This presentation focuses on the rising prominence of insurance considerations, and more particularly on the legal aspects of insurance as it relates to cybersecurity and privacy.
The presentation defines "Cyber and Privacy Insurance" and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions in place, the presentation then gives a snapshot of how the cyber insurance market is maturing, including its participants, costs, and related attributes.
Consideration is given to the importance of defined terms before turning to the difficulties that providers and users have in measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of "claims" and how to navigate the associated risk/cost analyses and cost structures.
Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together in a cohesive manner.
1. CLOUD SECURITY LAW SERIES
CYBER AND PRIVACY INSURANCE ISSUES
MICHAEL KEELING, PE, ESQ.
KEELING LAW OFFICES, PC
PHOENIX AND CORONADO
Presented at
INTERFACE 2015
June 19, 2015
Phoenix, AZ
NOTE: Information contained in this
presentation is intended for informational
purposes ONLY. It is not intended to be, and
should not be construed as, legal advice to any
person or in connection with any transaction.
Always consult with an experienced attorney
before engaging in any transaction that might
involve the legal issues discussed herein.
2. “Cyber and Privacy Insurance” Defined
(International Risk Management Institute)
“... cyber and privacy policies [cyber-insurance] cover a
business's liability for a data breach in which the firm's
customers’ … information [PII, PHI, FTI, etc.] …
is exposed or stolen by a … criminal who has gained access to the
firm's electronic network.
The policies [can] cover a variety of expenses associated
with data breaches, including
notification costs, credit monitoring, costs to defend claims by state
regulators, fines and penalties, and loss resulting from identity theft.
In addition, the policies [can] cover liability arising from
website media content ... property exposures from ... business
interruption, data loss/destruction ... and cyber extortion.”
Massive Money-Spinning: $1.4 Billion in US Premiums in 2014
3. Four Main Types Of
Cyber Insurance Coverage
Data Breach And Privacy Management Coverage
Crisis services: focuses on managing and recovering from data breaches/leakages, including investigating, notifying, credit monitoring, data restoration, and associated legal fees
Regulatory defense: federal and state compliance investigation, legal support, fines, penalties (note sublimits)
Prior-acts coverage: retroactive date for delayed breach discoveries
Multimedia Liability Coverage
Focuses on media, intellectual property rights, and website defacement.
Extortion Liability Coverage
Focuses on damages incurred from extortion.
Network Security Liability/Contingent Business Disruption
Focuses on network availability and third-party data theft.
Third party acts or omissions—indemnification triggers
Cyber insurance policies generally exclude real property damage
Conversely, many property and terrorism insurance policies exclude real property
damage caused by malicious cyber-attacks.
According to the NetDiligence Cyber Claims Study (2014), almost half of cyber-insurance payouts from data breaches were for crisis management services.
4. Cyber Insurance Market—Is Maturing
50-60 insurers offer first-party and third-party coverage
ACE, AIG, Aon, Beazley and Hiscox—have written cyber-policies for multiple
years, have large books, and adjudicate claims monthly.
Cyber insurance annual-premium range (per $1 million of
coverage)
Gartner reports $10K to $35K (2012-2013).
Marsh reports $12.5K to $15K—across many sectors (2015)
Aon reports Small Companies: $1K to $7.5K (2015)
Aon reports Medium Companies: $5K to $25K (2015)
Aon reports Large Companies: $10K to $75K (2015)
Increased purchasing of cyber insurance
Marsh reports the number of policies increased about 30% per year since 2012
Chubb reports average policy limits increasing at about 20 percent annually
Aon plc, a broker, claimed cyber insurance is growing at 38% annually (2014)
5. “Stacking” Policies to Create “Towers”
• Average policy-limits—per carrier
• Chubb reports $16.8 million across all industries.
• Chubb-reports Average policy-limits increasing 20% per year
• Maximum Policy-limits available
• $10 million to $50 million from a single carrier
• Carriers have limited claims-data
• Difficult to quantify trade secrets and intellectual property losses
• Do not support actuarial analysis
• Frustrates carriers' ability to standardize policies
• Results in coverage caps, sublimits, and exclusions based on risks identifiable in individual policy applications (individualized basis)
• Policyholders can "stack" limits of liability from multiple carriers to create towers of cyber-insurance up to $350 million.
