The Basics of Cyber Insurance
Download as PPTX, PDF3 likes4,276 views
The netdiligence® Cyber Risk & Privacy Liability Forum discussed the various cyber risks organizations face, including legal liabilities from data breaches, regulatory scrutiny, and reputational damage. The document also covers the cyber insurance market, outlining the types of coverage available, such as network security liability, privacy liability, and event response expenses, as well as recent trends and innovations in cyber insurance products. The need for comprehensive privacy risk management and regulatory compliance is emphasized due to the increasing exposure from data breaches and the evolving regulatory landscape.
The Basics of Cyber Insurance
- 1. NetDiligence® Cyber Risk & Privacy Liability Forum October 8-9, 2014
- 2. Cyber Basics
- 3. Speakers Robert Hammesfahr HWR Consulting moderator Robert Parisi Marsh USA Kevin Baughn Safehold Special Risk Michael D. Handler Cozen O’Connor John Wurzler OneBeacon Technology Insurance
- 4. What are Cyber Risks? Any organization that: (1) uses technology in its operations &/or (2) handles/collects/stores confidential information has Cyber Risk. • Legal liability to others for computer security breaches • Legal liability to others for privacy breaches of confidential information • Regulatory actions, fines and scrutiny • Loss or damage to data / information • Loss of revenue due to a computer attack • Extra expense to recover / respond to a computer attack • Loss or damage to reputation • Cyber-extortion • Cyber-terrorism
- 5. Cyber Coverage Overview Network Security Liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data, denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems Privacy Liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business. Regulatory Investigation Defense: coverage for legal expenses associated with representation in connection with a regulatory investigation, including indemnification of fines & penalties where insurable. Event Response and Crisis Management Expenses: expenses incurred in responding to a data breach event, including retaining forensic investigator, crisis management firm and law firm. Includes expenses to comply with privacy regulations, such as communication to impacted individuals and appropriate remedial offerings like credit monitoring or identity theft insurance. Cyber Extortion: ransom &/or investigative expenses associated with a threat directed at you that would cause an otherwise covered event or loss Network Business Interruption: reimbursement of your loss of income and / or extra expense resulting from an interruption or suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption. Data asset protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data & other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.
- 6. The Cyber Insurance Market Market capacity: • Over 50 markets selling or participating in cyber insurance • Over $600M deployable capacity; largest placements still in $200M range Appetite & Approach: Different for each insurer and varies by: • Size: revenue, record count, transaction volume • Industry: Healthcare, Retail, Finance, Higher Ed, etc. • Jurisdiction: USA, Canada, Europe, Asia, etc. Principal Markets: • For larger risks: AIG, Beazley, Zurich, Chubb, Safehold (representing certain Lloyd’s Syndicates) • For SME, key markets: capacity is plentiful--One Beacon, Philadelphia, etc. Market Size: • Estimates vary at between $750M & $1B GWP 2013
- 7. Privacy Has Emerged Global reliance on real time data has created the greater need for real time innovative solutions. Privacy is a heightened and evolving exposure
- 8. Privacy – Today the Need has Changed 1.Failing to protect: Personally Identifiable Information (PII) employee, customer, Service Provider, or; Personal Health Information customers, members, employees 2. Worldwide Regulatory changes occurring Federal, State, Sovereign, Local Governmental Agencies 3. Reliance on Service Providers Hosting, Cloud, IT, HR, Archiving 4. Financial Institutions are suing for cost to reissue credit cards 5. Business Interruption and Systems Failure 6. Global Threat Environment – Hostile State sponsored terrorism threats 7. Malware is influencing the threat environment and includes.
- 9. Privacy Regulation Milestones © 2014 OneBeacon Technology Insurance Group 500 Million Records disclosed since 2005 – represents a sampling www.privacyrights.org/data-breach 47 States plus DC have consumer data protection laws; HIPAA, HiTech; Congress to pass Fed Law? (Oct 2014) Obama Executive Order 13636 – Improving Critical Infrastructure in Cybersecurity -February 2013 results in S. bill 1638 the Cybersecurity Public Awareness Act of 2013 (November 5) California S.B. 1386, Personal Information, Privacy, July 1, 2003. Considered by many to be the first Data Privacy Legislation.
