CYBER 3.0
Cutting-Edge Advancements in
Insurance Coverage for Cyber Risk and Reality
April 14, 2015
Annual RIMS/CPCU Joint Chapter Session
Sheraton Station Square
© Copyright 2015 by K&L Gates LLP. All rights reserved.
AGENDA
• Introduction
• Role and Perspective of the Risk Manager
– The Risk Manager’s Role in Addressing and Mitigating Risk
– Unique Challenges and Opportunities in Placing “Cyber” Insurance
• Setting the “Cyber” Stage
– Practical Risk and Exposure
– Latest Legal and Regulatory Developments
• Newest Cutting Edge “Cyber” Products
– Third-Party, First-Party, and DIC Coverages
– How to Avoid the Traps
– How to Enhance “Off-The-Shelf” Forms / Best-Practices “Checklist”
• Legacy Insurance Policies -- Potential Coverage And Limitations
INTRODUCTION
Roberta D. Anderson
Insurance Coverage /
Data Privacy & Cybersecurity
Partner
Timothy Flaherty
Manager
Insurance Risk Management
ROLE AND PERSPECTIVE OF THE RISK MANAGER
• The Risk Manager’s Role in Addressing and Mitigating Risk
• Unique Challenges
– Lack of Standardization (ISO Forms)
– Lack of Claims/Legal Precedent
– Capacity
• Opportunities
– Tailored Coverages
– Ability to Negotiate Enhancements
– Increasing Market Capacity
ROLE AND PERSPECTIVE OF THE RISK MANAGER
• In Placing Coverage:
– Determine the Need for Coverage
– Risk Assessment
– Review the Extent of Coverage under Existing Policies
– Engage a Knowledgeable Broker and Outside Counsel
– Execute Non-disclosure Agreements with Potential Insurers
– Conduct Open Discussions and Partner with Your Chief Information Officer to Complete an Extensive Application
– Conduct Face-to-Face Meetings with Potential Insurers
– Obtain Senior Management Concurrence or Authorization to Bind Coverage
• Retro Date Logistics
– Acquisitions
– Aligning “Cyber” Placement with Existing Programs
– Length of Time for Placement
SETTING THE “CYBER” STAGE
PRACTICAL RISK AND EXPOSURE
• Malicious attacks
– Advanced Persistent Threats
– Social Engineering
– Viruses, Trojans, DDoS attacks
• Data breach / Unauthorized Access
• Software Vulnerability (Heartbleed)
• System Glitches
• Employee Mobility
• Lost or Stolen Mobile and Other Portable Devices
• Vendors/Outsourcing (Function, Not the Liability)
• The Internet Of Things
• Human Error
PRACTICAL RISK AND EXPOSURE
Source: Ponemon Institute LLC, 2014 Cost of Data Breach Study: Global Analysis (May 2014)
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
LATEST LEGAL AND REGULATORY DEVELOPMENTS
• Federal Cybersecurity/Data Privacy Laws
– HIPAA/HITECH
– FCRA/FACTA
– GLBA
– FTC Act
– FCC Act
• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes
– 47 states, D.C., & U.S. territories breach notification laws
– State Security Standards (MA, CA, CT, RI, OR, MD, NV)
• NIST Cybersecurity Framework
• Industry Standards, e.g., PCI DSS
• SEC Cybersecurity Risk Factor Guidance
SEC CYBERSECURITY
• “[A]ppropriate disclosures may include”:
– “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
– “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
– “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
– “Risks related to cyber incidents that may remain undetected for an extended period”; and
– “Description of relevant insurance coverage.”
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,
http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
SEC CYBERSECURITY
“We note that your network-security insurance coverage is
subject to a $10 million deductible. Please tell us whether
this coverage has any other significant limitations. In
addition, please describe for us the ‘certain other coverage’
that may reduce your exposure to Data Breach losses”
Target Form 10-K (March 2014)
SEC CYBERSECURITY
“We note your disclosure that an unauthorized party was
able to gain access to your computer network ‘in a prior
fiscal year.’ So that an investor is better able to understand
the materiality of this cybersecurity incident, please revise
your disclosure to identify when the cyber incident occurred
and describe any material costs or consequences to you as
a result of the incident. Please also further describe your
cyber security insurance policy, including any material limits
on coverage.”
Alion Science and Technology Corp. S-1 filing (March 2014)
SEC CYBERSECURITY
“Given the significant cyber-attacks that are occurring with
disturbing frequency, and the mounting evidence that
companies of all shapes and sizes are increasingly under a
constant threat of potentially disastrous cyber-attacks,
ensuring the adequacy of a company’s cybersecurity
measures needs to be a critical part of a board of director’s
risk oversight responsibilities . . . .
Thus, boards that choose to ignore, or minimize, the
importance of cybersecurity oversight responsibility, do so
at their own peril.”
Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014
FTC CYBERSECURITY
STANDING TREND – SONY
STANDING TREND – MICHAELS
STANDING TREND – ADOBE
STANDING TREND – TARGET
NEWEST CUTTING EDGE “CYBER” PRODUCTS
REMEMBER THE SNOWFLAKE
THIRD-PARTY COVERAGE
• Privacy and Network Security
– Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
– Questions:
  – Coverage for the Acts, Errors, Omissions of Third Parties, e.g., Vendors?
