limitations of “legacy” insurance policies

CYBER 3.0:
CUTTING-EDGE ADVANCEMENTS IN
INSURANCE COVERAGE FOR
CYBER RISK AND REALITY
Tuesday April 29, 2014, 9:00 am – 11:00 am
• Roberta D. Anderson
• Richard S. Betterley, CMC
• Mark Camillo
• Debra A. Samuel
Recording of this session via any media type is strictly prohibited.
Page 1
WHAT TO EXPECT
• Hear About the Latest Real World Cyber Claim Examples
• Get a Handle on Practical Risk and Exposure
• Understand the Latest Developments in the Legal and Regulatory Framework
• Learn the Limitations of “Legacy” Insurance Policies
• Explore the Newest Cutting Edge “Cyber” Products
• Understand How To Enhance “Off-The-Shelf” Cyber Policies Through Negotiation
• Take Away a “Best Practices” Checklist for a Successful Cyber Placement
AGENDA
• Introduction of Speakers and Overview
• Real World Cyber Claim Examples
• The Spectrum of Cyber Risk
• Practical Risk and Exposure
• Underwriting Considerations
• Legal and Regulatory Framework
• The Role of the Risk Manager in Addressing and Mitigating Cyber Risk
• Limitations of “Legacy” Insurance Policies
• Cutting Edge “Cyber” Products
• How To Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
• Questions, Final Comments and Contact Information
INTRODUCTION OF SPEAKERS AND OVERVIEW
• Roberta D. Anderson – Partner, Insurance Coverage / Cyber Law & Cybersecurity
• Richard S. Betterley, CMC – President, Betterley Risk Consultants, Inc.
• Mark Camillo – Head of Network Security / Privacy for the Americas
• Debra A. Samuel – Manager, Insurance Risk Management
REAL WORLD CYBER CLAIM EXAMPLES
Breach: A hospital employee sold patients’ personally identifiable information for tax fraud
purposes.
Coverage: The breach resulted in litigation against the Insured, and AIG provided the Insured
with national and local counsel to best protect its interests.
Breach: An email server and external hard drive were stolen from the premises of an outside
vendor compromising approximately 175,000 individuals.
Coverage: AIG extended $1 Million of Event Management coverage for the cost of notifications
and the retention of a law firm and public relations firm.
Breach: An apparel retailer experienced a systems failure that resulted in massive customer
service delays and customer walk-outs.
Coverage: AIG retained a forensic accountant and reimbursed the Insured the full amount of lost
sales in excess of the applicable waiting period.
Breach: Hackers placed malware onto an Insured’s network and demanded $3,000 to
un-encrypt. After reporting the claim, the FBI advised the insured not to pay the ransom.
Coverage: A forensics firm removed the malware and determined an employee of the Insured was
responsible. AIG reimbursed the insured $50,000 for forensic costs.
Breach: An Insured posted photographs of a celebrity and a corresponding story that implies he
has been dealing illicit drugs online.
Coverage: The celebrity denied the accusations and through counsel demanded a retraction of
the story. AIG assisted the Insured in settling with the celebrity.
The scenarios above are offered only as examples. Coverage depends on the actual facts of each data breach and the terms, conditions, and exclusions of each individual policy.
CLAIM SCENARIO - HEALTHCARE
Insured is a Hospital in the Southeast:
• First Breach – The insured discovered an employee was creating a handwritten list with patient information, i.e. a paper breach. Approximately 1,500 records compromised.
• Second Breach – While investigating the first breach, the Insured uncovered a second employee had accessed and downloaded patient files. Approximately 8,500 patient records compromised.
• Third Breach – During the investigation and notification process of the first two breaches, a third breach was discovered. A former employee continued to access the systems using her access password and code. 50,000 patients were notified of this breach.
