@
Information and
Communication Technology
ICT Professional Indemnity
Claims scenarios
Cyber and Data Security
Claims handling
5-7
8
1
2
4
In an economy where investment returns are low, those with cash are looking internally to strengthen their position and improve their efficiencies. In many cases this involves system reviews and investment in technology.
Whilst this means that the technology sector has not necessarily seen the significant drop in revenue that others have, it does mean that clients are more careful to protect their investments and say when they feel there is something amiss.
This means that the insurance that companies purchase needs to be able to withstand the potential barrage of situations that could happen, from contract disputes to intellectual property issues, from computer viruses to unauthorised access. The wordings themselves are important, but it’s the underwriters who write the risk and understand what clients need which make the real difference. There is no point in having the best tools if you don’t know how to use them! At QBE we are able to combine a quality wording with the experience to know how it should be used.
QBE is a long established insurer in the
Information and Communication Technology sector and is forward looking in both our products and underwriting. Today brokers and clients have access to a fifth generation
Information and Communication Technology wording which has continued to evolve over the years to meet the needs and expectations of clients. The market experience QBE has along with entrepreneurial spirit can be seen in the new Cyber and Data Security product that is now on offer.
One of the firm beliefs of QBE is being able to back up the quality of our products with a quality claims handling service. To enable us to continue to provide the highest standards on our new Cyber and Data Security product,
QBE has teamed up with red24, a global crisis management company, to ensure that the
24hour response that clients need and should expect can be delivered.
• Nearly 1 in every 20 people employed in the UK work in the IT sector
• There are over 100,000 companies in the UK IT sector
• Over ¾ of people in the UK use IT as part of their job
• The UK sector is the largest IT market in Europe.
In this brochure you will find details of the full range of products available to the ICT sector. If you need more information please contact your local
QBE underwriter.
QBE Information and Communication Technology, Cyber and Data Security 1
Breach of contract – Probably the most important element of cover to a Technology company. Breach of contract is mentioned in all Professional Indemnity policies, but in many the cover is then restricted or removed entirely under the exclusions. QBE do not apply such restrictions and even go as far as to define Breach of Contract so clients clearly see what is covered.
Liquidated damages – Many contracts these days include liquidated damages as standard. Liquidated damages are covered as long as they are a fair and reasonable estimate of damages that could be recovered should a liquidated damages provision not have been included in the contract. The majority of policies available exclude this cover as standard and therefore penalise the forward thinking client.
Hacker protection – QBE recognise the risk of hackers in the current environment and the damage that they can cause. As standard under the policy there is cover for a third parties good faith/reliance on a hackers fraudulent use of the insured’s systems.
Further protection from Cyber risks can be purchased through the addition of QBE’s
Cyber Response product.
Unauthorised access – In 99% of hardware and software projects there is an element of network security. Failing to configure security correctly, add patches where needed and even to switch the security features back on following changes are all areas where insureds face a potential exposure following a hack or virus on their network. This is an area that is often excluded in competitor wordings.
Infringement of intellectual property rights – Breach of intellectual property rights is something that is often given in the market, and yet is also often restricted in value. This is an approach that QBE has not taken, and we provide cover for the full limit. In addition Patent cover is often requested, seldom provided.
QBE has the ability to quote up to £1 million limit of liability following additional questions.
The technology sector is slightly different to others in that it is not always easy to see where a PI and PL/products risk stop and other starts. QBE recognises this and so has developed the ability to quote the Products under the same policy as the PI. The benefit for the broker and the client is that you don’t need to worry about the incidents that bridge the two heads of cover, all you need know is that
QBE will look after it. Under the commercial liability QBE will be able to quote Public,
Products Liability and Employers’ Liability cover with limits up to £10 million.
Public relations and crisis management services – It’s all very well protecting the client who has suffered the loss, but what could be the consequence of details of that claim reaching your other clients? Would they be concerned? Could they leave?
