
Cyber liability insurance and your security program



This presentation discusses the current status of cyber liability insurance and how carriers are managing to understand and cover cyber risk. If one views "cyber risk" from an operational risk perspective rather than an IT risk perspective, then cyber liability insurance can be one of the most effective countermeasures available to you.

However, buyer beware: this is a nascent market where underwriters, actuaries, and others involved in providing cyber insurance are on a steep learning curve. Aligning insurance policy language with your security program means that when the time comes and you need it most, you'll have a smooth claims process, without litigation with your carrier.

Effectively implementing a cyber insurance policy as another arrow in your quiver requires collaboration across your organization.

Published in: Internet

  1. Cyber Liability Insurance and Your Security Program – How They Fit Together
     SCOTT TAKAOKA, VP BUSINESS DEVELOPMENT
     SCOTT@VERSPRITE.COM, 415.509.8071
  2. Cyber Insurance Basics
     o Sold as specialty insurance
     o General liability, Errors & Omissions policies often do not cover cyber events
     o Covers costs associated with breach
     o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
     o Third party – class action suits, regulatory investigations/fines
     o Brokers line up multiple carriers to bid on your policy
     o Security often participates on discovery calls
     o Multiple carriers may participate in a “risk tower”
  3. Risk Tower Example
     1st $10M – Carrier A
     2nd $10M – Carrier B
     3rd $10M – Carrier C
     4th $10M – Carrier D
     5th $10M – Carrier A
     $50M in coverage
     Payout for 1st $10M in loss
  4. Wild, Wild West: Insurance Carriers Are on a Steep Learning Curve
     o GL insurance may provide coverage example - “property”
     o Cyber - non admitted policies
     o No standard language – caveat emptor!
     o SMB gets off-the-shelf language
     o Your policy will change
  5. What’s Behind the Curtain? Insurance Carriers Are on a Steep Learning Curve
     o No actuarial models for cyber risk
     o Steep learning curve for infosec
     o Less rigor on application - tight scrutiny on claims
     o Imperfect information – working through brokers
     o Broad range in pricing
     (Diagram labels: Write policies with basic underwriting; Understand claims; Write more exclusions; Adjust premiums)
  6. Interesting Case Law
     • Columbia Casualty Company (CNA) v. Cottage Health System
     • Server mis-configuration: anonymous FTP
     • Exposure of 32,500 records – settled class action suit of $4.1M
     • Claim initially accepted by CNA
     • Examined application, then reversed course and sued Cottage
     • Case dismissed on procedure
  7. Interesting Case Law: An unresolved argument
     Cottage “failed to apply minimum required security practices”…and must “continuously implement” security measures… — CNA
  8. Take Action
     • Collaborate across silos - pen-testers to general counsel
     • Understand context – your threats/attack scenarios and loss potential
     • PASTA (process for attack simulation and threat analysis)
     • FAIR (factor analysis for information risk)
     • Strength of security vs. business impact cyber insurance requirement
     (Diagram labels: Legal, Business, Risk, Security)
  9. Take Action
     • Governance – easiest deficiencies to spot when applying for cyber
     • Collaborate to review and negotiate policy language - exclusions, BYOD, cloud, vendor risk…
     • Be careful what you state – your answers are a “warranty”
     • Be mindful of time limits on notification of breach
     (Diagram labels: Legal, Business, Risk, Security)
  10. Cyber Liability Insurance and Your Security Program – How They Fit
      SCOTT TAKAOKA, VP BUSINESS DEVELOPMENT