Digital Property Replacement Coverage

Digital Property Replacement is a subset of the Breach Rectification coverage of the cyber liability policy that PBI Group recommends. This section covers the replacement of software, data and hardware which has been destroyed because of a network breach of your IT systems. A good example is your email system, which could be corrupted during a breach, leaving users without access to their emails. Below are excerpts from the policy and some commentary to help you understand what is and is not covered in this nuanced section.

“Digital Property Replacement means those reasonable and necessary costs incurred to replace, restore, or re-collect Digital Property from written records or from partially or fully matching electronic data records due to their alteration, corruption or destruction caused by a Network Security Failure. This shall include Network Security Failure Investigation Expenses; however, in the event that the Digital Property cannot be replaced, restored or recollected, Digital Property Replacement shall be limited to the reasonable and necessary costs incurred to reach this determination.”

Some important related definitions help explain what is included in the above definition of Digital Property Replacement.

“Digital Property means software and data in electronic form which is stored on the Your Computer System. Digital Property shall include the capacity of the Your Computer System to store information, process information, and broadcast information over the Internet.”

 “Your Computer System means a Computer System that is leased, owned, or operated by You; or operated solely for Your benefit by a third party service provider under written contract with You.”

 “Computer System means computer hardware (including laptops and mobile devices), software, firmware, and the data stored thereon, as well as associated input and output devices, data storage devices, networking equipment and Storage Area Network or other electronic data backup facilities.”

 So, in general, this section of coverage provides protection to restore your computer systems back to their pre-breach state of operations, including the rebuild of the information inside the systems. But there are some exclusions worth noting.

 “Digital Property Replacement does not include:

  1. costs or expenses incurred to update, replace, restore, or otherwise improve Digital Property to a level beyond that which existed prior to the loss event;
  2. costs or expenses incurred to identify or remediate software program errors or vulnerabilities, or
  3. costs to update, restore, replace, upgrade, update, maintain, or improve any Computer System;
  4. costs incurred to research and develop Digital Property, including Trade Secrets;
  5. the economic or market value of Digital Property, including Trade Secrets;
  6. costs or expenses incurred due to ordinary wear and tear or gradual deterioration of Digital Property, including any data processing media; or any other consequential loss or damage.”

Other Exclusions with some additional clarification:

  1. “Solely with respect to Digital Property Replacement coverage, any transmission of unauthorized, corrupting or harmful software code, distributed attacks, viruses, worms or malware which is self-propagating.”

Digital Property Replacement is a 1st party coverage designed to protect the insured. This means that there is no 3rd party coverage for digital property replacement for someone else’s computer systems which may be damaged by self-propagating or harmful code from your computer systems. There may be other coverage under the Network Security and Privacy Liability section of the policy if a 3rd party sues, but that is not considered digital property replacement.

  1. “Solely with respect to Digital Property Replacement coverage, any operator error, software error, faulty instruction, unintentional programming error, or failure in project planning.”

This means the damaging event must be breach-related, not the result of a flaw in your organization. The issue cannot be caused by something you did to your own computer systems.

  1. “Solely with respect to Digital Property Replacement coverage, any accounts, bills, evidences of debt, money, valuable papers, records, abstracts, deeds, manuscripts or other documents, except as they have been converted to data processing media form, and then only in that form.”

This means that the policy will not pay to manually re-collect digital data from the physical documents listed above. For example, if your billing system was breached and is now destroyed, but you have a bunch of physical invoices in boxes which were never entered into a system as data, the policy will not cover working through those physical files to enter them into the newly restored accounting system.

*Based on policy information provided by: Victor O. Schinnerer & Company, Inc.


Wire Fraud Scam Getting Worse: New Twist

Here is a recent situation which unfortunately impacted one of our clients and is worth sharing in the hope that increased awareness will limit the chance of this happening again. This situation is a twist on the traditional wire fraud scam and shows how far the bad guys are willing to go to steal from your clients.

The title company involved in a transaction was breached by bad guys who found out the specifics of a closing coming up at our insured’s real estate agency. Instead of sending a fraudulent email posing as the title agency, the bad guys called the buyer’s agent to communicate the updated wiring information for the funds needed to close. The realtor took the telephone call thinking it was the title company and relayed the information to the buyer, who in turn wired the closing funds to a fraudulent bank account. Luckily, a majority of the funds were recovered, but not without considerable effort and expense. What makes this more concerning than most wire fraud situations is that neither the E&O policy nor the Cyber Liability policy was willing to cover the lost funds.

What makes this different?

An important distinction here is that bad guys are learning that real estate agents are not trusting email as a communication tool for wiring instructions and are adapting by making telephone calls, falsely representing the title company. This is a disturbing new development. Please communicate this to your agents.

How did their liability policies respond?

  • Cyber liability policies are triggered when the insured has a situation where a breach is suspected. In this situation, the cyber policy triggered to provide forensic services to determine the origin of the breach which ended up being the title company. At that point, the policy stops covering any liability since the insured’s systems were not compromised. It is worth noting that even if the bad guys sent an email from the title company to the agent, instead of the telephone call, the cyber policy would not have provided cover for the same reason. No Breach No Cover.
  • The E&O policy has a specific exclusion for any liability resulting from wire transfers. These exclusions are becoming more common in E&O policies since carriers are not interested in the exposure related to wire transfer fraud.

What can you do to protect yourself?

  • Do not get involved in any communication of wire instructions to your client. This includes text messages, email and telephone calls.
  • Create a Fund Transfer Pledge with your clients.
  • If you receive communication regarding a closing, be sure to call the related party by dialing a number that is NOT part of the recent communication since it is likely that telephone number goes directly to the bad guys. Call another number you have on file.

Cyber Liability Policy Section Review: Part 3

The 3rd and final subsection in the policy is focused on 1st party Crime exposures: money or computer assets that you (the insured) have lost as a result of a breach or deception.

  • Under the Cyber Extortion sub section, the carrier pays funds (minus the deductible) to cover extortion payments or expenses from a cyber criminal’s demand. There are several examples of cyber extortion; many don’t make the news, but the recent WannaCry ransomware attack is a good example. The common thread of these attacks: the bad guys take control over some important computer system and make you pay $X before they give you back control.
  • Under the Electronic Transfer Fraud sub section, the carrier will pay for your loss of funds directed from a financial institution to transfer, pay, or deliver funds from Your Account. This is a situation where the bad guys figure out how to gain access to your financial accounts and steal your money by sending it to themselves.
  • Under the Deceptive Transfer Fraud sub section, the carrier will pay for your loss of Funds resulting directly from Your having transferred, paid or delivered any Funds from your account as the direct result of an intentional misleading request. This is commonly referred to as Social Engineering or Confidence Scams: the hacker has essentially exploited common confidence in a party (boss to an employee) in order to deceive you into transferring funds. The classic example is an employee who wire transfers money to a vendor per an email request from the CFO, but the request was a fraudulent email from the bad guys who have hacked into the email system.
  • Under the Telephone Toll Fraud sub section, the carrier will pay for a loss of funds resulting directly from charges you incur for voice telephone long-distance toll calls which were incurred due to fraudulent use or fraudulent manipulation of an Account Code or System password. This is a very specific coverage to deal with the situation where the bad guys have routed all your call traffic through a toll number they control, resulting in large fees being incurred. The insured would get an unusually large bill from the telephone provider because of the inflated toll traffic.

*Based on policy information provided by: Victor O. Schinnerer & Company, Inc.