Cyber Insurance

Cyber Insurance: The Future is Now
Texas Lawyer In-House Counsel Summit
May 8, 2015
©2015, Amy Stewart PC
Cyber Risks in 2015
• Two years ago – “not if, but when”
• Today – those who know they’ve been hacked and those who haven’t yet discovered the breach
• Risks evolving rapidly
• As corporate America tries to get ahead of cyber exposures, insurance industry scurrying to provide solutions
• Assessing constantly-changing risks
• Underwriting challenges
Cyber Risks in 2015
• Cyber security breaches rose 48% between 2013 and 2014, with 42.8 million incidents reported
• Financial losses attributed to these incidents also increased 34% in 2014
• Institutions hit in 2014—
  • Adobe = 152 million records
  • eBay = 145 million records
  • JP Morgan Chase = 76 million records
  • Target = 70 million records
  • Home Depot = 56 million records
Cyber Risks in 2015
• Many businesses unaware of the magnitude of their cyber risk exposure
• Others are working hard to get their arms around the risk
• Less than 25% of Fortune 500 companies have adequate cyber coverage in place
• More than 50 insurers provide some sort of cyber insurance, some very limited
• Traditional policies = very limited (if any) coverage, especially today
Cyber Risks in 2015
• Most businesses unaware of the magnitude of their cyber risk exposure
• Less than 25% of Fortune 500 companies have adequate cyber coverage in place
• More than 50 insurers provide some sort of cyber insurance, some very limited
• Traditional policies = very limited (if any) coverage
Limitations of Conventional Coverage
• Commercial General Liability (CGL)
  • Coverage A – “Bodily Injury or Property Damage”
    • ISSUE: Electronic data is NOT tangible property
  • Coverage B – “Advertising and Personal Injury”
    • ISSUE: Too narrow to protect insured as it covers specific types of injury—not including misuse or disclosure of private information
Limitations of Conventional Coverage
• Case Study – Sony
  • 2011 Playstation II Breach
    • Breach = publication under CGL, Coverage B
    • Trial court said coverage only if publication was by Sony; liability arising from hacker actions not covered
    • While appeal pending, Sony and Zurich settled (April 30, 2015)
Limitations of Conventional Coverage
• Case Study – Sony
  • 2014 Email Incident
    • Sony Pictures CEO: company was covered by cyber policy
    • Insurers paid most of loss, estimated at $100 million
    • Uninsured cost to Sony = $15 million
Limitations of Conventional Coverage
• Professional Liability | Errors & Omissions (E&O)
  • May provide coverage depending on nature of the “professional services”
  • ISSUE: non-technology insureds are unlikely to have coverage for common cyber exposures
• Business Interruption Insurance
  • ISSUE: does not cover business interruption loss caused by damage to non-tangible property, i.e., data
Cyber & Privacy Insurance
• Broadly speaking, cyber insurance covers risks and liability associated with e-business, the Internet, computer networks and technology, privacy issues, computer virus transmission and other means by which compromised data is passed to a third party
• Policies vary widely; not standardized (although ISO has begun promulgating forms)
Cyber Policies – Basic Concepts
• First-Party Coverage
  • Covers the insured’s own loss and expenses
  • Cyber theft
  • Failure of insured’s systems
  • Network interruption coverage
  • Privacy event management, breach notification costs, call center expenses
  • Cyber extortion – pays “ransom” costs
  • Forensic investigation costs
  • Cost associated with restoration of data (often subject to a large retention)
Cyber Policies – Basic Concepts
• Third-Party Coverage
  • Covers the insured’s exposure to others
  • Defense costs for litigation initiated against insured
  • Indemnity for cyber-related claims
  • Damages to third-party claimants
  • Fines + penalties
  • Breach notification costs
  • Crisis management
  • Call centers
  • Credit / identity monitoring
Cyber Policies – Basic Concepts
• Insuring agreement – sample #1

The Company shall pay Loss on behalf of an Insured on account of any Claim first made against such Insured during the Policy Period, or, if exercised, during the Extended Reporting Period, for Injury.
Cyber Policies – Basic Concepts
• Insuring agreement – sample #2

The Insurer shall pay on an Insured’s behalf all Loss in excess of the applicable Retention that such Insured is legally obligated to pay resulting from a Claim alleging a Security Failure or a Privacy Event.
Cyber Policies – Basic Concepts
• Definition of Claim—
  • a written demand for money, services, nonmonetary relief or injunctive relief;
  • a Suit; or
  • a Regulatory Action

Regulatory Action = request for information, civil investigative demand or civil proceeding brought by or on behalf of a governmental agency, including requests for information.
Cyber Policies – Basic Concepts
• Claims-made coverage v. occurrence-based coverage
  • Claims-made = coverage triggered when a claim is made against an insured (common for third-party coverages)
  • Occurrence-based = coverage triggered by an injury
  • Some policies providing multiple coverages may combine the two types—can be confusing
• Important for determining which policy is triggered
Specific Cyber Coverages
• Breach Notification Expenses
  • Necessary due to emerging regulations on notifying those affected by a security breach
  • May be provided with no deductible
• E-Theft
  • Protects insured from fraudulent transfers of funds or property as result of theft-related cyber crimes
  • Loss, damage or destruction of media (non-tangible property) may also be included in cyber theft coverage
Specific Cyber Coverages
• Crisis Management & Reward Expenses
  • Likely need coverage for a team to manage publicity surrounding a privacy or security breach. This team might include:
    • Breach Coach
    • Legal Counsel
    • Information security forensic investigator
    • Public Relations Consultant
    • Advertising or Media Relations
  • Also covers reward expenses incurred due to the investigation of a cyber-security event
Specific Cyber Coverages
• Denial or Impairment of E-Service
  • Fills gap in business interruption policy by covering losses caused by damage to non-tangible property
  • Specifically, will cover loss incurred as the result of impairment or denial of insured’s business activities caused by a
    • Hacker,
    • Rogue employee, or
    • Cyber terrorist
Specific Cyber Coverages
• E-Communication
  • Covers a loss caused by:
    • transfer of funds or property,
    • debiting of an account or
    • establishment of credit
    pursuant to the direction of a fraudulent e-communication that purports to have been initiated by the insured
  • Might protect from risk of loss to third parties for which the insured may be liable
Specific Cyber Coverages
• E-Vandalism
  • Loss to data and intangible property caused by cyber terrorists or hackers
• E-Threat
  • “Kidnap and Ransom” coverage
  • Cyber extortion
• E-Signature
  • Loss resulting from insured’s acceptance of and reliance upon a fraudulent e-signature
Common Exclusions
Basic exclusions—
• Claims arising from violations of ERISA
• Criminal, fraudulent or dishonest acts by an insured
• Breach of contract
• Claims brought by insureds
• Patent infringement
• Bodily injury
Common Exclusions
Exclusions designed to push risks back to the insured—
• Data lost from unencrypted devices
• Inadequate security about which the insured knows (potential D&O issue)
• Failure to take steps to design, maintain and upgrade security systems (D&O)
• Failures of security software (D&O)
Negotiating Points
• Make sure entities are covered, not just insured persons
• Pay attention to policy provisions that limit covered locations
• Make sure any war exclusions have a cyberterrorism carve-back
• Consider sublimits in view of risk transfer objectives
• Request pre-approval of vendors, if desired
Questions?
Contact Information
Amy Elizabeth Stewart
amy@amystewartlaw.com
AMY STEWART LAW
Mockingbird Station
5307 E. Mockingbird Lane, Suite 425
Dallas, Texas 75206
214 233 7076 main