This document summarizes a presentation on protecting businesses from cyber risks. It discusses the growing nature and costs of cyber threats and data breaches for businesses. These include increased electronic data production, more devices being connected online, and outsourced IT services increasing potential data loss. The document outlines sources of cyber risk like targeted attacks, human error, and theft of devices. It discusses the types of insurable and uninsurable cyber losses for businesses and where losses could potentially be covered by insurance like E&O, CGL, D&O or cyber/tech policies. The presentation emphasizes that businesses should be aware of their cyber risk exposure and proactively assess their insurance coverage, as policies may not fully cover all losses from a
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
This presentation examines to what extent that cyber-insurance can be a useful tool to manage the risks and harms caused by massive cyber-attacks from the national as opposed to enterprise standpoint,
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
This presentation examines to what extent that cyber-insurance can be a useful tool to manage the risks and harms caused by massive cyber-attacks from the national as opposed to enterprise standpoint,
Managing and insuring cyber risk - coverage of insurance policiesIISPEastMids
Tim Johnson, a Cyber Insurance specialist from Browne Jacobson, looks in detail at what Cyber Insurance will cover businesses for and gave some tips on what to consider when deciding on a policy. Given as part of the East Midlands Cyber Security Forum on 21st May. More details at https://www.nexor.com/iisp-east-midlands/may-2015.
“Cyber Liability & Cyber Insurance” - A discussion on best practices around Prevention, Detection, and Response!
Sponsored by Datto and Webster Bank
Series brought to you by the Connecticut Technology Council.
____________
TOPIC FOCUS:
1. Evolution and acceptance of Cybersecurity insurance
a. Understanding risk & effect on businesses
i. Used to be major brands, now widespread.
ii. Risk recognized, business leaders looking to minimize risk
b. Describing changes in cybersecurity insurance
How coverages have evolved - not just for biggest companies
i. Insurers are working with (tech) companies to get it right
ii. Where is it going from here? Trends, specialty insurance
2. Describe insurance types/ specifics and how they perform when needed
. Not all policies are the same
a. What to look for
b. How they vary by type of business (Healthcare vs. Retail vs. Software Co.)
c. What gaps still remain (What can’t get covered?)
3. How to minimize cost, get most value for your company
. Some protections on your current policies
a. Gating elements - What the insurance companies want to see - how that might help costs
4. Best practices generally
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Over 40% of UK businesses experienced a cyber security breach or attack in the last 12 months, according to a new report from the Department for Digital, Culture, Media and Sport. The Cyber Security Breaches Survey 2018’s finding was that three quarters of businesses have now made cyber security a high priority for their senior management.
However, only 27% actually have formal cyber security policies in place and just 30% have board members or trustees with responsibility for cyber security. Breaches were more often identified among the organisations that hold personal data, where staff use personal devices for work or that use cloud computing. More worryingly, one in five businesses admitted to never updating their senior managers on cyber security issues.
All businesses are targets for hackers, no matter what their size or sector. Attacks are becoming more sophisticated and don’t even always come from humans but instead from hacker-created bots which are programmed to continually evolve new algorithms in order to identify potential areas of attack.
Technology and the ways in which businesses communicate and transact will continue to expand in 2019. Predicated trends are extensive though worth mentioning include the increased take up of single password log-ins, allowing employees to access all their authorised systems, increased reliance on cloud storage especially for customer data, the arrival of 5G supporting new technology and flexible working, ever more sophisticated AI including chat bots and workflow applications, 24/7 customer multi-platform expectations and many more.
BYOD - Bringing Technology to work | Sending Data EverywhereJim Brashear
Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.
Webinar Agenda:
1. What does fraud look like during the COVID-19 crisis.
2. Emerging threats in payments fraud.
3. Best practices to combat payment fraud.
Basics of insurance coverage and evolving issues surrounding cyber, data breaches, and a big picture overview of how it impacts businesses and the lawyers advising them.
Cyber risk has become a leading issue for many organisations as awareness of cloud computing, social media, corporate Bring Your Own Device (BYOD) policies and big data has grown, especially in light of the recent malicious cyber attacks experienced by companies across the European Union (EU). In an increasingly punitive legal and regulatory environment, and in the face of more frequent contractual insurance requirements specifying cyber liability, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection.
Changes hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
From the largest to the smallest company, the inescapable truth is that with the click of a few keys or even a simple phone call, intruders can bypass all of your carefully constructed security. According to the Ponemon Institute's 2015 Cost of Data Breach Study, the average total cost of a data breach increased from $3.52 million to $3.79 million in 2014.
While a number of major data breaches have made the news, often overlooked are the events and decisions that set the stage for the breach to occur. In this hour-long webinar, Global Knowledge instructor Phill Shade will walk through a number of key areas in which today's decisions set the stage for tomorrow's breach.
