Skip to main content

Crime Or Cyber? How To Tell The Difference

Hands typing on a laptop with a digital overlay of a shield and network connections, symbolizing cybersecurity.

January 23, 2021 | CSD Team

Depending on the incident, find out which coverage applies to you.

Cyber-related incidents and risks continue to cause problems for many government entities. Even entities without websites or electronically stored data face some type of cyber exposure, since banking transactions are completed electronically. These exposures can leave organizations more vulnerable than expected.

Best practices for managing your cyber risk include performing a network cybersecurity assessment, implementing procedures for a payment request protocol as well as post-incident recovery, and training employees on emerging cyber threats. However, in the event that these practices fall short, the CSD Pool has several types of coverage to protect you from a loss.

Cyber Coverage Details

Cyber coverage can include protection against both first-party and third-party losses.

Third-party losses are liability claims brought against a district for negligence in maintaining network security which caused a breach of private data or a ransomware attack. First-party losses are the expenses that arise out of a cyber incident and can include:

  • Ransom demands for the release of data encrypted via malware; coverage is usually excluded if ransomware payments are made to parties in restricted countries included on the Office of Foreign Assets Control (OFAC) sanctions list.
  • Costs of notification, credit monitoring, call center services, and public relation services arising from the electronic disclosure of confidential information including personally identifiable information (PII) from a network security breach.
  • Costs of a forensic investigation into cyber incident.
  • Costs to recreate or restore electronic data to pre-loss conditions after damaged or destroyed by a computer virus, malicious code, or denial of service attack.

Crime Coverage Details

Crime coverage protects against the loss of money and/or securities by a third-party, which can include an electronic loss. The two types of electronic loss included are:

  • Funds Transfer Fraud:  Protection against fraudulent electronic, telephonic, or written instructions to a financial institution directing them to transfer money without the district’s knowledge or consent.
  • Social Engineering Fraud: Protection against loss from an employee who transfers money to a cybercriminal’s account after being intentionally misled with a request that came from a genuine source such as a vendor, a client, or manager.

Public Officials Liability Coverage Details

Public officials liability coverage protects a district’s board of directors from allegations of a breach of fiduciary duty arising from the failure to oversee cybersecurity practices adequately.

Cyber Coverage Limits:

The CSD Pool’s Public Entity Liability Program includes a $200,000 cyber coverage sublimit, which includes first-party expenses and third-party liability. Members may qualify to increase this sublimit to $1,000,000 at no cost on completing a qualifying cybersecurity assessment. The higher sublimit can continue annually by providing a copy of the board’s agenda and minutes confirming review of the district’s network security and privacy practices by September 30 of each year. For more information, turn to page 24 for more information on cyber assessments.

A coverage extension is also included for public relations expenses up to a $25,000 limit. This will reimburse a district for pre-approved expenses incurred to retain the services of a public relations firm for the purpose of averting or mitigating damages to a district’s reputation caused by a data compromise or cyber extortion event.

Crime Coverage Limits

The CSD Pool’s crime coverage includes Social Engineering Fraud (formerly known as Fraudulent Impersonation) and Funds Transfer Fraud coverage. We offer coverage limits from $5,000 to $5,000,000 with the exception of Social Engineering Fraud, which is available up to $250,000. As a precedent to coverage in 2022 all districts must have a procedure in place regarding the verification of payment requests such as:

  • A policy to verify the request verbally with the requester of the payment
  • An authority matrix for dollar amounts of wire transfers/ACH payments that requires co-authorization by one or more employees and a senior staff member depending on the dollar value. For example:
  1. Up to $5,000 can be initiated and authorized by one employee
  2. $5,000 – $20,000 can be initiated by one employee and authorized by another
  3. Over $20,000 can be initiated by an employee, authorized by another and verified by senior staff
  • A procedure to verify the accuracy of a vendor or customer payment request with one of their representatives directly, independent of email, will be required in 2022 or coverage will not apply

Public Officials

The CSD Pool’s public officials liability, provided under public entity liability, covers allegations relating to the actions or inactions of a district’s board or management. We offer a base limit of $2,000,000 for each occurrence with the option to purchase higher excess limits up to a $10,000,000 maximum. This is a shared limit for all liability coverages provided under the form.

For More Information

These programs protect our members from risks associated with conducting business in today’s world.

If you would like more information regarding your excess liability limits, or if you want to determine if your fraud and embezzlement limits are high enough, reach out to us at pc@csdpool.org.

News

Industry and membership news tailored to Colorado special districts.