Managing Cyber Risk Through Insurance and Vendor Contracts
Dino Tsibouris (614) 360-3133 dino@tsibouris.com
Tom Srail, SVP, FINEX NA – Cyber and E&O Team tom.srail@willis.com
Mehmet Munur (614) 360-3101 mehmet.munur@tsibouris.com
Outline
1. Cyber risks
2. Costs relating to cyber risks
3. Use of insurance for cyber risks
4. Lawsuits relating to insurance policies
5. Strategies in obtaining coverage
6. Traditional v. Cyber Insurance
7. Vendors
8. Conclusion
Cyber Risks
• Hacking incidents
• Data breaches
• Privacy breaches
• Unauthorized access
• Social engineering
• Vandalism or defacement
• Cyber extortion
• Regulatory enforcement following incidents
Cyber Risks
• Privacy is a heightened & evolving exposure
• Reliance on Vendors (Cloud, IT, HR)
• Regulatory Changes
• Underwriters are paying multi-million dollar losses
• Business Interruption and Systems Failure
• Credit card related fines and lawsuits
• “Cyber” Insurance has broadened to address these risks
“CYBER” INSURANCE TIMELINE
[Figure: timeline from 1996 to 2012 with three tracks. Insurance History: Cyber Insurance Introduced, Notice Costs Covered, Broad Privacy Ins., Vendor Coverage, Corp Confidential Info, PCI Fines & Penalties, Reg. Fines & Penalties, Systems Failure. Regulatory/Industry History: HIPAA, GLB, SB1386, PCI, HITECH, SEC. Claims/Losses History: Card Systems, TJX, Heartland, Epsilon/Sony.]
What is the Data?
What Data do you collect/process?
• Personally Identifiable Information (PII): SSN, Driver's License, etc.
• Payment Card Information (PCI): Credit Card, Debit Card Numbers
• Protected Health Information (PHI)
• Personal or Sensitive Personal Data (EU)
Where is the Data?
Where is it? Do you share with third parties?
• How well is it protected?
• How long is it kept?
What is a Breach?
• Unauthorized disclosure
• Unauthorized acquisition
• Data compromised
Causes of a Data Breach
[Chart: share of breaches by cause (percent). Categories: Hacked Systems, Malicious Insider or Code, Paper Records, Electronic Backup, Lost Laptop or Device, 3rd Party or Outsourcer. Values shown: 35, 21, 19, 9, 9, 7.]
Costs of a Data Breach
Cost per record: $214 (2010) (up $10 from 2009), of which $73 direct and $141 indirect
DIRECT COSTS ($73 per record)
• Notification
• Call Center
• Identity Monitoring (credit/non-credit)
• Identity Restoration
• Discovery / Data Forensics
• Loss of Employee Productivity
INDIRECT COSTS ($141 per record)
• Restitution
• Additional Security and Audit Requirements
• Lawsuits
• Regulatory Fines
• Loss of Consumer Confidence
• Loss of Funding
Source: Ponemon Institute
Costs of a Data Breach
• Notification: $1/individual
• Credit monitoring: $15-$50/individual
• Call Centers, Fraud Alerts, Database Scanning, Restoration Services
• Civil, regulatory and possibly criminal defense
• Data Privacy counsel can cost $1,000+ per hour
• Business Interruption Costs/Data Damage?
Rating for Potential Dangers Posed by Cyber Risks
[Chart: respondents' rating of cyber risk (percent). Categories: Extremely Serious, Serious, Moderate, Mild, Very Mild. Values shown: 43.2, 29.7, 13.1, 12.4, 1.6.]
Source: Advisen Cyber Risk Special Report
Considering Buying Coverage Next Year?
[Chart: responses (percent). Categories: Yes, No, Don't Know. Values shown: 52, 24.4, 23.6.]
Source: Advisen Cyber Risk Special Report
Heartland Payment Systems Breach
[Chart: breach costs in millions of dollars. Categories: Visa & Banks, MasterCard, American Express, Discover, Legal Fees and Costs. Values shown: 59.3, 41.4, 32.4, 5, 3.5.]
Source: SEC
Security Incidents and Insurance Proceeds
[Bar chart: Total Cost vs. Covered By Insurance, in millions of dollars (axis 0 to 200), for TJX, HPS, RSA, ChoicePoint and Epsilon. Values shown: 171.5, 147.1, 66.3, 38.3, 31.2, 18.9, 11.]
Source: SEC
Creative Hospitality Ventures v. US Liability Insurance
• Restaurant gives customers receipts showing full account number in violation of FACTA.
• Class action lawsuit ensues.
• Restaurant seeks coverage under CGL policy.
Creative Hospitality Ventures v. US Liability Insurance
• Policy limited to “personal and advertising injury.”
• Defined as any publication that invaded the right to privacy.
• Circuit court reversed the magistrate's holding that printing a receipt was a publication.
• Therefore, no coverage.
