Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cloud security law cyber insurance issues phx 2015 06 19 v1


Published on

This presentation focuses to the rising prominence of insurance considerations—and more particularly—to legal aspects of insurance as it relates to cybersecurity and privacy.

The presentation defines "Cyber and Privacy Insurance” and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions, the presentation then gives snapshot of how the Cyber Insurance Market Is Maturing, its participants, costs, and related attributes.

Consideration is given to the importance of defined terms, before launching into difficulties that providers and users have relative to measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate through associated risk/cost analyses and cost structures.

Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together is a cohesive manner.

Published in: Law
  • Very Informative and Enlightening, Thank You Sir!
    Are you sure you want to  Yes  No
    Your message goes here

Cloud security law cyber insurance issues phx 2015 06 19 v1

  1. 1. CLOUD SECURITY LAW SERIES CYBER AND PRIVACY INSURANCE ISSUES MICHAEL KEELING, PE, ESQ. KEELING LAW OFFICES, PC PHOENIXANDCORONADO Presented at INTERFACE 2015 June 19, 2015 Phoenix, AZ NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.
  2. 2. “Cyber and Privacy Insurance” Defined (International Risk Management Institute) “... cyber and privacy policies [cyber-insurance] cover a business's liability for a data breach in which the firm's customers’ … information [PII, PHI, FTI, etc.] … is exposed or stolen by a … criminal who has gained access to the firm's electronic network. The policies [can] cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. In addition, the policies [can] cover liability arising from website media content ... property exposures from ... business interruption, data loss/destruction ... and cyber extortion.” Massive Money--Spinning $1.4 Billion US Premiums in 2014
  3. 3. Four Main Types Of Cyber Insurance Coverage Data Breach And Privacy Management Coverage Crisis services—focuses to managing and recovering from data breaches/leakages—investigating, notifying, credit monitoring, data restore, and associated legal fees Regulatory defense—federal and state compliance-investigation, legal support, fines, penalties (note sublimits) Prior-acts coverage—retroactive date for delayed breach-discoveries). Multimedia Liability Coverage Focuses to media, intellectual property rights, and website defacement. Extortion Liability Coverage Focuses to damages incurred from extortion. Network Security Liability/Contingent Business Disruption Focuses to network availability and third-party data theft. Third party acts or omissions—indemnification triggers Cyber insurance policies generally exclude real property damage Conversely, many property and terrorism insurance policies exclude real property damage caused by malicious cyber-attacks. Net Diligence Cyber Claims Study, almost half of cyber-insurance payouts from data breaches was for crisis management services (2014).
  4. 4. Cyber Insurance Market—Is Maturing 50-60 insurers offer first-party and third-party coverage ACE, AIG, Aon, Beazley and Hiscox—have written cyber-policies for multiple years, have large books, and adjudicate claims monthly. Cyber insurance annual-premium range (per $1 million of coverage) Gartner reports $10K to $35K (2012-2013). Marsh reports $12.5K to $15K—across many sectors (2015) Aon reports Small Companies: $1K to $7.5K (2015) Aon reports Medium Companies: $5K to $25K (2015) Aon reports Large Companies: $10K to $75K (2015) Increased purchasing of cyber insurance Marsh reports #-Policies increased about 30% per year since 2012 Chubb-reports Average policy-limits increasing at about 20 percent annually AON PLC, broker, claimed cyber insurance growing at 38% annually (2014) Increased purchasing of cyber insurance policies Marsh reports the No. of Policies increased about 30% per year since 2012
  5. 5. “Stacking” Policies to Create “Towers” • Average policy-limits—per carrier • Chubb reports $16.8 million across all industries. • Chubb-reports Average policy-limits increasing 20% per year • Maximum Policy-limits available • $10 million to $50 million from a single carrier • Carriers have limited claims-data • Difficult to quantify trade secrets and intellectual property losses • Do not support actuarial analysis • Frustrates carriers’ ability to standardize polices • Results in coverage-caps, sublimits, and exclusions based on risks identifiable in individual policy applications (individualized basis) • Policyholders can “stack” limits of liability—from multiple carriers—to create • Towers of cyber-insurance up to $350 million. “Stacking means treating multiple policies that apply to a single loss as cumulative—as a ‘stack’ of coverage—rather than as mutually exclusive.” State v. Continental Ins. Co., 88 Cal. Rptr.3d 288, 302 (Cal. Ct. App. 2009), aff’d, 145 Cal.Rptr.3d 1 (2012). An insured can obtain indemnity for a loss under more than one policy period if the loss exceeds the limits of liability of all of the policies in a single policy period or coverage tower. Stacking treats a single occurrence as multiple occurrences.