THE SPECTRUM OF CYBER RISK
CYBER CONCERNS OF ORGANIZATIONS
Clients’ Top Concern is Cyber Risk*
1. Cyber Risk – 86%
2. Loss of Income – 82%
3. Property Damage – 80%
4. Worker’s Compensation – 78%
5. Utility Interruption – 76%
6. Securities/Investment Risk – 76%
7. Auto/Fleet Risk – 65%
Clients’ Cyber Concerns
• 80% of clients believe that it is difficult to keep up with cyber threats because they are evolving so quickly
• 74% of clients believe human error is a significant source of cyber risk
• 82% believe hackers are the primary source of cyber threats
* Based upon 2012 AIG survey. Percentage of respondents who indicated they were “very” or “somewhat” concerned about each specific risk from a base of 256 quantitative interviews among brokers, risk managers, C-Suite executives and information technology decision makers, October – November 2012.
POTENTIAL THREATS TO DIGITAL ASSETS
• Outside Attacks/Hackers
• Rogue Insiders
• Malware – Trojans, Viruses, Etc. – and Bugs (Heartbleed)
• Vendor Error/Negligence
• Physical Security Breach
• Social Engineering
• Poor IT Controls
• Lost Hardware
• They are going to get in
• They need a “getaway car”
• We have more control over them inside our systems
• Lock them in the vault
  • Use application “whitelisting”
  • Patch software
  • Patch operating systems
  • Continuous monitoring
  • Minimize # of user admin privileges
PRACTICAL RISK AND EXPOSURE
INCIDENTS ON THE RISE
• Threats and Losses Increasing
• Financial Impact per Incident: $3.5M (from NetDiligence Claims Study, 2013) to $9.4M
(Ponemon Cyber Study - 2013)
• Losses In Large Data Breaches Have Exceeded $100M
• Settlements With Major Credit Card Providers Alone Have Exceeded $20M
• Derivative Claim Examples
• In re Heartland Payment Systems, Inc. Securities Litigation, Civ No. 09-1043 (D.N.J)
• Louisiana Municipal Police Employees’ Retirement System v. Alvarez, CA5620 (Del.
Chancery Ct., Wilmington) – TJX Breach
• Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) – Target Breach
WHAT THIS MEANS FOR THE BOARD
• Costs from a data breach can quickly escalate and include:
  • Public Embarrassment, Shareholder and Public Outcry
  • Loss of Customers/Revenue
  • Damaged Reputation/Brand
  • Notification and identity monitoring
  • Computer forensics, PR consulting, Legal Assistance + Call Center Services
  • Liability from class action lawsuits, regulatory actions and fines/penalties
• Potential D&O suits:
  • Allegations of Negligence By Board – Lack of Oversight
  • Allegations Directors Should Have Known that Information Assets Were Vulnerable
  • Allegations Directors Failed to Purchase Sufficient Insurance Despite Clear And Prevalent Exposure
• When organizations lose money, shareholder suits are not far behind.
UNDERWRITING CONSIDERATIONS
UNDERWRITING CONSIDERATIONS
• Revenue / # of Records
• Industry
• Security & Privacy Culture
• Network Operations
• Organization Controls
• Administrative Controls
• Electronic Controls
• Physical Controls
• Regulatory Compliance
• Vendor Management
• Loss Experience
• Crisis Management Preparedness
LEGAL AND REGULATORY FRAMEWORK
LEGAL AND REGULATORY FRAMEWORK
• State Privacy Laws
– http://www.ncsl.org/research/telecommunications-and-informationtechnology/security-breach-notification-laws.aspx
• Federal Privacy Laws
  – Gramm-Leach-Bliley Act
  – HIPAA/HITECH
  – Federal Trade Commission (FTC v. Wyndham Worldwide Corp.)
