Cyber Insurance

Cyber-insurance coverage: do you have it?
Robert E. Sumner, IV, Esq. and Tosh Siao of Willis Group
September 17, 2015
Topics to be covered:
1. What is a data breach?
2. Incidence/frequency of data breaches.
3. Data on the cost/expenses associated with breaches.
4. CGL standard policies.
5. Cyber policies and endorsements.
6. State of the cyber insurance market.
7. Evolving coverage issues.
8. Role of your insurance broker.
9. Navigating through the underwriting process.
10. How much coverage?
11. Examples of cyber insurance programs.
12. What to do when the breach occurs.
WHAT IS A DATA BREACH?
What is a data breach?
Key Defined Terms
Personal Information (PI) or Personally Identifiable Information
(PII)– “Generally, the definition requires both a name (first initial and last
name often suffices), and some additional item of information that could
be used to steal a person’s identity or access his or her financial accounts (or,
in some cases, healthcare information) without authorization.”
Florida definition (FIPA)
“Personal information” means either of the following:
1. An individual’s first name or first initial and last name, in combination with any one of the following:
(a) A social security number;
(b) A driver license or identification card number;
(c) A financial account number with its security code;
(d) An individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
(e) An individual’s health insurance policy or ID number.
2. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
Protected Health Information (PHI) – “Individually identifiable health information.”
PHI relates to:
i. Individual’s past, present or future physical or mental
health or condition;
ii. Provision of health care to the individual; or
iii. Past, present or future payment for the provision of
health care.
• Data incident – IT term (nerd term); something “not normal”.
• Data breach – legal term (matter of interpretation); unauthorized access to PII or PHI.
• A “breach” triggers the reporting/response obligations.
• Types of breaches:
i. Cyber hacking (hacktivism, cyber espionage)
ii. Unintentional loss of information
iii. Employee misconduct
iv. Bad business practices
v. Theft
DATA BREACH EMPIRICAL DATA
Empirical Data:
Verizon Data Breach Investigations Report (2015)
• 79,790 security incidents in 2014;
• 2,122 confirmed data breaches in 2014.
Net Diligence Cyber Claims Study (2014) [Mark Greisinger]
• $698,797: average cost of defense of a data breach lawsuit;
• $733,109: average claim payout ($1.3M for healthcare);
• $558,520: average settlement for a data breach lawsuit;
• $1,041,906: average cost of defense of a regulatory matter.
Ponemon Institute Study (2015)
[Symantec & Ponemon Benchmark Study]
• $3.79 million: average total cost of a data breach;
• 23% increase in the total cost of a data breach since 2013;
• The healthcare industry has the highest cost associated with a breach;
• $6.53 million: average cost per data breach for a U.S. company;
• $417,000: average detection cost per breach (2014);
• $509,237: average notification cost per breach (2014);
• $1,599,996: average post-data-breach cost (2014);
• Lost business cost increased from $1.33 million last year to $1.57 million in 2015.
CGL Standard Policies do not have Cyber-Coverage
Commercial general liability (CGL) policies include three types of coverage:
Coverage A, which covers bodily injury and property damage;
Coverage B, which covers personal and advertising injury;
Coverage C, which covers medical payments for bodily injury.
These policies define property damage as physical injury to, or loss of use of, tangible property.
Most policies specify that electronic data is not tangible property.
Cyber Policies and Endorsements
Effective May 1, 2014 in many jurisdictions, ISO introduced
several endorsements:
• CG 21 06 05 14 (Exclusion – Access Or Disclosure Of
Confidential Or Personal Information And Data-Related Liability –
With Bodily Injury Exception) — excludes coverage, under
Coverages A and B, for injury or damage arising out of any access
to or disclosure of any person’s or organization’s confidential or
personal information, including patents, trade secrets, processing
methods, customer lists, financial information, credit card
information, health information or any other type of nonpublic
information.
• CG 21 07 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included) – very similar to CG 21 06, but does not include the bodily injury exception described above.
• CG 21 08 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only)) – the exclusion for any access to or disclosure of any person’s or organization’s confidential or personal information is limited to personal and advertising injury.
ISO Electronic Data Liability Coverage
• Form CG 00 65
• Broad coverage: actual loss of data; no requirement for “physical injury to tangible property”
• Claims made
• Covers loss caused by an “electronic data incident”
ISO Business Owners Policies:
• Endorsement BP 05 95 – Electronic Data Liability – limited coverage endorsement (direct damage to data of others due to the insured’s negligence)
• Endorsement BP 05 96 – Electronic Data Liability – broad coverage endorsement (like ISO Form CG 00 65)
Available Cyber Coverages
• Privacy Liability: Provides defense and liability coverage for claims resulting from your failure to maintain the privacy of information entrusted to you. Examples of sensitive information: Protected Health Information; Personally Identifiable Information; or a third party’s confidential corporate information that you are required to keep confidential.
• Breach Event Costs: Provides coverage for costs incurred, in response to a breach of individuals’ personally identifiable information or protected health information, for public relations; notification of individuals (voluntary notification is available from some carriers); credit monitoring; call centers; obtaining legal counsel; forensic experts; and any other expenses approved by the insurer. New: coverage may be written as a dollar limit or as a number of affected individuals.
• Regulatory Defense, Fines and Penalties: Provides coverage for proceedings brought by a government agency for an alleged violation of privacy regulations resulting from a breach of personal information. Coverage includes defense, consumer redress, and fines and penalties (where allowable by law).
• PCI Fines and Penalties: Provides coverage for a monetary assessment of a fine or penalty by a card association or acquiring bank due to the insured’s non-compliance with the PCI Data Security Standard.
• Cyber Extortion: Coverage for the costs to investigate and terminate a threat to commit an intentional attack against your computer system.
• Crisis Management: Expenses for managing public relations and media outlets.
Evolving coverage concerns and issues
• Property Damage, yes. Bodily Injury, not sure.
• “Dumpster Diving”
• Defense Costs erode policy limits
• Legacy exposures
• Maintain “top shelf” coverage
• Vendors and subcontractors
Broker’s Role in Cyber Liability
• Advise on evolving risk with non-stop change
• Understand the financial and reputational impact
• Know best access points to the insurers
• Manage detailed underwriting and claims
• Build the “moat” with vendor management
Navigating the underwriting process
• Highest risks are retail, health care, and technology
• Underwriters (UWs) understand there is no perfect account
• Plenty of underwriting capacity
• Revenues and deductibles drive pricing
• Application process
What is the right amount of coverage?
Willis Estimated Data Breach Costs (by number of affected individuals)

