Technology Media Communications Industry Session

Introductions for Networking
Discussion: Deciphering the E&O/Cyber Policy
Download slides and handouts at www.rims.org/RIMS14
Or use the RIMS 2014 App (Session # IND021)
Recording of this session via any media type is strictly prohibited.
Page 1
What to Expect Today
1. Networking & Optional Exchange of Contact Information
2. Trends & Implications
3. Group Challenge
4. Cyber Coverage Terms
5. Where is the E&O/Cyber Policy today
6. Proactive Measures to Manage Risk
7. RIMS 2015 – Topics for next Tech/Media/Comm Session
Takeaways:
- Glossary of E&O/Cyber coverage terms
- Sample Provision Wording
Introductions for Networking – Speakers
• Tim Burke – Marsh FINPRO
West Zone Practice Leader - Commercial Errors & Omissions
• Holly Daley – Willis San Francisco, Tech Media Telecom Practice
Former Risk Manager: Hitachi Data Systems, PG&E, Park Lane Hotels
• Lora Figgat – NetApp, Risk Manager, Sunnyvale
Former Risk Manager: Symantec Corporation
• Bert Wells – Partner, Covington & Burling LLP, New York
Policyholder-Side Attorney – Insurance Recovery –
Transactional Matters – Policy Enhancements
Introductions for Networking – Participants
Your Name / Company / Location
Macro Trends
• High profile data breaches
• Increasing centrality of privacy & IT security
• Regulatory scrutiny & evolving legal landscape
• Supply chain risk
The Compliance Scramble
Mismatch Implications
• Vendor scrutiny
• Contractual risk transfer
• Indemnification
• Insurance requirements
E&O/Cyber: Additional Insured Status
a. You as Customer perspective
• Why you require AI status from your customers/partners
• When your customer/partner will not meet your requirement
b. You as Vendor perspective
• Why your customer requires AI status of you as their vendor/partner
• As a vendor, should you provide AI status to customers/partners?
c. Additional insured endorsements
Where Is the E&O/Cyber Policy Today?
• Standardization - ISO, markets
• E&O blend vs. stand-alone
• Prior acts - average discovery lag 253 days
• Menu of coverage pieces available:
  - typically offered
  - by special request
Deciphering the E&O/Cyber Policy
• Network Security & Multimedia Liability
• Cyber Security Liability
• Computer Security Insurance
• Network & Information Liability
• Commerce or Internet Security Insurance
• Privacy & Network Security Liability
• Intellectual Property Insurance
• Internet Security Liability
• Privacy and Security Insurance
• Cyber & Crime Liability
• Data Insurance
Cyber Insurance Overview
Common Insuring Agreements
Insuring Agreement | ISO | Description

Third Party Liability
Network Security Liability | Security Breach Liability | Network security failure
Privacy Liability | Programming Errors and Omissions Liability | Failure to safeguard confidential information
Media Liability | Website Publishing Liability or Media Liability | Advertising & Personal Injury

First Party Privacy Expenses
Breach Response Costs | Security Breach Expense | First party expenses to manage data breach
Privacy Regulatory Actions | Not available | Defense costs, fines & penalties

First Party Network Interruption
Business Interruption | Not available | Loss of net income from network down time
Dependent Business Interruption | Not available | Vendor downtime
Data Restoration | Replacement or Restoration of Electronic Data | Costs to replace damaged information assets
Deciphering the E&O/Cyber Policy – Glossary
Glossary of cyber insurance terms
Role Play:
What will you do differently next time?
Let’s open dialogue within the group this morning.
[Chime] Your CEO just sent you an email …
To open: Please turn your chairs into groups of 8-10.
Role Play: What will you do differently next time?
Congratulations on your brand new job in the Risk Management Department of
ARROW STORES
Following a highly-publicized data breach resulting in a 40% sales decline – and
attributable to a vendor’s security lapse – your CEO asks your Risk Management
team to get the company back on track. Here is your new email:
Please join me for lunch today in my office at high noon. I would like to hear from your team:
• Hindsight – Two steps or protocols Arrow could have implemented to avoid this mess.
• Lessons Learned – Two steps or protocols you propose we start developing this afternoon.
PERRY N. ARROW
CEO
ARROW STORES, INC.
Risk Management – Best Practices
• Create tools to manage contract requirements
  - Provision templates
  - Playbook
  - Escalate to RM as advised (per SOW, regions, fallback/fallforward)
• Distribute to stakeholders
  - Post on RM site
  - Training and partnering: Legal, Procurement, Sales, Finance
• Develop response protocols
  - Incident reporting directions (coverage assessment)
  - Breach response plan: spokesperson, notification process, legal team identified
  - Breach tabletop exercise
Playbook – Prepared Responses to Your Customers’ Requirements & Requests (Hypothetical Example Below)
Request | Your Policy Coverage | Limit | Risk Tolerance
Carve out to limitation of liability for data security to allow for unlimited liability | Security & Privacy liability | $20M | Subject to approval, up to $20M
Sample Contract Provision for Cyber Insurance
Vendor shall procure and maintain the following insurance:
Errors and Omissions Liability Insurance to cover loss arising from errors and omissions in
the performance of all Services hereunder, including loss arising from destruction of
data, in an amount of at least [$_______] per occurrence.
Cyber-Risk, Network Security, or other coverage (regardless of name) to cover the first-party
losses and liability of Customer arising from breaches of security of data or computer
networks of Vendor or Customer due to Vendor’s acts, errors and omissions, including
such losses arising from [specific events or causes]; in an amount of at least [$_______]
per occurrence.
[Other types and amounts of coverage as may be required.]
Each such liability policy shall name Customer as an Additional Insured for such liability of
the Customer, and each such first-party policy shall name Customer as a Loss Payee.
Such insurance shall be worldwide; primary and non-contributing with respect to any
insurance or self-insurance of Customer, subject to the reasonable advance approval of
Customer and issued by insurers having ratings reasonably satisfactory to Customer.
Actionable Points & Issues
To share with your brokers, insurers, legal teams
• Review coverage wordings
• Bring key IT personnel to underwriting meetings
• Discuss the reality of the claims process
Wrap Up and Q&A
• Q&A
Our Next Session: RIMS 2015 in New Orleans
Brainstorm
Topic ideas for our next
Tech Media Communications Industry Session
Thank you