SlideShare a Scribd company logo

Cloud security law cyber insurance issues phx 2015 06 19 v1

Michael C. Keeling, Esq.
Michael C. Keeling, Esq.

This presentation focuses to the rising prominence of insurance considerations—and more particularly—to legal aspects of insurance as it relates to cybersecurity and privacy. The presentation defines "Cyber and Privacy Insurance” and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions, the presentation then gives snapshot of how the Cyber Insurance Market Is Maturing, its participants, costs, and related attributes. Consideration is given to the importance of defined terms, before launching into difficulties that providers and users have relative to measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate through associated risk/cost analyses and cost structures. Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together is a cohesive manner.

Law
1 of 27
Download to read offline
CLOUD SECURITY LAW SERIES CYBER AND PRIVACY INSURANCE ISSUES MICHAEL KEELING, PE, ESQ. KEELING LAW OFFICES, PC PHOENIXANDCORONADO Presented at INTERFACE 2015 June 19, 2015 Phoenix, AZ NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.
“Cyber and Privacy Insurance” Defined (International Risk Management Institute) “... cyber and privacy policies [cyber-insurance] cover a business's liability for a data breach in which the firm's customers’ … information [PII, PHI, FTI, etc.] … is exposed or stolen by a … criminal who has gained access to the firm's electronic network. The policies [can] cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. In addition, the policies [can] cover liability arising from website media content ... property exposures from ... business interruption, data loss/destruction ... and cyber extortion.” Massive Money--Spinning $1.4 Billion US Premiums in 2014
Four Main Types Of Cyber Insurance Coverage Data Breach And Privacy Management Coverage Crisis services—focuses to managing and recovering from data breaches/leakages—investigating, notifying, credit monitoring, data restore, and associated legal fees Regulatory defense—federal and state compliance-investigation, legal support, fines, penalties (note sublimits) Prior-acts coverage—retroactive date for delayed breach-discoveries). Multimedia Liability Coverage Focuses to media, intellectual property rights, and website defacement. Extortion Liability Coverage Focuses to damages incurred from extortion. Network Security Liability/Contingent Business Disruption Focuses to network availability and third-party data theft. Third party acts or omissions—indemnification triggers Cyber insurance policies generally exclude real property damage Conversely, many property and terrorism insurance policies exclude real property damage caused by malicious cyber-attacks. Net Diligence Cyber Claims Study, almost half of cyber-insurance payouts from data breaches was for crisis management services (2014).
Cyber Insurance Market—Is Maturing 50-60 insurers offer first-party and third-party coverage ACE, AIG, Aon, Beazley and Hiscox—have written cyber-policies for multiple years, have large books, and adjudicate claims monthly. Cyber insurance annual-premium range (per $1 million of coverage) Gartner reports $10K to $35K (2012-2013). Marsh reports $12.5K to $15K—across many sectors (2015) Aon reports Small Companies: $1K to $7.5K (2015) Aon reports Medium Companies: $5K to $25K (2015) Aon reports Large Companies: $10K to $75K (2015) Increased purchasing of cyber insurance Marsh reports #-Policies increased about 30% per year since 2012 Chubb-reports Average policy-limits increasing at about 20 percent annually AON PLC, broker, claimed cyber insurance growing at 38% annually (2014) Increased purchasing of cyber insurance policies Marsh reports the No. of Policies increased about 30% per year since 2012
“Stacking” Policies to Create “Towers” • Average policy-limits—per carrier • Chubb reports $16.8 million across all industries. • Chubb-reports Average policy-limits increasing 20% per year • Maximum Policy-limits available • $10 million to $50 million from a single carrier • Carriers have limited claims-data • Difficult to quantify trade secrets and intellectual property losses • Do not support actuarial analysis • Frustrates carriers’ ability to standardize polices • Results in coverage-caps, sublimits, and exclusions based on risks identifiable in individual policy applications (individualized basis) • Policyholders can “stack” limits of liability—from multiple carriers—to create • Towers of cyber-insurance up to $350 million. “Stacking means treating multiple policies that apply to a single loss as cumulative—as a ‘stack’ of coverage—rather than as mutually exclusive.” State v. Continental Ins. Co., 88 Cal. Rptr.3d 288, 302 (Cal. Ct. App. 2009), aff’d, 145 Cal.Rptr.3d 1 (2012). An insured can obtain indemnity for a loss under more than one policy period if the loss exceeds the limits of liability of all of the policies in a single policy period or coverage tower. Stacking treats a single occurrence as multiple occurrences.
Companies Under-Insure Cyber Risks • Target Corp. reported $252 million in expenses related to its 2013 data breach, offset by only $90 million in insurance • January 2015 10-K securities filing • 2015 Global Cyber Impact Report, noted that 80% of companies are likely to suffer a data breach within a 12- month period and while in most cases, the cost will be less than $1 million, there’s a 5% chance of a material loss of $20 million or more. • For comparison, the probability of a fire causing a material loss is less than 1%.
Cyber Insurance Risk Is Difficult To Measure, Model, And Price Sparse data to model, price, or hedge cyber risk. No standardized assessment of cyber risks. No public disclosure of ways and means for underwriters to measure risk and price policies. Difficult for insurers to: Assess effectiveness of various prevention schemes Hedge their assumed-risk Establish required reserves. BitSight has a security ratings service for cyber insurers based on its Security Ratings Platform. Its scoring model is similar to consumer  credit ratings.  Willis Re, a re‐insurance broker, announced a tool (PRISM‐Re) for accessing insurance company portfolios’ exposure to cybersecurity  risks.
Why Cyber-Policies Do Not Pay-Out Delaying notice is a potential claims killer  Once a breach is detected, don't wait too long to notify your insurer of the issue. Not paying retroactively.  Given that breaches can be discovered months or even years after they begin or end, organizations should carefully consider when coverage starts. Contractual liability exclusions  Vendor contractual relationships, e.g., credit card companies, and banks act may void coverage if a breach. Terrorism/act of foreign enemy exclusions.  Many cyber attacks originate from outside a country's borders, and many of them are believed to be state sponsored. Insurance policies only cover theft of data  Many policies include language that makes them only cover losses from theft of data. No coverage for negligence.  If an employee loses a laptop with sensitive data, some policies won't cover it. Failure of insured to adhere to minimum required practices  Insured did not continuously implement procedures and risk controls as identified in the Insured’s application.  Data breach a result of file transfer protocol settings on Cottage's 3rd PARTY Internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google Inc.'s Internet search engine.  Columbia Casualty agreed to fund $4.13 million settlement—Subject to a complete reservation of rights  Then, Columbia sued Cottage Health System (Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR))
