Cyber-insurance coverage: do you have it?
Robert E. Sumner, IV, Esq. and Tosh Siao of Willis Group
September 17, 2015

Topics to be covered:
1. What is a data breach?
2. Incidence/frequency of data breaches.
3. Data on the cost/expenses associated with breaches.
4. CGL standard policies.
5. Cyber policies and endorsements.
6. State of the cyber insurance market.
7. Evolving coverage issues.
8. Role of your insurance broker.
9. Navigating through the underwriting process.
10. How much coverage?
11. Examples of cyber insurance programs.
12. What to do when the breach occurs.

WHAT IS A DATA BREACH?

Key Defined Terms
• Personal Information (PI) or Personally Identifiable Information (PII) – “Generally, the definition requires both a name (first initial and last name often suffices), and some additional item of information that could be used to steal a person’s identity or access his or her financial accounts (or, in some cases, healthcare information) without authorization.”
• Florida definition (FIPA): “Personal information” means either of the following:
  1. An individual’s first name or first initial and last name, in combination with one of the following:
     (a) A social security number;
     (b) A driver license or identification card number;
     (c) A financial account number with security code;
     (d) An individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
     (e) An individual’s health insurance policy or ID number.
  2. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
• Personal Health Information (PHI) – “Individually identifiable health information.” PHI relates to:
  i. The individual’s past, present or future physical or mental health or condition;
  ii. Provision of health care to the individual; or
  iii. Past, present or future payment for the provision of health care.
Key Defined Terms
• Data incident – IT term (nerd term); something “not normal”.
• Data breach – legal term (matter of interpretation); unauthorized access to PII or PHI.
• A “breach” triggers the reporting/response.
• Types of breaches:
  i. Cyber hacking (hacktivism, cyber espionage)
  ii. Unintentional loss of information
  iii. Employee misconduct
  iv. Bad business practices
  v. Theft

DATA BREACH EMPIRICAL DATA

Empirical Data: Verizon Data Breach Investigation Report (2015)
• 79,790 security incidents in 2014;
• 2,122 confirmed data breaches in 2014.

Empirical Data: NetDiligence Cyber Claims Study (2014) [Mark Greisinger]
• $698,797: average cost of defense of a data breach lawsuit;
• $733,109: average claim payout ($1.3M for healthcare);
• $558,520: average settlement for a data breach lawsuit;
• $1,041,906: average cost of defense of a regulatory matter.

Empirical Data: Ponemon Institute Study (2015) [Symantec & Ponemon Benchmark Study]
• $3.79 million: average total cost of a data breach;
• 23% increase in the total cost of a data breach since 2013;
• The healthcare industry has the highest cost associated with a breach;
• $6.53 million: average cost per data breach for a U.S. company;
• $417,000: average detection cost per breach (2014);
• $509,237: average notification cost per breach (2014);
• $1,599,996: average post-data-breach cost (2014);
• Lost business cost increased from $1.33 million last year to $1.57 million in 2015.

CGL Standard Policies do not have Cyber-Coverage
General commercial liability policies include three types of coverages:
• Coverage A, which covers bodily injury and property damage;
• Coverage B, which covers personal and advertising injury;
• Coverage C, which covers medical payments for bodily injury.
These policies define property damage as a physical injury to or the loss of use of tangible property. Most policies specify that electronic data is not tangible property.
Cyber Policies and Endorsements
Effective May 1, 2014 in many jurisdictions, ISO introduced several endorsements:
• CG 21 06 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Bodily Injury Exception) – excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
• CG 21 07 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included) – very similar to CG 21 06, but does not include the bodily injury exception described above.
• CG 21 08 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only)) – the exclusion with respect to any access to or disclosure of any person’s or organization’s confidential or personal information is limited to personal and advertising injury.

ISO Electronic Data Liability Coverage
• Form CG 00 65
• Broad coverage: actual loss of data – no requirement for “physical injury to tangible property”
• Claims made
• Covers loss caused by an “electronic data incident”

ISO Business Owner Policies:
• Endorsement BP 05 95 – Electronic Data Liability – limited coverage endorsement (direct damage to data of others due to the insured’s negligence)
• Endorsement BP 05 96 – Electronic Data Liability – broad coverage endorsement (like ISO Form CG 00 65)

Available Cyber Coverages
• Privacy Liability: Provides defense and liability coverage for claims resulting from your failure to maintain the privacy of information entrusted to you.
  Examples of Sensitive Information: Protected Health Information; Personally Identifiable Information; or a Third Party’s Confidential Corporate Information that you are required to keep confidential.
• Breach Event Costs: Provides coverage for costs incurred, due to a breach of individuals’ personally identifiable information or protected health information, for public relations; notification of individuals (voluntary notification is available from some carriers); credit monitoring; call centers; obtaining legal counsel; forensic experts; and any other expenses approved by the insurer to respond to a breach. New: coverage may be written as a dollar amount or as a per-person amount.

Available Cyber Insurance Coverages (Cont’d)
• Regulatory Defense, Fines and Penalties: Provides coverage for proceedings brought by a government agency for an alleged violation of privacy regulations resulting from a breach of personal information. Coverage includes defense, consumer redress, fines and penalties (where allowable by law).
• PCI Fines and Penalties: Provides coverage for a monetary assessment of a fine or penalty by a Card Association or Acquiring Bank due to the insured’s non-compliance with a PCI Data Security Standard.
• Cyber Extortion: Coverage for costs to investigate and terminate a threat to commit an intentional attack against your computer system.
• Crisis Management: Expenses for managing public relations and media outlets.

