Uploaded by Bonny Qiao

Cyber Insurance White Paper

advertisement
Cyber Insurance White Paper
The outbreak of Covid-19 has brought numerous challenges to cybersecurity protection
across the nation. Organizations are more susceptible to cyberattacks under this global
pandemic because employees working remotely from home are more likely to use a less
secure network and hardware, making it easier for hackers to infiltrate the network. In
addition, employees working from home might not apply the same security standard on their
networks and devices as they should in a corporate environment, which presents
opportunities for cybercriminals.
Local governments are a hot target for cyberattacks. Local governments offer a wealth of
information about citizen activities, which often time include sensitive personal information
such as property tax information, social security number and voter records. These
information, once compromised, might cause severe consequences. Therefore, city
governments should implement robust information security practices to safeguard its
information assets.
In order to improve cybersecurity, local governments should consider establishing a
comprehensive cybersecurity program to manage cyber risks. There are numerous tools and
frameworks that can assist in improving cybersecurity. One way is to purchase cyber
insurance policy to transfer risks of cyber incidents. However, because the cyber insurance
market in the U.S. is still growing, little resources and assistance are provided to
organizations that seek to transfer risks through the purchase of insurance.
This paper is intended to provide resources and advice to the City of Bloomington in the
consideration of purchasing cyber insurance. This document provides an overview of the
cyber insurance market, and sets out principles and best practices to help evaluate any
cyber insurance options.
When evaluating cyber insurance policies, the following considerations are recommended:
•
•
•
•
•
Understand the city government’s cybersecurity risks
Understand the complexities of cyber insurance policies
Balance the cost of premiums and of implementing controls
Understand the claims process
Understand that cyber insurance is not a replacement for information security
practices
Cyber Insurance Market
Cyber insurance market is growing. Current cyber insurance market is estimated at about
US$2 billion in premiums worldwide, with the US market accounting for approximately 90%
of that total. Cyber insurance premiums globally are expected to reach US$20 billion by
2025.1
Despite the market growth, cyber insurance adoption among organizations remains at a low
level: according to a survey by Marsh, 43% of the companies with more than US$1 billion in
1
KPMG, Lead in Cyber Insurance, available at https://home.kpmg/xx/en/home/insights/2018/10/lead-incyber-insurance-fs.html
1
revenue do not have a stand-alone cyber insurance policy, with the uninsured total soaring
to 64% for midsized and smaller firms.2 The reasons summarized by Deloitte include:3
•
•
•
Lack of awareness as to the costs associated with cyber incidents and believe that it
is already insured under general liability policy.
Underwriting complexity associated with the cyber insurance policies.
Lack of proper understanding of the organization’s cyber risks and vulnerabilities.
Overall, the cyber insurance market remains immature, with room for future improvement.
Common Coverage Provided by Cyber Insurance
Cyber insurance policies typically provide coverage for business interruption, data
restoration, cyber extortion, and relevant legal support. Like most insurance products, cyber
insurance generally distinguishes between first party and third party coverage.
First party coverage relates to losses directly suffered by the insured, and typically includes: 4
•
•
•
•
•
Crisis management and identity theft response, which include expenses for
o Hiring attorneys to advise on notification and other legal requirements
o public relations firms
o crisis management firms
o computer forensic firms
o credit monitoring services
Cyber extortion and fraud, which includes expenses for
o Paying ransom; hiring experts to negotiate with the extortionist
o Investigating threats
o Compensating damage of a computer system
Data restoration, including
o Costs and expenses for back-ups
o Costs and expenses for data recreation
Business Interruption
o Reimbursement for loss of income resulting from the breach
Administrative safeguard support, which includes
o Training employees
o Establishing information portals
o Creating security and incident response templates
Third party coverage relates to losses incurred by third parties in response to a cyber
incident, which generally includes:5
•
•
Regulatory defense costs, fines, and punitive damages, including