“Stacking means treating multiple policies that apply to a single loss as cumulative—as a ‘stack’ of coverage—rather than as
mutually exclusive.” State v. Continental Ins. Co., 88 Cal. Rptr.3d 288, 302 (Cal. Ct. App. 2009), aff’d, 145 Cal.Rptr.3d 1 (2012).
An insured can obtain indemnity for a loss under more than one policy period if the loss exceeds the limits of liability of all of the
policies in a single policy period or coverage tower. Stacking treats a single occurrence as multiple occurrences.
6. Companies Under-Insure Cyber Risks
• Target Corp. reported $252 million in expenses related to
its 2013 data breach, offset by only $90 million in
insurance
• January 2015 10-K securities filing
• The 2015 Global Cyber Impact Report noted that 80% of companies are likely to suffer a data breach within a 12-month period; while in most cases the cost will be less than $1 million, there's a 5% chance of a material loss of $20 million or more.
• For comparison, the probability of a fire causing a material
loss is less than 1%.
7. Cyber Insurance Risk Is Difficult To
Measure, Model, And Price
Sparse data to model, price, or hedge cyber risk.
No standardized assessment of cyber risks.
No public disclosure of ways and means for
underwriters to measure risk and price policies.
Difficult for insurers to:
Assess effectiveness of various prevention schemes
Hedge their assumed-risk
Establish required reserves.
BitSight has a security ratings service for cyber insurers based on its Security Ratings Platform. Its scoring model is similar to consumer
credit ratings.
Willis Re, a reinsurance broker, announced a tool (PRISM-Re) for assessing insurance company portfolios' exposure to cybersecurity risks.
8. Why Cyber-Policies Do Not Pay-Out
Delaying notice is a potential claims killer
Once a breach is detected, don't wait too long to notify your insurer of the issue.
Not paying retroactively.
Given that breaches can be discovered months or even years after they begin or end, organizations
should carefully consider when coverage starts.
Contractual liability exclusions
Vendor contractual relationships (e.g., with credit card companies and banks) may void coverage in the event of a breach.
Terrorism/act of foreign enemy exclusions.
Many cyber attacks originate from outside a country's borders, and many of them are believed to be
state sponsored.
Insurance policies only cover theft of data
Many policies include language that makes them only cover losses from theft of data.
No coverage for negligence.
If an employee loses a laptop with sensitive data, some policies won't cover it.
Failure of insured to adhere to minimum required practices
Insured did not continuously implement procedures and risk controls as identified in the Insured’s
application.
Example: the Cottage Health data breach resulted from file transfer protocol settings on Cottage's third-party Internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google Inc.'s Internet search engine.
Columbia Casualty agreed to fund a $4.13 million settlement, subject to a complete reservation of rights.
Then Columbia sued Cottage Health System (Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR)).
9. Important Lesson
“Failure to Follow Minimum Required Practices”
Cottage Health System obtained cyber-insurance from Columbia, in part based on an application asking:
Do you check for security patches on your systems at least weekly and implement them within 30 days?
Do you replace factory default settings to ensure your information security systems are securely
configured?
Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance
your risk controls in response to changes?
Do you outsource your information security management to a qualified firm specializing in security or
have staff responsible for and trained in information security?
Do you have a way to detect unauthorized access or attempts to access sensitive information?
Do you control and track all changes to your network to ensure it remains secure?
Whenever you entrust sensitive information to third parties do you
contractually require all such third parties to protect your information with safeguards at least as good as your own
perform due diligence on each such third party to ensure that their safeguards for protecting sensitive information meet your standards
audit all such third parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information
require them to have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or
confidentiality?
A data leak occurred via Cottage's IT vendor, which left data unencrypted for two months, accessible from the Internet.
Suits ensued, and Columbia Casualty agreed to fund a $4.13 million settlement, subject to a complete reservation of rights.
Then Columbia alleged it had no duty to defend or indemnify the policyholder because the policyholder:
failed to follow minimum required practices, including failing to continuously implement appropriate procedures and risk controls identified in the application submitted to the insurer;
failed to regularly check and maintain security patches;
failed to regularly re-assess its information security exposure and enhance risk controls;
failed to have system in place to detect unauthorized access or attempts to access sensitive information on its servers; and
failed to control and track all changes to its network to ensure it remained secure.