  6. 6. Companies Under-Insure Cyber Risks • Target Corp. reported $252 million in expenses related to its 2013 data breach, offset by only $90 million in insurance • January 2015 10-K securities filing • 2015 Global Cyber Impact Report, noted that 80% of companies are likely to suffer a data breach within a 12- month period and while in most cases, the cost will be less than $1 million, there’s a 5% chance of a material loss of $20 million or more. • For comparison, the probability of a fire causing a material loss is less than 1%.
  7. 7. Cyber Insurance Risk Is Difficult To Measure, Model, And Price Sparse data to model, price, or hedge cyber risk. No standardized assessment of cyber risks. No public disclosure of ways and means for underwriters to measure risk and price policies. Difficult for insurers to: Assess effectiveness of various prevention schemes Hedge their assumed-risk Establish required reserves. BitSight has a security ratings service for cyber insurers based on its Security Ratings Platform. Its scoring model is similar to consumer  credit ratings.  Willis Re, a re‐insurance broker, announced a tool (PRISM‐Re) for accessing insurance company portfolios’ exposure to cybersecurity  risks.
  8. 8. Why Cyber-Policies Do Not Pay-Out Delaying notice is a potential claims killer  Once a breach is detected, don't wait too long to notify your insurer of the issue. Not paying retroactively.  Given that breaches can be discovered months or even years after they begin or end, organizations should carefully consider when coverage starts. Contractual liability exclusions  Vendor contractual relationships, e.g., credit card companies, and banks act may void coverage if a breach. Terrorism/act of foreign enemy exclusions.  Many cyber attacks originate from outside a country's borders, and many of them are believed to be state sponsored. Insurance policies only cover theft of data  Many policies include language that makes them only cover losses from theft of data. No coverage for negligence.  If an employee loses a laptop with sensitive data, some policies won't cover it. Failure of insured to adhere to minimum required practices  Insured did not continuously implement procedures and risk controls as identified in the Insured’s application.  Data breach a result of file transfer protocol settings on Cottage's 3rd PARTY Internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google Inc.'s Internet search engine.  Columbia Casualty agreed to fund $4.13 million settlement—Subject to a complete reservation of rights  Then, Columbia sued Cottage Health System (Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR))
  9. 9. Important Lesson “Failure to Follow Minimum Required Practices”  Cottage Health System obtained cyber-insurance from Columbia, in-part based on an application asking:  Do you check for security patches on your systems at least weekly and implement them within 30 days?  Do you replace factory default settings to ensure your information security systems are securely configured?  Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?  Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?  Do you have a way to detect unauthorized access or attempts to access sensitive information?  Do you control and track all changes to your network to ensure it remains secure?  Whenever you entrust sensitive information to third parties do you  contractually require all such third parties to protect your information with safeguards at least as good as your own  perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards  audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information  require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality?  A data leak occurred via Cottage’s IT vendor, left data unencrypted for two months—accessible by the Internet  Suits ensued—and Columbia Casualty agreed to fund $4.13 million settlement—Subject to a complete reservation of rights  Then—Columbia alleged it had no duty to defend or indemnify the policyholder because policyholder:  failed to follow minimum required practices, including failing to continuously implement appropriate procedures and risk controls identified in the application submitted with the application.  failed to regularly check and maintain security patches;  failed to regularly re-assess its information security exposure and enhance risk controls;  failed to have system in place to detect unauthorized access or attempts to access sensitive information on its servers; and  failed to control and track all changes to its network to ensure it remained secure. Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR)
  10. 10. Secondary Benefits of Cyber-Insurance Insurer as partner Best practices both before and after breach event/notice Negotiated rates for post-breach vendors instead of getting gouged Access to expert Help Carrier staff and outsourced resources Attorneys, proactive security experts, breach-response experts, credit monitoring services, etc. But—be wary of insurer-communications after a breach Non-lawyer communications are not note privileged—are discoverable Communications can determine a covered versus an uncovered claim Be watchful of email/IM with insurance companies/brokers or consultants
