Next Dimension Inc., profile picture
Uploaded byNext Dimension Inc.
PPTX, PDF201 views

Cybersecurity: What does Cyber Insurance Cover?

The document discusses the growing prevalence and impact of cyber risks on businesses, emphasizing the need for appropriate cyber liability insurance. It highlights various claims trends, the financial burdens of breaches, and the necessity of organizations understanding their exposure and risk management responsibilities. Additionally, it outlines what underwriters look for in risk assessments and the specific components of network security and privacy liability insurance.

Embed presentation

Download to read offline
© 2017 HUB International Limited.1 © 2019 HUB International Limited.1 Cyber threats to your Business Next Dimension Patrick Bourk, HUB International Insurance Brokers Principal, National Cyber Practice Leader Office: 416.619.8097 | Mobile: 416.302.0886 | patrick.bourk@hubinternational.com
© 2018 HUB International Limited.2 CYBER RISK – IT IS EVERYWHERE A bombardment of media attention  Not a day goes by without another story … April 2018: bleepingcomputer.com reported that Microsoft saw a 24% rise in tech support scam complaints. received over 153,000 reports from customers who were the victims of a tech support scam in 2017 compared to complaints the received in 2016. Around 15% of the users who complained to Microsoft admitted to losing money to scammers, on average between $200 and $400. According to the NetDiligence Cyber Claims Study 2017 which analyzes claims information provided by insurance company participants, the range of cost per record lost between 2014-2017 was between $0.01 and $1.5M! The average cost per lost record was $8,000 and the median was $46.50. The average total breach cost was $394,000, the median $56,000.  One things leads to another  No Business Sector is too small: NetDiligence Cyber Claims Study 2017 noted that of the 591 claims reviewed by business sector, Professional Service firms had the highest number(18%) followed by Healthcare (17%) , Financial Services (13%) and Retail (11%). CFC Underwriting reports that 90% of claims affect businesses with less than $50M in revenues. For smaller sized organizations the impact of a breach can often be far more devastating.  City of Atlanta: The City entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days following their cyber attack of March 22nd, 2018. Despite hiring outside security consultants and crisis communications experts, some departments remained hobbled when last reported April 12th, 2018. The $2.7 million figure does not include outside legal advice nor lost productivity costs. The ransomware demand was for $52,000.
© 2018 HUB International Limited.3 CYBER RISK – PERCEPTIONS & REALITIES ©2015 Integro Insurance Brokers Source: Advisen Survey of Cyber Insurance Market Trends 2016 THE CLIENT  It’s an “IT Thing” and so Cyber must be an untranslatable kind of coverage that can’t be understood and is therefore TERRIFYING!  It is NOT just an IT matter and the coverage, although very customizable and nuanced, is capable of translation!  Board Members and Senior Management are now interested and are asking questions  As the topic “du jour” management teams have an obligation to educate themselves. As for buying it ….
© 2017 HUB International Limited.4 CYBER RISK – PERCEPTIONS & REALITIES ©2015 Integro Insurance Brokers  5 REASONS CLIENTS DON’T BUY CYBER LIABILITY INSURANCE  Our Director of IT assures us that our systems are 100% secure  We don’t hold any health information or sensitive data and therefore our exposure is minimal  Our firm is too small to be considered a target (we are not Target, or Home Depot or Equifax)  We outsource everything to 3rd parties and therefore carry none of the liabilities  We would rather invest in our technology systems than insurance
© 2018 HUB International Limited.5 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE What has recent case law highlighted?  Unprecedented litigation activity and class certifications  Jones v. Tsige – The tort of “intrusion upon seclusion” – turned the tap from trickle to flood  Plaintiffs are finding creative damage mechanisms (Evans v. Scotia) and are testing them in the class action forum  Breach incidents giving rise to collateral damage  Directors, officers and management teams are now being held to account  “Business to business” claims on the rise – consumers as victims seek compensation from banks who bring suit against the original corporate victim  Legislative landscape – change has arrived  The courts have been creating the framework for response requirements rather than the legislation but … Bill S-4 passed into law June 18th, 2015, Regulations were published April 18th, 2018 and …  NOVEMBER 1st, 2018 – Mandatory notice and reporting where there is a “real risk of significant harm to the individual”  Mandatory record keeping for ALL breaches – Expect the ‘breach log’ to be a target
© 2018 HUB International Limited.6 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE The “three pillars” of breach exposure  Ransomware/Cyber Extortion  Significant increase in reported claims since 2016 and affecting every industry sector  Since 2016 a noticeable increase in targeted ransomware variants – identifying specific businesses and their likelihood of making payment  External intrusions targeting specific confidential information  Organizations with networks of affiliated organizations make for prime targets since network integration is rare and systems are often inconsistently monitored and/or updated. If more than 5-10 linked institutions, then malware is often customized given the size of opportunity for hackers  Foundations typically hold extremely valuable non-PII information – sensitive financial and donor information  Phishing attacks  Theft of money but equally concerning are attacks that deny access to corporate network systems  Seemingly innocuous businesses can be “locked down” for days causing huge delays and resulting in significant business interruption/extra expense losses