  – FACTA/Red Flags Rule
• Foreign Privacy Laws
• PCI Data Security Standards (PCI DSS)
LEGAL AND REGULATORY FRAMEWORK
• Breach Notification Costs/Identity Monitoring
• Computer Forensics/PR Consulting
• Loss of Customers/Revenue
• Damaged Reputation/Brand
• Regulatory Actions/Fines/Penalties/Consumer Redress
• Lawsuits & Defense Costs
• Loss of “Crown Jewels”
• Business Interruption & Supply Chain Disruption
• Drop in Stock Price/Loss of Market Share
• Potential D&O Suits (Target)
LEGAL AND REGULATORY FRAMEWORK
• SEC Guidance -- “[A]ppropriate disclosures may include”:
• “Discussion of aspects of the registrant’s business or operations that give rise to material
cybersecurity risks and the potential costs and consequences”;
• “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
• “Description of cyber incidents experienced by the registrant that are individually, or in the
aggregate, material, including a description of the costs and other consequences”;
• “Risks related to cyber incidents that may remain undetected for an extended period”; and
• “Description of relevant insurance coverage.”
Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-whenany-public-company-might-be-the-next-target-02-11-2014
LEGAL AND REGULATORY FRAMEWORK
• NIST Cybersecurity Framework -- provides a common taxonomy and
mechanism for organizations to:
• Describe their current cybersecurity posture;
• Describe their target state for cybersecurity;
• Identify and prioritize opportunities for improvement within the context of a continuous
and repeatable process;
• Assess progress toward the target state;
• Communicate among internal and external stakeholders about cybersecurity risk.
• The Framework is voluntary (for now)
LEGAL AND REGULATORY FRAMEWORK
• NIST Cybersecurity Framework
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)
THE ROLE OF THE RISK MANAGER IN
ADDRESSING AND MITIGATING CYBER RISK
ROLE OF THE RISK MANAGER IN ADDRESSING AND
MITIGATING CYBER RISKS
• Determine the need for coverage
• Review the extent of coverage under existing policies
• Engage a knowledgeable broker and outside counsel
• Execute non-disclosure agreements with potential insurers
• Conduct open discussions and partner with your Chief Information Officer to complete an extensive application
• Conduct face-to-face meetings with potential insurers
• Obtain senior management concurrence or authorization to bind coverage
LIMITATIONS OF “LEGACY” INSURANCE
POLICIES
LIMITATIONS OF “LEGACY” INSURANCE POLICIES
• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime
  • Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Commercial General Liability (CGL)?
• Property?
LIMITATIONS OF “LEGACY” INSURANCE POLICIES
• Coverage B provides coverage for damages because of “personal and advertising injury”
• “Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
• What is a “Person’s Right of Privacy”?
• What is a “Publication”?
LIMITATIONS OF “LEGACY” INSURANCE POLICIES
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
• Zurich American Insurance Co. v. Sony Corp. of America et al.
CUTTING EDGE “CYBER” PRODUCTS
AN UPDATE ON THE MARKET’S HOTTEST PRODUCTS
CYBER INSURANCE:
WHAT DOES (OR SHOULD) IT COVER?
• Liability for loss of personally identifiable information
  • Not just electronic, but all types of data, including paper
  • Corporate information, not just individuals
  • All types of data, not just financial
  • Some cover loss of data when in the possession of a 3rd party, such as a vendor
  • Many think it covers all liability for all types of electronic activity, such as social media; it doesn’t
• Costs for responding to a data breach
  • Public relations response
  • Legal guidance
  • Victim notification
  • Credit monitoring
COVERAGE (CONT’D.)
• Fines and penalties
  • Defense costs
  • Consumer Redress funds
  • Civil money penalties (but not if unlawful to insure; look for most favored venue language)
  • Penalties imposed by credit card issuing entities (Visa/MasterCard, etc.)
  • Typically sublimited
• Value-added Services
  • Discounted response services
  • Helplines
  • Network testing
  • Virtual privacy officer
COVERAGE OPTIONS
• 1st Party
  • Loss of Data
  • Business Interruption and Extra Expense
  • Cyber Extortion
  • Crisis Response Fund
• Theft
  • Data
  • $$$
  • Products or Services
COVERAGE OPTIONS (CONT’D.)
