NetDiligence® Cyber Risk & Privacy Liability Forum
October 8-9, 2014
Cyber Basics
Speakers 
Robert Hammesfahr, HWR Consulting (moderator) 
Robert Parisi, Marsh USA 
Kevin Baughn, Safehold Special Risk 
Michael D. Handler, Cozen O’Connor 
John Wurzler, OneBeacon Technology Insurance
What are Cyber Risks? 
Any organization that (1) uses technology in its operations and/or (2) handles, collects or stores confidential information has Cyber Risk. 
• Legal liability to others for computer security breaches 
• Legal liability to others for privacy breaches of confidential information 
• Regulatory actions, fines and scrutiny 
• Loss or damage to data / information 
• Loss of revenue due to a computer attack 
• Extra expense to recover / respond to a computer attack 
• Loss or damage to reputation 
• Cyber-extortion 
• Cyber-terrorism
Cyber Coverage Overview 
Network Security Liability: liability to a third party as a result of a failure of your network security to protect against destruction, 
deletion, or corruption of a third party’s electronic data, denial of service attacks against internet sites or computers; or transmission of 
viruses to third party computers and systems 
Privacy Liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under 
your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them 
in the normal course of your business. 
Regulatory Investigation Defense: coverage for legal expenses associated with representation in connection with a regulatory 
investigation, including indemnification of fines & penalties where insurable. 
Event Response and Crisis Management Expenses: expenses incurred in responding to a data breach event, including retaining 
forensic investigator, crisis management firm and law firm. Includes expenses to comply with privacy regulations, such as 
communication to impacted individuals and appropriate remedial offerings like credit monitoring or identity theft insurance. 
Cyber Extortion: ransom &/or investigative expenses associated with a threat directed at you that would cause an otherwise 
covered event or loss 
Network Business Interruption: reimbursement of your loss of income and / or extra expense resulting from an interruption or 
suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption. 
Data Asset Protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data & other intangible assets 
(e.g., software applications) that are corrupted or destroyed by a computer attack.
The Cyber Insurance Market 
Market capacity: 
• Over 50 markets selling or participating in cyber insurance 
• Over $600M deployable capacity; largest placements still in $200M range 
Appetite & Approach: 
Different for each insurer and varies by: 
• Size: revenue, record count, transaction volume 
• Industry: Healthcare, Retail, Finance, Higher Ed, etc. 
• Jurisdiction: USA, Canada, Europe, Asia, etc. 
Principal Markets: 
• For larger risks: AIG, Beazley, Zurich, Chubb, Safehold (representing certain Lloyd’s Syndicates) 
• For SMEs: capacity is plentiful; key markets include OneBeacon, Philadelphia, etc. 
Market Size: 
• Estimates vary between $750M and $1B GWP for 2013
Privacy Has Emerged 
Global reliance on real time data has created a greater need for real time, innovative solutions. 
Privacy is a heightened and evolving exposure.
Privacy – Today the Need has Changed 
1. Failing to protect: 
– Personally Identifiable Information (PII): employee, customer, Service Provider; or 
– Personal Health Information: customers, members, employees 
2. Worldwide regulatory changes occurring: Federal, State, Sovereign, Local Governmental Agencies 
3. Reliance on Service Providers: Hosting, Cloud, IT, HR, Archiving 
4. Financial Institutions are suing for the cost to reissue credit cards 
5. Business Interruption and Systems Failure 
6. Global Threat Environment – hostile state-sponsored terrorism threats 
7. Malware is influencing the threat environment and includes.
Privacy Regulation Milestones 
© 2014 OneBeacon Technology Insurance Group 
• 500 Million Records disclosed since 2005 – represents a sampling (www.privacyrights.org/data-breach) 
• 47 States plus DC have consumer data protection laws; HIPAA, HiTech; Congress to pass Fed Law? (Oct 2014) 
• Obama Executive Order 13636 – Improving Critical Infrastructure Cybersecurity – February 2013; results in S. bill 1638, the Cybersecurity Public Awareness Act of 2013 (November 5) 
• California S.B. 1386, Personal Information, Privacy, July 1, 2003. Considered by many to be the first Data Privacy Legislation.