Columbia Casualty v. Cottage Health System, U.S. District Court for Middle District of California (2:15-cv-03432-DDP-AGR)
10. Secondary Benefits of Cyber-Insurance
Insurer as partner
Best practices both before and after breach event/notice
Negotiated rates for post-breach vendors instead of getting gouged
Access to expert Help
Carrier staff and outsourced resources
Attorneys, proactive security experts, breach-response experts, credit
monitoring services, etc.
But be wary of insurer communications after a breach
Non-lawyer communications are not privileged and are discoverable
Communications can determine a covered versus an uncovered claim
Be watchful of email/IM with insurance companies, brokers or consultants
11. Getting Started …
Categorize Your Exposures—In Your Language
Business interruption
Credit monitoring
Cyber extortion
Data loss/destruction
Defend 3rd-party/class-action claims
Defend claims by state and federal regulators
Fines and penalties
Identity theft related losses
Notification
Website media content related losses
Be Inclusive—think of every related risk exposure
12. Map Your Exposures into Coverage Terms
Exposure | Exposure/Claim Language
Regulatory proceeding | Costs incurred to defend the organization for failure to disclose an event to governmental authorities when required by any security breach notice law
Security and privacy liability | Cost to defend the organization from allegations of privacy violation, including costs of settlement or judgment
Digital asset loss | Cost to replace lost/damaged e-files
Event breach costs | Cost incurred by the organization arising out of (1) forensic investigation of the breach; (2) use of public relations, crisis management firms, law firms; (3) notification costs (i.e., printing, advertising, and mailing); (4) cost of identity theft call centers, credit file monitoring, and similar costs; (5) other costs as may be approved by the insurer
Network interruption | Loss of income from material interruption of the organization's computer systems due to a security/breach event, and costs incurred as a result of the network interruption. Depending on the organization, this may not be a significant exposure and may not need to be insured.
Cyber extortion | Costs incurred when the insurer approves extortion payment(s) made to a hacker or other criminal party to stop a planned event from occurring. Coverage also can include costs to conduct an investigation after the fact into the act of extortion.
Internet media liability | Cost to defend the organization from allegations of privacy violation from unauthorized website changes, including costs of settlement or judgment
Source: Adapted from International Risk Management Institute.
13. Defined Terms—Are Maturing
(http://www.irmi.com/online/insurance-glossary/default.aspx)
Computer system
Hardware/software owned, operated, or controlled by the organization, or hosted by a 3rd party.
Cyber extortion
Expenses and monies for threat or extortion act.
Defense within limit
Overall limit applies to all coverages including defense costs.
Digital asset loss
Cost to replace loss of e-data.
Event/breach management cost
Forensic investigation, credit reports, PR, notification, etc.
Media liability
Insured’s liability for website content.
Network interruption
Loss of net income/increased operating costs from material interruption.
Privacy event
Failure to protect confidential info (e.g., e-data or paper records)
Regulatory proceeding
Request for info, civil investigation, etc. brought by government agency.
Security/privacy liability
Organization liability for damages from breach of confidential information.
14. Request and Evaluate Complete
Cyber-Insurance Exposure Proposals
Request complete proposals
Contract terms/conditions, limits, deductibles, premiums
Specimen policy
All endorsements.