© 2018 HUB International Limited.7 To what extent do traditional insurance policies respond to breaches?  Common insurance policies purchased by most enterprises that may or may not respond to network security or privacy breach situations  General Liability  Business Interruption  Fidelity (Crime)  Professional Liability  Directors’ & Officers’ Liability  Third party insurance coverage versus first party direct loss coverage  Pros and Cons of adding Cyber coverage to traditional insurance policies by way of endorsement NETWORK SECURITY & PRIVACY LIABILITY INSURANCE
© 2018 HUB International Limited.8 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE What do underwriters look for in their risk assessment?  Your Information:  Type of information an organization is responsible for and the number of records  All about Planning: Incident Response Plans, Disaster Recovery Plans, Business Continuity Plans, Responsive and protective IT security procedures  Your people  Controls in place to set expectations for employees as far as their awareness and responsibility for dealing with sensitive information  Governance: How engaged is the executive management and leadership? Network Security and privacy issues are no longer an IT issue. They are a governance issue  Information Security  Do you understand what all kinds of data you control and why?  Due diligence internally and with outside service providers for data protection  Safeguards for personally identifiable information, especially healthcare and credit cards  Your Vendors  Do you ensure 3rd Party providers are meeting both regulatory and contractual obligations related to information security
© 2018 HUB International Limited.9 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE Third Party Liability  Privacy Liability: Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Can also be enhanced to provide coverage for regulatory proceedings brought by a government agency alleging the violation of any federal, state, or foreign identity theft or privacy protection legislation.  Network Security Liability: Covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.  Internet Media Liability: Covers infringement of copyright or trade mark, invasion of privacy, libel, slander, plagiarism, or negligence by the organization from the content on its’ internet website
© 2018 HUB International Limited.10 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE First Party Expenses  Data Breach Expenses  Legal Expenses: Covers expenses to retain “breach coach” lawyer to advise and guide the process of managing a breach incident  Forensic Expenses: Covers expenses to retain third party computer forensics services to determine the scope of a failure of Network Security  Notification Expenses: Covers expenses to notify customers whose sensitive personal information has been breached.  Crisis Management Expenses: Covers expenses to obtain legal, public relations or crisis management services to restore the company’s reputation.  Credit Monitoring Expenses: Covers the cost of credit monitoring, credit freezing or fraud alert service expenses for breaches of true identity data.  Network Extortion Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.  Digital Asset Loss Covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.  Business Interruption Loss Covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network.
© 2018 HUB International Limited.11 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE There are nuances to cyber risks that are coverage-specific  Social Engineering and Social Engineering Fraud:  The art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques  Social Engineering Fraud coverage as a coverage enhancement that refers to “phishing” attacks that involve MONEY! o Cyberliability insurance = protection of DATA o Crime insurance = protection of MONEY  Lessons learned:  REVIEW YOUR COVERAGE! o Is your crime coverage enhanced with social engineering fraud coverage? o If not, can your cyberliability insurer provide social engineering fraud coverage? o Distinguish between ‘computer funds transfer’ coverage and ‘social engineering fraud’ coverage o Are your limits and deductibles appropriate in order take advantage of the coverage? o Watch for subjectivities, i.e. voice confirmation in advance of transfer
© 2018 HUB International Limited.12 PRESENTER Patrick Bourk Principal, National Cyber Practice Leader, HUB International Insurance Brokers As an insurance coverage expert, Patrick provides technical expertise in the analysis, placement and negotiation of various management risk insurance coverages including professional liability, crime and directors’ & officers’ liability insurance but with an emphasis on cyber liability insurance. In addition to negotiating terms and placing coverage Patrick’s cyber liability insurance practice also includes advising clients on how best to align breach response planning with insurance and risk mitigation solutions. A graduate of Windsor Law School in 1997, Patrick began his career as an associate lawyer with a commercial litigation focus. After moving to Toronto to work for a national law firm, he joined the Legal and Claims Department of London Guarantee Insurance Company, specializing in directors' and officers' coverage, technology and miscellaneous professional liability, employment practice liability, and fidelity coverage. Prior to joining HUB, Patrick was a Claims Lawyer for the Financial and Professional Services Group at Travelers Insurance Company and its predecessor companies. Patrick is a licensed lawyer and Member of the Law Society of Upper Canada, a Member of International Association of Privacy Professionals (IAPP), and has been a part-time instructor at both Sheridan College and Humber College, where he has taught courses on law for business managers. He has authored several publications in the areas of specialty insurance coverage and cyber liability and has been a frequent speaker at conferences and symposiums focusing on cyber liability insurance both in Canada and the U.S. Patrick also holds a Cyber COPE Insurance Certificate designation after completing an executive certification in Cybersecurity through Heinz College of Carnegie Mellon University.
© 2017 HUB International Limited.13 © 2018 HUB International Limited.13 QUESTIONS ?