o Failure to protect personally identifiable information
o Violations of privacy regulations
Litigation defense costs and damages, including
o Claims and settlement expenses relating to law suits
2
Marsh, 2019 global cyber risk perception survey report, 2019, available at
https://www2.deloitte.com/us/en/insights/industry/financial-services/cyber-insurance-marketgrowth.html#endnote-sup-9
3 Deloitte, Cyber Insurance-A Key Element of the Corporate Risk Management Strategy, available at
https://www2.deloitte.com/content/dam/Deloitte/cy/Documents/risk/CY_Risk_CyberInsurance_Noexp.PDF
4 FSSCC, Purchasers’ Guide to Cyber Insurance Products (2016).
5 Id.
2
o
Costs for litigation and responding to regulatory inquiries
However, variations exist over different insurance policies, and some may impose sub-limits
within coverages to restrict payouts. Below is research done by Deloitte on insurance
coverage and sub-limits.6
Size of company
(Based on
Revenue)
Small companies
(Less than $100
million)
Coverage
$1 - 5 million
Middle sized
companies
($100 million -$1
billion)
$5 -20 million
Large companies
(More than $1
billion)
$15 - 25+ million
Yearly Premium
$7,000 - $15,000
$10,000 - $30,000
$20,000 - $50,000
(Cost for
Per million in
per million in
per million in
Coverage)
coverage
coverage
coverage
Typical Coverage Sub-limits (Restrictions on Payout)
Notification cost
$100,000 - $500,000 $500,000 - $2
$1.5 - $2.5 million
limit
million limit
limit
Crisis management $250,000 - $1.25
$1.25 - $5 million
$3.74 - $6.25 million
cost
million limit
limit
limit
Legal and
$500,000 - $2.5
$ 2.5 million - $10
$7.5 - $12.5+ million
regulatory defense million limit
million limit
limit
expense
Best practice: Because the scope of coverage of cyber insurance varies widely, and may
contain multiple sub-limits, local governments must pay close attention to all policy terms to
ensure full understanding of the scope of coverage and that it is adequate considering the
government’s needs and risk profiles.
Exclusions to Coverage
Cyber insurance policies typically exclude incidents not directly related to the cyber realm,
but instead involving criminal, fraudulent, or matters related to physical harm or certain
aspects of liability suits.7
These exclusions typically include:
•
•
•
•
Criminal activities
Cyber terrorism/ act of god
Physical harm
Claims arising out of various violation categories, such as
o Employment practices
o Pollution
o Antitrust violations
o Employment Retirement Income Security Act (ERISA) violations
o Telephone Consumer Protection Act violations
In addition, policies may exclude coverage for
• Losses to systems out of the policy holder’s control
6
Deloitte, Cyber Insurance-A Key Element of the Corporate Risk Management Strategy, available at
https://www2.deloitte.com/content/dam/Deloitte/cy/Documents/risk/CY_Risk_CyberInsurance_Noexp.PDF
7 FTC, Content Analysis of Cyber Insurance Policies: How do Carriers Write Policies and Price Cyber Risk?
3
•
•
•
•
Directors’ and officers’ intentional acts, regardless of whether they acted outside the
scope of their employment and intended to harm the company
Unlawfully collecting personally identifiable non-public information
Negligent information security practices, such as failing to install software patches for
known software vulnerabilities
Incidents involving payment card data
Best practice: In deciding whether or not to purchase cyber insurance, local government
should review the exclusion provisions carefully. Common cyber risks such as social
engineering and phishing are typically not covered by cyber insurance, but instead covered
under criminal/fidelity insurance. Local government should compare coverage with preexisting insurance policies to evaluate available coverage options.
Exclusions under cyber terrorism and act of god should be limited to those recognized by the
US government or the United Nation. In the age of a global pandemic, it Is crucial to clarify
cyber insurance exclusions, and see if certain elements of loss would be better covered
under property or criminal policies. Local government should fully assess their operations
(including contractual obligations) to determine their cyber risks and coverage needs.
Comparison Between Traditional Insurance and Cyber Insurance
Traditional insurance policies may provide coverage for some specific areas related to cyber
risks, but they are not designed to fully cover all the potential costs and losses. Below is a
comparison between traditional insurance and cyber insurance.8
Types of
insurance
Network
security
Privacy
breach
Media
liability
Professional
services
Virus
transmission
Damage to
data
Breach
notification
Regulatory
investigation
Extortion
Virus/hacker
attack
Denial of
service
attack
General
liability
+
Property
E&O/D&O
Crime
Cyber
+
+
+

