Cyber/Privacy Insurance

Information Exposures
• Credit Card Information
• Personally Identifiable Information
– Social Security Numbers
– Drivers License Numbers
– Banking Information
– Employment Information
– Insurance Information
• Personal Health Information
• Business Information
– Ever sign confidentiality agreements or non-disclosure agreements? Private co. financials?

Likely Causes of Loss
• Lost/stolen portable computers or media…Blackberry/iPhone
• Lost/stolen backup tapes.
• Improper disposal
– Paper records
– Computer equipment (fax machines)
• Computer hacking
• Employee misuse
• Rogue employee
– According to the 2004 CSI/FBI computer crime security survey, inside jobs represent 80% of reported security incidents.
• Vendor negligence – big issue – Target
• Negligent release

Value of Stolen Data: Symantec Corp Report on the Underground Economy ’07-’08

Rank for Sale  Rank Requested  Goods and Services             % for Sale  % Requested  Range of Prices
1              1               Bank account credentials       18%         14%          $10 - $1,000
2              2               Credit Card #’s with CVV #’s   16%         13%          $.50 - $12
3              5               Credit Cards                   13%         8%           $.10 - $25
4              6               E-mail addresses               6%          7%           $.30 - $40
5              14              E-mail passwords               6%          2%           $4 - $30
6              3               Full identities                5%          9%           $.90 - $25

After Breach. What to do?
• First off, was there a breach? Voluntary notification costs are huge.
• What happened and what data, hardware, and software was affected? Computer forensics firm
• What regulations apply and how do we comply? Privacy attorneys
– Along these lines, is affected data for people in other states? Other states’ notification laws?
• How do we restore trust/make it right with our customers? Public relations, credit monitoring, ID theft counseling

Current Developments
• High profile data breaches: Target, Neiman Marcus, Sony, RSA, Citibank, Lockheed Martin, Google
• Cloud Computing
• Texas Medical Records Privacy Act (2012) – broader in scope than HIPAA as it applies to health care providers, health plans, and other entities, individuals, businesses, or organizations that obtain, store, or possess PHI
• HIPAA provides that if a state law grants more privacy protection to a patient, state law applies
• PCI Standards/Compliance – started in 2006
• Cyber/Privacy Insurance Market Growth: approx. $800M premium in 2010, which is about double 2007 (Betterley Report)
• Down economy means crime goes up…Why wouldn’t cyber crime go up?
– In 2009, more than 222M records were compromised in 469 reported incidents (per Identity Theft Resource Center)

Current Developments – Target & Neiman Marcus
• Hackers becoming more sophisticated – robbers are always ahead of the cops
• One unanswered question from the Target and Neiman Marcus breaches is how internal or external attackers managed to steal so much data while avoiding detection. But people with knowledge of the Target investigation told Reuters that the attackers' toolkit reportedly included memory-parsing malware known as RAM scrapers. The malware can be used to infect point-of-sale (POS) systems -- a fancy name for retailers' digital cash registers -- and then intercept sensitive information such as credit card numbers and magnetic-stripe data. While the data resides in memory it remains in plaintext -- and thus easy to intercept -- even if it later gets encrypted for storage or transmission.
• Visa reportedly published two security alerts last year -- in April and August -- warning retailers about a rise in RAM-scraping attacks. But one source told Reuters that the RAM scraping tools used by attackers were more sophisticated than what's been seen before, meaning that even if Target or any other retailer had bolstered its security defenses in the wake of the Visa warning, they may have been unable to stop the new malware.

Current Developments
• SMALL BUSINESS IS THE TARGET:
– 2013 Symantec Internet Security Threat Report: Targeted attacks on businesses with fewer than 250 employees are growing. Small businesses are now the target of 31 percent of all attacks, a threefold increase from 2011. While small businesses may feel they are immune to targeted attacks, cybercriminals are enticed by these organizations’ bank account information, customer data, intellectual property and the knowledge that they often lack adequate security practices and infrastructure.
– Among the key findings of Symantec’s 2010 SMB Protection Survey, small businesses:
• sustained an average loss of $188,000 per breach,
• comprised 73 percent of total cyber crime targets/victims,
• lost confidential data in 42 percent of all breaches, and
• suffered direct financial losses in 40 percent of all breaches.
– In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.
– A 2010 survey by the National Retail Federation and First Data Corp. of small- and medium-size retailers in the U.S. found that 64% believed their businesses weren't vulnerable to card data theft and only 49% had assessed their security safeguards.

Healthcare – Recent Data Privacy Developments
• Federal Law: American Recovery and Reinvestment Act of 2009 (aka the Stimulus Bill) – HITECH Act.
– Government spending $25.9B to promote and expand health information technology
– Goal is to create a nationwide network of electronic health records
• U.S. Department of Health and Human Services Office for Civil Rights (OCR) has beefed up staff and oversight. (UCLA Healthcare Systems had to pay $865K for celebrity patient disclosures – failed to restrict employees from records.)
• Contrasts with lax enforcement for the past 15 years.
• Under HITECH, "business associates," or third parties such as a billing company or cloud provider, now must follow the HIPAA privacy laws by protecting patient information and reporting data breaches.

