Exclusion J. Damage to Property:  “Property Damage” to (4) Personal Property in the care, custody or control of the insured.

For example, your client drops off their laptop to you for repairs.  You take the laptop with you as you head to another client’s location.  While you are there, someone breaks into your car and steals numerous items, including your client’s laptop.  Your General Liability policy would not respond; however, if you purchase a Property policy or are able to add Property coverage to your existing General Liability policy, there is a coverage that can be included called “Personal Property of Others”.  You are able to choose the desired limit of coverage and it must be combined with coverage for your own business personal property or building.

Many business owners simply do not understand the importance of purchasing a Cyber Liability policy or how the policy works.  Quite often, they are also under the assumption that their current Business Owners policy provides coverage for such a risk.

Hartford has created a short video that will help address some of the common misconceptions regarding Cyber Risk.  You may view the video by clicking here.

The 2001 ISO version of the General Liability form includes a new exclusion that eliminates coverage for “injury arising out of the infringement of copyright, patent, trademark, trade secret, or other intellectual property rights.” However, the new exclusion excepts “ infringement in your ‘advertisement’ of copyright, trade dress, or slogan.” Therefore, coverage is now specifically excluded for all trademark and trade secret claims. In addition, coverage for the three remaining types of intellectual property claims (copyright, trade dress, or slogan) is dependent upon such offenses arising out of an ‘advertisement’.

As regards the definition of ‘advertisement’, only infringements that occur in the advertisement itself are covered. The new 2001 edition includes the following new restrictions on Internet activity:

 *  Advertisement with respect to a website means only “that part” of the website that is about “your products, goods or services for the purposes of attracting customers or supporters.”

 *  Coverage is eliminated for claims “rising out of an electronic chat room or bulletin board that the (insured) hosts, owns, or over which the (insured) exercises control.” It is likely that the use of blogs, Facebook, Twitter, and other social media fall under this exclusion.

 *  Coverage is also eliminated for “unauthorized use of another’s name or product in the (insured’s) e-mail address, domain name or meta-tag, or any other similar tactics to mislead another’s potential customers.” One area of concern that has not yet been clarified by the courts is use of trademarked terms in meta-tags.

To follow are some common situations where the above mentioned restrictions can eliminate coverage for non-media companies:

 *  Claims for copyright infringement arising out of text, photographs or other content that are not part of an online advertisement. The use generic photos on company on company websites in areas that are not actually part of a specific product advertisement is a common source of litigation. Providers of stock photos are using watermarking technology to search the internet for instances of the unauthorized use of their photographs and many law firms are specializing in providing representation in this area.

 *  Trade dress claims arising out the look and feel of a website, blog, social media, etc. that is not part of an online advertisement. These involve navigation (ex: buttons, bars), color schemes, hyper links, menus, etc.

 *  Online comparative advertising where your product is represented as being bigger, better, faster, etc. as compared to the competition. These representations may result in claims for false or misleading advertising and unfair competition under the Lanham Act or various state statutes. However, if these representations are directed at a specific competitor, they may be covered under advertising injury.

 *  Product packaging that too closely resembles a competitor may result in liability for trade dress infringement. These claims may be excluded because the courts may not consider the product packaging to be part of an advertisement.

If any of these instances of potential uncovered claims are a concern, a business should strongly consider adding Media Liability (offline) or Cyber Liability policies (online).

Source: Elizabeth C. Kock and Jay Ward Brown, Levine Sullivan Koch & Shultz, LLP; Risk & Insurance; December 2011.

The odds that a cybergang will stealthily turn your PC into a bot this summer and use it to carry out all manner of cyberattacks just notched notably higher.

Security analysts anticipate a surge in SpyEye attacks the rest of this year. “Every level of criminal, from the lowest to the highest rungs, can now use one of the deadliest Swiss Army knife hacking toolkits in the world,” say Sean Bodmer, senior threat intelligence analyst at network security firm Damballa.

Using SpyEye, a criminal can issue commands to networks of thousands of bots. SpyEye-run botnets have proved to be unstoppable. Criminals use them to deliver spam scams, conduct hacktivist attacks and booby-trap legit websites with infections that create more bots.

