter is sued. Although the policy does cover the Insured’s employees, there would be no cover for Peter in this case because it was not the Insured’s business that Peter was busy with.
  • Insolvency
    • There is no cover for liability arising out of insolvency which includes the inability or unwillingness to make payment because of insolvency, liquidation and bankruptcy.
  • Hardware confiscated by the government
    • There is no cover for the liability caused by any public authority confiscating or damaging all or part of a computer network.
    • This only applies to physical components of a computer network, so this exclusion does not apply to the software or data which is confiscated.
    • This exclusion applies regardless of whether the network belongs to the Insured or to some other third party.
  • Sanctions
    • There is no cover for liability arising out of the violation of USA imposed trade sanctions.
  • Securities
    • There is no cover for liability arising out of the sale, purchase or loss in value of securities.
    • Example: The Insured fails to disclose important problems in the company when selling shares. There is no cover if the buyer sues the Insured for the amount that he overpaid for the shares.
    • Example: When Peter, a director of the Insured, fails to move the data backup system off site, all the Insured’s data is lost in a fire. As a result the value of the Insured’s shares falls. There is no cover if angry investors sue Peter. (This could fall under a D&O policy.)
  • Discrimination
    • There is no cover for liability arising out of unfair discrimination.
    • Example: The Consumer Protection Act prohibits suppliers from charging rich people more than poor people. There would be no cover if the Insured is penalised for this discrimination.
    • Unfair discrimination includes discrimination based on age, race, gender, religion, sexual preference, disability, pregnancy, social status, etc.
    • Fair discrimination includes giving discounts for bulk purchases, early payment, etc.
  • Employment related matters
    • There is no cover for liability arising out of:
      • Any claim made against the Insured by any of its employees
        • However there would be cover if the employee claimed that his/her personal information was not properly protected.
      • Employment practices
        • Example: if the CCMA ruled that the employee was unfairly dismissed, the policy would not pay those damages.
      • Worker’s compensation or similar laws
        • Example: there is no cover if an employee is injured whilst on duty.
      • Strikes and labour actions
      • Pension fund and employee benefit related mechanisms.
  • War, terrorism
  • Payment card industry standard
    • There is no cover for fines and penalties arising out of a violation of payment card industry standards.
    • Example: fines for late payment of credit card debt.
    • However if the fine is caused by a breach of privacy then this exclusion falls away.
Question: Data Extortion
Answer:

The company will reimburse the Insured in respect of:

  • Extortion money paid to terminate a threat of corruption or damage to programmes and information held on a computer network
  • Other related expenditure, such as hiring a consultant to establish if the threat is for real
Question: Crisis Management Costs, Customer Notification, Support and Credit Monitoring Services
Answer:

Following a security breach the company will pay:

  • Cost of employing a public relations consultant to mitigate brand damage if the security breach was publicized in the media.
  • PR, advertising and related expenses required to comply with a mandatory customer notification following the compromise of personal info.
  • Customer support activities such as credit file monitoring and ID theft education
Question: Privacy Regulatory Defence and Penalties
Answer:

This section covers damages and defence costs for which the insured becomes liable as a result of a civil regulatory action. This action would be caused by a security breach or privacy breach.

  • Includes cover for civil penalties and fines if they are insurable by law
Question: Data Recovery and Loss of Business Income
Answer:

Covers the Insured’s “own damage” monetary loss caused by a security breach, virus, human error causing data loss, accidental hardware destruction or a programming error. The cover applies regardless of whether the act was committed by an employee or a third party.