Cyber Liability - Insurance Risk Management and PreparationEric Reehl
See how Adaptive Solutions is delivering leading cyber risk management solutions through its strategic alliance with Willis Towers Watson and Darklight Technologies.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Measuring the filtration efficiency and particle indoor outdoor concentration...CLEEN_Ltd
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
Managing and insuring cyber risk - coverage of insurance policiesIISPEastMids
Tim Johnson, a Cyber Insurance specialist from Browne Jacobson, looks in detail at what Cyber Insurance will cover businesses for and gave some tips on what to consider when deciding on a policy. Given as part of the East Midlands Cyber Security Forum on 21st May. More details at https://www.nexor.com/iisp-east-midlands/may-2015.
“Cyber Liability & Cyber Insurance” - A discussion on best practices around Prevention, Detection, and Response!
Sponsored by Datto and Webster Bank
Series brought to you by the Connecticut Technology Council.
____________
TOPIC FOCUS:
1. Evolution and acceptance of Cybersecurity insurance
a. Understanding risk & effect on businesses
i. Used to be major brands, now widespread.
ii. Risk recognized, business leaders looking to minimize risk
b. Describing changes in cybersecurity insurance
How coverages have evolved - not just for biggest companies
i. Insurers are working with (tech) companies to get it right
ii. Where is it going from here? Trends, specialty insurance
2. Describe insurance types/ specifics and how they perform when needed
. Not all policies are the same
a. What to look for
b. How they vary by type of business (Healthcare vs. Retail vs. Software Co.)
c. What gaps still remain (What can’t get covered?)
3. How to minimize cost, get most value for your company
. Some protections on your current policies
a. Gating elements - What the insurance companies want to see - how that might help costs
4. Best practices generally
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Over 40% of UK businesses experienced a cyber security breach or attack in the last 12 months, according to a new report from the Department for Digital, Culture, Media and Sport. The Cyber Security Breaches Survey 2018’s finding was that three quarters of businesses have now made cyber security a high priority for their senior management.
However, only 27% actually have formal cyber security policies in place and just 30% have board members or trustees with responsibility for cyber security. Breaches were more often identified among the organisations that hold personal data, where staff use personal devices for work or that use cloud computing. More worryingly, one in five businesses admitted to never updating their senior managers on cyber security issues.
All businesses are targets for hackers, no matter what their size or sector. Attacks are becoming more sophisticated and don’t even always come from humans but instead from hacker-created bots which are programmed to continually evolve new algorithms in order to identify potential areas of attack.
Technology and the ways in which businesses communicate and transact will continue to expand in 2019. Predicated trends are extensive though worth mentioning include the increased take up of single password log-ins, allowing employees to access all their authorised systems, increased reliance on cloud storage especially for customer data, the arrival of 5G supporting new technology and flexible working, ever more sophisticated AI including chat bots and workflow applications, 24/7 customer multi-platform expectations and many more.
BYOD - Bringing Technology to work | Sending Data EverywhereJim Brashear
Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.
Webinar Agenda:
1. What does fraud look like during the COVID-19 crisis.
2. Emerging threats in payments fraud.
3. Best practices to combat payment fraud.
Basics of insurance coverage and evolving issues surrounding cyber, data breaches, and a big picture overview of how it impacts businesses and the lawyers advising them.
Cyber risk has become a leading issue for many organisations as awareness of cloud computing, social media, corporate Bring Your Own Device (BYOD) policies and big data has grown, especially in light of the recent malicious cyber attacks experienced by companies across the European Union (EU). In an increasingly punitive legal and regulatory environment, and in the face of more frequent contractual insurance requirements specifying cyber liability, forward-thinking companies are taking proactive steps to explore and transfer cyber risk.
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection.
Changes hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
From the largest to the smallest company, the inescapable truth is that with the click of a few keys or even a simple phone call, intruders can bypass all of your carefully constructed security. According to the Ponemon Institute's 2015 Cost of Data Breach Study, the average total cost of a data breach increased from $3.52 million to $3.79 million in 2014.
While a number of major data breaches have made the news, often overlooked are the events and decisions that set the stage for the breach to occur. In this hour-long webinar, Global Knowledge instructor Phill Shade will walk through a number of key areas in which today's decisions set the stage for tomorrow's breach.
Cyber Liability - Insurance Risk Management and PreparationEric Reehl
See how Adaptive Solutions is delivering leading cyber risk management solutions through its strategic alliance with Willis Towers Watson and Darklight Technologies.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Measuring the filtration efficiency and particle indoor outdoor concentration...CLEEN_Ltd
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
Why ultrafines? Dr. Lei Dong presented by Markku RajalaCLEEN_Ltd
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
Measuring megacity air by Miikka Dal Maso and CraesCLEEN_Ltd
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
Analytical model to determine the influence of building area size on subslab ...CLEEN_Ltd
CLEEN's MMEA program organised an international seminar on cleaner air - Outdoor and indoor air quality together with Zhejiang University and assistant organizer Insigma group.
This is one of the keynote presentations in the seminar.
More info in www.mmea.fi
The cleantech field is expanding rapidly and Finnish companies are committed to working for a better environment in the fields of energy efficiency, air quality and monitoring. The world-class Cleantech know-how from Finland and the cooperation with Chinese partners and the results were highlighted in the MMEA seminar. Some of the leading Finnish cleantech companies together with Finnish and Chinese research institutions were present at the event. The seminars focused on cooperation between Finland and China concerning indoor and outdoor air quality and solutions to make them better.