  – Coverage for Data in the Care, Custody, Control of Third Parties, e.g., Cloud Providers?
  – Coverage for Proliferating and Expanding Privacy Laws/Regulations?
  – Coverage for Data in Any Form, e.g., Paper Records?
  – Coverage for Confidential Corporate Data, e.g., Third-Party Trade Secrets?
  – Coverage for “Rogue” Employees?
  – Coverage for Wrongful Collection of Data?
  – Coverage for TCPA Violations?
THIRD-PARTY COVERAGE
• Regulatory Liability
– Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations
– Questions:
  – Coverage for Fines and Penalties?
  – Coverage for Consumer Redress Funds?
  – Regulatory Exclusion Carve Backs?
  – Sufficient Sublimit?
• PCI-DSS Liability
– Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Fines and Penalties, for Alleged Non-compliance with PCI Data Security Standards
THIRD-PARTY COVERAGE
• Media Liability
– Generally Covers Third-Party Liability Arising From Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising From the Insured's Media Activities, e.g., Broadcasting and Advertising
– Questions:
  – Coverage for “Rogue” Employees?
  – Coverage for Media Content in Any Form, e.g., Printed Publications, or Limited to Digital Media Content?
  – Coverage Limited to Certain Locations of Media Content Display, e.g., on the Insured’s Website or Social Media Sites?
  – Coverage for Liability Arising Out Of the Insured’s Own Advertising Activities?
  – “Occurrence”-Based or Claims-Made Coverage?
  – Appropriate for Media Companies?
FIRST-PARTY COVERAGE
• Crisis Management
– Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations
– Questions:
  – Triggered by Failures of Security?
  – Coverage for Forensic Investigation and PCI Forensic Investigator?
  – Coverage for Public Relations, Crisis Management, “Breach Coach” Counsel?
  – Coverage for Notification? How about ID Theft Education, ID Theft Restoration Services, Call Center Services, Credit Monitoring, Reimbursement Insurance?
  – Insured’s Reasonable Selection of Counsel/Vendors?
  – Outside or Inside Limits?
  – Sufficient Sublimits?
FIRST-PARTY COVERAGE
• Network Interruption
– Generally Covers First-Party Business Income Loss Associated with the Interruption of the Insured’s Business Caused by the Failure of Computer Systems
– Questions:
  – Coverage for Third-Party Systems?
  – Coverage for Cloud Failure?
  – Coverage for Non-Malicious Acts, e.g., Unintentional, Unplanned Outage?
  – Exclusion for Power Failure, Blackout/Brownout, Etc.?
  – Coverage Beyond the Interruption, e.g., 120 Days?
  – Waiting Period, e.g., 12 Hours?
  – Hourly Sublimits?
  – Sufficient Sublimit(s), e.g., Contingent and Non-Malicious Acts Coverage?
  – What About Loss Caused By Physical Perils, e.g., Flood?
FIRST-PARTY COVERAGE
• Digital Asset
– Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and Repairing Damaged or Destroyed Programs, Software or Electronic Data
• Extortion
– Generally Covers Losses Resulting From Extortion, e.g., Payment of an Extortionist’s Demand to Prevent a Cybersecurity Incident
• Reputational Harm
– Generally Covers “Crisis Management” Type Costs in the Event of a Publication Likely to be Seen by an Insured’s Stakeholders, e.g., Customers, Investors, Vendors, or Regulators, and to Have an Adverse Impact on Public Perception of the Insured or its Brand. Can Also Cover Business Income Loss Caused By A Publication Likely to be Seen by an Insured’s Stakeholders, and to Have an Adverse Impact on Public Perception of the Insured or its Brand
DIC COVERAGE
• First-Party Property Damage and Business Interruption
• Third-Party Bodily Injury and Property Damage
[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:
A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or
B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission]
AVOID THE TRAPS
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 3
POLICY EXAMPLE
Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC
POLICY EXAMPLE
Request a “Retroactive Date” of At Least a Year
BEWARE THE FINE PRINT
REMEMBER THE DEVIL IS IN THE DETAILS
BEST-PRACTICES “CHECKLIST”
REMEMBERING THE SNOWFLAKE
BEST PRACTICES CHECKLIST
• Embrace a Team Approach
• Spotlight the “Cloud”
• Understand the Risk Profile
• Remember the Retro Date
• Review Existing Coverages
• Selection of Counsel and Vendors
• Purchase Appropriate Other Coverage as Needed
• Engage a Knowledgeable Broker and Outside Counsel
• Remember the “Cyber” Misnomer
• Carefully Review the Application
“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (April 14, 2015)
“LEGACY” INSURANCE POLICIES
POTENTIAL COVERAGE
• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime
– Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Property
• Commercial General Liability (CGL)
POTENTIAL COVERAGE
• Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”
– “Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
  – What is a “Person’s Right of Privacy”?
  – What is a “Publication”?
  – Does the Insured Have to “Do” Anything Affirmative And Intentional to Get Coverage?
• Coverage A Provides Coverage for Damages Because of “Property Damage”
– “Property Damage”: “Loss of use of tangible property that is not physically injured”
POTENTIAL LIMITATIONS
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
• Zurich American Insurance Co. v. Sony Corp. of America et al.
QUESTIONS
THANK YOU