Important Lesson “Failure to Follow Minimum Required Practices”  Cottage Health System obtained cyber-insurance from Columbia, in-part based on an application asking:  Do you check for security patches on your systems at least weekly and implement them within 30 days?  Do you replace factory default settings to ensure your information security systems are securely configured?  Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?  Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?  Do you have a way to detect unauthorized access or attempts to access sensitive information?  Do you control and track all changes to your network to ensure it remains secure?  Whenever you entrust sensitive information to third parties do you  contractually require all such third parties to protect your information with safeguards at least as good as your own  perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards  audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information  require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality?  A data leak occurred via Cottage’s IT vendor, left data unencrypted for two months—accessible by the Internet  Suits ensued—and Columbia Casualty agreed to fund $4.13 million settlement—Subject to a complete reservation of rights  Then—Columbia alleged it had no duty to defend or indemnify the policyholder because policyholder:  failed to follow minimum required practices, including failing to continuously implement appropriate procedures and risk controls identified in the application submitted with the application.  failed to regularly check and maintain security patches;  failed to regularly re-assess its information security exposure and enhance risk controls;  failed to have system in place to detect unauthorized access or attempts to access sensitive information on its servers; and  failed to control and track all changes to its network to ensure it remained secure. Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR)
Secondary Benefits of Cyber-Insurance Insurer as partner Best practices both before and after breach event/notice Negotiated rates for post-breach vendors instead of getting gouged Access to expert Help Carrier staff and outsourced resources Attorneys, proactive security experts, breach-response experts, credit monitoring services, etc. But—be wary of insurer-communications after a breach Non-lawyer communications are not note privileged—are discoverable Communications can determine a covered versus an uncovered claim Be watchful of email/IM with insurance companies/brokers or consultants
Getting Started … Categorize Your Exposures—In Your Language Business interruption Credit monitoring Cyber extortion Data loss/destruction Defend 3rd-party/class-action claims Defend claims by state and federal regulators Fines and penalties Identity theft related losses Notification Website media content related losses Be Inclusive—think of every related risk exposure
Map Your Exposures into Coverage Terms Exposure Exposure/Claim Language Regulatory proceeding Costs incurred to defend organization for failure to disclose an event to governmental authorities when required by any security breach notice law Security and privacy liability Cost to defend organization from allegations of privacy violation including costs of settlement or judgment Digital asset loss Cost to replace lost/damaged e-files Event breach costs Cost incurred by organization arising out of (1) forensic investigation of breach; (2) use of public relations, crisis management firms, law firms; (3) notifications costs (i.e., printing, advertising, and mailing); (4) cost of identity theft call centers, credit file monitoring, and similar costs; (5) other costs as may be approved by the insurer Network interruption Loss of income from material interruption of organization computer systems due to security/breach event and costs incurred as a result of the network interruption. Depending on the organization, this may not be a significant exposure and may not need to be insured. Cyber extortion Costs incurred when insurer approves extortion payment(s) made to hacker or other criminal party to stop a planned event from occurring. Coverage also can include costs to conduct an investigation after the fact into the act of extortion. Internet media liability Cost to defend organization from allegations of privacy violation from unauthorized website changes, including costs of settlement or judgment Source: Adapted from International Risk Management Institute.
Defined Terms—Are Maturing (http://www.irmi.com/online/insurance-glossary/default.aspx) Computer system  Hard/software owned, operated, control of organization or hosted by 3rd party. Cyber extortion  Expenses and monies for threat or extortion act. Defense within limit  Overall limit applies to all coverages including defense costs. Digital asset loss  Cost to replace loss of e-data. Event/breach management cost  Forensic investigation, credit reports, PR, notification, etc. Media liability  Insured’s liability for website content. Network interruption  Loss of net income/increased operating costs from material interruption. Privacy event  Failure to protect confidential info (i.e., e/data or other-paper) Regulatory proceeding  Request for info, civil investigation, etc. brought by government agency. Security/privacy liability  Organization liability for damages from breach of confidential information.
Request and Evaluate Complete Cyber-Insurance Exposure Proposals Request complete proposals Contract terms/conditions, limits, deductibles, premiums Specimen policy All endorsements. Evaluate each proposal and sample policy Become familiar with how policies address cyber/privacy events Map limitations/conditions/exclusions Compare Contract terms, general conditions, limits, deductibles Pre-conditions Conditions Specimen policies Endorsements Premiums
Policy Analysis and Comparison GENERAL CONSIDERATIONS Coverage—Last Line of Defense When Technology Fails Insure cyber-risks not eliminated through available security measures Insure cyber-risks that Commercial General Liability (CGL) policies do not cover Negotiate cyber-insurance policy provisions to cover your particular cyber threats/risks while avoiding exclusions that limit coverage Coverage Type Data breach/leakage and privacy management coverage Multimedia liability coverage Extortion liability coverage Network security liability coverage Retro date Look-back period, before policy start-date
Policy Analysis and Comparison PRE-CONDITIONS Required “Base-line” levels and Governance of Data privacy/Data security Access governance, encryption and segmentation Application security Role-based access controls and access logging Network security Advanced authentication 3rd Party/Supply chain practices Required Compliance (annual audit, etc.) based on NIST Framework/Executive Order 13636 ISO/IEC 27xxx PCI/DSS HIPAA/HITECH SEC Blueprint Beazley plc, predicts next targets for hackers include … entities having patchworks of systems and security practices plus "treasure troves" of data—such as health information exchange organizations (large volumes of data), electronic health record systems at hospitals (provide easy access to clinicians) and integrated healthcare delivery systems.