  11. 11. Getting Started … Categorize Your Exposures—In Your Language Business interruption Credit monitoring Cyber extortion Data loss/destruction Defend 3rd-party/class-action claims Defend claims by state and federal regulators Fines and penalties Identity theft related losses Notification Website media content related losses Be Inclusive—think of every related risk exposure
  12. 12. Map Your Exposures into Coverage Terms Exposure Exposure/Claim Language Regulatory proceeding Costs incurred to defend organization for failure to disclose an event to governmental authorities when required by any security breach notice law Security and privacy liability Cost to defend organization from allegations of privacy violation including costs of settlement or judgment Digital asset loss Cost to replace lost/damaged e-files Event breach costs Cost incurred by organization arising out of (1) forensic investigation of breach; (2) use of public relations, crisis management firms, law firms; (3) notifications costs (i.e., printing, advertising, and mailing); (4) cost of identity theft call centers, credit file monitoring, and similar costs; (5) other costs as may be approved by the insurer Network interruption Loss of income from material interruption of organization computer systems due to security/breach event and costs incurred as a result of the network interruption. Depending on the organization, this may not be a significant exposure and may not need to be insured. Cyber extortion Costs incurred when insurer approves extortion payment(s) made to hacker or other criminal party to stop a planned event from occurring. Coverage also can include costs to conduct an investigation after the fact into the act of extortion. Internet media liability Cost to defend organization from allegations of privacy violation from unauthorized website changes, including costs of settlement or judgment Source: Adapted from International Risk Management Institute.
  13. 13. Defined Terms—Are Maturing ( Computer system  Hard/software owned, operated, control of organization or hosted by 3rd party. Cyber extortion  Expenses and monies for threat or extortion act. Defense within limit  Overall limit applies to all coverages including defense costs. Digital asset loss  Cost to replace loss of e-data. Event/breach management cost  Forensic investigation, credit reports, PR, notification, etc. Media liability  Insured’s liability for website content. Network interruption  Loss of net income/increased operating costs from material interruption. Privacy event  Failure to protect confidential info (i.e., e/data or other-paper) Regulatory proceeding  Request for info, civil investigation, etc. brought by government agency. Security/privacy liability  Organization liability for damages from breach of confidential information.
  14. 14. Request and Evaluate Complete Cyber-Insurance Exposure Proposals Request complete proposals Contract terms/conditions, limits, deductibles, premiums Specimen policy All endorsements. Evaluate each proposal and sample policy Become familiar with how policies address cyber/privacy events Map limitations/conditions/exclusions Compare Contract terms, general conditions, limits, deductibles Pre-conditions Conditions Specimen policies Endorsements Premiums
  15. 15. Policy Analysis and Comparison GENERAL CONSIDERATIONS Coverage—Last Line of Defense When Technology Fails Insure cyber-risks not eliminated through available security measures Insure cyber-risks that Commercial General Liability (CGL) policies do not cover Negotiate cyber-insurance policy provisions to cover your particular cyber threats/risks while avoiding exclusions that limit coverage Coverage Type Data breach/leakage and privacy management coverage Multimedia liability coverage Extortion liability coverage Network security liability coverage Retro date Look-back period, before policy start-date
  16. 16. Policy Analysis and Comparison PRE-CONDITIONS Required “Base-line” levels and Governance of Data privacy/Data security Access governance, encryption and segmentation Application security Role-based access controls and access logging Network security Advanced authentication 3rd Party/Supply chain practices Required Compliance (annual audit, etc.) based on NIST Framework/Executive Order 13636 ISO/IEC 27xxx PCI/DSS HIPAA/HITECH SEC Blueprint Beazley plc, predicts next targets for hackers include … entities having patchworks of systems and security practices plus "treasure troves" of data—such as health information exchange organizations (large volumes of data), electronic health record systems at hospitals (provide easy access to clinicians) and integrated healthcare delivery systems.
