Cyber-Attacks: Insurance Coverage for Cyber Risks and Realities Roberta D. Anderson @RobertaEsq

roberta.anderson@klgates.com
© Copyright 2013 by K&L Gates LLP. All rights reserved.
June 25, 2014
Lloyd’s of London (Reuters) May 8, 2000
Agenda
 The Spectrum of Cyber Risk
 Practical Risk and Exposure
 Legal and Regulatory Framework
 What to do Before an Incident?
 What to do After an Incident?
 Potential Coverage Under “Legacy” Policies
 Limitations of “Legacy” Insurance Policies
 Technology Errors & Omissions Coverage
 Cutting Edge “Cyber” Products
 How to Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
 A Word About Vendor Contracts
 Audience Q&A
THE SPECTRUM OF CYBER RISK
The Spectrum of Cyber Risk
 Malicious attacks
  Advanced Persistent Threats
  Social engineering/employee sabotage
  Viruses, worms, Trojans
  DDoS attacks
 Data breach
 Software vulnerability (Heartbleed)
 Unauthorized access (spyware)
 Inadequate security and system glitches
 Employee mobility and disgruntled employees
 Lost or stolen mobile and other portable devices
 Vendors/outsourcing (the function but not the risk) and the “cloud”
 Human error
“[T]here are only two types of
companies: those that have been
hacked and those that will be.
And even they are converging into
one category: companies that
have been hacked and will be
hacked again.”
Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference San Francisco, CA (Mar. 1, 2012)
LEGAL AND REGULATORY FRAMEWORK
Legal and Regulatory Framework
 State Privacy Laws
  http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
 State Consumer Protection Laws
 Federal Laws
  Gramm-Leach-Bliley Act
  HIPAA/HITECH
  Federal Trade Commission Act, Section 5 (FTC v. Wyndham Worldwide Corp.)
  FCRA/FACTA/Red Flags Rule
 Foreign Laws
 PCI Data Security Standards (PCI DSS)
 Common law
Legal and Regulatory Framework
 SEC Guidance -- “[A]ppropriate disclosures may include”:
  “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
  “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
  “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
  “Risks related to cyber incidents that may remain undetected for an extended period”; and
  “Description of relevant insurance coverage.”
Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-whenany-public-company-might-be-the-next-target-02-11-2014
Legal and Regulatory Framework
 NIST Cybersecurity Framework -- provides a common taxonomy and mechanism
for organizations to:
 Describe their current cybersecurity posture;
 Describe their target state for cybersecurity;
 Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process;
 Assess progress toward the target state;
 Communicate among internal and external stakeholders about cybersecurity
risk.
 The Framework is voluntary (for now)
Legal and Regulatory Framework
 NIST Cybersecurity Framework
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
PRACTICAL RISK AND EXPOSURE
Practical Risk and Exposure
 Breach Notification Costs/Identity Monitoring
 Computer Forensics/PR Consulting
 Loss of Customers/Revenue
 Damaged Reputation/Brand
 Regulatory Actions/Fines/Penalties/Consumer Redress
 Lawsuits & Defense Costs
 Loss of “Crown Jewels”
 Business Interruption & Supply Chain Disruption
 Drop in Stock Price/Loss of Market Share
 Potential D&O Suits (Target)
Practical Risk and Exposure
 “[T]he average total cost of a data breach for the companies
participating in this research increased 15 percent to $3.5
million”
 “The average cost paid for each lost or stolen record containing
sensitive and confidential information increased more than 9
percent from $136 in 2013 to $145 in this year’s study.”
 “However, German and US organizations on average experienced
much higher costs at $195 and $201, respectively.”
 “These countries also experienced the highest total cost (US at
$5.85 million and Germany at $4.74 million)”
 “[W]e do not include data breaches of more than approximately
100,000 compromised records in our analysis.”
WHAT TO DO BEFORE AN INCIDENT?
What to do Before an Incident?
 Pro-active management of cyber risks at the C-Suite level
 Assessment of key risks impacting the business and identifying critical
information assets
 Get a graded cybersecurity assessment
 Regular internal training on information management and IT security
 Have an incident response plan in place before a cybersecurity incident
 Pay attention to vendor contracts
 Address and mitigate risk through insurance
WHAT TO DO AFTER AN INCIDENT?
What to do After an Incident?