What Kind of Data? 
1. Paper and Electronic 
2. Personally identifiable information (employee, customer, Service Provider); or 
3. Personal Health Information (customers, members, employees) 
4. Credit Card Numbers 
5. Confidential 3rd party information 
6. Merger/Acquisition target/plans 
7. Financial Account Information
Privacy Risk Management 
Ask Privacy/IT professionals: 
− Incident Response Plan (tested?) 
− Service Provider Contracts / Insurance Requirements 
  − Requirements 
  − Evaluation 
  − Selection 
  − SLA Considerations 
  − Contracting Parties (when your Service Provider farms out work) 
  − Location…Location…Location (Where is your data?) 
Privacy Risk Assessment (sources, vulnerabilities, processes, perils) 
Check Existing Insurance / Gap Analysis (GL, Prop, E&O, Crime, K&R) 
New coverage terms must integrate 
− With Response Plans 
− With Traditional Policies
Insurance Coverages – First & Third, Nobody Out? 
First Party Coverage 
– Damage to digital assets 
– Business interruption 
– Extortion 
– Privacy Breach Expenses 
Third Party Coverage 
– Privacy liability 
– Network security liability 
– Internet media liability 
– Regulatory liability 
– Contractual liability
Recent Cyber Product Innovation 
• Traditional Approach: 
  – Fines & Penalties drop-down coverage through Bermuda as an Excess & DIC component of standard cyber capacity 
  – Business Interruption 
    - System Outage/Technology Failure trigger expands beyond a cyber attack 
    - Dependent Business Interruption trigger 
    - Reputational trigger 
  – Catastrophic Approach 
    - Broad form coverage for accounts taking a catastrophic approach to risk transfer, i.e. taking a retention above $100M 
• Non-Traditional Approach: 
  – Industrial Risks 
    - Coverage for property damage caused by technology failure of industrial components, e.g. industrial control systems 
  – P&C Excess-DIC 
    - Excess/DIC coverage over traditional coverage lines (property, casualty, etc.) that picks up covered loss/damage 
      otherwise excluded because caused by a cyber attack
Types of First Party Losses 
• Hardware or software malfunction/corruption 
• Denial of service 
• Loss of business 
  – Service downtime 
  – Abnormal turnover of customers 
  – Related to reputation / PR 
• Data theft 
• Loss of trust (customers, employees, shareholders) 
• Brand damage 
• Exposure of proprietary/sensitive data 
• Breach expenses 
• Forensic costs
Issues With First Party Policies 
• Named Perils – coverage would normally not be triggered by cyber loss because it is not a named peril 
• All Risk – requires “direct physical loss” to “covered property” 
• Business Interruption – loss must be caused by a fortuitous event inflicting “physical injury to tangible property”
Cyber Risk Policies 
• First party policies often do not apply 
– “direct physical loss or damage” 
• “physical” = tangible … not electronic data 
• Bodily Injury often requires damage or destruction of property 
• Exclusions often apply 
– Fidelity and commercial crime insurance may apply 
• High costs 
  – $188/record, average of >28k records (Ponemon Institute Survey) 
  – $277/record when caused by malicious attacks (Ponemon Institute Survey) 
  – Just a sample; not catastrophic 
• It will eventually happen
Cyber Risk Policies 
• Each data breach is different 
• Prevention consultation 
– Strong security decreases downstream costs 
• Assistance with incident response plans 
  – Incident response plans save $42/record (Ponemon) 
• Response consultation 
– Consultants decrease costs and increase remediation effectiveness 
– Consultants can save $13/record (Ponemon) 
• Crisis management and public relations to mitigate fallout
Causes of Data Breaches: Advanced Persistent Threats 
• Internet Malware Infections 
– Drive by downloads 
– Email attachments 
– File sharing 
– Pirated software 
• Physical Malware Infections 
– Infected USB memory sticks, CDs, and DVDs 
– Infected applications 
– Backdoored IT equipment 
• External Exploitation 
• Human Error
SEC CF Disclosure: Cybersecurity Risk Factors 
• Consistent with Regulation S-K Item 503(c), Risk Factors should include: 
– A discussion of cybersecurity and cyber incidents if such issues are among the most 
significant factors that make an investment in the company speculative or risky. 
• In deciding on disclosures, companies consider: 
– The frequency and severity of prior cyber incidents 