+
+
+
+


+
+
+
+
+

+
+
+
+

+
+
+
+

+
+
+

+
+
+

+
+
+
+
+
+
+


+
+
+
+

8
Deloitte, Cyber Insurance-A Key Element of the Corporate Risk Management Strategy, available at
https://www2.deloitte.com/content/dam/Deloitte/cy/Documents/risk/CY_Risk_CyberInsurance_Noexp.PDF
4
Business
interruption
loss
+
+

+ possible  coverage
Best practice: In selecting cyber insurance policies, local government should compare the
cyber policies with preexisting insurance coverage, and identify gaps and overlaps in
coverage under existing policies to assess coverage needs.
Conditions that trigger coverage
Unlike traditional commercial insurance policies, which are available on either a claimsmade or occurrence-based coverage structure, cyber insurance is currently only available on
a claims-made basis. Under a claims-made policy, the trigger for coverage is a claim made
against the policyholder during the policy period.
Because many cyber intrusions go undetected for months or even years, local government
should consider that they may already have an undetected data breach when they are
applying for coverage and attempt to secure coverage that might apply to any undetected
events. In some cases, insurers may be willing to provide retroactive coverage for up to two
years before writing the policy. However, whether or not an insurers will offer retroactive
coverage is highly dependent on the insurer and the potential insured’s unique risk profile.
The Underwriting Process
Before determining coverage, the insurer will engage in an underwriting process. During the
process, underwriters will ask for information related to the cyber security maturity of an
organization. Underwriters will determine the amount of coverage available and the terms
and cost of the coverage. Below are some of the general categories of information that
insurers typically ask for before offering coverage9:
9
•
Dedicated information security resources. Whether the organization has a Chief
Information Officer (CIO) or a Chief Information Security Officer (CISO) and whether that
individual has other responsibilities outside of information security.
•
Information security policies and procedures. Underwriters would want to know an
organization’s cyber security maturity and whether organization follows national cyber
standards, such as the NIST cybersecurity framework.
•
Employee education. Underwriters would ask an organization to provide security awareness
programs for employees and may specifically ask whether the organization conducts regular
penetration tests on employees.
•
Incident response planning. The underwriters will want to know whether the business has a
formal incident response plan in place.
•
Security measures. Underwriters are typically interested in data management, data
classification, log monitoring, penetration testing, patch management, and business
interruption planning. They will also want to know whether the business has an encryption
strategy and the technologies used to encrypt or otherwise protect sensitive data.
FSSCC, Purchasers’ Guide to Cyber Insurance Products (2016).
5
•
Vendor management. Many recent data breaches have occurred through third-party
relationships, underwriters are concerned with third-party vender management. It will be
important to describe whether the business has a formal third-party management process,
due diligence, and ongoing oversight performed on third parties, and the contractual
obligations required of third parties.
•
Board oversight. Underwriters will also likely ask how frequently cybersecurity risks are
reported to the board and whether there is board-level approval or oversight of the
information security program.
Best practice: Prior to placing coverage, the insurer will engage in an underwriting process
which often time involve handling out a checklist to organizations to understand the maturity
of its information security practice. The insurer will then determine coverage and premiums
based on the answers to the checklist. Therefore, organizations can do a lot to shore up
their information security policies and practices to increase the availability of coverage and
reduce the cost of coverage.
General Recommendations for Selecting Cyber Insurance
1. Assess Cyber Risk
Selecting effective cyber coverage requires local government to consider the nature of cyber
risks it faces. A good starting point is to understand the most significant risks facing the local
government. For some, the primary concern may be the costs resulting from the theft of
personal identifiable information (e.g., notification costs, credit monitoring, etc.). For others,
the main concern could be ransomware attacks.
Identifying and assessing cybersecurity risks requires amassing information from multiple
stakeholders, including:
•
•
•
•
•
Information technology (IT) and information security
The privacy or compliance office
Human resources (HR)
Business operations
Legal and risk
This cross-disciplinary approach is necessary to assess the following issues, which are
critical in determining local government’s cyber risk profile:
•
•
•
•
•
•
•
The nature of the data the government maintains
Legal obligations in the event of a data breach
The cost to recreate data
The security program’s strength and data control
The cost to recreate data
The security program’s strength and data control
Previous breaches or other security events
Understanding what risks are most important to the local government is essential to the
process of securing the best coverage possible.
2. Assess Coverage Needs
6
As noted above, local government may find coverage for a data breach or cyber claim in
many different types of insurance policies. Knowing what the government’s preexisting
insurance policies will and will not cover may significantly reduce the expense of a cyber
liability insurance policy. For example, if the government already has third party coverage
through an E&O policy, it may be possible to reduce the premium for a cyber liability policy
by removing duplicate coverage or by purchasing lower premiums.
In addition to the coverage terms, local government should consider:
•
•
•
•
•
•
Appropriate retroactive coverage for prior unknown breaches
Appropriate retentions
Appropriate limits and sub-limits
The cost of premiums
The control the insurer retains over decision-making in responding to an incident
Whether the insurer requires the insured to use panel counsel or venders if an
incident occurs, and if so, the panels’ strengths and depth
Given the uncertainty of coverage for data breach incidents under legacy policies, local
government should involve counsel with experience and knowledge about data breach
coverage. Counsel can, for example:
•
•
•
•
•
•
Assist local government in evaluating the risks that it faces from data breaches.
Identify the insurers who offer the product best suited to an local government’s
needs.
Evaluate the scope of coverage offered under insurance policies.
Help negotiate favorable terms and price.
Assist with the insurance application process to avoid potential misstatements and
omissions.
Help local government identify and remove policy language that will likely lead to
litigation and coverage denials.
In selecting a policy, some insurers may assign a dedicated breach coach/ breach response
manager to the claim to help the insured navigate through a breach response. Local
government must assess whether this type of service is desirable when selecting coverage.
Some carriers offer risk management services as part of their coverage. These services may
include, for example:
•
•
•
Security assessments or audits
Incident response plan assessments
Penetration testing
While these services may be attractive, local government should consider whether they
actually add value or if others are already providing the services.
3. Negotiate the Coverage Grants
Local government should negotiate for the broadest possible coverage for data breaches to
decrease the likelihood of coverage denial and litigation.
•
Consider coverage for acts by third parties. Many companies outsource data
processing or storage to third-party vendors. Organizations should attempt to insure
for claims arising from a third-party data breach.
7
•
Purchase broad coverage for regulatory investigations. Organizations should
ensure that a cyber policy covers all potential regulatory investigations following a
breach rather than a narrow list of agencies.
•
Obtain coverage for unencrypted devices. Some cyber policies attempt to exclude
coverage for unencrypted devices, which often affects companies that allow
employees to use their own devices. Organizations should consider including policy
language that provides coverage for any electronic data losses regardless of
encryption.
•
Consider coverage for data restoration costs. Many cyber insurance policies do
not provide coverage for data restoration after a data breach. Organizations should
ensure that their policies provide coverage for the costs of replacing, upgrading, and
maintaining a breached computer system.
Data breach coverage litigations show that disputes about coverage frequently focus on a
few words within the policy. Local government should therefore ensure the policy language
adequately protects it before purchasing insurance by:
•
•
•
•
•
Analyzing all potential data breach scenarios against the policy’s language.
Identifying and correcting all ambiguous language and illusory provisions in the
policy.
Reviewing all definitions in the policy to ensure they are broad enough to cover data
breach claims.