 Look (hopefully) to the incident response plan
 Notification of a security breach must be given to all or some of:
  Potentially impacted individuals
  State AGs / Regulators
 “Breach coach” counsel should:
  Advise on who, when, and how to notify
  Engage pre-vetted forensics professionals and other crisis management responders (e.g., credit monitoring, public relations)
POTENTIAL COVERAGE UNDER “LEGACY” POLICIES
Potential Coverage Under “Legacy” Policies
 Directors’ and Officers’ (D&O)
 Errors and Omissions (E&O)/Professional Liability
 Employment Practices Liability (EPL)
 Fiduciary Liability
 Crime
  Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
 Property?
 Commercial General Liability (CGL)?
Potential Coverage Under “Legacy” Policies
 Coverage B provides coverage for damages because of “personal and advertising injury”
 “Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
 What is a “Person’s Right of Privacy”?
 What is a “Publication”?
LIMITATIONS OF “LEGACY” INSURANCE
POLICIES
Limitations of “Legacy” Insurance Policies
ISO states that “when this endorsement is
attached, it will result in a reduction of
coverage due to the deletion of an
exception with respect to damages
because of bodily injury arising out of loss
of, loss of use of, damage to, corruption of,
inability to access, or inability to manipulate
electronic data.”
Limitations of “Legacy” Insurance Policies
 Zurich American Insurance Co. v. Sony Corp. of America et al.
TECHNOLOGY ERRORS & OMISSIONS COVERAGE
Technology E&O Coverage
 Essential for a provider of e-commerce-related solutions
 Covers
  Errors & Omissions in the Provision of Technology Services
  Failure of Technology Products to Serve Their Purpose
 But there are limitations
  Triggered by a “Claim” That Alleges an Act or Omission
  May Exclude Security Breach or Unauthorized Access to Information
  May Not Include Breach Notification Costs, Which Are Viewed as More of a “First-Party” Loss
CUTTING EDGE “CYBER” PRODUCTS
Specialty “Cyber” Policies – Third Party
 Privacy And Network Security
 Provides coverage for liability (defense and indemnity) arising out of data
breaches, transmission of malicious code, denial of third-party access to the
insured’s network, and other network security threats
 Regulatory Liability
 Provides coverage for liability arising out of administrative or regulatory
proceedings, fines and penalties
 Media Liability
 Provides coverage for liability (defense and indemnity) for claims
alleging infringement of copyright and other intellectual property rights
and misappropriation of ideas or media content
Specialty “Cyber” Policies – First Party
 Information Asset Coverage
 Coverage for damage to or theft of the insured’s own systems and hardware,
and may cover the cost of restoring or recreating stolen or corrupted data.
 Network Interruption And Extra Expense (and CBI)
 Coverage for business interruption and extra expense caused by malicious
code, DDoS attacks, unauthorized access to, or theft of, information, and other
security threats to networks.
 Extortion
 Coverage for losses resulting from extortion (payments of an extortionist’s
demand to prevent network loss or implementation of a threat)
 Crisis Management
HOW TO ENHANCE “OFF-THE-SHELF” CYBER INSURANCE
FORMS THROUGH NEGOTIATION
Data Breach Example 1
Data Breach Example 2
Network Security Example 1
Network Security Example 2
Network Security Example 3
TIPS For A Successful Placement
Remember Dave?
■ Privacy And Network Security
■ Regulatory Liability
■ Media Liability
■ Information Asset Coverage
■ Network Interruption And Extra Expense (and CBI)
■ Extortion
■ Crisis Management
TIPS For A Successful Placement
■ Embrace a Team Approach
■ Understand the Risk Profile
■ Review Existing Coverages
■ Purchase Cyber Coverage as Needed
■ Remember the “Cyber” Misnomer
■ Spotlight the “Cloud”
■ Consider the Amount of Coverage
■ Pay Attention to the Retroactive Date and ERP
■ Look at Defense and Settlement Provisions
■ Engage Coverage Counsel
BEWARE THE FINE PRINT
“A well drafted policy will reduce
the likelihood that an insurer will
be able to avoid or limit
insurance coverage in the event
of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)
A WORD ABOUT VENDOR CONTRACTS
A Word About Vendor Contracts
■ Be specific
■ Who is responsible for securing stored data? Data in motion?
■ Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls http://www.sans.org/critical-security-controls
■ Who has access, and to which parts of the organization’s network?
■ What are the required cybersecurity standards?
■ Dovetail Vendor Contracts With Insurance Contracts
AUDIENCE Q&A
Linkedin: robertaandersonesq
Twitter: @RobertaEsq
Insurance Thought Leadership