  – The probability of, and the qualitative and quantitative magnitude of, risk from future attacks. 
– Per Disclosure Guidance: adequacy of any preventative measures taken 
• Type(s) of Insurance purchased may be relevant to disclosures, 
depending in part on standards in the industry.
SEC CF Disclosure: Cybersecurity 
• Event Disclosure 
• Management Discussion and Analysis 
• Description of Business 
• Legal Proceedings 
• Financial Statement Disclosures 
• Disclosure Controls and Procedures 
• Form 8-K
Case Update: Sony PlayStation February 2014 Ruling 
• 60 underlying lawsuits involved in PlayStation cyberattack 
• $2 Billion in losses after hackers stole personal information from 
millions of PlayStation users 
– One of largest recorded data security breaches at the time 
– Required shutdown of server for nearly a month 
• Personal information included: 
– Names, addresses, birthdates, credit card numbers, bank account information 
• Large breach, but since eclipsed by more recent cyberattacks (e.g. 
Target, Xmas 2013 & JP Morgan Chase, Summer 2014).
Case Update: Sony PlayStation Ruling 
• Coverage B: “oral or written publication in any manner of material that 
violates a person’s right of privacy” 
• Issue: whether Sony required to commit the breach-causing act, or if third 
parties’ acts suffice 
• Court found Sony was not involved in the “publication” – declined to 
expand insurer’s liability by construing “in any manner” to include criminal 
hackers 
• Provision could only be read to require policyholder to perpetrate or 
commit the “publication” - could not be expanded to third parties 
• Implications: otherwise reluctant policyholders encouraged to buy data 
breach coverage 
• No automatic coverage for these types of large-scale response costs, or 
responding to third party litigation
Data Breach Liability Exclusion ISO Form 
• CG 21 06 05 14: 
– Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related 
Liability – With Limited Bodily Injury Exception 
• Excludes damages arising out of: 
  – (1) Any access to or disclosure of any person’s or organization’s confidential or personal 
    information, including patents, trade secrets, processing methods, customer lists, financial 
    information, credit card information, health information or any other type of nonpublic 
    information; or 
  – (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to 
    manipulate electronic data 
• Exclusion applies even if damages are claimed for notification costs, credit 
  monitoring expenses, forensic expenses, public relations expenses or any 
  other loss, cost or expense incurred by you or others arising out of that 
  which is described in (1) or (2) above 
• However, unless Paragraph (1) above applies, this exclusion does not apply 
  to damages because of “bodily injury”
Data Breach Liability Exclusion ISO Form 
• As used in the exclusion, electronic data means information, facts or 
  programs stored as or on, created or used on, or transmitted to or from 
  computer software, including systems and applications software, hard 
  or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices 
  or any other media which are used with electronically controlled 
  equipment 
• The exclusion does not apply to “personal and advertising injury” 
– Arising out of any access to or disclosure of any person’s or organization’s confidential 
or personal information 
– Exclusion applies even if damages are claimed for notifications costs, credit monitoring 
expenses, forensic expenses, etc.
Data Breach Liability Exclusion’s Impact 
• As CGL policies expire and are replaced, businesses must carefully 
consider how to manage their financial exposure to newly excluded 
data losses, including those carried by third-party vendors 
• Managing data risk requires a collaborative effort to predict 
foreseeable losses and potential impacts, to meet today’s digital 
challenges 
• Exclusion should ultimately reduce litigation on whether data breaches 
are covered by CGL policies, while providing needed protection and 
certainty for insurers and policyholders alike
Speakers 
MODERATOR: Robert Hammesfahr, HWR Consulting, rhammesfahr@ameritech.net 
John Wurzler, OneBeacon Technology Insurance, Jwurzler@onebeacontech.com, 952.852.6025 
Kevin Baughn, Safehold Special Risk, kevin.baughn@safehold.com, 206-470-3296 
Robert Parisi, Marsh USA, robert.parisi@marsh.com, 212 345 5924 
Michael D. Handler, Cozen O’Connor, mhandler@cozen.com, (206) 808-7839
The Basics of Cyber Insurance

