3. Speakers
Robert Hammesfahr
HWR Consulting
moderator
Robert Parisi
Marsh USA
Kevin Baughn
Safehold Special Risk
Michael D. Handler
Cozen O’Connor
John Wurzler
OneBeacon Technology Insurance
4. What are Cyber Risks?
Any organization that (1) uses technology in its operations and/or (2) handles, collects or stores confidential information has Cyber Risk.
• Legal liability to others for computer security breaches
• Legal liability to others for privacy breaches of confidential information
• Regulatory actions, fines and scrutiny
• Loss or damage to data / information
• Loss of revenue due to a computer attack
• Extra expense to recover / respond to a computer attack
• Loss or damage to reputation
• Cyber-extortion
• Cyber-terrorism
5. Cyber Coverage Overview
Network Security Liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
Privacy Liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under
your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them
in the normal course of your business.
Regulatory Investigation Defense: coverage for legal expenses associated with representation in connection with a regulatory
investigation, including indemnification of fines & penalties where insurable.
Event Response and Crisis Management Expenses: expenses incurred in responding to a data breach event, including retaining
forensic investigator, crisis management firm and law firm. Includes expenses to comply with privacy regulations, such as
communication to impacted individuals and appropriate remedial offerings like credit monitoring or identity theft insurance.
Cyber Extortion: ransom &/or investigative expenses associated with a threat directed at you that would cause an otherwise
covered event or loss
Network Business Interruption: reimbursement of your loss of income and / or extra expense resulting from an interruption or
suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption.
Data Asset Protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (e.g., software applications) that are corrupted or destroyed by a computer attack.
6. The Cyber Insurance Market
Market capacity:
• Over 50 markets selling or participating in cyber insurance
• Over $600M deployable capacity; largest placements still in $200M range
Appetite & Approach:
Different for each insurer and varies by:
• Size: revenue, record count, transaction volume
• Industry: Healthcare, Retail, Finance, Higher Ed, etc.
• Jurisdiction: USA, Canada, Europe, Asia, etc.
Principal Markets:
• For larger risks: AIG, Beazley, Zurich, Chubb, Safehold (representing certain Lloyd’s Syndicates)
• For SME: capacity is plentiful; key markets include OneBeacon, Philadelphia, etc.
Market Size:
• Estimates vary between $750M and $1B GWP in 2013
7. Privacy Has Emerged
Global reliance on real time data has created a greater need for real time innovative solutions.
Privacy is a heightened and evolving exposure.
8. Privacy – Today the Need has Changed
1. Failing to protect:
   Personally Identifiable Information (PII) of employees, customers, or Service Providers
   Personal Health Information of customers, members, or employees
2. Worldwide regulatory changes occurring: Federal, State, Sovereign, Local Governmental Agencies
3. Reliance on Service Providers: Hosting, Cloud, IT, HR, Archiving
4. Financial Institutions are suing for the cost to reissue credit cards
5. Business Interruption and Systems Failure
6. Global Threat Environment – Hostile State-sponsored terrorism threats
7. Malware is influencing the threat environment and includes.
10. What Kind of Data?
1. Paper and Electronic
2. Personally identifiable information (employee, customer, Service Provider), or
3. Personal Health Information (customers, members, employees)
4. Credit Card Numbers
5. Confidential 3rd party information
6. Merger/Acquisition target/plans
7. Financial Account Information
11. Privacy Risk Management
Ask Privacy/IT professionals:
− Incident Response Plan (tested?)
− Service Provider Contracts / Insurance Requirements
  − Requirements
  − Evaluation
  − Selection
  − SLA Considerations
  − Contracting Parties (when your Service Provider farms out the work)
  − Location…Location…Location (Where is your data?)
Privacy Risk Assessment (sources, vulnerabilities, processes, perils)
Check Existing Insurance Gap Analysis (GL, Prop, E&O, Crime, K&R)