Auto-Owners Insurance v. Websolv
• Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.
• Websolv seeks coverage under CGL policy.
• Auto-Owners sued arguing that it had no duty to defend under:
– Advertising Injury – publication & privacy.
– Property Damage – fax.
Auto-Owners Insurance v. Websolv
• Appeals court held that Iowa law, not Illinois law, applied and that the policy did not cover the injury.
• Appeals court held:
– Privacy interest v. seclusion interest.
– Publication v. secrecy.
– Damages expected v. intended.
• Concluded that there was no coverage.
Eyeblaster v. Federal Insurance
• Computer user sues Eyeblaster alleging injuries relating to its advertising software.
• Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.
• Federal denies coverage and brings this lawsuit.
Eyeblaster v. Federal Insurance
• CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”
• District court finds that there is no physical injury; therefore, no coverage.
• Appeals court finds that inability to use the computer constitutes injury under the policy and reverses.
Zurich Insurance v. Sony
• Sony’s online networks are attacked and passwords are compromised.
• Sony shuts down PSN for weeks.
• Sony offers fraud monitoring.
• Sony offers discounted games in apology.
• Sony is sued in tens of class action lawsuits.
• Zurich sues Sony for declaratory judgment.
Zurich Insurance v. Sony
• Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.
• Zurich claims that its insurance policies cover:
– Bodily injury,
– Property damage, and
– Personal and advertising injury.
• Litigation ongoing.
Common Issues
• Interpretation of undefined terms is crucial in coverage.
• Interpretation varies depending on trial court, appeals court, and state law.
• Litigating an insurance policy consumes time and resources.
Common Issues
• Data may not be tangible personal property.
• Publication may not have occurred.
• Privacy rights may not have been breached.
Common Issues
• CGL policy covers specific risks.
• Cyber risks may not be covered.
• Coverage varies widely among policies.
Traditional Insurance Gaps
• Theft or disclosure of third party information (GL)
• Security and privacy – “Intentional Act” exclusions (GL)
• Data is not “tangible property” (GL, Prop, Crime)
• Bodily Injury & Property Damage triggers (GL)
• Value of data if corrupted, destroyed, or disclosed (Prop, GL)
Traditional Insurance Gaps
• Contingent risks (from external hosting, etc.)
• Commercial Crime policies require intent and only cover money, securities and tangible property.
• Territorial restrictions
• Sublimit or long waiting period applicable to any virus coverage available (Prop)
Preparation is Key
• Policy must be part of an Enterprise Risk Management program
• Utilize privacy, security, and legal:
– Policies
– Procedures
– Controls
• Understand probability and magnitude of risk
• Audit products and services
Preparation is Key
• Ask Your Privacy / IT professionals:
– Incident Response Plan (tested?)
– Vendor Contracts / Insurance Requirements
• Privacy Risk Assessment
• Check Existing Insurance Gap Analysis
• New coverage terms must integrate with:
– Response Plans
– Traditional Policies
Cyber Risk Coverage
• Data breach
• Governmental civil actions
• Virus liability
• Content liability
• Extortion
• Lost data
Privacy & Network Coverages
Expense (Loss Mitigation) Coverage
• Data Breach Expenses:
– Consumer notification and credit monitoring service costs (sub-limit)
– Forensics/Investigations
– Public Relations/Crisis Management Expenses
Privacy & Network Coverages
Liability Coverage
• Privacy Liability
• Network Security Liability
• Media, IP and Content Liability
Privacy & Network Coverages
Direct (First Party) Coverage
• Revenue Loss (Interruption to income due to systems outage)
• Data Reconstruction
Limits and Exclusions
• Must the insured notify you right away?
• Indemnification for losses or claims, too?
• Who chooses the lawyer to defend a lawsuit?
• Are there preferred vendors?
• Limitation of liability – dollar amount?
Vendor Contracts
• Breaches may occur at a vendor.
• Contract clauses and limitations should harmonize with insurance clauses.
• Damage limits should factor in policy limits.
• Notify if a breach may have occurred.
• Should they tender your defense?
• You are liable, but they can help.
Vendor Contracts
IT/Software Companies
• Request Tech E&O, plus Privacy/Network Coverage
• Some Tech E&O policies have security/privacy exclusions
• Breach could occur without a “wrongful act” being committed
Vendor Contracts
Business Services – Payroll, Auditors, Counsel
• Request appropriate E&O coverage
• Request Privacy/Network coverage
Credit Card Processors/Acquiring Banks
• Request Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)
Vendor Contracts
Other Vendors that transport, touch, or interact with your systems or sensitive information
• Request Privacy/Network coverage
Upcoming Issues
• Revisions to the EU Data Protection Directive that propose fines of up to 2% of a company's annual turnover
• Federal data breach notification in the U.S.
• FTC Final Privacy Report and Privacy by Design
• Department of Commerce multi-stakeholder enforceable codes of conduct process
Questions