Reviewing all exclusions to ensure that they do not prevent data breach coverage.
Ensuring that the organization understands and can comply with the policy’s terms
and conditions.
Conclusion
Covid-19 pandemic has presented numerous challenges to local government’s information
security practice. As remote working gradually becomes the new normal, cyber attacks will
likely become more prevalent. Having a comprehensive information security practice is
crucial to combat cyber crimes in the age of global pandemic.
Cyber insurance is a new form to safeguard the information assets of the local government.
But cyber insurance cannot completely transfer the cyber risks to insurance carriers, there
are exclusions and sub-limits that may restrict cyber insurance coverage. Local government
considering cyber insurance must take time to review and assess their cybersecurity
practice and pre-existing insurance policies to evaluate the needs for cyber insurance
coverage.
8
Appendix
Case study: City of Kirkland and City of Baltimore
1. City of Kirkland, Washington
The City of Kirkland is located in the State of Washington and is the thirteenth largest in the
State of Washington. The city has a population of approximately 89,557.10
The City of Kirkland has approximately 650 full time employees, 650 PCs and 107 servers.
City employees are located at 4 primary locations, all connected by fiber. The City’s network
consists of 11 other locations, a city-wide Intelligent Traffic System, and public wireless
access in the city’s downtown core and 4 city parks all connected with fiber. The city also
uses Cisco routers, switches, firewalls and wireless access points, Dell servers running the
Microsoft Windows server operating system, McAfee’s IPS/IDS, web and email gateway
products, and Cisco’s VoIP phone system.11
The City of Kirkland’s cyber insurance includes12:
•
•
•
•
Security and privacy liability in the amount of $1,000,000 that is primary (covers first)
before WCIA’s liability coverage document.
Regulatory action coverage in the amount of $1,000,000 to pay for fines and
penalties such as HIPAA violations that WCIA cannot cover.
Privacy event services including notifications to affected individuals, identity theft call
center assistance, identity restoration services, and identity monitoring and victim
cost reimbursement insurance.
Event management services in the amount of $500,000 for event response and
$500,000 for electronic data that covers costs for:
o Forensic investigations
o Public relations, crisis management or legal costs
o Restoration, re-collection or re-creation of electronic data
o Cyber extortion up to $1,000,000 (must be approved by AIG)
o Cyberterrorism
The cyber insurance is subject to a $25,000 deductible with certain exceptions.
The City of Kirkland also purchased crime insurance that provides $2.5 million in limits for
loss caused by employee theft, robbery or crime, computer fraud, forgery (including credit or
debit card), and funds transfer fraud with a $10,000 deductible. 13
2. City of Baltimore, Maryland
The City of Baltimore is located in the a major city in the state of Maryland and has a
population of approximately 619,493.
In May 2019, the City of Baltimore was attacked by ransomware RobbinHood. The hacker
asked for ransom in the amount of $76,000. The attack took all the city’s servers offline with
10
City of Kirkland Washington, Network Security Assessment (March, 2017), available at
http://mrsc.org/getmedia/c8ba621f-142d-416a-83c5-2b49ed1a41f4/k53networkSecurityRFP.pdf.aspx
11 Id.
12 City of Kirkland Washington, Insurance Coverage Overview Memorandum (September, 2016), available at
https://www.kirklandwa.gov/Assets/Finance+Admin/201718+Preliminary+Budget/05_1+Managed+Risk+Overview+WEB.pdf
13 Id.
9
the exception of essential services. As a result, real estate transactions were suspended,
water billing was disrupted, and city employees were unable to access key documents and
email.
The City did not pay the ransom, and the attack is estimated to have cost the city $18 million
in direct costs and lost or delayed revenue.14 The City voted to purchase two cyber
insurance policies in the amount of $835,103 which provides coverage of up to $20 million.
The insurance includes15:
•
•
•
•
•
•
•
Cyber incident response coverage including hiring investigative team.
Business interruption loss and extra expense
Digital data recovery and network extortion
Third party coverage for cyber privacy and network security
Payment card loss
Regulatory proceedings
Electronic social and printed media liability
14
Infosecurity Magazine, Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack (18 OCT
2019), available at https://www.infosecurity-magazine.com/news/baltimore-buys-cyber-insurance/
15 Id.
10
Download