More Related Content

PPTX
Cybersecurity: Protection strategies from Cisco and Next Dimension
byNext Dimension Inc.
 
PPTX
A Brave New World of Cyber Security and Data Breach
byJim Brashear
 
PDF
Insights into cyber security and risk
byEY
 
PDF
Why Executives Underinvest In Cybersecurity
byHackerOne
 
PPT
Statewide Insurance Brokers - Cyber Insurance 101
byStatewide Insurance Brokers
 
PPTX
CYBER SECURITY FOR LAW FIRMS
byScott Suhy
 
PPTX
New York Department of Financial Services Cybersecurity Regulations
byShawn Tuma
 
PDF
The Legal Case for Cybersecurity
byShawn Tuma
 
Cybersecurity: Protection strategies from Cisco and Next Dimension
byNext Dimension Inc.
 
A Brave New World of Cyber Security and Data Breach
byJim Brashear
 
Insights into cyber security and risk
byEY
 
Why Executives Underinvest In Cybersecurity
byHackerOne
 
Statewide Insurance Brokers - Cyber Insurance 101
byStatewide Insurance Brokers
 
CYBER SECURITY FOR LAW FIRMS
byScott Suhy
 
New York Department of Financial Services Cybersecurity Regulations
byShawn Tuma
 
The Legal Case for Cybersecurity
byShawn Tuma
 

What's hot

PPTX
Cyber Security - Things you need to know
byNathan Desfontaines
 
PDF
Key Findings from the 2015 IBM Cyber Security Intelligence Index
byIBM Security
 
PDF
Cyber Resilience
byIan-Edward Stafrace
 
PPTX
Cyber security
byVaibhav Jain
 
PPTX
The Science and Art of Cyber Incident Response (with Case Studies)
byKroll
 
PPTX
Cybersecurity Risks for Businesses
byAlex Rudie
 
PPTX
cybersecurity strategy planning in the banking sector
byOlivier Busolini
 
PDF
Implementing a Security Management Framework
byJoseph Wynn
 
PDF
Top Cyber Security Trends for 2016
byImperva
 
PPTX
Cyber Crime Threat Landscape - A Focus on the Financial Industry
byWilliam McBorrough
 
