‘What is’ Non-Panel Response Provider

Non-Panel Response Provider

Any firm other than a Pre-Approved Response Provider that provides services that incur reasonable and necessary expenses to be paid by the policyholder in the event of a Cyber Incident.

 

Pre-Approved Response Provider

Any firm listed on the insurance company’s pre-approved provider list or the pre-approved provider list specified on the website listed in the policy wordings.

 

Cyber Incident Response Expenses

Reasonable and necessary expenses incurred by the policyholder due to the occurrence of a Cyber Incident. These can include expenses associated with legal compliance and defence, forensics, public relations and risk management that result from such incidents.

 

Digital Data

Digital (electronic) data refers to electronic information stored on a computer system owned by the policyholder, as well as on a computer system not owned by the policyholder but used by a third party for their benefit as enforced by a written contract between the two. It will also include the ability of an insured computer system to store, process and transmit information over the internet.

‘What is’ Cyber Incident Response

Q: What is a Cyber Incident?

  1. Any failure of your Computer System’s or Shared Computer System’s Network Security.
  2. Malicious and/or Fraudulent Computer Acts against your computer system or a shared computer system, such as unauthorized access or use of a computer, misuse or destruction of digital data, computer viruses, and access restriction attacks against a computer system.
  3. Failure to protect a third party’s sensitive and confidential personal or financial information, for which you are legally responsible to maintain.
  4. An insured’s unintentional violations of any Privacy or Cyber Law, including unintentionally collecting protected information.
  5. Interruption in computer system service caused by malicious and/or fraudulent computer attacks, up to the limit of Business Interruption and Extra Expense coverage purchased.
  6. Any reasonably suspected Extortion Threat relating to the release of private personal or financial information taken from an insured as a result of unauthorized access or use of the insured’s computer system and/or shared computer system, as long as coverage is purchased for Network Extortion.

 

Definitions:

Network Security Failure: means a failure in Network Security, including the failure to prevent a Malicious Computer Act.

Network Security: means those activities performed by an Insured, or by others on behalf of an Insured, to protect an Insured’s Computer System or Shared Computer System.

Protected Information: means the following, in any format:

  1. a natural person’s name, e-mail address, social insurance number, social security number, medical or healthcare data, other protected health information, driver’s licence number, federal, provincial, state or personal identification number, credit card number, debit card number, address, unpublished telephone number, account number, account histories, personally identifiable photos, personally identifiable videos, Internet browsing history, biometric records, passwords or other non-public personal information as defined in any Privacy or Cyber Laws; or
  2. any other third party confidential or proprietary information:
    • provided to an Insured and protected under a nondisclosure agreement or similar contract; or
    • which an Organization is legally responsible to maintain in confidence.

Network Extortion Threat: means any credible threat or series of related threats directed at an Insured to: 

  1. release, divulge, disseminate, destroy or use Protected Information or confidential corporate information of an Insured taken from an Insured as a result of the unauthorized access to or unauthorized use of an Insured’s Computer System or Shared Computer System;
  2. cause a Network Security Failure;
  3. alter, corrupt, damage, manipulate, misappropriate, delete or destroy Digital Data; or
  4. restrict or inhibit access to an Insured’s Computer System or Shared Computer System;

where a demand exists for the Insured to make a payment or a series of payments, or otherwise meet a demand, in exchange for the mitigation or removal of such threat or series of related threats.

Privacy or Cyber Law: means any federal, provincial, state, local, and foreign identity theft and privacy protection laws, legislation, statutes, or regulations that require commercial entities that collect Protected Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Information has potentially been compromised.

 

Q: What is a Shared Computer System?

A Shared Computer System is a third party’s computer system, operated by a third party under written contract with the insured, to the benefit of the insured. The insured must be dependent on the third party’s computer system in order for it to qualify as a Shared Computer System.

Examples: Cloud Services, Data Hosting, Data Back-Up, Data Storage

‘What is’ Contingent Business Interruption Loss And Extra Expenses

Q: What is considered a Contingent Business Interruption loss?

  1. The normal operating and payroll expenses that continue even in the case of a service interruption due to a cyber incident impacting the function of a Shared Computer System.
  2. The net profit before income tax that would have been earned had there been no interruption in regular business activity due to a cyber incident affecting a Shared Computer System.

