Cyber risks are an increasingly important consideration for Minnesota cities. Unlike most private insurers, the Trust does not issue a separate coverage document for cyber risks. Instead, cyber risks are built into the Trust’s standard liability, property, crime, bond, and auto coverages. It covers members’ cyber and other computer-related risks, including:
- Liability claims made against a member resulting from a data security breach or other computer-related errors, acts, or omissions.
- Payment card industry (PCI) fines, penalties, and assessments; and data security breach regulatory fines and penalties resulting from a data security breach claim.
- Cyber-related property damage, including the cost to restore or replace equipment destroyed due to a virus or hacking attack; cost to reproduce or restore intangible electronic data; and loss of revenue, extra expense, and expediting expense resulting from a virus or hacking attack.
- Data security breach response expenses incurred by a member, including legal and information technology consulting, providing notice to affected persons, credit monitoring and identity theft services, and other reasonable expenses incurred to respond to a breach.
- Theft of city funds by electronic means.
Coverage for these exposures is provided under several separate coverage parts. For coverage to apply for all these exposures, the member would need to have all the following Trust coverages: municipal liability, property, bond, and auto coverages.
The Trust’s municipal liability coverage, which is on a claims-made basis, applies to claims resulting from data security breaches or other computer-related risks.
- The standard limit is $2 million per occurrence. There are, however, two annual aggregate limits:
- $3 million annual aggregate (total amount of coverage for the year, regardless of the number of claims) for third-party liability claims arising out of data security breaches.
- $250,000 annual aggregate/sub-limit (part of and not in addition to the $3 million data security breach aggregate) for PCI fines, penalties, and assessments; and data security breach regulatory fines and penalties resulting from a data security breach claim.
Examples of data security breach claims include:
- City is sued for invasion of privacy or a data practices violation. This could result from actual or potential unauthorized access by an outside party of private or confidential data stored in the city’s computer system.
- City fails to prevent a hack into an emergency dispatch, traffic light, or water tower system. The incident doesn’t necessarily involve the unauthorized acquisition of personal or confidential data.
- A city employee loses a laptop from which a criminal accesses the city’s employee files, including employee names with Social Security numbers and other confidential information. One or more employees incur damages because of the unauthorized acquisition of data.
- A city’s accounts receivable system, which contains names and credit card numbers, is hacked. An individual incurs damages as a result.
The Trust’s liability coverage also applies to other types of computer-related liability claims members can face that don’t involve a data security breach. The $3 million annual aggregate does not apply to these types of claims. Examples include:
- City employee uses city’s email system for sexual, racial, or other harassment of another employee.
- City employee subscribes to a job-related listserv, makes comments there about a vendor, and gets sued for defamation.
- City employee uses city’s web access to view pornography; another employee sees it and sues the city for a hostile work environment.
- City is sued because its website infringes on a copyright or trademark.
The Trust’s property coverage provides coverage for the following three types of cyber-related property risks:
- Cost to reproduce or restore electronic data that’s been damaged or destroyed by unauthorized intrusive codes or programming, such as a virus, hacker, or similar attack. There is a $1 million per occurrence sub-limit.
- Data security breach response costs, like legal and information technology consulting, providing notice to affected persons, credit monitoring and identity theft services, and other reasonable expenses incurred to respond to a breach. Expenses are subject to a $250,000 annual aggregate sub-limit, which can be increased to $500,000.
- Loss of revenue, extra expense, and expediting expense caused by a cyber virus or hacking attack. The per occurrence sub-limit is $500,000.
All three of these cyber exposures — cost to reproduce or restore data, data security breach response costs, and loss of revenue — have a combined $2 million annual aggregate, meaning $2 million is the most the Trust would pay for all claims, occurrences, or incidents for these cyber coverages during a member’s coverage term.
Members that have the Trust’s property coverage also receive standard crime coverage for no additional premium charge. The standard limit is $250,000 per occurrence.
The crime coverage applies for loss of money resulting from theft by an outside party, including theft by electronic means, such as wire transfer fraud. It also includes losses resulting from credit card fraud that are not otherwise reimbursable by the issuer, owner, or holder of the card. However, following a credit card fraud loss that involves a point-of-sale terminal, the coverage terms may be restricted unless and until further action is taken by the member to prevent future losses by installing and converting to credit card chip technology.
The Trust’s bond coverage is an optional coverage available to members of the property/casualty program. Bond coverage applies for theft of city funds by an internal party, including theft by electronic means. Bond limits are available between $50,000 and $3 million per occurrence.
The Trust’s auto physical damage coverage responds to auto damages caused by a computer virus or hacking attack.
The League offers additional resources to help cities with computer-related risks.
- View the discussion on Computer and Network Loss Control
- Access the NetDiligence eRisk Hub, a web-based portal containing information and technical resources that can assist in the prevention of network, cyber, and privacy losses.