Breaking Down Cyber Liability

Businesses and organizations of all sizes are at risk of a cyber attack or data breach. Even the most sophisticated systems have vulnerabilities, and the human element of a lost laptop, a misplaced paper file or an opened email attachment can affect your insured's company. No system is foolproof, no matter how good you think it is, which is why insureds need cyber insurance. As with so many things, it's not if an insured has a loss, it's when an insured has a loss.

Kim Fielder, CPCU, CRM, CIC, AAI
February 2017
WEBSITE VULNERABILITY
Company Profile: National Nonprofit Food Bank

A metropolitan food bank experienced a cybersecurity breach that resulted in the inadvertent disclosure of more than 10,000 donors' personal information. Due to malware on their website service, an unauthorized individual was able to gain access to donor information over a three-year period. The personally identifiable information included names, addresses, emails, credit and debit card numbers, security codes and expiration dates. Computer forensic experts were retained to assist with the investigation. Corrective measures were taken, including changing all passwords, implementing additional monitoring and reviewing the food bank's policies and procedures to ensure that all information was appropriately protected moving forward. In addition, because various state laws were implicated, the food bank was required to notify all affected donors and provide identity protection and credit monitoring for a one-year period.
According to the Net Diligence Data Breach Cost Calculator, the estimated costs for this event could be:
- $543,000 Estimated Legal Defense & Settlement Costs
- $117,050 Estimated Fines & Penalties
- $197,350 Estimated Investigation & Notification Costs
- $857,400 Estimated Total Costs
PHISHING EMAIL
Company Profile: Medical Group

An employee of a medical group opened a phishing email that infiltrated their centralized network. Anti-virus software failed to keep out the malicious code, exposing names, addresses, dates of birth, medical record numbers, medications, dates of service and diagnoses of 1,200 patients. A computer forensics investigator was hired, who determined that PHI had been compromised. The medical group notified the affected individuals and hired a public relations firm in anticipation of bad publicity. Thereafter, the Office for Civil Rights launched an investigation, and the medical group was fined for a HIPAA violation for having unsecured access to the network.
According to the Net Diligence Data Breach Cost Calculator, the estimated costs for this event could be:
- $46,000 Estimated Customer Notification/Crisis Management Costs
- $180,000 Estimated Incident Investigation Costs
- $364,000 Estimated Fines & Penalties
- $590,000 Estimated Total Costs
CLOUD HACK
Company Profile: Construction Company with offices nationwide

A national construction company used a third-party cloud service provider to store their customers' personal information. The cloud provider suffered a major data breach, compromising the Personally Identifiable Information belonging to thousands of the construction company's customers in several states. As the owner of the data, the construction company had a legal obligation to provide adequate and timely notice. The Attorneys General in several states initiated a regulatory investigation against the company to determine whether it had responded appropriately to the breach in accordance with the various state laws. Because the construction company did not have a document retention procedure and stored far more data than was required, the company was obligated to notify over 10,000 past and present customers that their data had been compromised. In addition, they had to pay the defense costs associated with the regulatory investigation.
According to the Net Diligence Data Breach Cost Calculator, the estimated costs for this event could be:
- $181,900 Estimated Incident Investigation Costs
- $41,775 Estimated Customer Notification/Crisis Management Costs
- $639,100 Estimated Defense & Settlement Costs
- $862,775 Estimated Total Costs

More recently, the St. Louis Public Library locations were found to be inoperable after being hacked and having ransomware installed on their systems. The origin of ransomware was traced to Russia, but its use has grown exponentially since 2012.
WHAT IS A BREACH?

It's the acquisition, access, release, or disclosure of information to an unauthorized individual or entity that relates to a person and that may cause the person inconvenience or harm:
- Personally Identifiable Information (PII)
- Protected Healthcare Information (PHI)

Or that may cause your insured's organization inconvenience or harm:
- Customer Data
- Employee Data
- Corporate Information/Intellectual Property

PII includes: Full Name, Home Address, Email Address, Passport Number, Credit Card Information, Personal Financial Information (SSN, Driver's License Number, Banking Information, Employment Information, Insurance Information).