PPTX
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
byKroll
 
PPT
Data Risks In A Digital Age
bypadler01
 
PPTX
Your cyber security webinar
byEmpired
 
PPTX
A Look at Cyber Insurance -- A Corporate Perspective
byDawn Yankeelov
 
PDF
Using international standards to improve Asia-Pacific cyber security
byIT Governance Ltd
 
PDF
Real Life Examples of Cybersecurity with Neo4j
byNeo4j
 
Cyber Security - Things you need to know
byNathan Desfontaines
 
Key Findings from the 2015 IBM Cyber Security Intelligence Index
byIBM Security
 
Cyber Resilience
byIan-Edward Stafrace
 
Cyber security
byVaibhav Jain
 
The Science and Art of Cyber Incident Response (with Case Studies)
byKroll
 
Cybersecurity Risks for Businesses
byAlex Rudie
 
cybersecurity strategy planning in the banking sector
byOlivier Busolini
 
Implementing a Security Management Framework
byJoseph Wynn
 
Top Cyber Security Trends for 2016
byImperva
 
Cyber Crime Threat Landscape - A Focus on the Financial Industry
byWilliam McBorrough
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
byKroll
 
Data Risks In A Digital Age
bypadler01
 
Your cyber security webinar
byEmpired
 
A Look at Cyber Insurance -- A Corporate Perspective
byDawn Yankeelov
 
Using international standards to improve Asia-Pacific cyber security
byIT Governance Ltd
 
Real Life Examples of Cybersecurity with Neo4j
byNeo4j
 

Similar to Cybersecurity: What does Cyber Insurance Cover?

PPTX
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
byDon Grauel
 
PDF
Protecting Your Business From Cyber Risks
byThis account is closed
 
PDF
CyberSecurity Insurance - The Ugly Truth!
bytopseowebmaster
 
PDF
Cyber Security and Data Protection
byStrategic Insurance Software
 
PDF
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...
byBrowne Jacobson LLP
 
PDF
Managing and insuring cyber risk - coverage of insurance policies
byIISPEastMids
 
PPTX
The Basics of Cyber Insurance
byHB Litigation Conferences
 
PPTX
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
byAftab Hasan
 
PDF
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
PDF
protectingyourbusinessfromcyberrisks-pptforseminarnov122014-141120120959-conv...
byJames Fisher
 
PPTX
IT & Network Security Awareness
byThe Network Support Company
 
PDF
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
bySecureDocs
 
PDF
GDPR Cyber Insurance 11/1/2017
byisc2-hellenic
 
PPTX
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
PDF
Digital economy and its effect on cyber risk
byaakash malhotra
 
PPT
Cyber Risks
byRickWaldman
 
PPT
Cyber Liability Insurance
byGraeme Newman
 
PPTX
Captive Insurance and Cyber Risk
byThe Law Office of Hale Stewart
 
PPTX
Avoiding the Cyber Clutter: A Practical Guide to Cybersecurity
byUri Gutfreund, Law Firm Insurance Guru
 
PDF
84017
bySteven Browne
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
byDon Grauel
 
Protecting Your Business From Cyber Risks
byThis account is closed
 
CyberSecurity Insurance - The Ugly Truth!
bytopseowebmaster
 
Cyber Security and Data Protection
byStrategic Insurance Software
 
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...
byBrowne Jacobson LLP
 
Managing and insuring cyber risk - coverage of insurance policies
byIISPEastMids
 
The Basics of Cyber Insurance
byHB Litigation Conferences
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
byAftab Hasan
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
protectingyourbusinessfromcyberrisks-pptforseminarnov122014-141120120959-conv...
byJames Fisher
 
IT & Network Security Awareness
byThe Network Support Company
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
bySecureDocs
 
GDPR Cyber Insurance 11/1/2017
byisc2-hellenic
 
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
Digital economy and its effect on cyber risk
byaakash malhotra
 
Cyber Risks
byRickWaldman
 
Cyber Liability Insurance
byGraeme Newman
 
Captive Insurance and Cyber Risk
byThe Law Office of Hale Stewart
 
Avoiding the Cyber Clutter: A Practical Guide to Cybersecurity
byUri Gutfreund, Law Firm Insurance Guru
 
84017
bySteven Browne
 

More from Next Dimension Inc.

