
SEC - The New Cyber Cop (Cyber Risk and D&O Insurance)


Published in: Education

  1. Cyber Risk – What Boards Need To Know (December 2014)
  2. What is Cyber Liability? It can be any or all of the following:
     • Loss of Personally Identifiable Information (Clients & Employees)
     • Failure to Prevent Unauthorized Access (Virus/Hacking)
     • Network or Security Failure (and Subsequent Loss of Income)
     • Misuse/Infringement of Copyright, Trademark, Patent
     • Etc.
  3. Where do the threats come from? Outside, Inside & System Failures:
     • Hackers & Unauthorized Access
     • Viruses, Trojans & Malicious Code
     • Rogue Employees
     • System Failure
     • Vendors
     • Failure to Comply With Company Policies
     • Cloud
     • Denial of Service
     • Phishing
  4. Cyber Facts
     • Only 20% of companies believe current incident response programs to be “very effective.” – Information Security Media Group
     • 2012/13 supply chain disruptions were from technology & cyber events, not weather-related events. – Guy Carpenter
     • Reputation management was #1 in a 2013 survey of executives’ top risk concerns. – TechAssure Association
     • 30% of customers will not be back after a data breach; 70% after a second incident. – Independent Consumer Poll
     • 46% of companies surveyed in 2011 reported network intrusion attempts. – Computer Security Institute
  5. The “C-Level” Disconnect: CEO + CFO + CIO = ?
     • False Assumptions of Security
     • Perceived Proactive Safeguards
     • Failed Expectations of Compliance
  6. Panel
     • Spencer Hoole, Moderator – President and CEO, Diversified Insurance Group
     • William Stern, Panelist – EVP, General Counsel, Ancestry.com
     • Susan Miner, Panelist – Senior Partner, Woodruff-Sawyer
     • Daniel Burke, Panelist – Senior Underwriter, Hiscox
  7. Facts
     • In 2013 the FBI notified 3,000 companies in the United States that they had been victims of cyber-attacks.
     • Reports estimate that cybercrime costs the global economy up to $575 billion annually and approximately $100 billion in the United States alone.
     • According to one 2013 survey, the average annualized cost of cyber-crime to a sample of U.S. companies was $11.6 million per year, representing a 78% increase since 2009.
     • 77% of respondents to a 2014 PricewaterhouseCoopers study detected a security event in the past 12
  8. Relevant Regulation in the US
     • FTC regulates whether commerce is fair or deceptive
       – Privacy statements and use of information
       – Deceptive and/or Unfair practices
       – Section 5 liability governed by a “reasonableness” test regarding security and statements made about security, in light of sensitivity, volume, size, complexity, and the cost/benefit of better security and reduced vulnerability (perfect security is neither expected nor required).
     • Other regulators: Health: HIPAA (HHS); Finance: GLBA (CFPB); International: Safe Harbor (Commerce); DOT; OMB; IRS; EEO; ADA; DHS; etc.
  9. Standards Imposed by Private Organizations
     • Payment Card Industry Data Security Standard (PCI DSS)
     • ISO 27001 (high-level organizational rules, policies, procedures – a checklist, certifiable by outside auditors)
     • ISO 27002 (guidelines and principles for initiating, maintaining and improving security within an organization – not required and cannot be certified)
     • SSAE 16 auditing standards for compliance controls at “service” organizations
     • Industry best practice – Cloud providers
  10. Judicial/SEC Standards
     • Caremark decision: Boards are protected by the Business Judgment Rule unless they:
       – “utterly failed” to oversee a system of controls
       – “consciously” failed to monitor or oversee risks
       – Result is an obligation to ask for security updates/reports
     • SEC: 2011 Guidance regarding disclosure of cybersecurity risks and incidents
       – Must provide specific, non-boilerplate disclosure in risk factors and MD&A
       – Provide disclosure of Board risk oversight
  11. What Your Board Needs to Know
     • Cyber-risk evaluation/response.
     • Require regular reports on security risks.
     • Review cybersecurity as part of the budget. Does cybersecurity take a backseat to other IT or physical security projects? 65% of IT departments cite budget constraints as their #1 obstacle to delivering value.
     • Re-evaluate cyber insurance.
  12. What You Need to Know
     • Your information network will be compromised. Accept it!
     • Physical security and cybersecurity are linked. In the Target breach, hackers got access to the network through the HVAC system.
     • Cyber damage goes beyond the dollars: reputational damage with customers; increased cost of new systems for prevention (EMV).
     • Everything cannot be protected equally. Identify the crown jewels and really, really protect them.
     • Walls are probably high enough – look at detection.
  13. Recommended steps: cyber-risk education for directors, including periodic updates to the board on new developments; determine what part of the Board will oversee cybersecurity risks (could be the entire board or a committee); invest time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the industry; develop a business culture that prioritizes cybersecurity; review the terms of the insurance policy and its coverage of cybersecurity issues; and assess the need to bring in external advisors.