 

Q: What are Business Interruption Extra Expenses?

  1. Reasonable and Necessary Expenses incurred in order to control, reduce, or avoid an interruption in service caused by a cyber incident. Extra Expenses are covered, so long as they are expenses that would not have been necessary without the Service Interruption to a Shared Computer System.
  2. Reasonable and Necessary Expenses incurred to reduce the amount of time that the Shared Computer System is down.
  3. With the insurance company’s consent, the costs to hire a forensic accounting firm to determine the costs of the service interruption.

 

Q: What is a Shared Computer System?

A: A Shared Computer System is a third party’s computer system, operated by a third party under written contract with the insured, to the benefit of the insured.

The insured must be dependent on the third party’s computer system in order for it to qualify as a Shared Computer System.

Examples: Cloud Services, Data Hosting, Data Back-Up, Data Storage

Extra Expenses will not cover:

  1. Expenses incurred to prevent a loss due to deficiencies or problems with a Shared Computer System.
  2. Costs and expenses associated with maintenance, updates, or improvements of a Shared Computer System.
  3. Any penalties arising from contracts.

Who should be listed as a Named Insured?

APPLICANT (NAMED INSURED), WHO SHOULD BE LISTED?

 

Please note that the person who is listed as the applicant will become the Named Insured on the policy.

The Named Insured has special rights and duties. These rights and duties are explained in General Rules of the policy wording.

Individual - If you are applying as an individual, please list your full legal name in the Applicant’s name box.

Partnership or Joint Venture - If you are applying as a Partnership or Joint Venture, please list your and your partners’ or co-venturers’ full legal names.

Trade Name/Unincorporated Company - If you are applying as a company that is not incorporated, please list your full legal name and your unincorporated company name by including the acronym dba (doing business as). An example of how to correctly list your name in this scenario is below:

Jane Doe dba ABC Production Company

Corporation - If you are applying as a Corporation, please list the full legal name of your corporation, including the company’s designation (e.g. Inc., Ltd., Corp.).

Please note that if you need to list vendors (i.e. Rental Houses) or locations as an additional insured or loss payee, they should not be listed as the applicant/Named Insured. When you purchase the policy, you will be supplied with a blank certificate of insurance. This certificate will allow you to add loss payees and additional insureds to your policy as needed per the terms and conditions of the policy.

Which Insurance Company issues the policy?

The insurance company is Chubb Insurance Company of Canada. Chubb Insurance Company of Canada is a member of the Chubb Group of Insurance Companies. For over 85 years, we have been delivering exceptional property and casualty insurance products to businesses and individuals in Canada.

View the Chubb website.

 

What is your estimated gross annual revenue?

Your estimated gross annual revenue figures are used to rate the premium for your policy. We use this estimate to help generate the premium charged. This information is kept private.

In simple terms, revenue is the money earned through sales, services and other means. 

What if my operations don’t fit into one of these options listed?

At this time, we are only able to provide the online program to a select group of businesses. We look forward to expanding this offering soon.

This program is currently available to Canadian based businesses only.

 

What date should my coverage begin?

If you choose to purchase your policy on the same day you want the policy to go into effect, the policy begins at the time your confirmation email is received with the policy documents.  

If you purchase a policy for a future date, the policy will begin at 12:01am on the date chosen.

Please note that the policy cannot be backdated.

Regulatory Proceeding

Regulatory Proceeding

A legal suit action, civil investigation or civil proceeding by or on behalf of a government agency, licensing entity or regulatory authority. It is initiated by a complaint or similar pleading made against the accused party based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident and which may reasonably give rise to a third party liability claim under this policy.

Payment Card Loss

Payment Card Loss

Payment card loss refers to those sums that the policyholder becomes legally obligated to pay relating to additional costs or expenses incurred due to the policyholder’s (alleged) failure to:

  1. Maintain adequate Network Security, or;
  2. Properly protect, handle, manage, store, destroy or otherwise control Payment Card data. This also applies to confidential information belonging to third parties that has been shared with the policyholder.

In relation to the legal agreement in place between the Payment Card Brand or Vendor and the policyholder.