Evaluate each proposal and sample policy
Become familiar with how policies address cyber/privacy events
Map limitations/conditions/exclusions
Compare
Contract terms, general conditions, limits, deductibles
Pre-conditions
Conditions
Specimen policies
Endorsements
Premiums
15. Policy Analysis and Comparison
GENERAL CONSIDERATIONS
Coverage—Last Line of Defense When Technology Fails
Insure cyber-risks not eliminated through available security measures
Insure cyber-risks that Commercial General Liability (CGL) policies do
not cover
Negotiate cyber-insurance policy provisions to cover
your particular cyber threats/risks
while avoiding exclusions that limit coverage
Coverage Type
Data breach/leakage and privacy management coverage
Multimedia liability coverage
Extortion liability coverage
Network security liability coverage
Retro date
Look-back period, before policy start-date
16. Policy Analysis and Comparison
PRE-CONDITIONS
Required “Base-line” levels and Governance of
Data privacy/Data security
Access governance, encryption and segmentation
Application security
Role-based access controls and access logging
Network security
Advanced authentication
3rd Party/Supply chain practices
Required Compliance (annual audit, etc.) based on
NIST Framework/Executive Order 13636
ISO/IEC 27xxx
PCI/DSS
HIPAA/HITECH
SEC Blueprint
Beazley plc predicts the next targets for hackers include … entities having patchworks of systems and security practices plus "treasure troves" of data, such as health information exchange organizations (large volumes of data), electronic health record systems at hospitals (which provide easy access to clinicians) and integrated healthcare delivery systems.
17. Policy Analysis and Comparison
POLICY CONDITIONS
POLICY CONDITIONS | Example Conditions
Policy Form Review | Review for completeness
Claim Conditions | Claims-made and reported
Additional Conditions | Insurer specific
Advance notice of cancellation | Only if premium not paid
ERP/Tail-auto (extended reporting) | 125% of annual premium for 1 year; 200% for 2 years
Territory | Worldwide/US
NI may waive right of recovery | No release allowed / prior to loss, in writing
Definition of Insured | NI (named insured), D&O, Employee, written AI (additional insured)
Confidential info (paper/e-data) | Personal info, "any form"
Definition of PII, PHI, FTI, etc. | Broad/narrow
3rd party contractor negligence | Yes: "Information Holder"
Event management | Costs from security/privacy event
Covered loss | PR, 3rd party notice, credit reports, e-data restore
Event costs | No time limitation to report costs
Source: Adapted from International Risk Management Institute.
18. Policy Analysis and Comparison
NETWORK INTERRUPTION
Exposure | Limits
Network outage (loss of profits, incurred expenses, consequential damages) | Assign to the 3rd party responsible for your network
Source: Adapted from International Risk Management Institute.
19. Policy Analysis and Comparison
CYBER EXTORTION
Cyber Extortion | Funds for security/privacy threat
Security Threat | Threat/attack; employee-owned/used computers
Privacy Threat | Threat to release confidential info
Terrorism | Included or Excluded
Professional Services | Included or Excluded
Extended Reporting Period/Tail | Included or Excluded
Source: Adapted from International Risk Management Institute.
20. Policy Analysis and Comparison
SECURITY FAILURE/PRIVACY EVENTS
SECURITY FAILURE/PRIVACY EVENTS | Example Responses
Security failure/Privacy event | Failure to protect confidential info
Legal Defense | Duty and right to defend
Hammer clause (allows insurer to compel insured to settle) | 50% (cap on amount of indemnification that the insurer will provide)
Settlement authority | Insurer with consent of Insured
Attorney chosen by insurer | No, subject to insurer consent
Loss includes punitive, exemplary | Yes, unless prohibited by law
Regulatory Proceeding | Gov't proceeding, etc.
Source: Adapted from International Risk Management Institute.
21. Policy Analysis and Comparison
When is an Event a Claim?
Cyber-policies define the term “claim”
“Claim” is a key trigger term; insureds must
Convert generalized “claim” definitions to specific “claims”
Provide timely notice to insurer.
Broad definitions of “claim” often result in late notice that forecloses
coverage.
Cyber-policies are claims-made policies
Policies that provide coverage only for claims the insurer receives during the policy period.
Insured forfeits coverage if notice is provided after
A short period of days within a policy period, or
End of the policy period.
22. Security Failure Or Data Breach
Example Cyber-Claim Cost-Categories
Example first-party costs
Business interruption: loss of profits and extra expense
Customers-credit monitoring
Forensic breach-investigation
Intellectual property infringement
Legal advice to determine your notification and regulatory obligations.
Notification costs of communicating the breach
Privacy liability
Public relations expenses
Tort liability (negligence, slander, libel, defamation and related torts)
Example third-party costs
Legal defense
Liability to 3rd parties, e.g., banks for re-issuing credit cards, data leakage
Regulatory inquiries
Regulatory fines/penalties (including Payment Card Industry fines)
Settlements, damages and judgments related to the breach
23. Policy Analysis and Comparison
Quantifying Costs of a Cyber-Breach Event
Source: the $195 per record figure is from the Ponemon Institute's "2015 Research Report", based on calendar 2014 data. This per-record cost has substantially increased.