How'd we do in 2013 from a data breach perspective? As we close out the year, are the cupboards / budgets bare and will it be a lean holiday season? Or should we be budgeting a holiday celebration with all of the trappings and a sumptuous New Year?
Borrowing themes from the Charles Dickens holiday classic, this webinar will review industry statistics and other indicators to evaluate how we did in 2013 from a privacy breach and security incident response perspective. Will our mythical CSO and CPO get the Scrooge-like CFO to approve their budget increases? And what will 2014 hold from a security, privacy, and regulatory perspective? Register below to find out.
Our featured speakers for this Dickensian webinar will be:
- Ebenezer Scrooge, Chief Financial Officer, Acme Inc. played by Ted Julian, Chief Marketing Officer, Co3 Systems
- Bob Cratchit, Chief Privacy Officer, Acme Inc. played by Gant Redmon, General Counsel, Co3 Systems
- Tiny Tim, Chief Security Officer, Acme Inc. played by "Tiny" Tim Armstrong, Incident Response Specialist, Co3 Systems
Legal vectors - Survey of Law, Regulation and Technology RiskWilliam Gamble
Survey of law, regulation and technology risk including new cyber security regulations, HIPAA, European Privacy GDPR, Internet of Things Liability, State Law
William Gamble
Although Sony seemed to dominate the cyber-security headlines of 2014, it was just one of many corporations infiltrated by an increasingly sophisticated and driven pool of hackers. J.P. Morgan Chase, Home Depot, and Target also top the list of businesses struggling with data breaches.
The most recent major cyberattack against Anthem Healthcare shook the insurance industry. In a rare show of honesty, the insurer began alerting customers and the media to the potential of a data break just eight days after it first noted suspicious activity on Jan. 27, 2015.
Immediately upon discovering it had been attacked, Anthem jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems, said president and CEO Joseph Swedish in a statement.
Noting the importance of protecting financial institutions, New York's Department of Financial Services responded to the Anthem breach by announcing its intent to integrate regular assessments of cyber-security preparedness at insurance companies as part of its examination process. It will also enforce "enhanced regulations" on insurers based in New York.
"Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses," said Benjamin M. Lawsky, New York State's superintendent of financial services, in a statement. He continued, "Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.“
Most people might expect that larger insurers, given the sensitive customer information they handle, would boast robust cyber-security programs. This is not necessarily true.
As part of its investigation, the Department found that 95% of insurers already think they have sufficient staff for information security, and just 14% of CEOs receive monthly briefings on data security. Anthem, the nation's second-largest health insurer, had not even encrypted its database containing nonmedical data. It claims that the HIPAA did not require it to do so.
While experts believe that Anthem was exclusively targeted in its attack, there is no doubt that all financial institutions are at risk. Here are eight things to know as the industry enters a year of increasingly heightened cyber-vulnerability.
The Unseen Enemy - Protecting the Brand, the Assets and the Customers BDO_Consulting
Michael Barba and Jeff Hall discuss the most pressing cyber-threats facing retailers and what companies can do in the event of a cyber breach, data loss or claim. Mr. Barba is a managing director and Mr. Hall is a senior manager with BDO Consulting.
Your organization is at risk! Upgrade your IT security & IT governance now.Cyril Soeri
The ICT Association Suriname in collaboration with the Telecommunication Authority Suriname (TAS) presented a Cybersecurity awareness session for the members of the Chamber of Commerce. TAS presented the national response to IT incidents by explaining the implementation of the Computer Emergency Response Team (CERT).
Rick Borden, Chief Privacy Officer, White & Williams LLP - #InfoGov17 - Cyber...ARMA International
While information governance has been a best practice in cybersecurity, outside of the Federal government and Sarbanes-Oxley financial reporting requirements, for the most part, regulations have not required information governance. That is rapidly changing. The New York Department of Financial Services new cybersecurity regulation has intensive information governance requirements that go beyond personal information. the European Global Data Protection Regulation also has significant information governance requirements. This session will discuss some of these regulatory requirements and where regulation is going in these areas.
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
The pace and scale of technology advancements have created extraordinary avenues for businesses to grow. But with opportunities come risks, which need to be constantly navigated. Read this blog to uncover the top 5 cybersecurity trends to watch out for in 2021 and beyond.
2. Today’s Topics
• Nature and extent of cyber losses
• Traditional commercial cover
• Coverage jurisprudence
• D&O connection
• Risk management considerations
• Regulatory framework
• Privacy breach jurisprudence
• Best practices in breach response
2
3. Cyber Threats
• More electronic data will be produced in the year
2017 then will have been produced in total up to
that point in time
f• Web based information technology changing
risk profiles
• Outsourced IT services and cloud based IT
services have increased potential data lossservices have increased potential data loss
3
4. Cyber Threats
• More devices being connected on-line
• Widening potential entry points for disruption
• Broadening impacts of a disruption
4
8. Data Breaches
• Breaches increasing in number and severity
• Number of known data breaches in 2013 tripled
from that in 2012
• On average, attackers in system for over 200
ddays
8
9.