- 10. What Kind of Data? 1. Paper and Electronic 2. Personally identifiable information (employee, customer, Service Provider), or; 3. Personal Health Information (customers, members, employees) 4. Credit Card Numbers 5. Confidential 3rd party information 6. Merger/Acquisition target/plans 7. Financial Account Information
- 11. Privacy Risk Management Ask Privacy/IT professionals: − Incident Response Plan (tested?) − Service Provider Contracts / Insurance Requirements − Requirements − Evaluation − Selection − SLA Considerations − Contracting Parties (when your Service Provider pharms out) − Location…Location…Location (Where is your data?) Privacy Risk Assessment (sources, vulnerabilities, processes, perils) Check Existing Insurance Gap Analysis (GL, Prop, E&O, Crime, K&R) New coverage terms must integrate − With Response Plans − With Traditional Policies
- 12. Insurance Coverages – First & Third, Nobody Out? First Party Coverage – Damage to digital assets – Business interruption – Extortion – Privacy Breach Expenses Third Party Coverage – Privacy liability – Network security liability – Internet media liability – Regulatory liability – Contractual liability
- 13. Recent Cyber Product Innovation • Traditional Approach: – Fines & Penalties drop down coverage through Bermuda as an Excess & DIC component of standard cyber capacity – Business Interruption - System Outage/Technology Failure trigger expands beyond a cyber attack - Dependent Business Interruption trigger - Reputational trigger – Catastrophic Approach - Broad form coverage for accounts taking catastrophic approach to risk transfer—i.e. taking a retention above $100M • Non-Traditional Approach: – Industrial Risks - Coverage for property damage caused by technology failure of industrial components, i.e. industrial control systems – P&C Excess-DIC - Excess/DIC coverage over traditional coverage lines (property, casualty, etc.) that picks up covered loss/damage otherwise excluded because caused by a cyber attack
- 14. Types of First Party Losses • Hardware or software malfunction/corruption • Denial of service • Loss of business – Service downtime – Abnormal turnover of customers – Related to reputation / PR • Data theft • Loss of trust (customers, employees, shareholders) • Brand damage • Exposure or proprietary/sensitive data • Breach expenses • Forensic costs
- 15. Issues With First Party Policies • Named Perils – coverage would normally not be triggered by cyber loss because not a named peril • All Risk– requires “direct physical loss” to “covered property” • Business Interruption – loss must be caused by fortuitous event inflicting “physical injury to tangible property”
- 16. Cyber Risk Policies • First party policies often do not apply – “direct physical loss or damage” • “physical” = tangible … not electronic data • Bodily Injury often requires damage or destruction of property • Exclusions often apply – Fidelity and commercial crime insurance may apply • High costs – $188/record, average of >28k records (Ponemon Institute Survey) – $277 when caused by malicious attacks (Ponemon Institute Survey – Just a sample; not catastrophic • It will eventually happen
- 17. Cyber Risk Policies • Each data breach is different • Prevention consultation – Strong security decreases downstream costs • Assistance with incident response plans – Incident response plans save $42 record (Ponemon) • Response consultation – Consultants decrease costs and increase remediation effectiveness – Consultants can save $13/record (Ponemon) • Crisis management and public relations to mitigate fallout
- 18. Causes of Data Breaches: Advanced Persistent Threats • Internet Malware Infections – Drive by downloads – Email attachments – File sharing – Pirated software • Physical Malware Infections – Infected USB memory sticks, CDs, and DVDs – Infected applications – Backdoored IT equipment • External Exploitation • Human Error
- 19. SEC CF Disclosure: Cybersecurity Risk Factors • Consistent with Regulation S-K Item 503(c) Risk Factors should include: – A discussion of cybersecurity and cyber incidents if such issues are among the most significant factors that make an investment in the company speculative or risky. • In deciding on disclosures, companies consider: – The frequency and severity of prior cyber incidents – The probability of, qualitative, and quantitative magnitude of risk from future attacks. – Per Disclosure Guidance: adequacy of any preventative measures taken • Type(s) of Insurance purchased may be relevant to disclosures, depending in part on standards in the industry.
- 20. SEC CF Disclosure: Cybersecurity • Event Disclosure • Management Discussion and Analysis • Description of Business • Legal Proceedings • Financial Statement Disclosures • Disclosure Controls and Procedures • Form 8-K
- 21. Case Update: Sony PlayStation February 2014 Ruling • 60 underlying lawsuits involved in PlayStation cyberattack • $2 Billion in losses after hackers stole personal information from millions of PlayStation users – One of largest recorded data security breaches at the time – Required shutdown of server for nearly a month • Personal information included: – Names, addresses, birthdates, credit card numbers, bank account information • Large breach, but since eclipsed by more recent cyberattacks (e.g. Target, Xmas 2013 & JP Morgan Chase, Summer 2014).
- 22. Case Update: Sony PlayStation Ruling • Coverage B: “oral or written publication in any manner of material that violates a person’s right of privacy” • Issue: whether Sony required to commit the breach-causing act, or if third parties’ acts suffice • Court found Sony was not involved in the “publication” – declined to expand insurer’s liability by construing “in any manner” to include criminal hackers • Provision could only be read to require policyholder to perpetrate or commit the “publication” - could not be expanded to third parties • Implications: otherwise reluctant policyholders encouraged to buy data breach coverage • No automatic coverage for these types of large-scale response costs, or responding to third party litigation
- 23. Data Breach Liability Exclusion ISO Form • CG 21 06 05 14: – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception • Excludes damages arising out of: – (1) Any access to or disclosure of any persons’ or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or – (2) The loss of, loss of use of, damage to corruption of, inability to access, or inability to manipulate electronic data • Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by your or others arising out of that which in (1) or (2) above • However, unless Paragraph (1) above applies ,this exclusion does not apply to damages because of “bodily injury”
- 24. Data Breach Liability Exclusion ISO Form • As used in the exclusion, electronic data means information facts or program stored as or on, created or used on, or transmitted to or from computer software including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment • The exclusion does not apply to “personal and advertising injury” – Arising out of any access to or disclosure of any person’s or organization’s confidential or personal information – Exclusion applies even if damages are claimed for notifications costs, credit monitoring expenses, forensic expenses, etc.
- 25. Data Breach Liability Exclusion’s Impact • As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors • Managing data risk requires a collaborative effort to predict foreseeable losses and potential impacts, to meet today’s digital challenges • Exclusion should ultimately reduce litigation on whether data breaches are covered by CGL policies, while providing needed protection and certainty for insurers and policyholders alike
- 26. Speakers MODERATOR: Robert Hammesfahr HWR Consulting rhammesfahr@ameritech.net John Wurzler OneBeacon Technology Insurance Jwurzler@onebeacontech.com 952.852.6025 Kevin Baughn Safehold Special Risk kevin.baughn@safehold.com 206-470-3296 Robert Parisi Marsh USA robert.parisi@marsh.com 212 345 5924 Michael D. Handler Cozen O’Connor mhandler@cozen.com (206) 808-7839