1. NetDiligence® Cyber Risk & Privacy Liability Forum, October 8-9, 2014

3. Speakers
   Robert Hammesfahr, HWR Consulting (moderator)
   Robert Parisi, Marsh USA
   Kevin Baughn, Safehold Special Risk
   Michael D. Handler, Cozen O’Connor
   John Wurzler, OneBeacon Technology Insurance

4. What are Cyber Risks?
   Any organization that: (1) uses technology in its operations &/or (2) handles/collects/stores confidential information has Cyber Risk.
   • Legal liability to others for computer security breaches
   • Legal liability to others for privacy breaches of confidential information
   • Regulatory actions, fines and scrutiny
   • Loss or damage to data / information
   • Loss of revenue due to a computer attack
   • Extra expense to recover / respond to a computer attack
   • Loss or damage to reputation
   • Cyber-extortion
   • Cyber-terrorism

5. Cyber Coverage Overview
   Network Security Liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
   Privacy Liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
   Regulatory Investigation Defense: coverage for legal expenses associated with representation in connection with a regulatory investigation, including indemnification of fines & penalties where insurable.
   Event Response and Crisis Management Expenses: expenses incurred in responding to a data breach event, including retaining a forensic investigator, crisis management firm and law firm. Includes expenses to comply with privacy regulations, such as communication to impacted individuals and appropriate remedial offerings like credit monitoring or identity theft insurance.
   Cyber Extortion: ransom &/or investigative expenses associated with a threat directed at you that would cause an otherwise covered event or loss.
   Network Business Interruption: reimbursement of your loss of income and / or extra expense resulting from an interruption or suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption.
   Data Asset Protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data & other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

6. The Cyber Insurance Market
   Market capacity:
   • Over 50 markets selling or participating in cyber insurance
   • Over $600M deployable capacity; largest placements still in the $200M range
   Appetite & Approach: different for each insurer and varies by:
   • Size: revenue, record count, transaction volume
   • Industry: Healthcare, Retail, Finance, Higher Ed, etc.
   • Jurisdiction: USA, Canada, Europe, Asia, etc.
   Principal Markets:
   • For larger risks: AIG, Beazley, Zurich, Chubb, Safehold (representing certain Lloyd’s Syndicates)
   • For SME, key markets: capacity is plentiful -- One Beacon, Philadelphia, etc.
   Market Size:
   • Estimates vary, between $750M & $1B GWP in 2013

7. Privacy Has Emerged
   Global reliance on real time data has created a greater need for real time, innovative solutions. Privacy is a heightened and evolving exposure.

8. Privacy – Today the Need has Changed
   1. Failing to protect: Personally Identifiable Information (PII) of employees, customers, Service Providers; or Personal Health Information of customers, members, employees
   2. Worldwide regulatory changes occurring: Federal, State, Sovereign, Local Governmental Agencies
   3. Reliance on Service Providers: Hosting, Cloud, IT, HR, Archiving
   4. Financial Institutions are suing for the cost to reissue credit cards
   5. Business Interruption and Systems Failure
   6. Global Threat Environment – hostile State sponsored terrorism threats
   7. Malware is influencing the threat environment and includes.