PPTX
Siskinds | Incident Response Plan
byNext Dimension Inc.
 
PPTX
Veeam: Cybersecurity protection solutions through Backup and Availability
byNext Dimension Inc.
 
PPTX
Next Dimension: How to create a Cybersecurity Strategy
byNext Dimension Inc.
 
PPTX
Cybersecurity and the Law: Fasken Law Firm
byNext Dimension Inc.
 
PDF
Next Dimension and Veeam | Solutions for PIPEDA Compliance
byNext Dimension Inc.
 
PDF
Next Dimension and Cisco | Solutions for PIPEDA Compliance
byNext Dimension Inc.
 
PDF
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
byNext Dimension Inc.
 
PPTX
Next Dimension IIoT Presentation
byNext Dimension Inc.
 
PDF
Next Dimension + Cisco Smart Manufacturing
byNext Dimension Inc.
 
Siskinds | Incident Response Plan
byNext Dimension Inc.
 
Veeam: Cybersecurity protection solutions through Backup and Availability
byNext Dimension Inc.
 
Next Dimension: How to create a Cybersecurity Strategy
byNext Dimension Inc.
 
Cybersecurity and the Law: Fasken Law Firm
byNext Dimension Inc.
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
byNext Dimension Inc.
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
byNext Dimension Inc.
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
byNext Dimension Inc.
 
Next Dimension IIoT Presentation
byNext Dimension Inc.
 
Next Dimension + Cisco Smart Manufacturing
byNext Dimension Inc.
 

Recently uploaded

PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 

Cybersecurity: What does Cyber Insurance Cover?