Would they select another supplier? This section of cover provides the insured with reasonable funds to call in experts and avert or mitigate any material damage to any of the insured’s brands or business operations.
• Limits available up to
£25 million AOC and AGG
• Breach of contract – no restrictions
• Failure to protect
• Against unauthorised access
• Denial of service attack
• Inadvertent transmission of a computer virus
• Defamation
• Infringement or interference with rights of privacy or publicity
• Misuse of information
• Infringement of intellectual property rights
• Breach of a professional duty
• Negligent acts, errors, omissions, misstatements or misrepresentation
• Defence costs
• Claims emanating from the dishonesty of employees
• Hacker protection
• Public relations and crisis management services
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
• Costs to withdraw content – mitigation costs
• Court attendance compensation
3
3
• Punitive and exemplary damages where insurable by law
• Liquidated damages
3
3
• Worldwide territory and jurisdiction.
3
2 QBE Information and Communication Technology, Cyber and Data Security
• Software companies
• Hardware companies
• IT-Services
• Telecommunications
• Communications equipment providers
• Digital broadcasters
• Electronics instrument providers.
QBE Information and Communication Technology, Cyber and Data Security 3
An insured agrees to supply software to a multi-national computer retailer that was intended to manage all aspects of service and repair relating to computers it sold.
The contract involves the supply of licences for the software and the supply of services necessary to install and integrate the software with the retailer’s other systems.
The scheduled date of implementation passes and the insured is still trying to conclude the installation. The retailer “pulls the plug” saying that the software is of no use to it and that it has suffered loss as a result of the insured’s failure to complete the execution of the services on time. With the support of the insurer, expert evidence shows that the software did work (or would have if the insured had been allowed to finish the job!) and that the reason for the late completion was the retailer’s own failure to provide timely assistance and co-operation.
A nationwide book distributor sends out tenders for a software package for administering its back-office systems. The insured says it has a ready-made software module that can do the job and wins the contract. Despite all their best efforts the software does not work as the insured said it would: the insured cannot quite make the module fit and the product is replaced with a rival software package. A multi-million pound claim is pursued, seeking to recover sums already paid to the insured and the increased cost of working, cost of replacement products, mitigation costs and loss of profits.
Although the insured’s software did not “do what it said on the tin” and the customer was justified in rejecting it, the insurer provides indemnity and works with the insured to limit losses, as expressed by an effective exclusion and limitation of liability clause to the amount of the fixed-price project fee.
These are examples only. Consideration of all claims is subject to policy terms and conditions and reviewed on a risk-by-risk basis.
An insured provides software for the creation and use of electronic application forms for store loyalty cards. It enters into an outsourcing agreement and while the insured performs its services, it has access to some of its client’s software products. After the outsourcing agreement comes to an end, the client claims that the insured has used its software to develop its own products which it is selling on to competitors and that its software infringes the client’s copyright. With the support of its insurer and its specialist solicitor the insured is able to establish that its software has been created without copying or adaptation from any corresponding part of the customer’s software.
A claimant asserts that a number of individuals posted defamatory comments about its products on the internet. The insured is an internet service provider which accepts that it had temporarily stored the defamatory information (known as “caching”).
The critical question is whether the internet service provider is liable for publication of the defamatory material through its services.
With the support of its insurer the insured argues before the court that the necessary ingredients for publication are missing. The court agrees, concluding that an internet service provider that performs no more than a passive role in facilitating postings on the internet could not be deemed to be a “publisher” at common law.
4 QBE Information and Communication Technology, Cyber and Data Security
Cyber is a relatively new product to come to market. Historically policies such as Property,
Liability and Crime have failed to cover the risks revolving around non-tangible assets (data), and network related risks. With growth in the reliance for technology in all areas of business, and the heightened threat of outsiders trying to access information the threat of these risks has increased significantly.
QBE has designed a product to mould with the needs of clients and yet also cover the range of exposures that companies now face.
are using USB drives without obtaining advance permission to do so
have lost USB drives without notifying appropriate authorities
use generic or free USB drives
• The average cost of an information security incident is £10,000-£20,000.
