Law Firm LLP | Cyber Insurance | July 16th, 2014 Page 1

Cyber Exposure Landscape: Law Firm Perspective

"The single biggest threat still is people inadvertently bringing down a virus from outside or through a phishing scheme... That's where the training gets critical ... You can never tell your workforce enough 'don't do this' or 'don't do that'."
- Gary Becker, Chief Information Officer, Reed Smith

"Law firms... are vulnerable to a data breach from three main areas: an employee who downloads a virus or mistakenly leaves an unencrypted laptop in a taxi, for example; the law firm's vendors who have access to client information getting breached; or foreign hackers looking to get information from firms working on major business deals or IP matters."
- John F. Mullen, chair of Lewis Brisbois Bisgaard & Smith's data privacy and network security practice
Cyber Insurance

Cyber Insurance policies respond to a broad range of evolving risk:

1. Insure both First Party and Third Party risks
2. Respond to "bad actors" both inside and outside the insured corporation
3. Provide cover for fines & penalties (where allowed by law)
4. Cover intangible risks - loss and damage to non-physical "property"
5. The primary coverage is for the costs of investigation to establish whether loss or damage has occurred
6. Insurers also provide access to risk control, governance, compliance and technical services as part of the offering

These policies are modular and can be tailored in both limits and elements of coverage to respond to the particular needs of the client.

The following slides outline the services, the primary coverage elements of cyber policies and an overview of available coverage under typical conventional insurance policies.
Cyber Insurance: Added Value Risk Management Services

Service / Key Components

Training: Online training courses in information security. Includes compliance monitoring & reporting.

Procedures & Protocols: Templates for compliance protocols and manuals.

Breach Response / Breach Coach: Access to expert resources to respond to an event; legal / regulatory and forensic / security experts.

Crisis Communications: Public Relations experts with experience handling internal and external fallout from breaches of client information.

Other Services: May include provision of hardware devices, 24-hour emergency help-line, penetration testing, discounts for advanced services.

Claims Handling: Insurers' own in-house experts on managing and handling claims are also available for advice and training, selection of counsel etc.
Cyber Insurance: First Party Insurance

Module / Key Coverage Components

Breach Response:
- Breach coach
- Forensic investigation
- Regulatory / legal advice

Remediation:
- Security consulting
- Reconstruction of data
- Reinstallation of software

Network Interruption:
- Loss of revenue from network failure / degradation
- Loss of revenue from denial of network access
- "Contingent" interruption

Extortion:
- Threat of Distributed Denial of Service (DDoS) attack
- Threat of release of information
- Threat of destruction of data

Crisis Response:
- Public relations
- Client / Internal communications
- Crisis fund
Cyber Insurance: Gap Analysis

What is available under a typical first party program?

1. Loss or damage to digital assets – Generally, very limited coverage is provided in Property insurance policies for "Computer Virus and Denial of Access". A typical limit of insurance is $25,000. Chubb policies typically provide some cover for "Malicious Programming"; limits of up to $100,000 for "insider" and $10,000 for external parties are standard.
2. Business interruption from network downtime – Property policies provide little coverage, as stated above. The KR&E policy may provide some network interruption coverage for the risk of "computer violation".
3. Cyber extortion – Kidnap, Ransom & Extortion policies typically do not have a Cyber exclusion and some (e.g. the Chubb Forefront) provide specific coverage. However, acts of an employee or with the collusion of an employee are specifically excluded.
4. Reputational damage – Property programs typically do not provide cover for Public Relations / remediation activity following a breach. KR&E policies sometimes provide limited cover specific to an extortion event.
5. Theft of money and digital assets – Your Crime policy does provide specific insurance for certain Cyber events, specifically "direct loss of Money, Securities or Property sustained by an Insured resulting from Computer Fraud committed by a Third Party". There is also no exclusion for Cyber in respect of theft of money by employees. Crime policies will not provide cover for theft of anything other than financial instruments (e.g. if an employee "steals" and sells personal information of the firm's employees, the Crime policy will not respond).
Cyber Insurance: Third Party Insurance

Module / Key Coverage Components

Security & Privacy:
- Forensic investigation
- Regulatory / legal advice
- Defense costs & damages

Regulatory Action:
- Investigation
- Defense costs
- Awards, fines & penalties

Loss of Data:
- Damage to or corruption of third party data
- Compensation for denial of access
- Data errors

Media Liability:
- Defamation, libel & slander
- Breach of copyright, trademark or trade dress
- Electronic and print media

Notification Expenses:
- Legal, posting and advertising expenses for compliance
- Credit monitoring & identity theft monitoring / insurance
- Call center
Cyber Insurance: Gap Analysis

What is available under a typical third party program?

1. Security and privacy breaches – General Liability insurance policies provide no coverage for costs, expenses or penalties incurred in connection with a security or privacy breach. However, depending on circumstances your LPL policy may respond. For a breach of employee information there may be some coverage available under the EPL policy (if an affected employee can prove "injury" or that the breach constitutes an "employment related tort").
2. Investigation of privacy breach – Again, there is typically no coverage provided for investigations or regulatory action, and fines and penalties will be specifically excluded.
3. Customer notification expenses – The issue of whether these costs can be covered under the GL Personal Injury coverage has been explored in the courts and to date the courts have found in favor of the insurers. GL insurance is not designed or intended to respond to cyber breaches.
4. Multi-media liability – GL insurance does sometimes provide coverage under the Advertising and Personal Injury extension, but this will exclude professional services (which would in principle be covered under the LPL). The extent of cover may be limited depending on the circumstances of the loss and the interpretation of the activity that gave rise to the loss; the wording and exclusions should be reviewed.
5. Loss of third party data – GL insurance provides cover for Bodily Injury or Property Damage: data is generally not considered to be physical property and therefore, generally speaking, GL policies will not cover loss of third party data.
Why do Law Firms Buy Cyber Insurance?

Aon is seeing a dramatic increase in the number of firms enquiring about and purchasing Cyber insurance. We currently have more than 55 law firm clients who purchase stand-alone Cyber insurance policies. The main factors driving decisions to purchase the coverage are as follows:

1. Reducing uncertainty – affirmative and cost effective coverage in areas where there is none available from other policies or where the response of other policies is limited or uncertain.
2. Risk Management Services – firms that do not employ a full time CIO or CISO value the services that are provided alongside the insurance, particularly:
   - Training (provision of online courses including monitoring and compliance reports)
   - Breach response (specialists with expertise and experience to respond quickly and professionally to all aspects of a breach, including legal advice on managing regulatory implications)
   - Security services (consulting, ethical hacking, security protocols, hardware etc.)
3. Contractual requirement – Financial Institutions in particular are requiring very high standards of data protection, and some are now mandating that their outside counsel buy cyber insurance.
4. Network Interruption – Awareness that traditional insurance programs provide little or no coverage for this risk.
5. Remediation – reconstructing data, repairing systems & reinstalling software & security is time-consuming & expensive.
6. Employee Information – Law firms are no different from any other employer in that they hold Personally Identifiable Information (PII) and Protected Health Information (PHI) relating to employees.