10. Cost of Breach
• Poneman Institute study:
• Average cost of breach is US$3.5 Million
• Average cost per record is US$145
10
11. Insurable Cyber Losses
• First-party losses
• Data breach response
• Crisis management costs
• Lost income
• Online defamation
Regulatory defence costs and fines• Regulatory defence costs and fines
• Cyber-extortion
11
12. Insurable Cyber Losses
• Third-party losses
• Customer or client losses resulting from data breach
• Invasion of privacy claims
• Client losses resulting from inability to access systems
12
13. Uninsurable Cyber Losses
• Damage to reputation/brand
• Loss of goodwill
• Loss of future earnings
• Opportunity cost
13
15. E&O
• Damages or losses that insured legally obligated
to pay as a result of a “claim”
• Ordinarily tied to “wrongful act” or negligence
f f farising from delivery of “professional services”
M t i i /d t b h l i• May contain privacy/data breach exclusion
15
16. D&O
• Damages or losses that insured legally obligated
to pay as a result of a “claim”
• Claim arising from decisions and actions taken
f fon behalf of the corporation
16
17. CGL
• ‘Bodily injury' or 'property damage’
• Caused by an 'occurrence,'
• ‘Advertising injury' or 'personal injury'
17
18. CGL
• In 2001, Insurance Services Office (U.S.) revised
its standard CGL policy form to exclude
“electronic data” from the definition of “property
damage”
• In 2005, Insurance Service Bureau of Canada
followed suitfollowed suit
18
19. CGL
Zurich American Insurance Company v Sony
Corporation of America, (NY Sup Ct, Feb 21 2014).
• Sony’s online systems breached by hackers
Personal data of 77 million users stolen• Personal data of 77 million users stolen
• Approximately 12 million credit card numbers
stolen
• Estimated $2 billion in losses
• 55 class actions commenced
• Sony claimed under CGL and excess policies
19
20. CGL
Zurich v Sony, cont’d
• Sony’s CGL policy included coverage for “oral or• Sony s CGL policy included coverage for oral or
written publication, in any matter, of material that
violates a person’s right of privacy”
• Zurich argued that “publication” required an
intentional act on the part of the insuredintentional act on the part of the insured
• Court agreed with Zurich and denied coverage; theCourt agreed with Zurich and denied coverage; the
acts of third-party hackers did not satisfy the
“publication” requirement in the CGL policy
20
21. CGL
• Sony decision has been appealed, with no date set
yet for the hearing
T ll h tl ht C t li th t it• Travellers has recently sought a Court ruling that it
is not required to defend or indemnify P.F. Chang
under CGL in class actions commenced in
connection with data breach
N fi lit t t h C t i t d l• No finality yet as to how Courts are going to deal
with this issue
21
22. CGL
• Effective May, 2014, ISO has released standard
form electronic data exclusion for CGL policies
• No guidance yet on how that exclusion will hold
up
22
23. Conclusions
• Remains to be seen how Courts will interpret
various coverage issues
• Businesses should be aware of the scope of
cyber risks and proactively assess insurance
coverage
• Businesses should not assume that
CGL/D&O/E&O policies will be sufficient to coverCGL/D&O/E&O policies will be sufficient to cover
all losses associated with a cyber event.
23
24. Thank YouThank You
Belinda BainBelinda Bain
Partner
Tel: 416-369-6174
Email: belinda.bain@gowlings.com
montréal ottawa toronto hamilton waterloo region calgary vancouver beijing moscow london
25. CYBER IS A STRATEGIC RISK
MARSH CANADA LIMITED
12 NOVEMBER, 2014
Gregory L. Eskins
National Cyber Practice Leader
gregory.eskins@marsh.com
27. A Structured Approach to Cyber Risk
“What does the
organization’s current
posture look like?
“What are the top risks
which could materially
impact the organization?
“How can we mitigate
these risks?”
“What are the economic
implications of the risks
identified?
• Dependency on Vendors
(cloud mobile hosting
• Review existing risk
assessment material and
• Generate loss scenario’s
based on the priority risk
• Based on the outcomes ,
seek to identify the root
Risk Quantification
Understanding the
risk exposure
Risk Assessment
1 2 3
Recommendation
s and
prioritization
4
(cloud, mobile, hosting,
etc…)
• Domicile of Customers
• Compliance with
Regulatory Requirements
assessment material and
identify top cyber risk
elements
• Conduct interviews with
internal business units
and operational
based on the priority risk
categories
• Model the costs of a
privacy breach, if relevant
• Quantify economic loss
seek to identify the root
causes
• Align largest risks with risk
appetite
• Create risk mitigation
(including PCI)
• Critical Asset Inventory
(what protections are in
place?)
• Conduct platform
and operational
departments
• Based on the above, and
understanding of the
business, create a
common risk taxonomy
stemming from an
interruption to the business
due to a technology failure
(internal or external –
vendor)
recommendations for the
highly exposed risk
elements
Conduct platform
operational maturity
assessment
• Reliance of technology to
conduct business
operations?
y
with cyber risk categories
and the cyber risk
elements within each
category
• Prioritize risk categories in
MARSH
p
terms of economic impact
and frequency (likelihood)
28. Getting Key Stakeholders Involved.
• It has long been recognized that D&O’s have a fiduciary duty to protect the assets of
their organization. Today this duty extends to digital assets.
