What Your Company Needs To Know About Cybersecurity

Co-hosted with:

Managing Attacks on Company Information, Technology, Data and Infrastructure

David Bateman, K&L Gates (klgates.com)

The Spectrum of Cyber Attacks

• Advanced Persistent Threats (“APT”)
• Data Breach and Malware
• Denial of Service attacks (“DDoS”)
• Domain name hijacking
• Corporate impersonation and Phishing
• Employee mobility and disgruntled employees
• Lost or stolen laptops and mobile devices
• Inadequate security and systems: first party and third-party vendors

Advanced Persistent Threats

• Targeted, persistent, evasive and advanced
• Nation state sponsored
  • P.L.A. Unit 61398 (“Comment Crew”)

• Gen. Keith B. Alexander, head of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.”

Source: New York Times, June 1, 2013.

• Penetration: Spear Phishing
  • 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack.*
• Duration:
  • average = 356 days**
• Discovery: External Alerts
  • 55 percent are not even aware of intrusions*

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”

• Target Profiles
  • Industry:
    • Information Technology
    • Aerospace
    • Telecom/Satellite
    • Energy
    • Engineering/Research/Defense
    • Chemical/Pharma
  • Activities:
    • Announcements of China deals
    • China presence

Litigation Risks and Case Developments

• Class Action exposure – new theories of economic harm
  • In re LinkedIn User Privacy Litigation (N.D. Cal. 2014) (promises of security overvalued cost of “premium” service)
  • Grigsby v. Valve Corp. (W.D. Wash. 2013) (promises of security overvalued services)
• Class Action exposure – securities litigation
  • In re Heartland Payment Systems, Inc. (D.N.J. 2009) (80% stock drop leads to derivative suit)
• Agency Enforcement
  • FTC v. Wyndham Hotels (D. Ariz. 2012) (2-year Russian hacking)
  • FTC v. RockYou, Inc. (N.D. Cal. 2012) (hackers access PII of 32 million users)
  • Mass. v. South Shore Hospital (AG enforcement; $750k settlement)
  • Indiana v. Wellpoint, Inc. (AG enforcement; $100k settlement)

What is Risk?

Risk = (Vulnerability + Threat) / Controls

Approximately 60,000 Known Vulnerabilities

“It is never the risk that causes damage or creates opportunities; it is how we respond…before, during, and after.”

Scott Angelo, 2014 Senior Administrators Meeting

Cybersecurity. The numbers.

• 2,164 incidents in 2013
• 822M records exposed
• 67% discovered externally; 9% from customers
• 66% go unnoticed for over a month
• 229 days is the median
• 92% of breaches are external
• 40% of breaches utilized malware
• 29% of breaches used social means

Cybersecurity. The Risk

• 85% increase in our logging capabilities; 120m per day
• 1.2m pieces of mail per day; only 200k are valid!
• Reduced system vulnerabilities: 66%
• 72% more malicious websites blocked; 4m per month
• Threats blocked monthly: 5M

Cybersecurity: How to survive a breach

• Detection, Isolation, and Containment
• Define which assets face the highest risk for an attack
• Identify threats before attacks occur, and respond
• Mine intelligence from internal and external sources
  • SIEM (Security Information and Event Management)
  • Security researchers and experts
  • Law enforcement
  • ISAC (Information Sharing and Analysis Centers)
• Focused Cyber Security Education and Awareness
• In-house Cyber Security Professionals

INSURANCE COVERAGE

AGENDA

• Why Consider Insurance Coverage?
• Legacy Insurance Policies (And Their Limitations)
• Technology E&O Coverage
• Cutting Edge “Cyber” Coverage
• How To Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
• TIPS For A Successful Placement
• Audience Q&A

WHY CONSIDER INSURANCE COVERAGE?

“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)

WHY CONSIDER INSURANCE COVERAGE?

• Breach Notification Costs/Identity Monitoring
• Computer Forensics/PR Consulting
• Loss of Customers/Revenue
• Damaged Reputation/Brand
• Regulatory Actions/Fines/Penalties/Consumer Redress
• Lawsuits & Defense Costs
• Loss of “Crown Jewels”
• Business interruption and supply chain disruption
• Drop in stock price/loss of market share
• Potential D&O Suits (Target)

• SEC Guidance -- “[A]ppropriate disclosures may include”:
  • “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
  • “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
  • “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
  • “Risks related to cyber incidents that may remain undetected for an extended period”; and
  • “Description of relevant insurance coverage.”

LEGACY INSURANCE POLICIES (AND THEIR LIMITATIONS)

• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime/Employee Theft
  • Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• CGL?


ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”


TECHNOLOGY E&O COVERAGE

• Essential for a provider of e-commerce-related solutions
• Covers:
  • Errors & Omissions in the Provision of Technology Services
  • Failure of Technology Products to Serve Their Purpose
• But There Are Limitations
  • Triggered By a “Claim” That Alleges An Act or Omission
  • May Exclude Security Breach or Unauthorized Access to Information
  • May Not Include Breach Notification Costs, Which Are Viewed As More of a “First-Party” Loss

CUTTING EDGE “CYBER” COVERAGE

• Privacy And Network Security
  • Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
• Regulatory Liability
  • Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties
• Media Liability
  • Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content
• Information Asset Coverage
  • Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
• Network Interruption And Extra Expense (and CBI)
  • Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
• Extortion
  • Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)
• Crisis Management

DATA BREACH COVERAGE EXAMPLE 1

DATA BREACH COVERAGE EXAMPLE 2

DATA BREACH COVERAGE EXAMPLE 3

TIPS FOR A SUCCESSFUL PLACEMENT

• Embrace a Team Approach
• Understand the Risk Profile
• Review Existing Coverages
• Purchase Cyber Coverage as Needed
• Remember the “Cyber” Misnomer
• Spotlight the “Cloud”
• Consider the Amount of Coverage
• Pay attention to the Retroactive Date and ERP
• Look at Defense and Settlement Provisions

BEWARE. THE. FINE. PRINT.