Payment card loss does not include:

  1. Subsequent fines or assessments for non-compliance with the Payment Card Industry Data Security Standards that are unrelated to a specific claim, or;
  2. Costs or expenses incurred to update or improve privacy or network security controls, policies or procedures to a level beyond that which existed prior to the applicable claim or to comply with applicable Payment Card Industry Data Security Standards or legal agreements.

 

Claim example: An insured computer system is hacked and the credit card information of several of their clients is stolen.

 

Payment Card

An authorized account or evidence of an account, for credit cards, debit cards, charge cards, fleet cards or stored value cards between the Payment Card Brand and its customer.

 

Payment Card Brand

Any payment provider whose payment method is accepted for processing, including Visa Inc. International, MasterCard Worldwide, Discover Financial Services, American Express Company and JCB International.

 

Payment Card Industry Data Security Standards

The rules, regulations, standards or guidelines adopted or required by the Payment Card Brand or the Payment Card Industry Data Security Standards Council relating to data security and the safeguarding, disclosure and handling of confidential information.

 

Regulatory Proceeding

A legal suit action, civil investigation or civil proceeding by or on behalf of a government agency, licensing entity or regulatory authority. It is initiated by a complaint or similar pleading made against the accused party based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident and which may reasonably give rise to a third party liability claim under this policy.

Network Extortion

Network Extortion Threat

Any credible threat or series of related threats directed at the policyholder to:

  1. Release, divulge, disseminate, destroy or use confidential information, personal or corporate, taken from the policyholder as a result of unauthorized access to or use of an insured computer system such as by hacking
  2. Cause a Network Security Failure
  3. Alter, corrupt, damage, manipulate, misappropriate, delete or destroy electronic data
  4. Restrict or inhibit access to an insured computer system

Where a demand exists for the policyholder to make a (series of) payment(s) or similar demand, in exchange for the mitigation or removal of such threat or series of related threats.

Claim example: An insured computer system is infected with ransomware, restricting access to the insured’s files until a ransom is paid to the hacker.

How do I make policy changes once my policy is purchased?

Once a policy is purchased, you can request policy changes HERE. Please note: changes that result in additional premium owing are subject to a $25 change fee.

Do your internal IT security controls comply with all of the following?

At this time, we are only able to provide the online program to a select group of businesses with the following internal IT Security Controls in place. We look forward to expanding this offering soon.

  • Antivirus and Firewalls (Windows 7 or higher qualifies)
  • Encryption of Sensitive Data
  • Encryption of Mobile Computing Devices
  • Critical Software Patching Procedures
  • Critical Data Backup and Recovery Procedures

 

This program is currently available to Canadian based businesses only.

Digital Data Recovery

Digital Data means software or other information in electronic form which is stored on an Insured’s Computer System or Shared Computer System. Digital Data shall include the capacity of an Insured’s Computer System or Shared Computer System to store information, process information, and transmit information over the Internet. Digital Data shall not include or be considered tangible property.

Digital Data Recovery Costs

Digital data recovery costs refers to one of the following:

  1. The reasonable and necessary expenses incurred by the policyholder to replace, restore, recreate, re-collect or recover electronic data from written records or partially or fully matching electronic records due to the corruption, theft or destruction of the originals due to a Network Security Failure. This includes disaster recovery or computer forensic investigation efforts. If electronic data cannot be replaced, restored, recreated, re-collected or recovered, settlement will be limited to the amount of the reasonable and necessary expenses to determine as such.
  2. Reasonable and necessary expenses incurred by the policyholder to mitigate or reduce any costs or loss resulting from the above.

Cyber, Privacy & Network Security Liability

Cyber, Privacy & Network Security Liability: This coverage will respond for those sums that the policyholder becomes legally obligated to pay such as compensatory damages, regulatory fines and settlements as a result of a “cyber incident” that occurs during the policy period. It will not include coverage for such items as punitive damages, royalties, costs associated with correcting or re-performing services or amounts that are uninsurable or that the policyholder is not legally or financially obligated to pay.

 

A “cyber incident” refers to the failure or omission of the policyholder, including allegations of such, to prevent an insured computer system from being compromised due to a Network Security Failure, Cyber Extortion or interruption of service including by hacking. Coverage will also be provided for legal fees and other reasonable expenses incurred in relation to a claim made against the policyholder.

Are you located outside of Canada?

We cannot currently provide insurance through this system for individuals or companies outside of Canada.