• Is the board informed about the most serious cybersecurity risks facing the industry,
and has it worked with executives to develop a cybersecurity risk appetite
statement?
• Does the company have a written cybersecurity risk management strategy andDoes the company have a written cybersecurity risk management strategy and
governance framework? How is it measured and how well is it working? When was it
last reviewed?
• What are the most likely types of external threats? What are the internal threats?
• Security risk is complex, widespread, technical, and ever-changing. As a result, it is
difficult to quantify probability – there is little data.
• The process of applying for cyber insurance is itself a constructive exercise for raisingThe process of applying for cyber insurance is itself a constructive exercise for raising
awareness and identifying potential vulnerabilities.
• What insurance policies cover the company against network security breaches and
other cybersecurity incidents? Is this coverage up to date and is it adequate?
MARSH
other cybersecurity incidents? Is this coverage up to date and is it adequate?
28
30. Current Purchasing Patterns
5%
1%
11%
4%
13%
5%
Sports Entertainment &
Events
Transportation
The number of Marsh clients
8%
8%
10%
10%
14%
13%
Power and Utilities
Retail and Wholesale
The number of Marsh clients
purchasing cyber insurance
increased 21% from 2012 to
2013
32%
4%
8%
37%
8%
45%
16%
Health Care
Hospitality and Gaming
10%
32%
19%
13%
22%
17%
Education
Financial Institutions
7%
10%
10%
10%
19%
13%
11%
All I d t i
Communications, Media and
Tecnology
Education
2013
2012
2011
MARSH
7%
10%All Industries
2011
30
31. Security and Privacy Insurance Policy Risk Matrix
For Illustrative Purposes Only
Privacy and Cyber Perils Property
General
Liability
Traditional
Crime
Computer
Crime E&O Special Risk
Broad Privacy and
Cyber Policy
Indemnification of your notification costs including Privacy Liability
Not
covered
Covered Dependent upon specifics of claims,
may have some coverage
Indemnification of your notification costs, including
credit monitoring services
Privacy Liability
(sub-limited)
Defense of regulatory action due to a breach of
privacy regulation
Privacy Liability
(sub-limited)
Coverage for Fines and Penalties due to a breach of
privacy regulation
Privacy Liability
(sub-limited)privacy regulation (sub-limited)
Threats or extortion relating to release of
confidential information or breach of computer
security
Cyber Extortion
•Liability resulting from disclosure of electronic
information and electronic information assets
Network Security
Liability from disclosure of confidential commercial
and/or personal information (i.e. breach of privacy)
Privacy Liability
Liability for economic harm suffered by others from a
failure of your computer or network security
(including written policies and procedures designed
Network Security
to prevent such occurrences)
Website infringes on IP or is defamatory Media/Content
Coverage
Destruction, corruption, or theft of your electronic
information assets/data due to failure of computer or
t k
Digital Assets
MARSH
network
Theft of your computer systems resources Digital Assets
Loss of revenue and extra expense incurred due to
a failure of security
Business Interruption
31
32. Privacy and Cyber Coverage Overview
• Privacy Liability: Harm suffered by others due to the collection or disclosure
of confidential information.
• Network Security Liability: Harm suffered by others from a failure of your network
3rd
Network Security Liability: Harm suffered by others from a failure of your network
security.
• Cyber Extortion: The cost of investigation and the extortion demand (limited
crisis consultant expenses).
• Regulatory Defense: Legal counsel for regulatory actions including coverage• Regulatory Defense: Legal counsel for regulatory actions including coverage
for fines and penalties where permissible.
• Event/Breach Costs: The costs of complying with the various breach notification
laws and regulations including legal expense, call centers, credit
monitoring, and forensic investigation.g, g
• Digital Assets: The value of data stolen, destroyed, or corrupted by a cyber
attack.
• Business Interruption: Business income that is interrupted by a cyber attack
or a failure of technology (including the extra expense)
1st
or a failure of technology (including the extra expense).
Coverage for privacy liability requires no negligence on the part of the insured and
provides defense to the entity for the intentional acts of the insured’s employees.
MARSH 32
33. Where are the Risks Going?
Standard Cyber
• Network Security & Privacy Liability
• Privacy Breach Response Costs
Coverage Spectrum Exposures
Complexi
Standard Cyber
Policy
• Privacy Breach Response Costs
• Regulatory Investigations
• Cyber Extortion
ityofInsur
Some insurers are silent;
others explicitly address • Cyberterrorism
ranceSolu
Manuscript Language
• Business interruption attributable to a network
outage for any reason, e.g. operational error.
utions
Emerging Products
• Cyber CAT
• 1st
Party Property Damage and Bodily Injury
• Reputational Damage
MARSH
p g
33
35. The Board’s Role is Critical
“Until such time as cyber security becomes a regularUntil such time as cyber security becomes a regular
board of director's agenda item…the potential for
disruption is real and serious and we all pay the price.”