  17. 17. Policy Analysis and Comparison POLICY CONDITIONS POLICY CONDITIONS Example Conditions Policy Form Review Review for completeness Claim Conditions Claims-made and reported Additional Conditions Insurer specific Advance notice of cancellation Only if premium not paid ERP/Tail-auto (extend reporting) 125% Annual Premium for 1-year; 200% for 2-years Territory Worldwide/US NI may waive right of recovery No release allowed/Prior to loss in writing Definition of Insured NI (named insured), D&O, Employee, written-AI (additional insured) Confidential info: paper/e-data Personal info, "any form" Definition of PII, PHI, FTI, etc. Broad/narrow 3rd party contractor negligence Yes: "Information Holder" Event management Costs from security/privacy event Covered loss PR, 3rd party notice, credit reports, e-data restore Event costs No time limitation to report costs Source: Adapted from International Risk Management Institute.
  18. 18. Policy Analysis and Comparison NETWORK INTERRUPTION Exposure Limits Assign to 3rd party responsible for your network Network Outage Loss of profits Incurred expenses Consequential damages Source: Adapted from International Risk Management Institute.
  19. 19. Policy Analysis and Comparison CYBER EXTORTION Cyber Extortion Funds for security/privacy threat Security Threat Threat/attack Employee own/used computers Privacy Threat Threat to release confidential info Terrorism Included or Excluded Professional Services Included or Excluded Extended Reporting Period/Tail Included or Excluded Source: Adapted from International Risk Management Institute.
  20. 20. Policy Analysis and Comparison SECURITY FAILURE/PRIVACY EVENTS SECURITY FAILURE/ PRIVACY EVENTS Example Responses Security failure/Privacy event Failure to protect confidential info Legal Defense Duty and right to defend Hammer clause (allows insurer to compel insured to settle) 50% (cap on amount of indemnification that InsurCo will provide) Settlement authority Insurer with consent of Insured Attorney chosen by insurer No, subject to insurer consent Loss include punitive, exemplary Yes, unless prohibited by law Regulatory Proceeding Gov't proceeding, etc. Source: Adapted from International Risk Management Institute.
  21. 21. Policy Analysis and Comparison When is an Event a Claim? Cyber-policies define the term “claim” “Claim” is a key trigger term; insureds must Convert generalized “claim” definitions to specific “claims” Provide timely notice to insurer. Broad definitions of “claim” often result in late notice that forecloses coverage. Cyber-policies are claims-made policies Policies that provide coverage during period in which the insurer receives a claim. Insured forfeits coverage if notice is provided after A short period of days within a policy period, or End of the policy period.