HITECH Act (cont’d)
• What changes for a “business associate”?
– They are subject to civil and criminal penalties (not just contractual claims by the covered entity).
– Must comply with administrative, physical, and technical safeguards and documentation requirements under the HIPAA security rule.
– Two-way policing: The business associate and the covered entity must report known violations.
• Janitor in a hospital sees a doctor’s office throwing away sensitive medical records – obligated to report
– Notification: Must notify the FTC of any breach, and violation is considered an unfair and deceptive act.
– Covered entities: Must notify individuals within 60 days…If over 500 identities, they must notify “prominent media outlets” in the area as well as the Department of Health and Human Services.

Cloud Computing
• IT purchasers realize the enormous potential for reduced hardware and software costs. The cloud is becoming more popular.
• Issues/Thoughts:
- Large risk of data loss and business interruption when moving data and applications from a hardware-based system to the cloud.
- Access from any PC anywhere makes it more difficult for a cloud computing provider to verify that the user is who the user says they are via password.
- Cloud providers typically are not responsible for the data if there is a breach. Liability is typically pushed back on the insured via contract with the provider. Think Amazon and the massive amounts of data they host in the cloud.
- Will the cyber marketplace pick up contingent business income if the cloud service is unavailable? Remains to be seen.

Coverage Elsewhere?
• General Liability – BI/PD
– Definition of property is typically limited to “tangible” items
– Exclusion g. to Coverage A of the ISO CGL form excludes coverage for damages “arising out of the loss of, loss of use, damage to, corruption of, inability to access, or inability to manipulate electronic data” (we have seen endorsements broadening coverage by adding an exception to the exclusion for damages because of “bodily injury”)
• Crime
– Almost all policies are limited to money and securities

Cyber Insurance
• 1st-Party – Direct loss due to “injury” to electronic data or systems resulting from acts of others – no need for anyone to come after you for money
– Breach response, extortion, restoration costs, business income
• 3rd-Party – Liability for financial losses or costs sustained by others resulting from Internet or other electronic activities
– Network liability, electronic media liability, regulatory defense costs, privacy liability

Breach Response
• Usually triggered by unauthorized access, introduction of malicious code, accidental or unauthorized release of private information, and denial of service attacks.
• Pays forensic investigation expenses, cost of advertisements, notification expenses, credit monitoring services, cost of a public relations consultant.

Why Breach Response Coverage is Important:
• Easily the most likely coverage to be triggered
• Per Mark Greisinger, President of NetDiligence, a leading cybersecurity assurances company (www.NetDiligence.com):
– Cyber-crime attorney: $700/hr
– Investigation/Computer Forensics Fees: $300 - $700/hour (find out what happened, how to prevent/stop, type of data breached, etc.) Pre-negotiated rates are huge.
– Notification costs: mail notice letter to customers, as much as $14/customer.
– Credit Monitoring: $10-$12/year per person.
– Public Relations Firm: $10,000/month or $400/hour.
• Side note – Mark Greisinger developed the eRisk Hub that comes with probably 90% of cyber policies sold

Why Breach Response Coverage is Important:
• Texas Security Breach Notification Law
The law requires written or electronic notice directly to the affected residents, except that if the cost of direct notification exceeds $250,000, the number of people to be notified exceeds 500,000, or the data controller did not have complete contact information, then the law allows for notification by publication. The law provides for a civil penalty of up to $1 million, plus the amount of reasonable expenses incurred in obtaining the civil penalty. The Texas attorney general or the prosecuting attorney in the county in which a violation occurred can bring suit to recover the civil penalty (payable to the state). This penalty would be in addition to any other available remedy, which could include damages suffered by the resident.

More Perspective… Just Notification Costs
• If it is estimated that it costs $200 per identity…
– A men’s clothing store that does 5 sales a day would end up paying $365K for the data breach of a year’s worth of customers.
– An MRI clinic that does 10 scans a day Monday through Friday…$520K for all of the patients seen in one year.

Extortion
• Usually triggered by a threat to bring down a network (introduce “malicious code”), divulge digital records without authorization, or deny a company’s service to third parties (typically a retailer that depends on customer traffic/sales on their website).
• Pays investigation costs, costs for a negotiator, and “ransom.”
• Can be sublimited, but not always.
• Coverage used to not be that big of a deal, but a recent rise in claims (especially in Europe) has increased the importance.
– Cryptolocker bigger in Europe

Extortion – Example
• Hackers demand $10 million to return patient records stolen from Virginia state site. The Washington Post reports, "Hackers last week broke into a Virginia state website used by pharmacists to track prescription drug abuse." After deleting records "on more than eight million patients," they "replaced the site's homepage with a ransom note demanding $10 million for the return of the records." The event marks "the second major extortion attack related to the theft of healthcare data in the past year. In October 2008, Express Scripts, one of the nation's largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands."