This section will pay:

  • Loss of income (before income tax) or the on-going operating expenses
    • This form of business interruption cover does not require any physical damage to machinery
    • Is subject to a waiting period (this is often 24 to 48 hours)
    • Example: down time arising out of an oversight during software testing
  • The costs to restore data and programs
  • Claims preparation costs (this includes the cost of a forensic investigation)
  • Increased cost of working
    • Example: the cost of hiring external equipment, alternative premises and even staff overtime pay incurred in order to rectify the situation
  • Public relations costs
Question: Security and Privacy Liability
Answer:

Covers the Insured’s liability arising out of its negligence in preventing a security breach or a privacy breach (hacker attack), resulting in:

  • Alteration, copying, theft, destruction or unauthorised disclosure of data
    • Includes the loss or unauthorised disclosure of customer or employee information.
    • ID theft (including phishing)
  • Allowing the Insured’s network to participate in an attack on a third party’s computers
    • Example: Denial of access attack – using your system to flood the victim’s system with data requests causing the victim’s system to cease functioning
    • Example: Allowing your system to spread a computer virus
  • Breach of privacy regulations
    • Includes negligently failing to disclose a breach in terms of laws and regulations
Question: Multimedia Liability
Answer:

This section covers the Insured’s liability arising out of any physical or electronic publication. Unlike the E&O section, which covers liability caused by work done for a customer’s benefit, this section covers the Insured’s liability arising out of its own internet, marketing and advertising activities.

  • Defamation, product disparagement
    • Example: “Our product is the only product in the market which has passed the 24 hour reliability test.” A competitor may dispute this showing that their product also passed the 24 hour reliability test. They might then sue the Insured, claiming that the untruthful information on the brochure has unjustly enriched the Insured at the competitor’s expense.
  • Invasion of Privacy
    • Legally, an invasion of privacy may include any of the following:
      • Publication of private facts
        • Example: When a plumber publicized his skill in sorting out the on-going cockroach infestation problems at the local Big-M Restaurant, the restaurant suffered a loss of income.
        • Example: A case study illustrating cost savings shows the customer in a bad light. Although names have been removed it is still possible for people to establish who the customer is.
        • Includes the release of employee information
        • Example: As part of a misguided PR campaign the company releases the following statement “Our equity policy ensures we give priority to employing HIV+ people.” As a result of this, the company’s employees feel aggrieved as the general public now considers them “infected”.
      • Placing a person in a false light
        • Thabo’s butchery publishes a flyer advertising their monthly special on pork chops. The graphic work is done by his teenage daughter who ‘Photoshops’ the image of an actress so that it appears she is participating in the butchery. Later, the actress’ lawyers bring an action of defamation against the butchery because she is a vegetarian and does not want to be associated with a butchery.
      • Unauthorised appropriation of a person’s name or likeness
        • Example: An IT company’s web site listed its customers. One of the customers, GreenBank, acted against them claiming that the IT company is unlawfully trading off the GreenBank brand by suggesting that this reputable bank has found the IT company a worthy trading partner.
      • Intrusion into a person’s sphere
        • Example: The Insured’s HR manager bugged the office to determine if the sexual harassment charges against the CEO were valid.
      • The collection of personal data
        • While studying for his psychology qualification, the Insured’s manager secretly collects data related to the employees’ eating, social and hygiene habits.
  • Plagiarism; dilution or infringement of copyright, domain or slogan
    • Example: Wimpie’s Plumbers hires a school kid to build his website for R700. He later discovers that the pretty face on his web site was that of Kim Kardashian and her lawyers now want compensation for the use of her image.
  • General negligence in the release of multimedia content
    • Example: The Insured forgot to tell the PR company that it did not succeed in getting James Bond to endorse its products. As a result misleading advertising was released into the market. 
Question: Professional Services
Answer:

This section covers liability arising out of the Insured providing a business service to its customers.

  • Covers a pure economic loss liability caused by negligence and
    • Arising out of the Insured’s ordinary business services performed for customers; and
    • Includes design, sale, installation, development of IT products and services.
    • Example: A broker failing to place cover as agreed.
  • Defamation, product disparagement
    • Defamation example: An agent of the bank’s outsourced call centre calls the bank’s customer a crook. The customer sues the bank for defamation and the bank in turn sues the call centre. If the call centre was the insured, then they would need Professional Services cover.
  • Copyright infringement
    • Example: The broker’s IT developer builds a program partly using code belonging to someone else. The owner of that code could sue the broker for copyright infringement and also stop them from using that program. The broker would then sue the IT developer and the IT developer’s policy would respond.