— Howard A. Schmidt, former Cyber Security Coordinator for President
Obama
MARSH 35
36. Cyber Breach Related Derivative Lawsuit
Cyber Liability: Data Breach Incident
“If ff t t t t th it f l i f ti b t“If our efforts to protect the security of personal information about our
customers and employees are unsuccessful, we could be subject to costly
government enforcement actions and private litigation and our reputation
could suffer. “ Company X, Inc. 10 (K) Risk Factors
A shareholder for Company X. has initiated a derivative lawsuit against
certain directors and officers of the company, as well as against the
D&O Liability: Derivative Lawsuit
MARSH
certain directors and officers of the company, as well as against the
company itself as nominal defendant, related to the multiple data breaches
the company sustained.
36
37. Cybersecurity Securities Class Actions are Likely
Cyber Liability: Data Breach Incident
“If our efforts to protect the security of personal information about our
customers and employees are unsuccessful, we could be subject to costly
government enforcement actions and private litigation and our reputation
could suffer. “ Company X. 10 (K) Risk Factors
D&O Liability: Securities Class Action
There appears to be a growing consensus that stock drops are inevitable
when the market better understands cybersecurity threats the cost of
MARSH
when the market better understands cybersecurity threats the cost of
breaches, and the impact of threats and breaches on companies’ business
models.
37
38. Directors and Officers Liability – Cyber
• The SEC guidance does not create a new obligation as far as reporting of
material events, but it does shine a spotlight on the issue
• Both the CSA and OSFI have weighed in on the increasing risks associated
with cyber security and crime. Specifically, the CSA has issued Staff Notice 11-
326, and OSFI has put forth their Cyber Security Self Assessment template (for
FRFI’s)FRFI s).
• Privacy and IT security exposure can be difficult for boards and senior
management to fully understand and keep pace with, BUT,
• This does not relieve them of the duty of oversight
– Directors need to ensure their organization’s have appropriate privacy and IT
security risk management measures in place
– Process, risk assessment, governance, and risk mitigation are critical
MARSH 38
39. D&O Liability Claims - Cyber
• Limited amount of cyber-related D&O litigation to date
– Issue not high on the list of exposures for D&O underwriters
Expected to rise as the exposure continues to grow– Expected to rise as the exposure continues to grow
• D&O insurance may be implicated:
– If directors and officers are sued for failing to properly disclose exposure to
IT securityIT security
– If privacy risks lead to a financial loss and/or drop in a company’s stock price
– A plaintiff’s attorney will look at the adequacy of the disclosures
around the risk
• To date, most claims have been brought by customers and regulators against
the company—claims that are typically not covered under a D&O policy (unless
entity coverage is purchased – private companies only)
• A steady growth in the dependence of business on technology and a steady
growth in cyber attacks means that the exposure is growing
• In terms of disclosure, the issue of materiality may be in the eye of the beholder
MARSH
, y y y
or investor: Could prove a fertile area of litigation
39
40. Directors and Officers Liability - Cyber
Board members need to be informed of the risks associated with privacy and
IT security
• Protection from claims of negligence
• Defense under the business judgment rule
They need to understand:
• The magnitude of the risks
• The procedures in place to mitigate the risksThe procedures in place to mitigate the risks
And thus, Organizations may want to look at:
• How often the board receives reports on privacy and IT security risks?
H h i th t ?• How comprehensive are those reports?
MARSH 40
42. P i B h C di L lPrivacy Breach: Canadian Legal
Update, Notification Obligations
and Risk Mitigationg
Peter Murphy
(416) 369-4674( )
peter.murphy@gowlings.com
43. Legal Update: PIPEDA
PIPEDA established an “ombudsman” privacy
enforcement system
• A complaint is made to PCC for breach of PIPEDA
• PCC may investigate and issue a report
Th l i l i f h• The complainant may apply to court in respect of the
complaint or the report
• The court may grant remedies order the defendant toThe court may grant remedies, order the defendant to
change its practices, and/or award damages, including
damages for any humiliation the complainant has
s fferedsuffered
43
44. Legal Update: PIPEDA
Chitrakar v. Bell TV, 2013 FC 1103
• Bell TV ran a credit check on complainant without
permission
• If performed with sufficient frequency, this type of
credit check impacts on the credit ratingcredit check impacts on the credit rating
• Bell TV gave complainant “the royal runaround” and
did not resolve his privacy concernsy
• Bell TV responded to PCC in a “disingenuous”
manner. First it denied it knew which employee
ordered the credit check then it said the employeeordered the credit check, then it said the employee
was terminated
44
45. Legal Update: PIPEDA
• PCC upheld complaint and issued recommendations
• Complainant applied to court
• Bell did not appear in court
• Justice Phelon concluded that Bell TV “violated
Chitrakar’s privacy rights under PIPEDA”Chitrakar’s privacy rights under PIPEDA”
• The court acknowledged common law principles of
compensation, deterrence and vindication whenp ,
granting damages
• Court awarded $10,000 damages, $10,000 exemplary
d d $1 000 tdamages, and $1,000 costs
45
46. Legal Update: Ontario Privacy Tort
Jones v. Tsige, 2012 ONCA 32
• Created tort of “intrusion upon seclusion” in Ontario
• Jones sued Tsige, a BMO employee, for accessing
Jones’ banking records for personal reasons at least
174 times over four years174 times over four years
• Jones sued Tsige for invasion of privacy and breach of
fiduciary dutyy y
• OCA recognized “intrusion upon seclusion” as a cause
of action and awarded $10,000 damages
46
47. Legal Update: Ontario Privacy Tort
To find “intrusion upon seclusion”:
• The defendant must have acted intentionally or
recklessly;
• The defendant must have invaded the plaintiff’s private
affairs or concerns; andaffairs or concerns; and
• A reasonable person would regard the invasion as
highly offensive, causing distress, humiliation org y g
anguish
P f f t l l i t l t f th fProof of actual loss is not an element of the cause of
action!