9. Privacy Regulation Milestones (© 2014 OneBeacon Technology Insurance Group)
   • 500 Million records disclosed since 2005 – represents a sampling (www.privacyrights.org/data-breach)
   • 47 States plus DC have consumer data protection laws; HIPAA, HiTech; Congress to pass a Federal law? (Oct 2014)
   • Obama Executive Order 13636 – Improving Critical Infrastructure in Cybersecurity – February 2013; results in S. bill 1638, the Cybersecurity Public Awareness Act of 2013 (November 5)
   • California S.B. 1386, Personal Information, Privacy, July 1, 2003. Considered by many to be the first Data Privacy Legislation.

10. What Kind of Data?
   1. Paper and Electronic
   2. Personally identifiable information (employee, customer, Service Provider); or
   3. Personal Health Information (customers, members, employees)
   4. Credit Card Numbers
   5. Confidential 3rd party information
   6. Merger/Acquisition target/plans
   7. Financial Account Information

11. Privacy Risk Management
   Ask Privacy/IT professionals:
   − Incident Response Plan (tested?)
   − Service Provider Contracts / Insurance Requirements
     − Requirements
     − Evaluation
     − Selection
     − SLA Considerations
     − Contracting Parties (when your Service Provider farms out)
     − Location…Location…Location (Where is your data?)
   − Privacy Risk Assessment (sources, vulnerabilities, processes, perils)
   − Check Existing Insurance: Gap Analysis (GL, Prop, E&O, Crime, K&R)
   − New coverage terms must integrate
     − With Response Plans
     − With Traditional Policies

12. Insurance Coverages – First & Third, Nobody Out?
   First Party Coverage
   – Damage to digital assets
   – Business interruption
   – Extortion
   – Privacy Breach Expenses
   Third Party Coverage
   – Privacy liability
   – Network security liability
   – Internet media liability
   – Regulatory liability
   – Contractual liability

13. Recent Cyber Product Innovation
   • Traditional Approach:
     – Fines & Penalties drop down coverage through Bermuda as an Excess & DIC component of standard cyber capacity
     – Business Interruption – System Outage/Technology Failure trigger expands beyond a cyber attack; Dependent Business Interruption trigger; Reputational trigger
     – Catastrophic Approach – broad form coverage for accounts taking a catastrophic approach to risk transfer, i.e. taking a retention above $100M
   • Non-Traditional Approach:
     – Industrial Risks – coverage for property damage caused by technology failure of industrial components, i.e. industrial control systems
     – P&C Excess-DIC – Excess/DIC coverage over traditional coverage lines (property, casualty, etc.) that picks up covered loss/damage otherwise excluded because caused by a cyber attack

14. Types of First Party Losses
   • Hardware or software malfunction/corruption
   • Denial of service
   • Loss of business
     – Service downtime
     – Abnormal turnover of customers
     – Related to reputation / PR
   • Data theft
   • Loss of trust (customers, employees, shareholders)
   • Brand damage
   • Exposure of proprietary/sensitive data
   • Breach expenses
   • Forensic costs

15. Issues With First Party Policies
   • Named Perils – coverage would normally not be triggered by cyber loss because it is not a named peril
   • All Risk – requires “direct physical loss” to “covered property”
   • Business Interruption – loss must be caused by a fortuitous event inflicting “physical injury to tangible property”

16. Cyber Risk Policies
   • First party policies often do not apply – “direct physical loss or damage”
     • “physical” = tangible … not electronic data
     • Bodily Injury often requires damage or destruction of property
   • Exclusions often apply
     – Fidelity and commercial crime insurance may apply
   • High costs
     – $188/record, average of >28k records (Ponemon Institute Survey)
     – $277/record when caused by malicious attacks (Ponemon Institute Survey)
     – Just a sample; not catastrophic
   • It will eventually happen

17. Cyber Risk Policies
   • Each data breach is different
   • Prevention consultation
     – Strong security decreases downstream costs
   • Assistance with incident response plans
     – Incident response plans save $42/record (Ponemon)
   • Response consultation
     – Consultants decrease costs and increase remediation effectiveness
     – Consultants can save $13/record (Ponemon)
   • Crisis management and public relations to mitigate fallout