Policy Analysis and Comparison POLICY CONDITIONS POLICY CONDITIONS Example Conditions Policy Form Review Review for completeness Claim Conditions Claims-made and reported Additional Conditions Insurer specific Advance notice of cancellation Only if premium not paid ERP/Tail-auto (extend reporting) 125% Annual Premium for 1-year; 200% for 2-years Territory Worldwide/US NI may waive right of recovery No release allowed/Prior to loss in writing Definition of Insured NI (named insured), D&O, Employee, written-AI (additional insured) Confidential info: paper/e-data Personal info, "any form" Definition of PII, PHI, FTI, etc. Broad/narrow 3rd party contractor negligence Yes: "Information Holder" Event management Costs from security/privacy event Covered loss PR, 3rd party notice, credit reports, e-data restore Event costs No time limitation to report costs Source: Adapted from International Risk Management Institute.
Policy Analysis and Comparison NETWORK INTERRUPTION Exposure Limits Assign to 3rd party responsible for your network Network Outage Loss of profits Incurred expenses Consequential damages Source: Adapted from International Risk Management Institute.
Policy Analysis and Comparison CYBER EXTORTION Cyber Extortion Funds for security/privacy threat Security Threat Threat/attack Employee own/used computers Privacy Threat Threat to release confidential info Terrorism Included or Excluded Professional Services Included or Excluded Extended Reporting Period/Tail Included or Excluded Source: Adapted from International Risk Management Institute.
Policy Analysis and Comparison SECURITY FAILURE/PRIVACY EVENTS SECURITY FAILURE/ PRIVACY EVENTS Example Responses Security failure/Privacy event Failure to protect confidential info Legal Defense Duty and right to defend Hammer clause (allows insurer to compel insured to settle) 50% (cap on amount of indemnification that InsurCo will provide) Settlement authority Insurer with consent of Insured Attorney chosen by insurer No, subject to insurer consent Loss include punitive, exemplary Yes, unless prohibited by law Regulatory Proceeding Gov't proceeding, etc. Source: Adapted from International Risk Management Institute.
Policy Analysis and Comparison When is an Event a Claim? Cyber-policies define the term “claim” “Claim” is a key trigger term; insureds must Convert generalized “claim” definitions to specific “claims” Provide timely notice to insurer. Broad definitions of “claim” often result in late notice that forecloses coverage. Cyber-policies are claims-made policies Policies that provide coverage during period in which the insurer receives a claim. Insured forfeits coverage if notice is provided after A short period of days within a policy period, or End of the policy period.
Security Failure Or Data Breach Example Cyber-Claim Cost-Categories Example first-party costs Business interruption--Loss of profits and extra expense Customers-credit monitoring Forensic breach-investigation Intellectual property infringement Legal advice to determine your notification and regulatory obligations. Notification costs of communicating the breach Privacy liability Public relations expenses Tort liability (negligence, slander, libel, defamation and related torts) Example third-party costs Legal defense Liability to 3rd parties, e.g., banks for re-issuing credit cards, data leakage Regulatory inquiries Regulatory fines/penalties (including Payment Card Industry fines) Settlements, damages and judgments related to the breach
Policy Analysis and Comparison Quantifying Costs of a Cyber-Breach Event Source: $195 per record is from Ponemon Institute in its "2015 Research Report" based on calendar 2014 data. This, per-record cost has substantially increased. No formula to set reasonable coverage or policy limits Insufficient credible public settlement information Caselaw damages still developing. Direct "event breach” costs for US data breaches Estimated to be $195 per record  Forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services Costs become staggering as number of breached records increases. $1-Million Coverage = 5000 Records (Direct Costs—No Defense Costs).  1-Million Records = $195-Million Coverage Indirect "event breach” costs Third-party-related defense Settlement/judgment costs for damages claimed by injured parties Government-induced costs.
Policy Analysis and Comparison Cross-Walk Claim-Costs to Policy Limits POLICY LIMITS Example Limits Overall Limit $10,000,000 shared/aggregate Defense Costs inside/outside limit Inside Regulatory Proceeding $10,000,000 Security/Privacy liability $10,000,000 Digital asset loss $10,000,000 Event/breach mgmt costs $10,000,000 Network Interruption $10,000,000 Cyber extortion $10,000,000 Internet media liability $10,000,000 Retention-unless stated $500,000 Regulatory Proceeding $500,000 Network Interruption 24 hours/$500,000 Adapted from International Risk Management Institute. Many cyber insurance policies also impose sublimits, such as for crisis‐management expenses, notification costs and  regulatory investigations. These sublimits can be negotiated.
Policy Analysis and Comparison Premiums and Other Costs Annual Premium—Large Companies Average cost for $1 million of coverage $12,500 and $15,000 across various industry sectors including healthcare; transportation; retail/wholesale; financial institutions; communications, media and technology; education; and power and utilities. (See Testimony-Beshar-2015-01-28 of Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, before United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015). Gartner reports—cyber insurance premiums range from $10,000 to $35,000 for $1 million in coverage (2012-2013). Cost of compliance Is a strict condition-precedent for many cyber-security policies Varies widely by industry and by cyber-insurance underwriter required standards/frameworks. Purging unnecessary data In EHRs/etc., administrative, billing, and other legacy systems throughout your ecosystem.
Director Liability Arising From Data Breach Palkonv.Holmes,No.14-cv-01234(D.N.J.),WyndhamSHssuedD&O’s,claimingtheirfailuretoimplementadequateinformation-securitypoliciesallowed3databreaches Shareholder derivative actions  Plaintiff is not required to prove damages resulting from theft of PII.  Directors owe Duties Of Care (BJR) and Loyalty—including Duty of Oversight (No BJR)  Did not implement reporting or information system controls; or  Implemented controls, BUT “consciously failed to monitor or oversee its operations.” Stone. After a data breach, claims against board probably will be  Breach of Duty of Care and  Breach of Duty Loyalty/Oversight  Court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring alternatives.” Citron v. Fairchild Camera  Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role  Board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight Protect Against Liability  Board must become well-informed  Board should appoint a committee responsible for privacy and security  Recruit and hire at least one tech-savvy member  Follow best industry practices Indemnification and Insurance  Articles of incorporation—provision eliminating director personal-liability for monetary damages for breach of the Duty of Care/Loyalty.  D & O Policy—WITHOUT exclusions to liability resulting from a privacy breach  Example Problem Exclusion: Insurer shall not be liable for Loss relating to a Claim made against an Insured:  “for emotional distress of any person,  or for injury from libel, slander, defamation or disparagement,  or for injury from a violation of a person’s right of privacy.”
QUESTIONS CYBER AND PRIVACY INSURANCE ISSUES Cloud Security Law Series Michael Keeling, PE, Esq. Keeling Law Offices, PC Phoenix and Coronado www.keelinglawoffices.com NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.