• Media Liability
• All media activities or just online media (including social media)
• Intellectual Property liability coverage:
• Copyright infringement – can be included
• Trade or Service Mark infringement – can be included
• Patent Infringement – cannot be included in most forms
NOTABLE EXCLUSIONS
• Dishonest/Criminal/Intentional Acts (but severability generally
applies)
• Contractual Liability
• Data Outside of Your Network
• This is in reference to cloud-type computing, which is often insurable
• Non-electronic data
• Such as paper documents; generally insurable
PRACTICAL TIPS FOR SELECTING THE RIGHT POLICY
• 30+ meaningful carriers offer Cyber insurance
• Several offer multiple versions
• Non-global insurance brokers are still grappling with these
products, but making progress
• Knowledge level varies greatly
• Wholesalers are a good resource and should be considered
PRACTICAL TIPS FOR SELECTING THE RIGHT POLICY
• Coverage can be acquired via other policies
• Tech and other forms of E&O
• MedMal
• Management Liability products
• But make sure the coverage is complete
• Not just liability coverage
PRACTICAL TIPS FOR SELECTING THE RIGHT POLICY
• Sublimits for breach response costs are being eliminated (or
at least eased)
• Look carefully at value-added services, which are becoming
more robust and effective
• Not all Cyber insurers are going to stay in this space
• Choose carefully
• Cost efficiencies of response costs panel providers are an
important benefit of the policy
PRACTICAL TIPS FOR SELECTING THE RIGHT POLICY
• When selecting coverage, be sure it includes:
• Data wherever/whenever
• Not just electronic data – ALL data
• Loss caused by insiders, not just outsiders
• Make sure the coverage does not require:
• Insured to have updated software protections
• An exclusion for state-sponsored attacks
WHERE DOES CYBER GO FROM HERE?
• Avoidance
• Improved prevention
• Such as hardware to defeat intrusion attempts
• Pre-loss helpline/virtual privacy officers
• Data lockdown
• Lower response costs driven by insurer-negotiated pricing & fewer affected
individuals making claims for credit monitoring
• Underwriting and pricing
• Better recognition of the value of loss avoidance tools and techniques
• Coverage
• Non-state sponsored attacks
• Theft of corporate Intellectual Property
• Loss of value
• Liability
HOW TO ENHANCE “OFF-THE-SHELF”
CYBER INSURANCE FORMS THROUGH
NEGOTIATION
DATA BREACH COVERAGE EXAMPLE 1
DATA BREACH COVERAGE EXAMPLE 2
DATA BREACH COVERAGE EXAMPLE 3
NETWORK SECURITY COVERAGE EXAMPLE 1
NETWORK SECURITY COVERAGE EXAMPLE 2
NETWORK SECURITY COVERAGE EXAMPLE 3
HOW TO ENHANCE “OFF-THE-SHELF” CYBER
INSURANCE FORMS THROUGH NEGOTIATION
• Privacy And Network Security
• Crisis Management
• Regulatory Liability
• Media Liability
• Information Asset Coverage
• Network Interruption
• Extortion
TIPS FOR A SUCCESSFUL PLACEMENT
• Embrace a Team Approach
• Understand the Risk Profile
• Review “Traditional” Coverages
• Purchase Cyber Coverage as Needed
• Remember the “Cyber” Misnomer
• Spotlight the “Cloud”
• Consider the Amount of Coverage (Limits and Sublimits)
• Pay Attention to the Retroactive Date and ERP
• Look at Defense and Settlement Provisions
BEWARE. THE. FINE. PRINT.
QUESTIONS, FINAL COMMENTS AND
CONTACT INFORMATION
• Roberta D. Anderson – roberta.anderson@klgates.com – @RobertaEsq
• Richard S. Betterley, CMC – rbetterley@betterley.com
• Mark Camillo – mark.camillo@aig.com
• Debra A. Samuel – debra.samuel@alcoa.com
KEEP THIS SLIDE FOR EVALUATION
INFORMATION/MOBILE APP ETC.
Please complete the session survey on the RIMS14 mobile application.