47
48. Legal Update: Ontario Privacy Tort
Limits on “intrusion upon seclusion”:
• Claims can only arise for significant invasions of
personal privacy
• The right of privacy may be subject to competing rights
D f thi t t “ b li ” “ l” d ill• Damages for this tort are “symbolic” or “moral” and will
likely be no more than $20,000
Note the British Columbia Court of Appeal has ruled that,
despite Jones, in B.C. there is no common law tort of
b h f i 1breach of privacy.1
1 Uf k A i I C ti f B iti h C l bi 2013 BCSC 1308
48
1 Ufuk Ari v. Insurance Corporation of British Columbia, 2013 BCSC 1308
49. Legal Update: Privacy Class Actions
During 2013:
• 81% year-over-year increase in breach reports to PCC
from private sector organizations
• PIPEDA complaints increased from 220 to 426
P i l ti it l d d• Privacy class action suits exploded
49
50. Legal Update: Privacy Class Actions
Condon v. Canada, 2011 FC 250
• Motion to certify a class action against the Minister of
Human Resources and Skills Development Canada
(“MHR”)
• Alleges MHR lost a hard drive that contained student• Alleges MHR lost a hard drive that contained student
loan information of 583,000 individuals
• Hard drive was not encrypted and went missing fromy g
cabinet
• MHR notified PCC 3 weeks after becoming aware
MHR d th t l i tiff ff d bl• MHR argued that plaintiffs suffered no compensable
damages
50
51. Legal Update: Privacy Class Actions
• Plaintiffs allege (a) breach of contract and warranty, (b)
intrusion upon seclusion, (c) negligence, (d) breach of
fidconfidence:
• application forms provided that application information
would be held confidential and secure
• for intrusion upon seclusion, plaintiffs argue a reckless
breach of privacy by MHR
• the court held that the claims based on negligence and• the court held that the claims based on negligence and
breach of confidence would fail because there is no
evidence of damages
f• class proceeding approved on the questions of alleged
breach of contract and warranty and tort of intrusion upon
seclusion
51
52. Legal Update: Privacy Class Actions
Hopkins v. Kay, 2014 ONSC 321
• Alleges that 280 patient records in a hospital were
wrongfully accessed and disclosed amounting to
intrusion upon seclusion
• The defendant argues that PHIPA governs such that• The defendant argues that PHIPA governs, such that
common law tort claims are precluded
• PHIPA sets out a complaint resolution scheme similar
to PIPEDA, but also has a $10,000 cap on damages
and immunity provisions that protects custodians from
acts or omissions done in good faith and reasonable inacts or omissions done in good faith and reasonable in
the circumstances
52
53. Legal Update: Privacy Class Actions
Evans v. Scotia 2014 ONSL 2135
• Alleges that Bank employee disclosed customer
information for fraudulent and improper purposes
• Both employee and employer named as defendants
Th l i i f i t i l i li• The claim is for intrusion upon seclusion, negligence
and breach of contract
• Bank argues it is not liable for its employee and thereBank argues it is not liable for its employee and there
is no cause of action
• The court decided it is not “plain and obvious” that the
B k ill t b h ld i i l li bl f thBank will not be held vicariously liable for the
employees’ tort or for resulting “symbolic and moral”
damagesg
53
54. Legal Update: Privacy Class Actions
Key Privacy Class Action Issues
• Where the breach was inadvertent, what will the
standard for “recklessness” be?
• Will privacy breaches amount to “breach of contract”
where a privacy policy was not followed?where a privacy policy was not followed?
• Will the dispute resolution scheme in PHIPA (or other
privacy statues) pre-empt or limit actions for inclusiony )
upon seclusion?
• When will an organization be vicariously liable for its
employees’ breach of privacy?employees breach of privacy?
• How does the “cap” on damages under Jones v. Tsige
($20,000) apply to class actions?( ) pp y
54
55. Breach Notification
Statutory Breach Notification Requirements:
• At present, only Alberta and Manitoba have statutory
breach notification requirements for the private sector.
