Cyber – Privacy & Security Liability

cyber word cloud

June 30, 2021

Today, many businesses rely on third party platforms to help with card payments and accounts settlement, leaving them vulnerable to attack from malicious actors.

In this month’s Cyber Blog from MGAM, we look at how the MGAM Cyber Policy could provide support when you need it most.

What happened?

The Insured operates an on-line fashion website. 

Their card payment provider notified them that their website was a common point for recent fraudulent transactions. 

Where is this covered?

Privacy and Security Liability is an insured event under the Insuring Clauses of the MGAM Cyber policy.

Coverage intent

Where a claim is brought against you alleging a data breach, security breach or privacy breach the policy will pay for the costs incurred in defending such a claim including any resultant damages you are required to pay.

What was the outcome of the claim?

The Insured appointed a PCI Forensic Investigator and notified the matter to the Cyber Hotline. 

An Incident Manager was appointed on a without prejudice basis to assist the Insured. 

The Incident Manager arranged for the Insured to appoint IT, legal and PR support from the Insurers’ panel. 

IT specialists responded within a 2-hour SLA to perform an IT forensic analysis.  Meanwhile, solicitors advised on the Insured’s notification requirements.

IT investigators discovered a card-skimming script was on the Insured’s website.  This was introduced via a vulnerability in a third-party extension to the Magento platform, a popular e-commerce platform. 

Following evidence of potential data extraction, lawyers assisted the Insured with notifying the UK Information Commissioners Office.

The potentially affected data subjects (nearly 400,000) were from over 100 different countries, therefore, the law firm utilised their global network to determine notification requirements of the various jurisdictions and notified the necessary regulators/data subjects in compliance with local laws.

In the meantime, legal and PR specialists handled the small number of demands for compensation.  Credit monitoring and ID theft protection was offered to complainants; with two escalating to small monetary settlements.

The Insured received approximately GBP120,000 in indemnity for the costs incurred with the panel experts and additional defence costs.