• For a large company with more than 500 employees it can be up to £1-£2 million
• 2011 Government report estimates the value of cyber crime to the UK economy at £27 billion a year, £21 billion of this being to businesses,
£2.2 billion to government and
£3.1 billion to citizens.
• Of the £21 billion, intellectual property theft cost £9.2 billion, industrial espionage £7.6 billion, this was followed by extortion, which cost £2.2 billion, and direct online theft, which cost business
£1.3 billion. Some £1 billion was lost through theft of customer data.
• 81% of small businesses consider data to be the organisations most valuable asset according to the
Carbonite study in the US. Source: http://www.scmagazineuk.com/ why-is-data-protection-not-apriority-for-small-businesses/ article/217673
Source : UK STILL SLOW ON USB SECURITY study conducted by the Ponemon Institute in ten European countries
QBE Information and Communication Technology, Cyber and Data Security 5
Business disruption
Time spent responding to the incident
Direct cash spent in responding to the incident
Direct financial loss (e.g. loss of assets, fines etc)
Indirect financial loss (e.g. theft of intellectual property)
Damage to reputation
Total cost of worst incident on average
2008 comparative
£200,000 - £380,000
Over 2-5 days
£6,000 - £12,000
15-30 man days
£25,000 - £40,000
£25,000 - £40,000
£15,000 - £20,000
£15,000 - £200,000
£280,000 - £690,000
£90,000 - £170,000
Source:InformationSecurityBreaches2010 http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf
The immediate impact of a compromise of our systems was the closing down of the web aspect of the retail business equating to 12.5% of our retail operation or, all of our profit. More telling though was the resulting loss of consumer confidence which is ongoing. This coupled with restrictions set by the ICO in the avoidance of their potential
£500,000 fine which inhibit the business in improving one of the key aspects of the online shopping experience, the checkout process. We estimate this to have created something close to a 400% increase in cart abandonment or 38% loss in conversion.
The impact of the security breach had a profound impact on the business, as the most profitable and highest growth avenue of the business were affected. Combine this with a lack of knowledge on how to handle such a scenario and the whole incident has left a residual and rather chaotic spirit within the company. These two points have affected the balance of a traditionally frugal business resulting in considerable expense on reassurance and methods to gain confidence in ourselves through certified or recommended security firms.
The ICO investigation did cost time, but then so many things did at that time, the main concern of mine for the business was the retention of staff, confidence of customers and the re-launch of the digital arm of the business coinciding the implementation of tighter security measures in order to restore such a large and influential aspect of the business.
Other negative interest and fines at the time other than the ICO came from VISA,
MasterCard and our acquirers, Worldpay, but the real impact to the business is that loss of confidence and the restrictions of the ICO.
6 QBE Information and Communication Technology, Cyber and Data Security
Regulatory defence and penalties –
The area of data security is continually moving with more and more responsibility being placed on companies. Cover will extend to cover investigation costs and fines imposed by government or public authority regulator against the insured to the extent of insurable by law.
Public relations, crisis management, forensics and security specialist services – If something goes wrong then it’s all well and good having cover for potential claims that may be made, but what happens when the incident is spread all over the papers? Bad press can have a major impact on anyone and it can take a huge amount of time, effort and cost to rebuild a reputation.
With a QBE Cyber and Data Security policy comes the full support of experts at red24.
With a 24 hour hotline to assist in controlling and delivering a PR response and forensics teams to work out what has happened and rectify (if the extension has been purchased), the impact to a business can be minimised.
Privacy breach costs cover – Reform of
European Data protection laws mean that companies will be required by law to notify data protection authorities and data subjects where there has been a data loss. These laws are anticipated to come into play in mid 2012. This section of cover provides cover for the costs incurred in notifying those affected, credit monitoring of those affected where necessary and also the costs of setting up a call centre to field enquiries of concerned clients.