Recommended

Cyber risk challenge and the role of insurance
Cyber risk challenge and the role of insuranceCyber risk challenge and the role of insurance
Cyber risk challenge and the role of insuranceMunich Re
 
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSCYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSHB Litigation Conferences
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Cybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateCybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateWilmerHale
 
Convince your board - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR complianceConvince your board - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR complianceDave James
 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Richik Sarkar
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianPECB
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänsterTranscendent Group
 

Recommended

Cyber risk challenge and the role of insurance
Cyber risk challenge and the role of insuranceCyber risk challenge and the role of insurance
Cyber risk challenge and the role of insuranceMunich Re
 
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSCYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSHB Litigation Conferences
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Cybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateCybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateWilmerHale
 
Convince your board - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR complianceConvince your board - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR complianceDave James
 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Richik Sarkar
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianPECB
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänsterTranscendent Group
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Cyber Claims Brief Summer 2016
Cyber Claims Brief Summer 2016Cyber Claims Brief Summer 2016
Cyber Claims Brief Summer 2016Anthony Rapa
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMSSOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMSHB Litigation Conferences
 
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?Brian K. Dickard
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditNationalUnderwriter
 
11 pp-cybersecurity-revised2 a
11 pp-cybersecurity-revised2 a11 pp-cybersecurity-revised2 a
11 pp-cybersecurity-revised2 aIT Strategy Group
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Paul Richards
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsResilient Systems
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionWilliam McBorrough
 
S719a
S719aS719a
S719aecommerce
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyData & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyThoughtworks
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
20140317eyinformationsupp
20140317eyinformationsupp20140317eyinformationsupp
20140317eyinformationsuppNicola Hermansson
 
The non market issue of cloud computing hp - cloud security alliance
The non market issue of cloud computing hp - cloud security allianceThe non market issue of cloud computing hp - cloud security alliance
The non market issue of cloud computing hp - cloud security allianceSumaya Shakir
 
Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudSymantec
 
Big Data (security Issue)
Big Data (security Issue)Big Data (security Issue)
Big Data (security Issue)Export Promotion Bureau
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesPaige Rasid
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 ChallengesLeandro Bennaton
 

More Related Content

What's hot

The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Cyber Claims Brief Summer 2016
Cyber Claims Brief Summer 2016Cyber Claims Brief Summer 2016
Cyber Claims Brief Summer 2016Anthony Rapa
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMSSOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMSHB Litigation Conferences
 
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?Brian K. Dickard
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditNationalUnderwriter
 
11 pp-cybersecurity-revised2 a
11 pp-cybersecurity-revised2 a11 pp-cybersecurity-revised2 a
11 pp-cybersecurity-revised2 aIT Strategy Group
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Paul Richards
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsResilient Systems
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionWilliam McBorrough
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyData & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyThoughtworks
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
The non market issue of cloud computing hp - cloud security alliance
The non market issue of cloud computing hp - cloud security allianceThe non market issue of cloud computing hp - cloud security alliance
The non market issue of cloud computing hp - cloud security allianceSumaya Shakir
 
Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudSymantec
 

What's hot (19)

The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Cyber Claims Brief Summer 2016
Cyber Claims Brief Summer 2016Cyber Claims Brief Summer 2016
Cyber Claims Brief Summer 2016
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMSSOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
SOCIAL MEDIA RISKS | HB EMERGING COMPLEX CLAIMS
 
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the new
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
 
11 pp-cybersecurity-revised2 a
11 pp-cybersecurity-revised2 a11 pp-cybersecurity-revised2 a
11 pp-cybersecurity-revised2 a
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure Protection
 
S719a
S719aS719a
S719a
 
Data & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny LeroyData & Privacy: Striking the Right Balance - Jonny Leroy
Data & Privacy: Striking the Right Balance - Jonny Leroy
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
20140317eyinformationsupp
20140317eyinformationsupp20140317eyinformationsupp
20140317eyinformationsupp
 
The non market issue of cloud computing hp - cloud security alliance
The non market issue of cloud computing hp - cloud security allianceThe non market issue of cloud computing hp - cloud security alliance
The non market issue of cloud computing hp - cloud security alliance
 
Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the Cloud
 

Viewers also liked

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesPaige Rasid
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 ChallengesLeandro Bennaton
 
Nano Bio Art040201
Nano Bio Art040201Nano Bio Art040201
Nano Bio Art040201klee4vp
 
Third Grade Globes9
Third Grade Globes9Third Grade Globes9
Third Grade Globes9jwaddington
 
Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]
Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]
Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]RandyHansen
 
omnicare annual reports 1999
omnicare annual reports 1999omnicare annual reports 1999
omnicare annual reports 1999finance46
 
CLX1101BalSheet-456456
CLX1101BalSheet-456456CLX1101BalSheet-456456
CLX1101BalSheet-456456finance48
 
Commercial Appeal 3.28.10
Commercial Appeal 3.28.10Commercial Appeal 3.28.10
Commercial Appeal 3.28.10stwordsmith
 
Trabalho De Matematica Completo
Trabalho De Matematica CompletoTrabalho De Matematica Completo
Trabalho De Matematica Completogueste1a09a
 