  • 1.
    © 2017 HUBInternational Limited.1 © 2019 HUB International Limited.1 Cyber threats to your Business Next Dimension Patrick Bourk, HUB International Insurance Brokers Principal, National Cyber Practice Leader Office: 416.619.8097 | Mobile: 416.302.0886 | patrick.bourk@hubinternational.com
  • 2.
    © 2018 HUBInternational Limited.2 CYBER RISK – IT IS EVERYWHERE A bombardment of media attention  Not a day goes by without another story … April 2018: bleepingcomputer.com reported that Microsoft saw a 24% rise in tech support scam complaints. received over 153,000 reports from customers who were the victims of a tech support scam in 2017 compared to complaints the received in 2016. Around 15% of the users who complained to Microsoft admitted to losing money to scammers, on average between $200 and $400. According to the NetDiligence Cyber Claims Study 2017 which analyzes claims information provided by insurance company participants, the range of cost per record lost between 2014-2017 was between $0.01 and $1.5M! The average cost per lost record was $8,000 and the median was $46.50. The average total breach cost was $394,000, the median $56,000.  One things leads to another  No Business Sector is too small: NetDiligence Cyber Claims Study 2017 noted that of the 591 claims reviewed by business sector, Professional Service firms had the highest number(18%) followed by Healthcare (17%) , Financial Services (13%) and Retail (11%). CFC Underwriting reports that 90% of claims affect businesses with less than $50M in revenues. For smaller sized organizations the impact of a breach can often be far more devastating.  City of Atlanta: The City entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days following their cyber attack of March 22nd, 2018. Despite hiring outside security consultants and crisis communications experts, some departments remained hobbled when last reported April 12th, 2018. The $2.7 million figure does not include outside legal advice nor lost productivity costs. The ransomware demand was for $52,000.
  • 3.
    © 2018 HUBInternational Limited.3 CYBER RISK – PERCEPTIONS & REALITIES ©2015 Integro Insurance Brokers Source: Advisen Survey of Cyber Insurance Market Trends 2016 THE CLIENT  It’s an “IT Thing” and so Cyber must be an untranslatable kind of coverage that can’t be understood and is therefore TERRIFYING!  It is NOT just an IT matter and the coverage, although very customizable and nuanced, is capable of translation!  Board Members and Senior Management are now interested and are asking questions  As the topic “du jour” management teams have an obligation to educate themselves. As for buying it ….
  • 4.
    © 2017 HUBInternational Limited.4 CYBER RISK – PERCEPTIONS & REALITIES ©2015 Integro Insurance Brokers  5 REASONS CLIENTS DON’T BUY CYBER LIABILITY INSURANCE  Our Director of IT assures us that our systems are 100% secure  We don’t hold any health information or sensitive data and therefore our exposure is minimal  Our firm is too small to be considered a target (we are not Target, or Home Depot or Equifax)  We outsource everything to 3rd parties and therefore carry none of the liabilities  We would rather invest in our technology systems than insurance
  • 5.
    © 2018 HUBInternational Limited.5 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE What has recent case law highlighted?  Unprecedented litigation activity and class certifications  Jones v. Tsige – The tort of “intrusion upon seclusion” – turned the tap from trickle to flood  Plaintiffs are finding creative damage mechanisms (Evans v. Scotia) and are testing them in the class action forum  Breach incidents giving rise to collateral damage  Directors, officers and management teams are now being held to account  “Business to business” claims on the rise – consumers as victims seek compensation from banks who bring suit against the original corporate victim  Legislative landscape – change has arrived  The courts have been creating the framework for response requirements rather than the legislation but … Bill S-4 passed into law June 18th, 2015, Regulations were published April 18th, 2018 and …  NOVEMBER 1st, 2018 – Mandatory notice and reporting where there is a “real risk of significant harm to the individual”  Mandatory record keeping for ALL breaches – Expect the ‘breach log’ to be a target
  • 6.
    © 2018 HUBInternational Limited.6 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE The “three pillars” of breach exposure  Ransomware/Cyber Extortion  Significant increase in reported claims since 2016 and affecting every industry sector  Since 2016 a noticeable increase in targeted ransomware variants – identifying specific businesses and their likelihood of making payment  External intrusions targeting specific confidential information  Organizations with networks of affiliated organizations make for prime targets since network integration is rare and systems are often inconsistently monitored and/or updated. If more than 5-10 linked institutions, then malware is often customized given the size of opportunity for hackers  Foundations typically hold extremely valuable non-PII information – sensitive financial and donor information  Phishing attacks  Theft of money but equally concerning are attacks that deny access to corporate network systems  Seemingly innocuous businesses can be “locked down” for days causing huge delays and resulting in significant business interruption/extra expense losses
  • 7.
    © 2018 HUBInternational Limited.7 To what extent do traditional insurance policies respond to breaches?  Common insurance policies purchased by most enterprises that may or may not respond to network security or privacy breach situations  General Liability  Business Interruption  Fidelity (Crime)  Professional Liability  Directors’ & Officers’ Liability  Third party insurance coverage versus first party direct loss coverage  Pros and Cons of adding Cyber coverage to traditional insurance policies by way of endorsement NETWORK SECURITY & PRIVACY LIABILITY INSURANCE
