Cyber risks are an increasingly important consideration for Minnesota cities. LMCIT covers members’ cyber and other computer-related risks, including:
- Liability claims made against a member resulting from a data security breach or other computer-related errors, acts, or omissions.
- Payment card industry (PCI) fines, penalties, and assessments; and data security breach regulatory fines and penalties resulting from a data security breach claim.
- Cyber-related property damage, including the cost to restore or replace equipment destroyed due to a virus or hacking attack; cost to reproduce or restore intangible electronic data; and loss of revenue, extra expense, and expediting expense resulting from a virus or hacking attack.
- Data security breach response expenses incurred by a member, including legal and information technology consulting, providing notice to affected persons, credit monitoring and identity theft services, and other reasonable expenses incurred to respond to a breach.
- Theft of city funds by electronic means.
Coverage for these exposures is provided under several separate coverage parts. For coverage to apply for all these exposures, the member would need to have all the following Trust coverages: municipal liability, property, bond, and auto coverages.
Liability and third-party coverage
LMCIT’s municipal liability coverage, which is on a claims-made basis, will respond to claims resulting from data security breaches or other computer-related risks. The cost for this coverage is included in members’ overall liability premiums.
- The standard limit is $2 million per occurrence. There are, however, two annual aggregate limits:
- $3 million annual aggregate (total amount of coverage for the year, regardless of the number of claims) for third-party liability claims arising out of data security breaches.
- $250,000 annual aggregate/sub-limit (part of and not in addition to the $3 million data security breach aggregate) for PCI fines, penalties, and assessments; and data security breach regulatory fines and penalties resulting from a data security breach claim.
Examples of data security breach claims include:
- City is sued for invasion of privacy or a data practices violation. This could result from actual or potential unauthorized access by an outside party of private or confidential data stored in the city’s computer system.
- City fails to prevent a hack into an emergency dispatch, traffic light, or water tower system. The incident doesn’t necessarily involve the unauthorized acquisition of personal or confidential data.
- A city employee loses a laptop from which a criminal accesses the city’s employee files, including employee names with Social Security numbers and other confidential information. One or more employees incur damages because of the unauthorized acquisition of data.
- A city’s accounts receivable system, which contains names and credit card numbers, is hacked. An individual incurs damages as a result.
LMCIT’s liability coverage also applies to other types of computer-related liability claims members can face that don’t involve a data security breach. The $3 million annual aggregate does not apply to these types of claims. Examples include:
- City employee uses city’s email system for sexual, racial, or other harassment of another employee.
- City employee subscribes to a job-related listserv, makes comments there about a vendor, and gets sued for defamation.
- City employee uses city’s web access to view pornography; another employee sees it and sues the city for a hostile work environment.
- City is sued because its website infringes on a copyright or trademark.
For renewals occurring on or after Nov. 15, 2021, LMCIT will issue a new Municipal First Party Cyber Coverage form for first-party cyber risks. The coverage was previously provided under LMCIT’s property coverage, but it will now be placed in a new, standalone coverage document, and there will be an explicit premium charge for cyber rather than including it with property premiums.
The Municipal First Party Cyber Coverage provides coverage for the following types of cyber risks:
- Data security breach response costs, like legal and information technology consulting, providing notice to affected persons, credit monitoring and identity theft services, and other reasonable expenses incurred to respond to a breach.
- Loss of revenue, extra expense, and expediting expense caused by a cyber virus or hacking attack.
- Cost to reproduce or restore electronic data that’s been damaged or destroyed by unauthorized intrusive codes or programming, such as a virus, hacker, or similar attack.
- Cost to repair or replace computer equipment rendered non-functional for its intended purpose due to unauthorized intrusive codes or programming, such as a virus, hacker, or similar attack.
There is a $250,000 aggregate limit per member for the new first-party coverage. Members can increase that limit to $500,000 for an additional premium charge, as long as certain loss control protocols are met. For the 2021-2022 renewal term, members will be asked to attest to reading an excerpt that was developed by LMCIT about reducing computer security risks. Further protocols will be developed for future years.
In addition to the aggregate, there is a shared pool limit threshold for first-party cyber claims. Members will share a $10 million limit for common causes, or similar cyber claims stemming from one event, and a $25 million aggregate limit over a 12-month period.
Crime coverage (theft by external parties)
Members that have LMCIT’s property coverage receive standard crime coverage for no additional premium charge. The standard limit is $250,000 per occurrence for the following types of claims:
- Loss of money resulting from theft by an outside party, including theft by electronic means, such as wire transfer fraud.
- Losses resulting from credit card fraud that are not otherwise reimbursable by the issuer, owner, or holder of the card. However, following a credit card fraud loss that involves a point-of-sale terminal, the coverage terms may be restricted unless and until further action is taken by the member to prevent future losses by installing and converting to credit card chip technology.
There is a $50,000 sub-limit for:
- Fraudulent instruction claims, which are defined as a “loss resulting from an employee’s reliance on fraudulent instructions from a person purporting to be a fellow employee or a representative from an individual or entity that provided or will provide goods or services to the city (or entity).”
Municipal bond coverage (theft by internal parties)
LMCIT’s bond coverage is an optional coverage available to members of the property/casualty program. Bond coverage will respond to theft of city funds by an internal party, including theft by electronic means. Bond limits are available between $50,000 and $3 million per occurrence.
LMCIT’s auto physical damage coverage responds to auto damages caused by a computer virus or hacking attack. For renewals effective Nov. 15, 2021, and after, there is an exclusion in the auto physical damage coverage for loss caused by unauthorized intrusive codes of programming, such as computer viruses or hacking. However, there is an exception for damage resulting from a collision caused by the disablement or commandeering of steering, braking or other vehicle controls.
The League offers additional resources to help cities with computer-related risks.
- View the discussion on Computer and Network Loss Control
- View the discussion on Electronic Funds Transfer Fraud
- Access the NetDiligence eRisk Hub, a web-based portal containing information and technical resources that can assist in the prevention of network, cyber, and privacy losses.