  14. Keys to an Effective Cyber Program
     • Led by executives defining cyber risk management priorities and risk appetite
     • Involve everyone – not just an IT or finance issue
     • Identify all stakeholders – internal and external (suppliers, vendors, partners)
     • Program, not project – requires continuous monitoring and review
     • Comprehensive and integrated: understand how events impact the business; integrate IS insights into the management decision-making process
  15. Cyber Risk Strategy
     • Align Cyber Risk strategy with business strategy
     • Outsource? – Determine which security functions are performed in house, which are outsourced, and which are in the cloud
     • Use trusted standards to increase confidence (ISO, COSO, COBIT)
     • Conduct independent third-party assessments
     • Identify and define KPIs to monitor success (up-time)
     • Corporate culture that anticipates risks rather than reacts
     • Leverage the expertise of others
  16. Cyber Liability Exposure Overview (www.wsandco.com | The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co.)
  17. First-Party v. Third-Party Coverage
  18. Business Interruption – Coverage in Today’s Cyber Market
     Insuring for Business Interruption from the failure of your technology network is a relatively new concept. Categorized into three types of failures, coverage varies based on the triggers and sources of the failure. Typical losses: profits and extra expenses.
     Availability by source of failure (Direct BI = your own network; Contingent BI = outsourced/cloud network):
     • Security Failure – triggered by a hacker / 3rd-party breach or a denial-of-service attack that renders a network inoperable: Direct BI widely available; Contingent BI limited
     • System Failure – triggered by an unplanned / unintentional outage of a network: Direct BI few markets; Contingent BI few markets
     • Physical Damage – triggered by failure of a network due to a physical peril such as fire, wind, flood, etc.: Direct BI N/A*; Contingent BI rare*
     * Property BI coverage may be applicable
  19. Emerging Coverage Trends
     • Contractual Liability
       – Coverage disputes over PCI “assessments” due to faulty policy language in breach-of-contract exclusions
       – Look for affirmative language – “demand from a payment card association or [bank] for a monetary assessment including a contractual fine or penalty for failing to comply with PCI-DSS”
     • Choice of counsel/vendors
       – Carrot vs. stick approach (incentives for using, or mandatory)
       – Pre-approval vs. game-time decision
     • Prior Acts Coverage
       – Key issue when first purchasing coverage, as new breaches discovered during the policy term may have first begun months earlier
       – Some carriers will offer 1 year backdated for a price: PAY THIS
  20. Cyber Risk and D&O Litigation
     In October 2011, the SEC published guidance for companies that suggested issuers should consider:
     • the “probability of cyber incidents occurring”
     • “the quantitative and qualitative magnitude of those risks”
     • that appropriate disclosure may include a “description of relevant insurance coverage.”
     Significant Data Breaches Can Lead to D&O Issues (Company – Cyber Event – D&O Matter – Status):
     • ChoicePoint (2005) – 500,000 PII exposed via a data warehouser. – (2005) Class Action – (2008) Settled $10M
     • TJX (2006-2007) – 45M+ customer credit card data and other PII hacked; cost $171M. – (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty) – (2010) Settled $595K plaintiffs’ fee award & therapeutics
     • Heartland Payment (2009) – 130M cards at payment processor; cost $140M. – (2009) Class Action – (2009) Dismissed
     • Target (2013) – 70M+ credit/debit cards breached at POS system; estimated cost over $1 billion. – (Jan 2014) Derivative Suit (breach of fiduciary duty) – Pending
     • Wyndham (2008-2010) – Three breaches; 619,000 customers impacted. – (Feb 2014) Derivative Suit (breach of fiduciary duty) – Dismissed
  21. Board-Level Cyber Liability Questions
  22. State of the Cyber Risk Insurance Market
     • Growing industry segment within Insurance – more carriers entering the space
     • Coverage grants getting more nuanced
     • More industries buying cyber insurance
       – Healthcare
       – Financial Institutions
       – Retail
       – Services Companies (professional, technology, etc.)
       – Others (Construction, Manufacturing, Energy, etc.)
  23. How Cyber Insurance is Underwritten
     • Premium calculated off industry class, number of records, revenues, controls and claims.
     • Statutory and regulatory liabilities drive coverage need – industry type matters.
     • Personally Identifiable Information (PII) most often triggers coverage – how many and what type of records do you have?
     • Do you know where all your records are stored? How are they protected?
       – Outsourcing the services does not outsource the liability
       – Encryption, encryption, encryption
       – Two-factor authentication
       – Contracts
  24. How to Respond to a Breach – Have A Plan!
     – 67% of companies suffering Data Breaches are out of business within 6 months. (Symantec Corporation. 2013 Internet Security Threat Report. Vol. 18. California: Symantec Corporation, 2013.)
     – The Breach Response Plan should be formalized and tested
       • Risk Management, IT, and Legal should all be involved
     – Insurance Carriers offer turn-key solutions
  25. Navigating the Claims Process
     • Immediate response is key, but the claims process will take time
     • Multiple 1st-party elements to a breach response
       – Computer Forensics
       – Legal Consultation
       – Breach Notification
       – Credit Monitoring
       – Public Relations
     • Class action litigation