Evolving coverage concerns and issues
• Property Damage, yes. Bodily Injury, not sure.
• “Dumpster Diving”
• Defense costs erode policy limits
• Legacy exposures
• Maintain “top shelf” coverage
• Vendors and subcontractors

Broker’s Role in Cyber Liability
• Advise on evolving risk with non-stop change
• Understand the financial and reputational impact
• Know the best access points to the insurers
• Manage detailed underwriting and claims
• Build the “moat” with vendor management

Navigating the underwriting process
• Highest risks are retail, health care, and technology
• Underwriters understand there is no perfect account
• Plenty of underwriting capacity
• Revenues and deductibles drive pricing
• Application process

What is the right amount of coverage?

Willis Estimated Data Breach Costs (based on number of affected individuals compromised)

Affected individuals | 1,000 | 10,000 | 100,000 | 500,000 | 1,000,000 | 10,000,000 | 100,000,000

PRIVACY EXPENSES
Privacy Expense (Forensics/Crisis) | $35,000 | $140,000 | $270,000 | $530,000 | $1,050,000 | $1,750,000 | $3,500,000
  Forensics Investigation | $25,000 | $100,000 | $200,000 | $400,000 | $750,000 | $1,000,000 | $2,000,000
  Data Breach Coach | $10,000 | $20,000 | $30,000 | $50,000 | $100,000 | $250,000 | $500,000
  Public Relations | $0 | $20,000 | $40,000 | $80,000 | $200,000 | $500,000 | $1,000,000
Privacy Expense (Notice/Credit Monitoring) | $8,500 | $80,000 | $800,000 | $3,625,000 | $4,800,000 | $40,000,000 | $325,000,000
  Customer Notification | $2,000 | $15,000 | $150,000 | $625,000 | $1,000,000 | $9,000,000 | $50,000,000
  Call Center | $1,000 | $10,000 | $100,000 | $500,000 | $800,000 | $5,000,000 | $20,000,000
  Credit Monitoring | $4,500 | $45,000 | $450,000 | $2,250,000 | $2,500,000 | $25,000,000 | $250,000,000
  Identity Fraud Remediation | $1,000 | $10,000 | $100,000 | $250,000 | $500,000 | $1,000,000 | $5,000,000
Privacy Expense Total | $43,500 | $220,000 | $1,070,000 | $4,155,000 | $5,850,000 | $41,750,000 | $328,500,000
(Privacy Expense Cost per record) | $43.50 | $22.00 | $10.70 | $8.31 | $5.85 | $4.18 | $3.29

How much coverage do you need?

Affected individuals | 1,000 | 10,000 | 100,000 | 500,000 | 1,000,000 | 10,000,000 | 100,000,000

PRIVACY LIABILITY
Regulatory Defense/Fines | $0 | $0 | $350,000 | $750,000 | $1,500,000 | $6,000,000 | $15,000,000
  State Regulatory (AG) | $0 | $0 | $250,000 | $250,000 | $500,000 | $1,000,000 | $5,000,000
  Federal Regulatory (FTC) | $0 | $0 | $100,000 | $500,000 | $1,000,000 | $5,000,000 | $10,000,000
PCI Fines/Penalties | $0 | $10,000 | $20,000 | $100,000 | $500,000 | $1,000,000 | $2,000,000
Civil Liability | $9,000 | $180,000 | $900,000 | $3,900,000 | $7,000,000 | $45,000,000 | $330,000,000
  Legal Defense/Damages/Class Actions | $0 | $100,000 | $300,000 | $900,000 | $2,000,000 | $5,000,000 | $30,000,000
  Card Reissuance Liability | $9,000 | $80,000 | $600,000 | $3,000,000 | $5,000,000 | $40,000,000 | $300,000,000
Privacy Liability Total | $9,000 | $190,000 | $1,270,000 | $4,750,000 | $9,000,000 | $52,000,000 | $347,000,000

Total Data Breach Cost | $52,500 | $410,000 | $2,340,000 | $8,905,000 | $14,850,000 | $93,750,000 | $675,500,000
Per Record Cost | $52.50 | $41.00 | $23.40 | $17.81 | $14.85 | $9.38 | $6.76

Retail Assumptions:
• Credit Monitoring: $15 per individual (10%–15% take-up rate)
• Identity Fraud Remediation: $100–$500 per affected individual (less than 1% typically require fraud remediation)

Program Example #1
Industry | Annual Sales | Policy Limit | Deductible | Premium | Rate (per $1,000 sales)
Cloud Hosting | $85,000,000 | $2,000,000 | $100,000 | $56,093 | $0.66

Program Example #2
Industry | Annual Sales | Policy Limit | Deductible | Premium | Rate (per $1,000 sales)
Manufacturing | $110,000,000 | $2,000,000 | $50,000 | $16,506 | $0.15

When the breach occurs
• Gather details of the incident
• Determine the insuring agreements, limits, and retentions that will apply
• What triggers a loss or claim under the policy?
• What are the notice requirements?
• Is there timing around an upcoming policy renewal or expiring policy period that requires an expedited notice?