18. Causes of Data Breaches: Advanced Persistent Threats
   • Internet Malware Infections
     – Drive by downloads
     – Email attachments
     – File sharing
     – Pirated software
   • Physical Malware Infections
     – Infected USB memory sticks, CDs, and DVDs
     – Infected applications
     – Backdoored IT equipment
   • External Exploitation
   • Human Error

19. SEC CF Disclosure: Cybersecurity Risk Factors
   • Consistent with Regulation S-K Item 503(c), Risk Factors should include:
     – A discussion of cybersecurity and cyber incidents if such issues are among the most significant factors that make an investment in the company speculative or risky.
   • In deciding on disclosures, companies consider:
     – The frequency and severity of prior cyber incidents
     – The probability of, and the qualitative and quantitative magnitude of, risk from future attacks
     – Per Disclosure Guidance: adequacy of any preventative measures taken
   • Type(s) of insurance purchased may be relevant to disclosures, depending in part on standards in the industry.

20. SEC CF Disclosure: Cybersecurity
   • Event Disclosure
   • Management Discussion and Analysis
   • Description of Business
   • Legal Proceedings
   • Financial Statement Disclosures
   • Disclosure Controls and Procedures
   • Form 8-K

21. Case Update: Sony PlayStation, February 2014 Ruling
   • 60 underlying lawsuits involved in the PlayStation cyberattack
   • $2 Billion in losses after hackers stole personal information from millions of PlayStation users
     – One of the largest recorded data security breaches at the time
     – Required shutdown of the server for nearly a month
   • Personal information included:
     – Names, addresses, birthdates, credit card numbers, bank account information
   • Large breach, but since eclipsed by more recent cyberattacks (e.g. Target, Xmas 2013 & JP Morgan Chase, Summer 2014).

22. Case Update: Sony PlayStation Ruling
   • Coverage B: “oral or written publication in any manner of material that violates a person’s right of privacy”
   • Issue: whether Sony was required to commit the breach-causing act, or whether third parties’ acts suffice
   • Court found Sony was not involved in the “publication” – declined to expand the insurer’s liability by construing “in any manner” to include criminal hackers
   • Provision could only be read to require the policyholder to perpetrate or commit the “publication” – could not be expanded to third parties
   • Implications: otherwise reluctant policyholders encouraged to buy data breach coverage
   • No automatic coverage for these types of large-scale response costs, or for responding to third party litigation

23. Data Breach Liability Exclusion: ISO Form
   • CG 21 06 05 14:
     – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception
   • Excludes damages arising out of:
     – (1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or
     – (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data
   • Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in (1) or (2) above
   • However, unless Paragraph (1) above applies, this exclusion does not apply to damages because of “bodily injury”

24. Data Breach Liability Exclusion: ISO Form
   • As used in the exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment
   • The exclusion does not apply to “personal and advertising injury”
     – Arising out of any access to or disclosure of any person’s or organization’s confidential or personal information
     – Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, etc.

25. Data Breach Liability Exclusion’s Impact
   • As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors
   • Managing data risk requires a collaborative effort to predict foreseeable losses and potential impacts, to meet today’s digital challenges
   • Exclusion should ultimately reduce litigation on whether data breaches are covered by CGL policies, while providing needed protection and certainty for insurers and policyholders alike

26. Speakers
   MODERATOR: Robert Hammesfahr, HWR Consulting, rhammesfahr@ameritech.net
   John Wurzler, OneBeacon Technology Insurance, Jwurzler@onebeacontech.com, 952.852.6025
   Kevin Baughn, Safehold Special Risk, kevin.baughn@safehold.com, 206-470-3296
   Robert Parisi, Marsh USA, robert.parisi@marsh.com, 212 345 5924
   Michael D. Handler, Cozen O’Connor, mhandler@cozen.com, (206) 808-7839

Editor's Notes

  1. Service Provider Access/Capabilities/Storage/Process; Mobile Devices (Application)/Portable Devices (i.e. thumb drives)
  2. Service Provider Access/Capabilities/Storage/Process; Mobile Devices (Application)/Portable Devices (i.e. thumb drives)