Corporate Information: Business Information including Trade Secrets.
TYPES OF BREACHES
- Lost, missing, stolen electronic assets or equipment
- Backup tapes lost in transit
- Lost paper records
- Hackers
- Employee theft
- Poor business practices
- Internal security failures
- Viruses and computer security loopholes
- Improper disposal of both electronic & non-electronic data

Physical theft of desktop PCs, laptops, tapes, disks, USB drives, or other devices and media creates significant risks to the information stored on these devices. When it comes to breaches of non-public information, according to data available from the Privacy Rights Clearinghouse, physical theft, systems hacks and accidental release are the leading causes of breaches of sensitive or non-public information.
WHERE DO THREATS COME FROM?

Inside Threats
- Employee Negligence
- Employee Ignorance
- Malicious Employees

Outside Threats
- Hackers / Hacktivists
- Thieves
- Vendors
- Foreign Governments

Hacktivists – Intent is to break into a computer system to sensationalize their specific agenda, which is usually politically or socially motivated.
MAKING SENSE OF CYBER COVERAGES
Third Party (Liability) Coverages

Protection for liability to others: reimbursement or payment for expenses related to a data breach
- Legal counsel and defense costs
- Digital forensics team
- Notification costs
- Crisis communications – public relations
- Call centers
- Credit monitoring
- Identity restoration costs
- Reward expenses

Most cyber policies currently in the marketplace offer some combination of traditional liability coverage protecting against claims by third parties (customers, clients, and employees) for failure to protect Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry Information (PCI). These policies also provide first-party coverages protecting against losses suffered by the insured.
MAKING SENSE OF CYBER COVERAGES
Third Party (Liability) Coverages

Regulatory Proceedings
- Defense and penalties
- Compensatory awards
- PCI fines & costs

Media Liability/Website Liability
- Content Injury – Injuries sustained because of infringement of a service mark, slogan, symbol, copyright, title of an artistic or literary work, etc.
- Spread of viruses or malicious code to someone else's system.
MAKING SENSE OF CYBER LIABILITY
First Party Coverages

Data Loss and Restoration
- Related to recovery from damage to computer programs and electronic data

Network/Business Interruption
- Covers interruptions in business due to breaches of a company's network

Theft and Fraud / Crime Losses
- Covers costs of theft or destruction of the insured's data and theft of the insured's funds
- Social engineering
- Cyber fraud

Social engineering is the art of manipulating people so they give up confidential information.

Not all cyber claims are related to a breach. For example, malware downloaded from an email could lead to lost, encrypted or otherwise damaged files, requiring expenses to repair and restore them. Ransomware can prevent you from using your systems and create a Business Interruption or Business Income Loss in addition to the extortion payment.
MAKING SENSE OF CYBER LIABILITY
First Party Coverages

Forensic Investigation
- Covers the costs of determining the cause of a loss of data and what data was accessed

Cyber Extortion / Cyber Threat

Denial of Service
CYBER LIABILITY / SECURITY POLICIES

These policies are not standardized, and the coverages offered continue to evolve as criminals become more and more inventive. The terminology within each policy may be significantly different. Most have a modular coverage setup allowing separate insuring agreements, deductibles or retentions, and types of protection. For the most part, standard liability, property and crime policies do not provide coverage for cyber exposures. These differences make it extremely difficult to compare policies and coverages. We do not expect this to change for quite some time.
OPENING THE DIALOG WITH CLIENTS
- Do you hold any private data of clients, vendors, donors, employees or others?
- What steps would you take, and who would you call, if you lost those private records?
- Do you have a corporate-wide privacy policy?
- Do you have a disaster plan specific to data breaches?
- Are all records stored electronically? Do you have paper records? Do you shred?
- Do any employees have access to private client records?
- Do you allow use of USB drives on computers with access to private data?
- Are any records ever handled by a third party?
- Are any of your systems programmed by non-employees?
- Are all laptops and wireless connections encrypted?
OPENING THE DIALOG WITH CLIENTS
- Are you confident your antivirus and firewall systems are 100% effective?
- If your network was damaged or disabled by a virus or hacker attack, would it be material to your revenues/income?
- Do you have a backup system? How long would it take you to recover?
- Are you prepared for a Department of Health and Human Services compliance audit?
- Does your client understand that it's not if they have a breach but when they have a breach?
Citations/References
- Travelers - travelers.com/cyber-insurance/claim-stories
- Riskandinsurance.com
- National Underwriter Property & Casualty
- AmWins - Cyber Liability Risks & Solutions
- Privacy Rights Clearinghouse