Coverage for Cyber and Computer Related Risks

If your city suspects or believes it has already experienced a data breach or other type of cyber or privacy event, contact LMCIT claims staff immediately at (800) 925-1122. Please don’t hesitate to call. Our claims staff will help you confirm, respond to, and recover from a cyber incident.

The League of Minnesota Cities Insurance Trust (LMCIT) provides broad coverage for members’ cyber and other computer-related risks. It is issued under the following coverage parts.

First-party coverage (for members’ own claims)

LMCIT’s first-party cyber coverage will respond in two ways: 1) To a member’s suspected data security breach, and/or 2) To a member’s actual claim that has resulted from their own data breach or cyber event. This coverage was previously provided under LMCIT’s property coverage, but it is now in a standalone coverage document with an explicit premium charge.

Following are the types of cyber risks that are covered:

  1. Data security breach response costs, like legal and information technology consulting, providing notice to affected persons, credit monitoring and identity theft services, and other reasonable expenses incurred to respond to a breach.
  2. Loss of revenue, extra expense, and expediting expense caused by a cyber virus or hacking attack.
  3. Cost to reproduce or restore electronic data that’s been damaged or destroyed by unauthorized intrusive codes or programming, such as a virus, hacker, or similar attack.
  4. Cost to repair or replace computer equipment rendered nonfunctional for its intended purpose due to unauthorized intrusive codes or programming, such as a virus, hacker, or similar attack.

There is a $250,000 aggregate limit per member for the first-party coverage. Members can increase that limit to $500,000 for an additional premium charge if they can answer yes to the following loss control questions.

  • Is annual cyber training provided to all employees?
  • Are computer use policies in place?
  • Is there a firewall between the internet and the member’s network?
  • Are monthly updates being done on antivirus and Windows software?
  • Are monthly data backup procedures in place?

In addition to the aggregate, there is a shared pool limit threshold for first-party cyber claims. Members share a $10 million limit for common causes, or similar cyber claims stemming from one event, and a $25 million aggregate limit over a 12-month period.

Liability and third-party coverage (for external parties’ claims)

LMCIT’s municipal liability coverage, which is on a claims-made basis, will respond to another party’s claim that has resulted from a member’s data security breach or other computer-related risk. The cost for this coverage is included in members’ overall liability premiums.

The standard limit is $2 million per occurrence. There are, however, two annual aggregate limits:

  • $3 million annual aggregate (total amount of coverage for the year, regardless of the number of claims) for third-party liability claims arising out of data security breaches.
  • $250,000 annual aggregate/sublimit (part of and not in addition to the $3 million data security breach aggregate) for payment card industry (PCI) fines, penalties, and assessments; and data security breach regulatory fines and penalties resulting from a data security breach claim.

Examples of data security breach claims include:

  • Member is sued for invasion of privacy or a data practices violation. This could result from actual or potential unauthorized access by an outside party of private or confidential data stored in the member’s computer system.
  • Member fails to prevent a hack into an emergency dispatch, traffic light, or water tower system. The incident doesn’t necessarily involve the unauthorized acquisition of personal or confidential data.
  • A member employee loses a laptop from which a criminal accesses the employee’s files, including employee names with Social Security numbers and other confidential information. One or more employees incur damages because of the unauthorized acquisition of data.
  • A member’s accounts receivable system, which contains names and credit card numbers, is hacked. An individual incurs damages as a result.

LMCIT’s liability coverage also applies to other types of computer-related liability claims members can face that don’t involve a data security breach. The $3 million annual aggregate does not apply to these types of claims. Examples include:

  • Member employee uses member’s email system for sexual, racial, or other harassment of another employee.
  • Member employee subscribes to a job-related Listserv, makes comments there about a vendor, and gets sued for defamation.
  • Member employee uses member’s web access to view pornography; another employee sees it and sues the member for a hostile work environment.
  • Member is sued because its website infringes on a copyright or trademark.

Crime coverage (theft by external parties)

Members that have LMCIT’s property coverage receive standard crime coverage for no additional premium charge. The standard limit is $250,000 per occurrence for the following types of claims:

  • Loss of money resulting from theft by an outside party, including theft by electronic means, such as wire transfer fraud.
  • Losses resulting from credit card fraud that are not otherwise reimbursable by the issuer, owner, or holder of the card. However, following a credit card fraud loss that involves a point-of-sale terminal, the coverage terms may be restricted unless and until further action is taken by the member to prevent future losses by installing and converting to credit card chip technology.

There is a $50,000 sublimit for:

  • Fraudulent instruction claims, which are defined by LMCIT as a “loss resulting from an employee’s reliance on fraudulent instructions from a person purporting to be a fellow employee or a representative from an individual or entity that provided or will provide goods or services to the member.”

Municipal bond coverage (theft by internal parties)

LMCIT’s bond coverage is an optional coverage available to members of the property/casualty program. Bond coverage will respond to theft of member funds by an internal party, including theft by electronic means. Bond limits are available between $50,000 and $3 million per occurrence.

Auto coverage

LMCIT’s auto physical damage coverage responds to auto damages caused by a computer virus or hacking attack. There is an exclusion for loss caused by unauthorized intrusive codes of programming, such as computer viruses or hacking. However, there is an exception for damage resulting from a collision caused by the disablement or commandeering of steering, braking or other vehicle controls.

Additional resources

Underwriters are available to assist with questions about coverages and more. Connect with LMCIT underwriters by going to the League of Minnesota Cities staff page and choosing “underwriting” under the “Department” section.

The League offers additional resources to help members with computer-related risks.