What’s more, SpyEye may be best known for enabling thieves to orchestrate the systematic siphoning of cash from the online banking accounts of consumers and small organizations. Transactions security firm Trusteer has documented SpyEye-orchestrated banking account heists in action. SpyEye:

•Waits for the account holder to log into his or her online banking account.

•Collects the user’s balance figure and determines whether the account is ripe for theft.

•Initiates money transfers invisibly.

•Transfers funds into a mule account that is set up and controlled by the thief to receive cash transfers.

•Erases any evidence of the fraudulent transfer.

•Adds the stolen amount back to the official account balance, as if nothing is amiss.

Skilled hackers quickly created simple programs to access full versions of SpyEye and began selling them for about $100, Damballa’s Bodmer says.

The emergence of this new, cheap spy software could be the tipping point that finally convinces most small businesses with websites of the need to purchase cyber liability insurance.

Source: Spy Eye hacker toolkit to lead surge in cyber attacks, USA Today, August 22, 2011,

Since the recession began two and a half years ago, crimes by employees and third parties, including the dollar amounts involved, have risen sharply. Fueled by the fear of unemployment, employees are increasingly fighting back against their employers. They’re more likely to take what they feel they deserve because of the work done for their company over the years. As well, many companies are taking a closer look at risk controls to cut unnecessary costs, uncovering theft issues that may have been undetected in the past.

The vast majority of people who commit these crimes are not professional criminals–they’re in a financial  bind…and they tend to rationalize their conduct as borrowing the money they took until they can pay it back.

Small businesses must take all necessary precautions to prevent employee theft and fraud by addressing the fraud risks or their policy limits to adjust for the related losses, as only one in four private companies buys crime insurance. Stand alone crime policies are better than crime coverage added to Business Owners Policies (BOPs). Separate out crime coverage’s and add things like computer fraud and funds transfer fraud.

One way to determine an appropriate crime limit is to assume 5% of the company’s revenues will be the cost of fraud, and include that amount in the limit. Another way is to use organizations like Advisen that can evaluate a client’s cash flow, number of employees and business locations, employee turnover rates, and the effectiveness to its internal risk controls in order to determine a limit.

Risk Controls to minimize employee fraud:

• use pre-numbered checks typed or written in permanent ink
• be aware of employees who object strongly to new policies concerning financial, inventory, or supply matters
• employees with duties that do not include check preparation or distribution should reconcile the bank checking account
• improve background checks of job applicants
• separate receiving, storekeeping, and shipping functions. Complete physical inventories annually and assign them to an individual who is not responsible for inventory records.
• be aware of employees who exhibit signs of compulsive gambling, persistent borrowing, or repeated requests for salary advances–Separate mail opening and posting functions
• record Checks and cash in appropriate registers and stamp checks for deposit only
• be aware of employees who suddenly want to work late

Source: Russ Banham, Independent Agent, Nov 2010

The spammers and cyberthieves haven’t given up and gone home. Instead they are moving with the times and stirring up trouble in other ways, targeting smartphones and social networkds, which offer vast amounts of personal information.

The popularity of “apps” is opening the door to a wide range of suspicious and malicious applications. Locative services such as Foursquare and Fowalla are also a potential problem. These services allow you to easily search, track, and plot the wherabouts of friends and strangers. But cybercriminals can use this information to craft targeted attacks, according to McAfee.

The main way to combat breaches, [Beeson] said, is by encrypting the information. But the McAfee report noted that because of our historically fragile cellular infrastructure and slow strides toward encryption, user and corporate data may face serious risks.

Source: Patricia Vowinkel, February 17, 2011

Once the computer is infected they not only become victims of fraud but also pay money for the so called “security software”.   Victims report that they loss even more money to eliminate the malicious software.

Some important ways to protect yourself is to always be cautious of offers that pop up while you are already online.  And be careful of what you download.  Many large and small businesses use filters or blocks to protect their data.   If you need security software, buy from a reputable vendor through their website.