Wishes For 2010
Wishes For 2010Wishes For 2010
Wishes For 2010steefaj
 
Fontys Gastles Svh 04122012
Fontys Gastles Svh 04122012Fontys Gastles Svh 04122012
Fontys Gastles Svh 04122012Johan Lapidaire
 
Государственная социальная сеть
Государственная социальная сетьГосударственная социальная сеть
Государственная социальная сетьVadim Andreev
 
Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)
Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)
Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)Yoshitake Takata
 
Introduction to Programming in Go
Introduction to Programming in GoIntroduction to Programming in Go
Introduction to Programming in GoAmr Hassan
 
PHP 5.3, a walkthrough
PHP 5.3, a walkthroughPHP 5.3, a walkthrough
PHP 5.3, a walkthroughDavid Coallier
 
Quick Introduction to Sphinx and Thinking Sphinx
Quick Introduction to Sphinx and Thinking SphinxQuick Introduction to Sphinx and Thinking Sphinx
Quick Introduction to Sphinx and Thinking Sphinxhayesdavis
 
Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...
Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...
Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...Clive Maclean
 

Viewers also liked (20)

Big Data (security Issue)
Big Data (security Issue)Big Data (security Issue)
Big Data (security Issue)
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
 
Nano Bio Art040201
Nano Bio Art040201Nano Bio Art040201
Nano Bio Art040201
 
Third Grade Globes9
Third Grade Globes9Third Grade Globes9
Third Grade Globes9
 
Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]
Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]
Developing Online Programs Today To Prepare Educators For Tomorrow V3[1]
 
Code reviews
Code reviewsCode reviews
Code reviews
 
omnicare annual reports 1999
omnicare annual reports 1999omnicare annual reports 1999
omnicare annual reports 1999
 
CLX1101BalSheet-456456
CLX1101BalSheet-456456CLX1101BalSheet-456456
CLX1101BalSheet-456456
 
Commercial Appeal 3.28.10
Commercial Appeal 3.28.10Commercial Appeal 3.28.10
Commercial Appeal 3.28.10
 
Educational Podcasting
Educational PodcastingEducational Podcasting
Educational Podcasting
 
Trabalho De Matematica Completo
Trabalho De Matematica CompletoTrabalho De Matematica Completo
Trabalho De Matematica Completo
 
Wishes For 2010
Wishes For 2010Wishes For 2010
Wishes For 2010
 
Fontys Gastles Svh 04122012
Fontys Gastles Svh 04122012Fontys Gastles Svh 04122012
Fontys Gastles Svh 04122012
 
Государственная социальная сеть
Государственная социальная сетьГосударственная социальная сеть
Государственная социальная сеть
 
Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)
Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)
Cloudstackをみんなでつくってみよう! in 広島 【第2回】XenServer編(計画中)
 
Introduction to Programming in Go
Introduction to Programming in GoIntroduction to Programming in Go
Introduction to Programming in Go
 
PHP 5.3, a walkthrough
PHP 5.3, a walkthroughPHP 5.3, a walkthrough
PHP 5.3, a walkthrough
 
Quick Introduction to Sphinx and Thinking Sphinx
Quick Introduction to Sphinx and Thinking SphinxQuick Introduction to Sphinx and Thinking Sphinx
Quick Introduction to Sphinx and Thinking Sphinx
 
Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...
Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...
Rx for Ad Agencies Suffering From Direct, Digital and Social Media Confusion...
 

Similar to Cloud security law cyber insurance issues phx 2015 06 19 v1

Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006JNicholson
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Next Dimension Inc.
 
Cyber Liability - Insurance Risk Management and Preparation
Cyber Liability - Insurance Risk Management and PreparationCyber Liability - Insurance Risk Management and Preparation
Cyber Liability - Insurance Risk Management and PreparationEric Reehl
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
Webcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportWebcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportJasonSchupp1
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106Ted Richmond
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarDon Grauel
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
Infocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar PresentationInfocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar PresentationEthos Media S.A.
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsurancePriyanka Aash
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to knowNathan Desfontaines
 
CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!topseowebmaster
 
National Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy AgendaNational Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy Agendanationalconsumersleague
 

Similar to Cloud security law cyber insurance issues phx 2015 06 19 v1 (20)

Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability Risk
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
Cyber Liability - Insurance Risk Management and Preparation
Cyber Liability - Insurance Risk Management and PreparationCyber Liability - Insurance Risk Management and Preparation
Cyber Liability - Insurance Risk Management and Preparation
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance Temp
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
Webcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportWebcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats Report
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
 
B crisis
B crisisB crisis
B crisis
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
Infocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar PresentationInfocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar Presentation
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-Insurance
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to know
 
CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!
 
National Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy AgendaNational Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy Agenda
 

Recently uploaded

KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxRRR Chambers
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxelysemiller87
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理Airst S
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxadvabhayjha2627
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategyJong Hyuk Choi
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理Airst S
 
Police Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. SteeringPolice Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. SteeringSteering Law
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdfSUSHMITAPOTHAL
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhaiShashankKumar441258
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.pptseri bangash
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Nilendra Kumar
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)Delhi Call girls
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxca2or2tx
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxRRR Chambers
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理Airst S
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentationKhushdeep Kaur
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.tanughoshal0
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsAurora Consulting
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理bd2c5966a56d
 

Recently uploaded (20)

KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
Police Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. SteeringPolice Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. Steering
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptx
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 