Affected individuals                                   1,000        10,000       100,000       500,000     1,000,000    10,000,000   100,000,000
PRIVACY EXPENSES
  Forensics Investigation                            $25,000      $100,000      $200,000      $400,000      $750,000    $1,000,000    $2,000,000
  Data Breach Coach                                  $10,000       $20,000       $30,000       $50,000      $100,000      $250,000      $500,000
  Public Relations                                        $0       $20,000       $40,000       $80,000      $200,000      $500,000    $1,000,000
  Privacy Expense (Forensics/Crisis)                 $35,000      $140,000      $270,000      $530,000    $1,050,000    $1,750,000    $3,500,000
  Customer Notification                               $2,000       $15,000      $150,000      $625,000    $1,000,000    $9,000,000   $50,000,000
  Call Center                                         $1,000       $10,000      $100,000      $500,000      $800,000    $5,000,000   $20,000,000
  Credit Monitoring                                   $4,500       $45,000      $450,000    $2,250,000    $2,500,000   $25,000,000  $250,000,000
  Identity Fraud Remediation                          $1,000       $10,000      $100,000      $250,000      $500,000    $1,000,000    $5,000,000
  Privacy Expense (Notice/Credit Monitoring)          $8,500       $80,000      $800,000    $3,625,000    $4,800,000   $40,000,000  $325,000,000
Privacy Expense Total                                $43,500      $220,000    $1,070,000    $4,155,000    $5,850,000   $41,750,000  $328,500,000
  (Privacy Expense cost per record)                   $43.50        $22.00        $10.70         $8.31         $5.85         $4.18         $3.29
PRIVACY LIABILITY
  State Regulatory (AG)                                   $0            $0      $250,000      $250,000      $500,000    $1,000,000    $5,000,000
  Federal Regulatory (FTC)                                $0            $0      $100,000      $500,000    $1,000,000    $5,000,000   $10,000,000
  Regulatory Defense/Fines                                $0            $0      $350,000      $750,000    $1,500,000    $6,000,000   $15,000,000
  PCI Fines/Penalties                                     $0       $10,000       $20,000      $100,000      $500,000    $1,000,000    $2,000,000
  Legal Defense/Damages/Class Actions                     $0      $100,000      $300,000      $900,000    $2,000,000    $5,000,000   $30,000,000
  Card Reissuance Liability                           $9,000       $80,000      $600,000    $3,000,000    $5,000,000   $40,000,000  $300,000,000
  Civil Liability                                     $9,000      $180,000      $900,000    $3,900,000    $7,000,000   $45,000,000  $330,000,000
Privacy Liability Total                               $9,000      $190,000    $1,270,000    $4,750,000    $9,000,000   $52,000,000  $347,000,000
Total Data Breach Cost                               $52,500      $410,000    $2,340,000    $8,905,000   $14,850,000   $93,750,000  $675,500,000
Per Record Cost: Retail                               $52.50        $41.00        $23.40        $17.81        $14.85         $9.38         $6.76

Subtotal rows: Privacy Expense (Forensics/Crisis) = Forensics Investigation + Data Breach Coach + Public Relations; Privacy Expense (Notice/Credit Monitoring) = Customer Notification + Call Center + Credit Monitoring + Identity Fraud Remediation; Regulatory Defense/Fines = State Regulatory (AG) + Federal Regulatory (FTC); Civil Liability = Legal Defense/Damages/Class Actions + Card Reissuance Liability; Total Data Breach Cost = Privacy Expense Total + Privacy Liability Total.
Assumptions:
Credit Monitoring: $15 per individual (10%-15% take-up rate)
Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)
Program Example #1
Industry: Cloud Hosting
Annual Sales: $85,000,000
Policy Limit: $2,000,000
Deductible: $100,000
Premium: $56,093
Rate (per $1,000 sales): $0.66

Program Example #2
Industry: Manufacturing
Annual Sales: $110,000,000
Policy Limit: $2,000,000
Deductible: $50,000
Premium: $16,506
Rate (per $1,000 sales): $0.15
When the breach occurs
• Gather details of the incident.
• Determine the insuring agreements, limits, and retentions that will apply.
• What triggers a loss or claim under the policy?
• What are the notice requirements?
• Does timing around an upcoming policy renewal or expiring policy period require an expedited notice?