Enterprise Pro Cyber Liability Program
The Enterprise Pro Cyber Liability Program protects Michigan businesses and companies against the cost of an actual or suspected violation of a privacy regulation due to a security breach that results in the unauthorized release of protected personally identifiable information, which is any private, non-public information of any kind in the merchant’s care, custody or control.
The Enterprise Pro Cyber Liability Program is facilitated through the North American Data Security RPG (named insured on master policy), a risk purchasing group which is registered in all 50 states and the District of Columbia. The master policy is underwritten by AXIS Insurance Company, an A+ rated insurance carrier by AM Best.
- Limit of Liability per business options:
- $1,000,000 (annual aggregate)
- Master policy – admitted – claims made policy form
- No aggregate limit on master policy
- $2,500 retention
- Coverage territory is worldwide
- Claim reporting requirement – within 60 days upon becoming aware of a suspected or actual breach
- Eligibility: U.S. businesses with less than $50,000,000 in annual revenue
- Civil proceeding or investigation including requests for information for an actual or alleged violation of any privacy regulation (PII data) brought on behalf of any federal, state, or foreign governmental agency including:
- Defense & settlement or judgment
- Regulatory fines & penalties (including PCI)
- Mandatory forensic examination
- PCI re-certification services to re-certify compliance with PCI Security Standards
- Ransomware – $1,000,000 – retention applies
- Website Media Liability
- Business Interruption – $1,000,000 – 8 hour waiting period applies
- Data Recovery Expense – $1,000,000 – retention applies
- Crisis management and fraud prevention expense:
- Call center
- Sub-limits apply:
- Credit monitoring
- Public relations
- Associated legal expenses
- Telecommunications Theft – $100,000 sub-limit – retention applies
- Social Engineering Fraud – $100,000 sub-limit – retention applies
- E-Theft – $100,000 sub-limit – retention applies
- Underwriting is limited to four questions
- Rating is based on revenue for businesses up to $50,000,000 in annual revenue
- Excluded classes include: (a) Banks, (b) Credit Unions, (c) Payment Processors, (d) Gambling Organizations, (e) Online Adult Industry, (f) Social Media/Networking Firms, (g) Cloud Providers, (h) Federal and State government agencies, (i) Municipalities, (j) Franchise, (k) Crypto-currency, (l) Marijuana dispensaries
This is a brief coverage summary, not a legal contract. The actual policy should be reviewed for specific terms, conditions, limitations, and exclusions that will govern in the event of loss. Extended sixty-day reporting period applies.
The Need for Cyber Liability Insurance
50% of confirmed data breaches target Michigan small businesses and 60% of small businesses within Michigan fail within 6 months of a breach.
Frequently asked questions about cyber liability and cyber insurance for businesses
1. What does cyber insurance cover?
- The cost to respond and recover from a data breach
- Theft of funds electronically or through fraudulent instructions
- Cost of ransom if your computer is encrypted
- Business interruption if your computer systems are damaged due to an attack
2. What if I don’t have sensitive data?
- Almost every business stores or collects sensitive data including credit card information, banking information, employee information, customers’ driver’s license numbers, social security numbers, or protected health information
- You are legally obligated to protect information you collect
3. We don’t take credit cards or store other sensitive information on customers
- Do you bank online? Do you pay vendors using ACH or Wire?
- Social Engineering fraud is a leading cyber exposure. Cyber criminals deceive small businesses into sending money by using transfer instructions which seem legitimate
- Do you rely on a computer system or network to conduct day to day business that is also used for email and web browsing by your employees?
- Ransomware is a leading form of cyber extortion. Criminals lock your computer after infecting it with malware, typically through an email. Access to all files is denied until the ransom is paid
- What if your computer system is hacked and computers and servers are wiped out or not available for use? How will you conduct your day to day business? Can your business cover the lost income?
4. In addition to the cost of a cyber breach, who would you call if a breach occurred at your business?
- Most businesses do not have the resources available and your general corporate attorney most likely does not have the knowledge base on hand to make sure you are complying with various states’ legal requirements.
These costs and services can be covered through a cyber liability insurance policy.
Cyber Insurance Claim Examples
- A residential contractor became a victim of a social engineering attack and wired $35,000 to criminals after receiving fraudulent instructions.
- A dental practice found a ransomware demand for $4,900 on a computer which contained protected health information (“PHI”) on 3,780 patients. In addition to paying the ransom, the dental practice incurred the following expenses: IT services, legal services, breach notification expenses, identity restoration and credit monitoring, and public relations expenses, which totaled $49,428.79.
- A professional services firm was hacked and personnel files of employees were breached. In addition to breach notification and credit monitoring services, some employees filed suit against their employer. The total cost of the breach was in excess of $100,000.
- A retail store operating two locations in was notified by Visa of a high incidence of fraud on its customers’ credit cards and was mandated to undergo a forensic examination to determine the source of the breach. The store engaged a forensic examiner, at a cost of $26,200 in expenses. A month later, MasterCard assessed a Case Management Fee totaling $6,000 and almost seven months after the initial notification, Visa assessed a non-compliance fine of $5,000 to the store for this incident. The store had a total cost of $37,200 on this breach.
- An employee of a professional services firm had a laptop stolen during a work conference. The laptop contained sensitive client information. The computer was password protected but information was not encrypted. The incident cost the firm more than $20,000 in forensics and notification expenses.
- A restaurant in Washington was notified of a breach by MasterCard due to a high level of fraud committed on the credit cards of customers who patronized their business. They were required to immediately undergo a forensic examination which totaled $11,646.90. Six months later, the restaurant was notified by MasterCard that fines of $26,242 for Fraud Recovery along with a Case Management Fee of $8,000 were being assessed. Two months afterwards, Visa assessed a non-compliance fine for $5,000. The restaurant had a total cost of $50,888.90 due to this breach.
- A small online retailer was infected with malware that affected accounting software and customer account files including credit card information, social security numbers and customer names and addresses. The malware encrypted 15,000 customer files and demanded $5,000 in ransom. The business’ backup systems had not been working and the business was forced to pay the $5,000 ransom.