Cloud security law cyber insurance issues phx 2015 06 19 v1

  • 1. CLOUD SECURITY LAW SERIES CYBER AND PRIVACY INSURANCE ISSUES MICHAEL KEELING, PE, ESQ. KEELING LAW OFFICES, PC PHOENIXANDCORONADO Presented at INTERFACE 2015 June 19, 2015 Phoenix, AZ NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.
  • 2. “Cyber and Privacy Insurance” Defined (International Risk Management Institute) “... cyber and privacy policies [cyber-insurance] cover a business's liability for a data breach in which the firm's customers’ … information [PII, PHI, FTI, etc.] … is exposed or stolen by a … criminal who has gained access to the firm's electronic network. The policies [can] cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. In addition, the policies [can] cover liability arising from website media content ... property exposures from ... business interruption, data loss/destruction ... and cyber extortion.” Massive Money--Spinning $1.4 Billion US Premiums in 2014
  • 3. Four Main Types Of Cyber Insurance Coverage Data Breach And Privacy Management Coverage Crisis services—focuses to managing and recovering from data breaches/leakages—investigating, notifying, credit monitoring, data restore, and associated legal fees Regulatory defense—federal and state compliance-investigation, legal support, fines, penalties (note sublimits) Prior-acts coverage—retroactive date for delayed breach-discoveries). Multimedia Liability Coverage Focuses to media, intellectual property rights, and website defacement. Extortion Liability Coverage Focuses to damages incurred from extortion. Network Security Liability/Contingent Business Disruption Focuses to network availability and third-party data theft. Third party acts or omissions—indemnification triggers Cyber insurance policies generally exclude real property damage Conversely, many property and terrorism insurance policies exclude real property damage caused by malicious cyber-attacks. Net Diligence Cyber Claims Study, almost half of cyber-insurance payouts from data breaches was for crisis management services (2014).
  • 4. Cyber Insurance Market—Is Maturing 50-60 insurers offer first-party and third-party coverage ACE, AIG, Aon, Beazley and Hiscox—have written cyber-policies for multiple years, have large books, and adjudicate claims monthly. Cyber insurance annual-premium range (per $1 million of coverage) Gartner reports $10K to $35K (2012-2013). Marsh reports $12.5K to $15K—across many sectors (2015) Aon reports Small Companies: $1K to $7.5K (2015) Aon reports Medium Companies: $5K to $25K (2015) Aon reports Large Companies: $10K to $75K (2015) Increased purchasing of cyber insurance Marsh reports #-Policies increased about 30% per year since 2012 Chubb-reports Average policy-limits increasing at about 20 percent annually AON PLC, broker, claimed cyber insurance growing at 38% annually (2014) Increased purchasing of cyber insurance policies Marsh reports the No. of Policies increased about 30% per year since 2012
  • 5. “Stacking” Policies to Create “Towers” • Average policy-limits—per carrier • Chubb reports $16.8 million across all industries. • Chubb-reports Average policy-limits increasing 20% per year • Maximum Policy-limits available • $10 million to $50 million from a single carrier • Carriers have limited claims-data • Difficult to quantify trade secrets and intellectual property losses • Do not support actuarial analysis • Frustrates carriers’ ability to standardize polices • Results in coverage-caps, sublimits, and exclusions based on risks identifiable in individual policy applications (individualized basis) • Policyholders can “stack” limits of liability—from multiple carriers—to create • Towers of cyber-insurance up to $350 million. “Stacking means treating multiple policies that apply to a single loss as cumulative—as a ‘stack’ of coverage—rather than as mutually exclusive.” State v. Continental Ins. Co., 88 Cal. Rptr.3d 288, 302 (Cal. Ct. App. 2009), aff’d, 145 Cal.Rptr.3d 1 (2012). An insured can obtain indemnity for a loss under more than one policy period if the loss exceeds the limits of liability of all of the policies in a single policy period or coverage tower. Stacking treats a single occurrence as multiple occurrences.
  • 6. Companies Under-Insure Cyber Risks • Target Corp. reported $252 million in expenses related to its 2013 data breach, offset by only $90 million in insurance • January 2015 10-K securities filing • 2015 Global Cyber Impact Report, noted that 80% of companies are likely to suffer a data breach within a 12- month period and while in most cases, the cost will be less than $1 million, there’s a 5% chance of a material loss of $20 million or more. • For comparison, the probability of a fire causing a material loss is less than 1%.
  • 7. Cyber Insurance Risk Is Difficult To Measure, Model, And Price Sparse data to model, price, or hedge cyber risk. No standardized assessment of cyber risks. No public disclosure of ways and means for underwriters to measure risk and price policies. Difficult for insurers to: Assess effectiveness of various prevention schemes Hedge their assumed-risk Establish required reserves. BitSight has a security ratings service for cyber insurers based on its Security Ratings Platform. Its scoring model is similar to consumer  credit ratings.  Willis Re, a re‐insurance broker, announced a tool (PRISM‐Re) for accessing insurance company portfolios’ exposure to cybersecurity  risks.
  • 8. Why Cyber-Policies Do Not Pay-Out Delaying notice is a potential claims killer  Once a breach is detected, don't wait too long to notify your insurer of the issue. Not paying retroactively.  Given that breaches can be discovered months or even years after they begin or end, organizations should carefully consider when coverage starts. Contractual liability exclusions  Vendor contractual relationships, e.g., credit card companies, and banks act may void coverage if a breach. Terrorism/act of foreign enemy exclusions.  Many cyber attacks originate from outside a country's borders, and many of them are believed to be state sponsored. Insurance policies only cover theft of data  Many policies include language that makes them only cover losses from theft of data. No coverage for negligence.  If an employee loses a laptop with sensitive data, some policies won't cover it. Failure of insured to adhere to minimum required practices  Insured did not continuously implement procedures and risk controls as identified in the Insured’s application.  Data breach a result of file transfer protocol settings on Cottage's 3rd PARTY Internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google Inc.'s Internet search engine.  Columbia Casualty agreed to fund $4.13 million settlement—Subject to a complete reservation of rights  Then, Columbia sued Cottage Health System (Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR))