  • 8.
    © 2018 HUBInternational Limited.8 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE What do underwriters look for in their risk assessment?  Your Information:  Type of information an organization is responsible for and the number of records  All about Planning: Incident Response Plans, Disaster Recovery Plans, Business Continuity Plans, Responsive and protective IT security procedures  Your people  Controls in place to set expectations for employees as far as their awareness and responsibility for dealing with sensitive information  Governance: How engaged is the executive management and leadership? Network Security and privacy issues are no longer an IT issue. They are a governance issue  Information Security  Do you understand what all kinds of data you control and why?  Due diligence internally and with outside service providers for data protection  Safeguards for personally identifiable information, especially healthcare and credit cards  Your Vendors  Do you ensure 3rd Party providers are meeting both regulatory and contractual obligations related to information security
  • 9.
    © 2018 HUBInternational Limited.9 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE Third Party Liability  Privacy Liability: Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Can also be enhanced to provide coverage for regulatory proceedings brought by a government agency alleging the violation of any federal, state, or foreign identity theft or privacy protection legislation.  Network Security Liability: Covers any liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.  Internet Media Liability: Covers infringement of copyright or trade mark, invasion of privacy, libel, slander, plagiarism, or negligence by the organization from the content on its’ internet website
  • 10.
    © 2018 HUBInternational Limited.10 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE First Party Expenses  Data Breach Expenses  Legal Expenses: Covers expenses to retain “breach coach” lawyer to advise and guide the process of managing a breach incident  Forensic Expenses: Covers expenses to retain third party computer forensics services to determine the scope of a failure of Network Security  Notification Expenses: Covers expenses to notify customers whose sensitive personal information has been breached.  Crisis Management Expenses: Covers expenses to obtain legal, public relations or crisis management services to restore the company’s reputation.  Credit Monitoring Expenses: Covers the cost of credit monitoring, credit freezing or fraud alert service expenses for breaches of true identity data.  Network Extortion Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless consideration is made.  Digital Asset Loss Covers costs incurred to replace, restore or recollect data which has been corrupted or destroyed as a result of a network security failure.  Business Interruption Loss Covers loss of income and extra expense arising out of the interruption of network service due to an attack on the insured’s network.
  • 11.
    © 2018 HUBInternational Limited.11 NETWORK SECURITY & PRIVACY LIABILITY INSURANCE There are nuances to cyber risks that are coverage-specific  Social Engineering and Social Engineering Fraud:  The art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques  Social Engineering Fraud coverage as a coverage enhancement that refers to “phishing” attacks that involve MONEY! o Cyberliability insurance = protection of DATA o Crime insurance = protection of MONEY  Lessons learned:  REVIEW YOUR COVERAGE! o Is your crime coverage enhanced with social engineering fraud coverage? o If not, can your cyberliability insurer provide social engineering fraud coverage? o Distinguish between ‘computer funds transfer’ coverage and ‘social engineering fraud’ coverage o Are your limits and deductibles appropriate in order take advantage of the coverage? o Watch for subjectivities, i.e. voice confirmation in advance of transfer
  • 12.
    © 2018 HUBInternational Limited.12 PRESENTER Patrick Bourk Principal, National Cyber Practice Leader, HUB International Insurance Brokers As an insurance coverage expert, Patrick provides technical expertise in the analysis, placement and negotiation of various management risk insurance coverages including professional liability, crime and directors’ & officers’ liability insurance but with an emphasis on cyber liability insurance. In addition to negotiating terms and placing coverage Patrick’s cyber liability insurance practice also includes advising clients on how best to align breach response planning with insurance and risk mitigation solutions. A graduate of Windsor Law School in 1997, Patrick began his career as an associate lawyer with a commercial litigation focus. After moving to Toronto to work for a national law firm, he joined the Legal and Claims Department of London Guarantee Insurance Company, specializing in directors' and officers' coverage, technology and miscellaneous professional liability, employment practice liability, and fidelity coverage. Prior to joining HUB, Patrick was a Claims Lawyer for the Financial and Professional Services Group at Travelers Insurance Company and its predecessor companies. Patrick is a licensed lawyer and Member of the Law Society of Upper Canada, a Member of International Association of Privacy Professionals (IAPP), and has been a part-time instructor at both Sheridan College and Humber College, where he has taught courses on law for business managers. He has authored several publications in the areas of specialty insurance coverage and cyber liability and has been a frequent speaker at conferences and symposiums focusing on cyber liability insurance both in Canada and the U.S. Patrick also holds a Cyber COPE Insurance Certificate designation after completing an executive certification in Cybersecurity through Heinz College of Carnegie Mellon University.
  • 13.
    © 2017 HUBInternational Limited.13 © 2018 HUB International Limited.13 QUESTIONS ?

Editor's Notes