Dishonesty of employees – Unfortunately the people whom are employed and trusted have the greatest opportunity to access the information companies have. Password protection and restricted access are two ways of reducing the chance of something happening but don’t make companies fully secure. Unfortunately some disgruntled employees want to have the last word before they leave!
Information and communication asset rectification costs – If systems have been damaged or data lost, it can be time consuming and expensive to repair or replace the systems. This cover will put a business back to the position that you enjoyed before the incident.
Cyber Extortion – This cover protects the insured from potential cyber extortion.
Here the policy will allow for the ransom payment of genuine threats along with the negotiation, handling, contracting and delivery of monies.
Cyber Business Interruption costs –
If systems or data are damaged or lost, it is highly likely that the functionality of the company will be restricted if not stopped.
This cover will indemnify the insured for lost profit following a cyber incident.
• Failure in the handling, managing or storing of personal or corporate data
3
• Unintentional violation of government or public authority legislation or regulation regarding security
3
• Failure to protect against unauthorised access to, use of, denial of service attack by a hacker or transmission of a virus to your systems
• Unintentional transmission of a virus
• Reliance in good faith by a third party on a hackers fraudulent use of information
• Damage, destruction, alteration, corruption, copying, stealing or misuses by a hacker to your technology systems
• Defamation
• Infringement of IP
3
3
3
• Improper deep linking etc arising from publishing or broadcasting
• Dishonesty of employees
3
3
• Financial transfer indemnification
3
• Public relations, crisis management, forensics and security specialist services
3
3
3
3
• Regulatory defence and penalties
• Withdrawal of content.
3
Optional Coverage Extensions
• Privacy breach costs cover
3
• Information and communication asset rectification costs
3
• Cyber Business Interruption costs
• Cyber Extortion cover.
3
3
QBE Information and Communication Technology, Cyber and Data Security 7
QBE has a dedicated claims handling service with specific experience of Technology related claims, including breach of contract, breach of intellectual property rights and Cyber crime. Our handlers come from both a legal and insurance background and will provide a proactive and collaborative approach to both claims handling and commercial legal enquires. We pride ourselves on building relationships with our clients, understanding their needs to help protect commercial relationships and reputations.
Our in-house qualified solicitors have worked both in private practice and for insurance companies. This experience encompasses the management of court proceedings up to the House of Lords, defending claims to trial and negotiating settlement of litigation and claims. With training in legal principles our claims handlers also understand the need to ally commerciality and common sense to the defence of a claim – dictated by the individual facts of each case.
QBE has the expertise and experiences to ensure your technology clients will not only get an insurance product that will respond to their technology and media liabilities but that the claims will be handled efficiently and effectively.
QBE has teamed up with red24 to provide a dedicated claims handling service with specific experience in dealing with Cyber and Data Security related issues, particularly
PR and forensic investigation where speed of response is vital. The nature of cyber risks means that an incident can happen 24/7 and so red24 have set up a dedicated response unit that can assist whenever needed.
red24 is a global crisis management and assistance company providing global security assistance for both corporate members and affiliate partners. Their team has an unparalleled reputation for providing a comprehensive range of security solutions to corporate members wanting to minimise the risks to their personnel, operations and profitability, and to affiliates wanting to add a truly unique benefit to their product or service. Their experienced, multi-disciplinary team of security experts is ready to help
QBE’s insureds 24 hours a day, seven days a week, no matter where they are.
8 QBE Information and Communication Technology, Cyber and Data Security
3326/INFORMATIONANDCOMMUNICATIONTECHNOLOGY,CYBERANDDATASECURITY/A/APR2014
QBE European Operations is a trading name of QBE Insurance (Europe) Limited and QBE Underwriting Limited, both of which are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
Plantation Place
30 Fenchurch Street
London
EC3M 3BD tel +44 (0)20 7105 4000 fax +44 (0)20 7105 4019 enquiries@uk.qbe.com www.QBEeurope.com