No formula to set reasonable coverage or policy limits
Insufficient credible public settlement information
Caselaw damages still developing.
Direct "event breach” costs for US data breaches
Estimated to be $195 per record
Forensic experts, outsourced hotline support, free credit monitoring subscriptions, and
discounts for future products and services
Costs become staggering as number of breached records increases.
$1 million of coverage = 5000 records (direct costs only, no defense costs)
1 million records = $195 million of coverage
Indirect "event breach” costs
Third-party-related defense
Settlement/judgment costs for damages claimed by injured parties
Government-induced costs.
24. Policy Analysis and Comparison
Cross-Walk Claim-Costs to Policy Limits
POLICY LIMITS | Example Limits
Overall Limit | $10,000,000 shared/aggregate
Defense Costs inside/outside limit | Inside
Regulatory Proceeding | $10,000,000
Security/Privacy liability | $10,000,000
Digital asset loss | $10,000,000
Event/breach mgmt costs | $10,000,000
Network Interruption | $10,000,000
Cyber extortion | $10,000,000
Internet media liability | $10,000,000
Retention (unless stated) | $500,000
Regulatory Proceeding | $500,000
Network Interruption | 24 hours / $500,000
Adapted from International Risk Management Institute.
Many cyber insurance policies also impose sublimits, such as for crisis‐management expenses, notification costs and
regulatory investigations. These sublimits can be negotiated.
25. Policy Analysis and Comparison
Premiums and Other Costs
Annual Premium—Large Companies
Average cost for $1 million of coverage is between $12,500 and $15,000 across
various industry sectors including healthcare; transportation;
retail/wholesale; financial institutions; communications, media and
technology; education; and power and utilities.
(See Testimony-Beshar-2015-01-28 of Peter J. Beshar, Executive Vice
President and General Counsel, Marsh & McLennan Companies, before
United States Senate Committee on Homeland Security & Governmental
Affairs, Jan. 28, 2015).
Gartner reports—cyber insurance premiums range from $10,000 to
$35,000 for $1 million in coverage (2012-2013).
Cost of compliance
Is a strict condition-precedent for many cyber-security policies
Varies widely by industry and by the standards/frameworks the cyber-insurance underwriter requires.
Purging unnecessary data
In EHRs/etc., administrative, billing, and other legacy systems
throughout your ecosystem.
26. Director Liability Arising From Data Breach
Palkon v. Holmes, No. 14-cv-01234 (D.N.J.): Wyndham shareholders sued D&O's, claiming their failure to implement adequate information-security policies allowed 3 data breaches
Shareholder derivative actions
Plaintiff is not required to prove damages resulting from theft of PII.
Directors owe Duties Of Care (BJR) and Loyalty—including Duty of Oversight (No BJR)
Did not implement reporting or information system controls; or
Implemented controls, BUT “consciously failed to monitor or oversee its operations.” Stone.
After a data breach, claims against board probably will be
Breach of Duty of Care and
Breach of Duty of Loyalty/Oversight
Court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring
alternatives.” Citron v. Fairchild Camera
Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role
Board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight
Protect Against Liability
Board must become well-informed
Board should appoint a committee responsible for privacy and security
Recruit and hire at least one tech-savvy member
Follow best industry practices
Indemnification and Insurance
Articles of incorporation—provision eliminating director personal-liability for monetary damages for breach of the
Duty of Care/Loyalty.
D & O Policy—WITHOUT exclusions to liability resulting from a privacy breach
Example Problem Exclusion: Insurer shall not be liable for Loss relating to a Claim made against an Insured:
“for emotional distress of any person,
or for injury from libel, slander, defamation or disparagement,
or for injury from a violation of a person’s right of privacy.”
27. QUESTIONS
CYBER AND PRIVACY INSURANCE ISSUES
Cloud Security Law Series
Michael Keeling, PE, Esq.
Keeling Law Offices, PC
Phoenix and Coronado
www.keelinglawoffices.com