  • 9. Important Lesson “Failure to Follow Minimum Required Practices”  Cottage Health System obtained cyber-insurance from Columbia, in-part based on an application asking:  Do you check for security patches on your systems at least weekly and implement them within 30 days?  Do you replace factory default settings to ensure your information security systems are securely configured?  Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?  Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?  Do you have a way to detect unauthorized access or attempts to access sensitive information?  Do you control and track all changes to your network to ensure it remains secure?  Whenever you entrust sensitive information to third parties do you  contractually require all such third parties to protect your information with safeguards at least as good as your own  perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards  audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information  require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality?  A data leak occurred via Cottage’s IT vendor, left data unencrypted for two months—accessible by the Internet  Suits ensued—and Columbia Casualty agreed to fund $4.13 million settlement—Subject to a complete reservation of rights  Then—Columbia alleged it had no duty to defend or indemnify the policyholder because policyholder:  failed to follow minimum required practices, including failing to continuously implement appropriate procedures and risk controls identified in the application submitted with the application.  failed to regularly check and maintain security patches;  failed to regularly re-assess its information security exposure and enhance risk controls;  failed to have system in place to detect unauthorized access or attempts to access sensitive information on its servers; and  failed to control and track all changes to its network to ensure it remained secure. Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR)
  • 10. Secondary Benefits of Cyber-Insurance Insurer as partner Best practices both before and after breach event/notice Negotiated rates for post-breach vendors instead of getting gouged Access to expert Help Carrier staff and outsourced resources Attorneys, proactive security experts, breach-response experts, credit monitoring services, etc. But—be wary of insurer-communications after a breach Non-lawyer communications are not note privileged—are discoverable Communications can determine a covered versus an uncovered claim Be watchful of email/IM with insurance companies/brokers or consultants
  • 11. Getting Started … Categorize Your Exposures—In Your Language Business interruption Credit monitoring Cyber extortion Data loss/destruction Defend 3rd-party/class-action claims Defend claims by state and federal regulators Fines and penalties Identity theft related losses Notification Website media content related losses Be Inclusive—think of every related risk exposure
  • 12. Map Your Exposures into Coverage Terms Exposure Exposure/Claim Language Regulatory proceeding Costs incurred to defend organization for failure to disclose an event to governmental authorities when required by any security breach notice law Security and privacy liability Cost to defend organization from allegations of privacy violation including costs of settlement or judgment Digital asset loss Cost to replace lost/damaged e-files Event breach costs Cost incurred by organization arising out of (1) forensic investigation of breach; (2) use of public relations, crisis management firms, law firms; (3) notifications costs (i.e., printing, advertising, and mailing); (4) cost of identity theft call centers, credit file monitoring, and similar costs; (5) other costs as may be approved by the insurer Network interruption Loss of income from material interruption of organization computer systems due to security/breach event and costs incurred as a result of the network interruption. Depending on the organization, this may not be a significant exposure and may not need to be insured. Cyber extortion Costs incurred when insurer approves extortion payment(s) made to hacker or other criminal party to stop a planned event from occurring. Coverage also can include costs to conduct an investigation after the fact into the act of extortion. Internet media liability Cost to defend organization from allegations of privacy violation from unauthorized website changes, including costs of settlement or judgment Source: Adapted from International Risk Management Institute.
  • 13. Defined Terms—Are Maturing (http://www.irmi.com/online/insurance-glossary/default.aspx) Computer system  Hard/software owned, operated, control of organization or hosted by 3rd party. Cyber extortion  Expenses and monies for threat or extortion act. Defense within limit  Overall limit applies to all coverages including defense costs. Digital asset loss  Cost to replace loss of e-data. Event/breach management cost  Forensic investigation, credit reports, PR, notification, etc. Media liability  Insured’s liability for website content. Network interruption  Loss of net income/increased operating costs from material interruption. Privacy event  Failure to protect confidential info (i.e., e/data or other-paper) Regulatory proceeding  Request for info, civil investigation, etc. brought by government agency. Security/privacy liability  Organization liability for damages from breach of confidential information.
  • 14. Request and Evaluate Complete Cyber-Insurance Exposure Proposals Request complete proposals Contract terms/conditions, limits, deductibles, premiums Specimen policy All endorsements. Evaluate each proposal and sample policy Become familiar with how policies address cyber/privacy events Map limitations/conditions/exclusions Compare Contract terms, general conditions, limits, deductibles Pre-conditions Conditions Specimen policies Endorsements Premiums
  • 15. Policy Analysis and Comparison GENERAL CONSIDERATIONS Coverage—Last Line of Defense When Technology Fails Insure cyber-risks not eliminated through available security measures Insure cyber-risks that Commercial General Liability (CGL) policies do not cover Negotiate cyber-insurance policy provisions to cover your particular cyber threats/risks while avoiding exclusions that limit coverage Coverage Type Data breach/leakage and privacy management coverage Multimedia liability coverage Extortion liability coverage Network security liability coverage Retro date Look-back period, before policy start-date
  • 16. Policy Analysis and Comparison PRE-CONDITIONS Required “Base-line” levels and Governance of Data privacy/Data security Access governance, encryption and segmentation Application security Role-based access controls and access logging Network security Advanced authentication 3rd Party/Supply chain practices Required Compliance (annual audit, etc.) based on NIST Framework/Executive Order 13636 ISO/IEC 27xxx PCI/DSS HIPAA/HITECH SEC Blueprint Beazley plc, predicts next targets for hackers include … entities having patchworks of systems and security practices plus "treasure troves" of data—such as health information exchange organizations (large volumes of data), electronic health record systems at hospitals (provide easy access to clinicians) and integrated healthcare delivery systems.
  • 17. Policy Analysis and Comparison POLICY CONDITIONS POLICY CONDITIONS Example Conditions Policy Form Review Review for completeness Claim Conditions Claims-made and reported Additional Conditions Insurer specific Advance notice of cancellation Only if premium not paid ERP/Tail-auto (extend reporting) 125% Annual Premium for 1-year; 200% for 2-years Territory Worldwide/US NI may waive right of recovery No release allowed/Prior to loss in writing Definition of Insured NI (named insured), D&O, Employee, written-AI (additional insured) Confidential info: paper/e-data Personal info, "any form" Definition of PII, PHI, FTI, etc. Broad/narrow 3rd party contractor negligence Yes: "Information Holder" Event management Costs from security/privacy event Covered loss PR, 3rd party notice, credit reports, e-data restore Event costs No time limitation to report costs Source: Adapted from International Risk Management Institute.