Source: Matrix Consulting – Newsletter

Due to the changing nature of cyber risk, IT risk managers must upgrade risk management strategies to focus on new areas of concern. In the past, primary attention was given to protecting computer infrastructure from losses caused by lapses of physical security, internet servers, networks, and rogue insiders. Now, attention must be expanded to applications and software used by the organization.

Due to stepped up risk management controls in the areas of improved network security, cyber criminals have turned their attention to less protected vulnerabilities in applications and software. In addition, the purpose of the attacks have morphed from causing embarrassment and denial of service to profiting from the theft of confidential financial and client information.

Cyber Attacks focus on the following areas:

* disrupting infrastructure operations

* posting confidential enterprise information online

* theft of intellectual property

* identity theft

* theft of confidential information

* confiscating or compromising online bank accounts

* spreading viruses on other computers

* malicious insiders seeking revenge

* use of internet launched viruses, malware, trojans, phishing, botnets, other malicious code

A company’s risk analysis should include identification from among the following risks where primary attention should be given to those risks which present the largest loss potential by either their frequency or severity:

* identification of viruses on servers, workstations, and laptops.

* open ports on firewall

* which assets are currently being attacked

* which assets are most likely future targets

* Payment Card Industry (PCI) audit if credit cards are used

* HIPAA and HITECH audit for medical information if applicable

* various state confidentiality and data protection laws 

See entire article for suggested risk management controls to reduce these risks.

Source: Resources, Winter 2010, Paul W. Burkett, The National Alliance For Insurance Education And Research

Trojans are planted into networks of target companies, stealing passwords to various online services such as fund management and online banking.  This opens up ACH or Automatic Clearing House Network Fraud where hackers wire money from the victim’s accounts and into the accounts of money “mules” that launder the money for a profit.  Criminal masterminds positioned in other countries such as China and Russia receive the funds since they are out of the reach of US law enforcement.    

The small and midsized businesses are favored because hackers know they often lack the time and money to put stringent security controls in place.  Even though this may be true there are ways to protect your business and yourself.  Educate your employee’s about the risk and instruct them in basic security awareness.  Also, use network security procedures such as web and mail filtering solutions, network firewalls, and antivirus software.

Source: US Federal Bureau of Investigation

Here are some eye opening facts:

• According to a 2008 survey by Computer Security Institute, the average financial loss due to computer fraud was $289,000.  The average loss due to funds transfer fraud was $500,000.
• Pfishing scams, Trojan horses, key loggers and other techniques allow hackers to gain control of online banking transactions and to circumvent normal online authentication controls.
• Internal controls such as antivirus, firewalls, and employee training are critical, but not enough for 100% protection. 
• Specialized Financial Insurance coverages should be purchased to protect against this risk.

Electronic Funds Transfer Fraud Claim Examples:

• The bank of a victim company allegedly sent a letter explaining a new security program.  The company received the email that appeared to be from the bank and an employee opened the email.  Opening the email allowed a Trojan horse virus access, which read keystrokes from the company’s computer, thereby allowing the perpetrator to obtain banking and password information.  A fraudulent electronic wire transfer was initiated and the company lost $683,000.  
• Finance director of a company opened an attached zip file in an email that contained a virus.  The user ID and password to the company’s account with its bank was obtained through code inserted by the virus.  A fraudulent electronic wire transfer totaling $147,000 was initiated by criminals from the company’s bank account to an unknown bank account in Arizona.   The immediate withdrawal was unrecoverable. 
• Payroll supervisor logged on to the payroll account for the company and noted that three payments totaling $704,632 had been wired from the account. The transactions were reported to the bank as unauthorized and the account was shut down.  Unfortunately, $238,781 was not recovered. 

Computer Fraud Claim Examples:

• An employee of a customer of a company hacked into the company’s website and changed the bank routing and account numbers to her own.  When the company paid her employer for services rendered, she fraudulently received the funds in her account. 
• A former employee used his supervisor’s password to enter the insured’s unlocked building and gained access to use the supervisor’s computer.  Using his bank routing number, he activated transactions to receive fake reimbursements allegedly made to the company’s customers.

Source: Travelers Bond & Financial Products, Bulletin, 11-09