55
56. Breach Notification
Alberta PIPA
1. An organization must, without unreasonable delay, give
notice to the Privacy Commissioner of any loss,
unauthorized access to or unauthorized disclosure of
personal information under its control if a reasonable
person would consider that there is a real risk of
significant harm to an individual as a result of the
security breach. (PIPA s. 34.1(1))y ( ( ))
2. The Privacy Commissioner may require the
organization to notify affected individuals where there
is a real risk of significant harm as a result of theis a real risk of significant harm as a result of the
security breach (s. 37.1(1))
3. The notice must comply with PIPA regulations s. 19.1(1)
as to contentas to content
56
57. Breach Notification
Manitoba PIPITPA
1. An organization must, as soon as reasonably
practicable, notify an individual if personal information
about the individual under the organization’s custody is
stolen, lost or accessed in an unauthorized manner.
2. The requirement does not apply where the organization
is satisfied it is not reasonably possible for the personal
information to be used unlawfully.information to be used unlawfully.
57
58. Breach Notification
Bill s. 4 will amend PIPEDA
• Requires mandatory breach reporting to PCC and
affected individuals:
• notice required as soon as “feasible”
• where it is reasonable in the circumstance to believe that• where it is reasonable in the circumstance to believe that
the breach creates a real risk of significant harm to an
individual
• requires records be kept relating to such a breach and
their disclosure to PCC on request
• establishes fines up to $100,000 for breach of thep ,
reporting or record keeping requirements
58
59. Breach Notification
Canadian health sector statutory breach reporting
obligations
• Ontario Personal Health Information Protection Act, s.
12(2)
• New Brunswick’s Personal Health Information Privacy• New Brunswick s Personal Health Information Privacy
and Access Act, s. 49(1)(c)
• Nova Scotia’s Personal Health Information Act, s. 69,
• Newfoundland and Labrador’s Personal Health
Information Act, s. 15(3)
59
60. Breach Notification
U.S. Statutory Breach Notification Obligations
• Most U.S. States require notice of security breaches
involving personally identifiable information (only
Alabama, New Mexico and South Dakota do not)
• Requirements vary state by state as to who is subject• Requirements vary state by state as to who is subject
to the law, who to notify, the subject information, what
constitutes breach and exemptions
60
61. Breach Notification
The case of California
• California was the first state to require data breach
notification (2003); there, both businesses and state
agencies must report to individuals and the Attorney
GeneralGeneral
• As of January 2015, California will require persons or
businesses that suffer a breach that exposed the
individual’s name and either SSN or D/L number,
where the information was not encrypted, to offer
identity theft prevention or mitigation services at noy p g
cost to the affected individuals for at least 12 months
61
62. Guidelines
Privacy Commissioners in Canada have published
guidelines for responding to security breaches
• The guidelines contain consistent approaches to
security breaches, the main components being:
1 Contain the Breach1. Contain the Breach
2. Evaluate the Risks
3 Notification3. Notification
4. Prevention
62
63. Guidelines
1. Contain the Breach
• Take immediate practical and technological steps to
contain the breach
• Activate breach management policy (you should have
one!)one!)
• Designate a response team (e.g., Privacy Officer,
security, IT, communications and legal) to investigatey g ) g
the breach and handle the situation
• Appoint a company spokesperson
C t t t l l l l d di l ti• Contact external legal counsel and media relations
advisor
63
64. Guidelines
• Plan reactive customer and media statements
• Conduct interviews (consider using lawyers to protect
the discussions with privilege)
• Preserve all internal and external data and records
necessary for subsequent investigationnecessary for subsequent investigation
64
65. Guidelines
2. Evaluate the Risks
• How sensitive is the information?
• Is the information encrypted or protected?
• Are the recipients known or unknown, and possibly
i i l?criminal?
• What harm could result from the breach?
• identity theftidentity theft
• financial loss
• loss of business or employment opportunities
• damage to reputation
• physical safety, security
65
66. Guidelines
3. Notification
• Is notification required?
• statutory requirements
• Commissioner guidelines
t t l i t ( i t t dit• contractual requirements (e.g., services contracts, credit
agreements, insurance policies)
• would notification prevent or mitigate potential harm to the
affected individuals?
• When to notify?
• notification should occur as soon as possible following• notification should occur as soon as possible following
assessment and evaluation of the breach
66
67. Guidelines
• Who to notify? Consider:
• Privacy Commissioners, to help them provide advice or
id t th i ti i di t th b hguidance to the organization in responding to the breach,
including notification, and to meet legal obligations
• affected individuals, to help them prevent or mitigatep p g
potential harm from the breach
• police, if theft or other crime is suspected
• insurers banks• insurers, banks
• professional or regulatory bodies, if required by
applicable regulatory standards
• third parties who may be impacted, e.g., contractors,
suppliers, trade unions
• public at large for publicly traded companies underpublic at large for publicly traded companies under
securities laws/guidelines
67
68. Guidelines
4. Prevention
• Investigate the cause of the breach and develop a plan
to prevent breaches
• Prevention Tips:
dit d i i t ti h i l d t h i l f d• audit administrative, physical and technical safeguards
• review and update policies and procedures (e.g., security
policies, records retention policies, incident response
plan, etc.)
• ensure policies are followed in practice
• employee training• employee training
• review service providers, partners, distribution channels
68