  • 18. Policy Analysis and Comparison NETWORK INTERRUPTION Exposure Limits Assign to 3rd party responsible for your network Network Outage Loss of profits Incurred expenses Consequential damages Source: Adapted from International Risk Management Institute.
  • 19. Policy Analysis and Comparison CYBER EXTORTION Cyber Extortion Funds for security/privacy threat Security Threat Threat/attack Employee own/used computers Privacy Threat Threat to release confidential info Terrorism Included or Excluded Professional Services Included or Excluded Extended Reporting Period/Tail Included or Excluded Source: Adapted from International Risk Management Institute.
  • 20. Policy Analysis and Comparison SECURITY FAILURE/PRIVACY EVENTS SECURITY FAILURE/ PRIVACY EVENTS Example Responses Security failure/Privacy event Failure to protect confidential info Legal Defense Duty and right to defend Hammer clause (allows insurer to compel insured to settle) 50% (cap on amount of indemnification that InsurCo will provide) Settlement authority Insurer with consent of Insured Attorney chosen by insurer No, subject to insurer consent Loss include punitive, exemplary Yes, unless prohibited by law Regulatory Proceeding Gov't proceeding, etc. Source: Adapted from International Risk Management Institute.
  • 21. Policy Analysis and Comparison When is an Event a Claim? Cyber-policies define the term “claim” “Claim” is a key trigger term; insureds must Convert generalized “claim” definitions to specific “claims” Provide timely notice to insurer. Broad definitions of “claim” often result in late notice that forecloses coverage. Cyber-policies are claims-made policies Policies that provide coverage during period in which the insurer receives a claim. Insured forfeits coverage if notice is provided after A short period of days within a policy period, or End of the policy period.
  • 22. Security Failure Or Data Breach Example Cyber-Claim Cost-Categories Example first-party costs Business interruption--Loss of profits and extra expense Customers-credit monitoring Forensic breach-investigation Intellectual property infringement Legal advice to determine your notification and regulatory obligations. Notification costs of communicating the breach Privacy liability Public relations expenses Tort liability (negligence, slander, libel, defamation and related torts) Example third-party costs Legal defense Liability to 3rd parties, e.g., banks for re-issuing credit cards, data leakage Regulatory inquiries Regulatory fines/penalties (including Payment Card Industry fines) Settlements, damages and judgments related to the breach
  • 23. Policy Analysis and Comparison Quantifying Costs of a Cyber-Breach Event Source: $195 per record is from Ponemon Institute in its "2015 Research Report" based on calendar 2014 data. This, per-record cost has substantially increased. No formula to set reasonable coverage or policy limits Insufficient credible public settlement information Caselaw damages still developing. Direct "event breach” costs for US data breaches Estimated to be $195 per record  Forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services Costs become staggering as number of breached records increases. $1-Million Coverage = 5000 Records (Direct Costs—No Defense Costs).  1-Million Records = $195-Million Coverage Indirect "event breach” costs Third-party-related defense Settlement/judgment costs for damages claimed by injured parties Government-induced costs.
  • 24. Policy Analysis and Comparison Cross-Walk Claim-Costs to Policy Limits POLICY LIMITS Example Limits Overall Limit $10,000,000 shared/aggregate Defense Costs inside/outside limit Inside Regulatory Proceeding $10,000,000 Security/Privacy liability $10,000,000 Digital asset loss $10,000,000 Event/breach mgmt costs $10,000,000 Network Interruption $10,000,000 Cyber extortion $10,000,000 Internet media liability $10,000,000 Retention-unless stated $500,000 Regulatory Proceeding $500,000 Network Interruption 24 hours/$500,000 Adapted from International Risk Management Institute. Many cyber insurance policies also impose sublimits, such as for crisis‐management expenses, notification costs and  regulatory investigations. These sublimits can be negotiated.
  • 25. Policy Analysis and Comparison Premiums and Other Costs Annual Premium—Large Companies Average cost for $1 million of coverage $12,500 and $15,000 across various industry sectors including healthcare; transportation; retail/wholesale; financial institutions; communications, media and technology; education; and power and utilities. (See Testimony-Beshar-2015-01-28 of Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, before United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015). Gartner reports—cyber insurance premiums range from $10,000 to $35,000 for $1 million in coverage (2012-2013). Cost of compliance Is a strict condition-precedent for many cyber-security policies Varies widely by industry and by cyber-insurance underwriter required standards/frameworks. Purging unnecessary data In EHRs/etc., administrative, billing, and other legacy systems throughout your ecosystem.
  • 26. Director Liability Arising From Data Breach Palkonv.Holmes,No.14-cv-01234(D.N.J.),WyndhamSHssuedD&O’s,claimingtheirfailuretoimplementadequateinformation-securitypoliciesallowed3databreaches Shareholder derivative actions  Plaintiff is not required to prove damages resulting from theft of PII.  Directors owe Duties Of Care (BJR) and Loyalty—including Duty of Oversight (No BJR)  Did not implement reporting or information system controls; or  Implemented controls, BUT “consciously failed to monitor or oversee its operations.” Stone. After a data breach, claims against board probably will be  Breach of Duty of Care and  Breach of Duty Loyalty/Oversight  Court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring alternatives.” Citron v. Fairchild Camera  Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role  Board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight Protect Against Liability  Board must become well-informed  Board should appoint a committee responsible for privacy and security  Recruit and hire at least one tech-savvy member  Follow best industry practices Indemnification and Insurance  Articles of incorporation—provision eliminating director personal-liability for monetary damages for breach of the Duty of Care/Loyalty.  D & O Policy—WITHOUT exclusions to liability resulting from a privacy breach  Example Problem Exclusion: Insurer shall not be liable for Loss relating to a Claim made against an Insured:  “for emotional distress of any person,  or for injury from libel, slander, defamation or disparagement,  or for injury from a violation of a person’s right of privacy.”
  • 27. QUESTIONS CYBER AND PRIVACY INSURANCE ISSUES Cloud Security Law Series Michael Keeling, PE, Esq. Keeling Law Offices, PC Phoenix and Coronado www.keelinglawoffices.com NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.