Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Slides from our June 12, 2014 webinar focusing on cybersecurity. These slides cover cyber risk, the legal and regulatory framework, and how to choose an insurance policy that covers cybersecurity breaches.

Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance Presentation Transcript

  • 1. Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
  • 2. About SecureDocs
    – SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties.
    – Company Basics:
      • Virtual data room used by companies from fundraising to exit
      • Developed by the team that created and launched GoToMyPC and GoToMeeting
      • Web-based business software for financial and legal professionals
      • Distinguished through its ease-of-use, industry-leading security, and flat-fee pricing
  • 3. About Roberta D. Anderson
    Roberta is a partner in the Pittsburgh office of K&L Gates LLP. A member of the firm’s Insurance Coverage and Cybersecurity practice groups, Roberta concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues.
  • 4. Agenda
    – The Spectrum of Cyber Risk
    – Practical Risk and Exposure
    – Legal and Regulatory Framework
    – What to do Before an Incident?
    – Potential Coverage Under “Legacy” Policies
    – Limitations of “Legacy” Insurance Policies
    – Technology Errors & Omissions Coverage
    – Cutting Edge “Cyber” Products
    – How To Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
    – A Word About Vendor Contracts
    – Audience Q&A
  • 5. THE SPECTRUM OF CYBER RISK
  • 6. The Spectrum of Cyber Risk
    – Malicious attacks (Advanced Persistent Threats, spear phishing/social engineering, viruses, worms, Trojans, DDoS attacks)
    – Data breach
    – Unauthorized access (hacker attacks, spyware)
    – Inadequate security and system glitches
    – Employee mobility and disgruntled employees
    – Lost or stolen portable devices
    – Inadequate security and systems: first party and third-party vendors
    – Carelessness of employees and vendors
    “[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” – Robert S. Mueller, III, Director, FBI
  • 7. LEGAL AND REGULATORY FRAMEWORK
  • 8. Legal and Regulatory Framework
    – State Privacy Laws
      – http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
    – Federal Privacy Laws
      – Gramm-Leach-Bliley Act
      – HIPAA/HITECH
      – Federal Trade Commission (FTC v. Wyndham Worldwide Corp.)
      – FACTA/Red Flags Rule
    – Foreign Privacy Laws
    – PCI Data Security Standards (PCI DSS)
  • 9. Legal and Regulatory Framework
    “appropriate disclosures may include: . . . [a] [d]escription of relevant insurance coverage.”
    § SEC Guidance -- “[A]ppropriate disclosures may include”:
      § “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
      § “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
      § “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
      § “Risks related to cyber incidents that may remain undetected for an extended period”; and
      § “Description of relevant insurance coverage.”
    Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-the-next-target-02-11-2014
  • 10. Legal and Regulatory Framework
  • 11. Legal and Regulatory Framework
    – NIST Cybersecurity Framework -- provides a common taxonomy and mechanism for organizations to:
      – Describe their current cybersecurity posture;
      – Describe their target state for cybersecurity;
      – Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
      – Assess progress toward the target state;
      – Communicate among internal and external stakeholders about cybersecurity risk.
    – The Framework is voluntary (for now)
  • 12. Legal and Regulatory Framework
    – NIST Cybersecurity Framework
    NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
  • 13. PRACTICAL RISK AND EXPOSURE
  • 14. Practical Risk and Exposure
    • Breach Notification Costs/Identity Monitoring
    • Computer Forensics/PR Consulting
    • Loss of Customers/Revenue
    • Damaged Reputation/Brand
    • Regulatory Actions/Fines/Penalties/Consumer Redress
    • Lawsuits & Defense Costs
    • Loss of “Crown Jewels”
    • Business Interruption & Supply Chain Disruption
    • Drop in Stock Price/Loss of Market Share
    • Potential D&O Suits (Target)
  • 15. WHAT TO DO BEFORE AN INCIDENT?
  • 16. “[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)
  • 17. POTENTIAL COVERAGE UNDER “LEGACY” POLICIES
  • 18. Potential Coverage Under “Legacy” Policies
    – Directors’ and Officers’ (D&O)
    – Errors and Omissions (E&O)/Professional Liability
    – Employment Practices Liability (EPL)
    – Fiduciary Liability
    – Crime
      – Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
    – Property?
    – Commercial General Liability (CGL)?
  • 19. Potential Coverage Under “Legacy” Policies
    – Coverage B provides coverage for damages because of “personal and advertising injury”
    – “Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
    – What is a “Person’s Right of Privacy”?
    – What is a “Publication”?
  • 20. LIMITATIONS OF “LEGACY” INSURANCE POLICIES
  • 21. klgates.com
  • 22. ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
  • 23. Zurich American Insurance Co. v. Sony Corp. of America et al.
  • 24. TECHNOLOGY ERRORS & OMISSIONS COVERAGE
  • 25. Technology E&O Coverage
    – Essential for a provider of e-commerce-related solutions
    – Covers
      • Errors & Omissions in the Provision of Technology Services
      • Failure of Technology Products to Serve Their Purpose
    – But there are limitations
      • Triggered By a “Claim” That Alleges An Act or Omission
      • May Exclude Security Breach or Unauthorized Access to Information
      • May Not Include Breach Notification Costs, Which Are Viewed As More of a “First-Party” Loss
  • 26. CUTTING EDGE “CYBER” PRODUCTS
  • 27. Specialty “Cyber” Policies – Third Party
    – Privacy And Network Security
      – Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
    – Regulatory Liability
      – Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties
    – Media Liability
      – Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content
  • 28. Specialty “Cyber” Policies – First Party
    – Information Asset Coverage
      – Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
    – Network Interruption And Extra Expense (and CBI)
      – Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
    – Extortion
      – Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)
    – Crisis Management
  • 29. HOW TO ENHANCE “OFF-THE-SHELF” CYBER INSURANCE FORMS THROUGH NEGOTIATION
  • 30. klgates.com
  • 31. Data Breach Example 1
  • 32. Data Breach Example 2
  • 33. Data Breach Example 3
  • 34. Network Security Example 1
  • 35. Network Security Example 2
  • 36. Network Security Example 3
  • 37. TIPS For A Successful Placement
    § Embrace a Team Approach
    § Understand the Risk Profile
    § Review Existing Coverages
    § Purchase Cyber Coverage as Needed
    § Remember the “Cyber” Misnomer
    § Spotlight the “Cloud”
    § Consider the Amount of Coverage
    § Pay attention to the Retroactive Date and ERP
    § Look at Defense and Settlement Provisions
  • 38. BEWARE. THE. FINE. PRINT.
  • 39. “A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.” Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)
  • 40. A WORD ABOUT VENDOR CONTRACTS