  22. 22. Security Failure Or Data Breach Example Cyber-Claim Cost-Categories Example first-party costs Business interruption--Loss of profits and extra expense Customers-credit monitoring Forensic breach-investigation Intellectual property infringement Legal advice to determine your notification and regulatory obligations. Notification costs of communicating the breach Privacy liability Public relations expenses Tort liability (negligence, slander, libel, defamation and related torts) Example third-party costs Legal defense Liability to 3rd parties, e.g., banks for re-issuing credit cards, data leakage Regulatory inquiries Regulatory fines/penalties (including Payment Card Industry fines) Settlements, damages and judgments related to the breach
  23. 23. Policy Analysis and Comparison Quantifying Costs of a Cyber-Breach Event Source: $195 per record is from Ponemon Institute in its "2015 Research Report" based on calendar 2014 data. This, per-record cost has substantially increased. No formula to set reasonable coverage or policy limits Insufficient credible public settlement information Caselaw damages still developing. Direct "event breach” costs for US data breaches Estimated to be $195 per record  Forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services Costs become staggering as number of breached records increases. $1-Million Coverage = 5000 Records (Direct Costs—No Defense Costs).  1-Million Records = $195-Million Coverage Indirect "event breach” costs Third-party-related defense Settlement/judgment costs for damages claimed by injured parties Government-induced costs.
  24. 24. Policy Analysis and Comparison Cross-Walk Claim-Costs to Policy Limits POLICY LIMITS Example Limits Overall Limit $10,000,000 shared/aggregate Defense Costs inside/outside limit Inside Regulatory Proceeding $10,000,000 Security/Privacy liability $10,000,000 Digital asset loss $10,000,000 Event/breach mgmt costs $10,000,000 Network Interruption $10,000,000 Cyber extortion $10,000,000 Internet media liability $10,000,000 Retention-unless stated $500,000 Regulatory Proceeding $500,000 Network Interruption 24 hours/$500,000 Adapted from International Risk Management Institute. Many cyber insurance policies also impose sublimits, such as for crisis‐management expenses, notification costs and  regulatory investigations. These sublimits can be negotiated.
  25. 25. Policy Analysis and Comparison Premiums and Other Costs Annual Premium—Large Companies Average cost for $1 million of coverage $12,500 and $15,000 across various industry sectors including healthcare; transportation; retail/wholesale; financial institutions; communications, media and technology; education; and power and utilities. (See Testimony-Beshar-2015-01-28 of Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, before United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015). Gartner reports—cyber insurance premiums range from $10,000 to $35,000 for $1 million in coverage (2012-2013). Cost of compliance Is a strict condition-precedent for many cyber-security policies Varies widely by industry and by cyber-insurance underwriter required standards/frameworks. Purging unnecessary data In EHRs/etc., administrative, billing, and other legacy systems throughout your ecosystem.
  26. 26. Director Liability Arising From Data Breach Palkonv.Holmes,No.14-cv-01234(D.N.J.),WyndhamSHssuedD&O’s,claimingtheirfailuretoimplementadequateinformation-securitypoliciesallowed3databreaches Shareholder derivative actions  Plaintiff is not required to prove damages resulting from theft of PII.  Directors owe Duties Of Care (BJR) and Loyalty—including Duty of Oversight (No BJR)  Did not implement reporting or information system controls; or  Implemented controls, BUT “consciously failed to monitor or oversee its operations.” Stone. After a data breach, claims against board probably will be  Breach of Duty of Care and  Breach of Duty Loyalty/Oversight  Court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring alternatives.” Citron v. Fairchild Camera  Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role  Board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight Protect Against Liability  Board must become well-informed  Board should appoint a committee responsible for privacy and security  Recruit and hire at least one tech-savvy member  Follow best industry practices Indemnification and Insurance  Articles of incorporation—provision eliminating director personal-liability for monetary damages for breach of the Duty of Care/Loyalty.  D & O Policy—WITHOUT exclusions to liability resulting from a privacy breach  Example Problem Exclusion: Insurer shall not be liable for Loss relating to a Claim made against an Insured:  “for emotional distress of any person,  or for injury from libel, slander, defamation or disparagement,  or for injury from a violation of a person’s right of privacy.”
  27. 27. QUESTIONS CYBER AND PRIVACY INSURANCE ISSUES Cloud Security Law Series Michael Keeling, PE, Esq. Keeling Law Offices, PC Phoenix and Coronado NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.