New coverage terms must integrate
− With Response Plans
− With Traditional Policies
12. Insurance Coverages – First & Third, Nobody Out?
First Party Coverage
– Damage to digital assets
– Business interruption
– Extortion
– Privacy Breach Expenses
Third Party Coverage
– Privacy liability
– Network security liability
– Internet media liability
– Regulatory liability
– Contractual liability
13. Recent Cyber Product Innovation
• Traditional Approach:
  – Fines & Penalties drop-down coverage through Bermuda as an Excess & DIC component of standard cyber capacity
  – Business Interruption
    - System Outage/Technology Failure trigger expands beyond a cyber attack
    - Dependent Business Interruption trigger
    - Reputational trigger
  – Catastrophic Approach
    - Broad form coverage for accounts taking a catastrophic approach to risk transfer, i.e. taking a retention above $100M
• Non-Traditional Approach:
  – Industrial Risks
    - Coverage for property damage caused by technology failure of industrial components, i.e. industrial control systems
  – P&C Excess-DIC
    - Excess/DIC coverage over traditional coverage lines (property, casualty, etc.) that picks up covered loss/damage otherwise excluded because caused by a cyber attack
14. Types of First Party Losses
• Hardware or software malfunction/corruption
• Denial of service
• Loss of business
  – Service downtime
  – Abnormal turnover of customers
  – Related to reputation / PR
• Data theft
• Loss of trust (customers, employees, shareholders)
• Brand damage
• Exposure of proprietary/sensitive data
• Breach expenses
• Forensic costs
15. Issues With First Party Policies
• Named Perils – coverage would normally not be triggered by cyber loss because it is not a named peril
• All Risk – requires “direct physical loss” to “covered property”
• Business Interruption – loss must be caused by a fortuitous event inflicting “physical injury to tangible property”
16. Cyber Risk Policies
• First party policies often do not apply
– “direct physical loss or damage”
• “physical” = tangible … not electronic data
• Bodily Injury often requires damage or destruction of property
• Exclusions often apply
– Fidelity and commercial crime insurance may apply
• High costs
– $188/record, average of >28k records (Ponemon Institute Survey)
– $277/record when caused by malicious attacks (Ponemon Institute Survey)
– Just a sample; not catastrophic
• It will eventually happen
17. Cyber Risk Policies
• Each data breach is different
• Prevention consultation
– Strong security decreases downstream costs
• Assistance with incident response plans
– Incident response plans save $42/record (Ponemon)
• Response consultation
– Consultants decrease costs and increase remediation effectiveness
– Consultants can save $13/record (Ponemon)
• Crisis management and public relations to mitigate fallout
18. Causes of Data Breaches: Advanced Persistent Threats
• Internet Malware Infections
– Drive by downloads
– Email attachments
– File sharing
– Pirated software
• Physical Malware Infections
– Infected USB memory sticks, CDs, and DVDs
– Infected applications
– Backdoored IT equipment
• External Exploitation
• Human Error
19. SEC CF Disclosure: Cybersecurity Risk Factors
• Consistent with Regulation S-K Item 503(c), Risk Factors should include:
  – A discussion of cybersecurity and cyber incidents if such issues are among the most significant factors that make an investment in the company speculative or risky.
• In deciding on disclosures, companies consider:
  – The frequency and severity of prior cyber incidents
  – The probability of, and the qualitative and quantitative magnitude of, risk from future attacks
  – Per the Disclosure Guidance: the adequacy of any preventative measures taken
• Type(s) of insurance purchased may be relevant to disclosures, depending in part on standards in the industry.
20. SEC CF Disclosure: Cybersecurity
• Event Disclosure
• Management Discussion and Analysis
• Description of Business
• Legal Proceedings
• Financial Statement Disclosures
• Disclosure Controls and Procedures
• Form 8-K
21. Case Update: Sony PlayStation February 2014 Ruling
• 60 underlying lawsuits involved in the PlayStation cyberattack
• $2 Billion in losses after hackers stole personal information from millions of PlayStation users
  – One of the largest recorded data security breaches at the time
  – Required shutdown of the server for nearly a month
• Personal information included:
  – Names, addresses, birthdates, credit card numbers, bank account information
• Large breach, but since eclipsed by more recent cyberattacks (e.g. Target, Xmas 2013, and JP Morgan Chase, Summer 2014).
22. Case Update: Sony PlayStation Ruling
• Coverage B: “oral or written publication in any manner of material that violates a person’s right of privacy”
• Issue: whether Sony was required to commit the breach-causing act, or whether third parties’ acts suffice
• Court found Sony was not involved in the “publication” – declined to expand the insurer’s liability by construing “in any manner” to include criminal hackers
• Provision could only be read to require the policyholder to perpetrate or commit the “publication” – could not be expanded to third parties
• Implications: otherwise reluctant policyholders encouraged to buy data breach coverage
• No automatic coverage for these types of large-scale response costs, or for responding to third party litigation
23. Data Breach Liability Exclusion ISO Form
• CG 21 06 05 14:
  – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception
• Excludes damages arising out of:
  – (1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or
  – (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data
• Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in (1) or (2) above
• However, unless Paragraph (1) above applies, this exclusion does not apply to damages because of “bodily injury”
24. Data Breach Liability Exclusion ISO Form
• As used in the exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment
• The exclusion does not apply to “personal and advertising injury”
  – Arising out of any access to or disclosure of any person’s or organization’s confidential or personal information
  – Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, etc.
25. Data Breach Liability Exclusion’s Impact
• As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors
• Managing data risk requires a collaborative effort to predict foreseeable losses and potential impacts, to meet today’s digital challenges
• Exclusion should ultimately reduce litigation on whether data breaches are covered by CGL policies, while providing needed protection and certainty for insurers and policyholders alike
26. Speakers
MODERATOR: Robert Hammesfahr
HWR Consulting
rhammesfahr@ameritech.net
John Wurzler
OneBeacon Technology Insurance
Jwurzler@onebeacontech.com
952.852.6025
Kevin Baughn
Safehold Special Risk
kevin.baughn@safehold.com
206-470-3296
Robert Parisi
Marsh USA
robert.parisi@marsh.com
212 345 5924
Michael D. Handler
Cozen O’Connor
mhandler@cozen.com
(206) 808-7839
Editor's Notes
Service Provider Access/Capabilities/Storage/Process
Mobile Devices (Application)/Portable Devices (i.e. thumb drives)