Restoration Costs
• Usually triggered by unauthorized access, introduction of malicious code, accidental or unauthorized release of private information, and denial of service attacks.
• Pays for restoration of data within the computer system. If the data cannot be restored or recreated, the policy will pay the cost to reach that determination.
• Can be directly related to extortion coverage.

Business Interruption
• Intent has to be malicious and direct. Will not be triggered if power goes out, servers fail, etc.
• Pays normal gross margins for the time period in which the network was disabled.
• Time period deductible (i.e. 10 hours)
• Direct – Loss of sales.
• Indirect – Lose ability to manage inventory. Example: WaWa stores
***Some markets playing around with customer attrition/reputational damage products.

Network Liability
• Often confused with privacy coverage. Not so.
• Triggered by unauthorized access/use, computer virus, denial of service attack, denial of access, mistake in administration of network.
• Pays third party damages for inability to access website (e.g. customer of a supplier), transmission of a virus to a third party from insured’s computer system, use of insured’s network to launch a denial of service attack on a third party.

Electronic Media Liability
• Personal injury for insured’s network communications. Think of insured’s website as a newspaper.
• Libel, slander, product disparagement; violation of right of privacy; misappropriation and plagiarism; infringement of copyright, trademark, etc.

Electronic Media Coverage – May be Worthless
• Recent ISO CGL PI/AI coverage should pick it up…except:
j. Insureds In Media And Internet Type Businesses
"Personal and advertising injury" committed by an insured whose business is:
(1) Advertising, broadcasting, publishing or telecasting;
(2) Designing or determining content of web-sites for others; or
(3) An Internet search, access, content or service provider.
However, this exclusion does not apply to Paragraphs 14.a., b. and c. of "personal and advertising injury" under the Definitions Section.
For the purposes of this exclusion, the placing of frames, borders or links, or advertising, for you or others anywhere on the Internet, is not by itself, considered the business of advertising, broadcasting, publishing or telecasting.
k. Electronic Chatrooms Or Bulletin Boards
"Personal and advertising injury" arising out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises control.
***A note on chatrooms. The website owner is usually not responsible for “user” content. If they screen “users” beforehand, the law assigns a higher standard.

Regulatory Defense Costs/Fines and Penalties
• Covers the defense of regulatory actions by governmental agencies against the insured for alleged violations of privacy regulations/laws.
• Attorneys General are becoming more and more aggressive in enforcing regulations
• AGs have historically been understaffed and cannot handle enforcement, so some have engaged 3rd party law firms to investigate random companies and make sure they are compliant with state laws
• AGs like to use high profile breaches to springboard their political careers into the spotlight
– CT, NY, SD, MA AGs have already indicated they will file suit against Target due to the recent breach

Privacy Liability
• Usually triggered by misappropriation, theft or unauthorized access. (Failure to secure data or errors and omissions in handling data.)
• Data covered: personal information, non-public data (usually corporate information).
• *****Want all data covered, not just electronic data. (Improperly disposed of or secured paper records.)
• Claims from individuals are rare but seen on the healthcare side – class actions a bigger worry.
• National Institute of Standards and Technology (part of Dept of Commerce) has issued cyber standards. They are informal and voluntary, but…
– Gives plaintiff attorneys ammunition when it comes to class actions
– Seen as informal government regulations
– There is no negligence standard for safeguarding PII, but NIST is speculated to be used heavily to create one for those entrusted with PII

Why Don’t Insureds Buy?
• Firewalls are up to date/everything is encrypted – robbers are always ahead of the cops.
• Cost – historically cost has been high. Carriers now have a better grasp of exposures and have more premium across their books, so pricing is significantly less than what it was just a few years ago.
• App is too long – we can provide a standalone quote with full limits with nothing more than a company name, revenues, and an address. Will always turn around a quote in 24 hours, but usually it’s flipped in less than an hour.
• Any other objections you hear?

Who Needs the Coverage (the most)?
• Who deals with confidential data?
– Healthcare
– Government
– Financial Institutions
– Schools/Universities
– Online Merchants
– Churches/Philanthropic Organizations

What can your clients do to prevent/mitigate cyber losses?
• Policies
– Privacy Policies
– Information Security Policies
– Computer Usage Policies
• Employee Training
• Technical Security Controls
– Access Controls: firewalls, passwords, etc.
– Anti-virus
• Physical Security Controls
• Incident Response Plan
• eRisk Hub is very useful for insureds

Conclusion
• Not a matter of “if” but “when”: almost nothing you can do to prevent an attack
• Small business is a huge target: fewer controls and resources to prevent/handle an attack
• 1st party coverage is huge: “tack on cyber” on a Chubb, Hartford, etc. E&O policy will typically sublimit 1st party cover to something silly