Cyber Liability Coverage – Sell it or get sued

Presentation transcript:

Cyber Liability Coverage – Sell it or get sued By Augusto Russell and Rick Grimes

Table of Contents
- Introduction
- Privacy Breach Coverages – First Party and Third Party
- Post Breach Response Considerations
- Coverage Features
- Coverage Enhancements
- Common Objections to Buying Cyber
- Resources and Tools
- Data Breach Costs
- Key Questions
- Conclusion

Introduction
Cyber liability policies, officially known as “Network Security and Privacy Liability Products”, are specifically designed to address the growing exposures of privacy breach, network breach and cyber crime. Yet even with the increase in well-publicized incidents, many companies are still hesitant to pull the trigger on purchasing coverage. Deciphering confusing, non-standardized policy language is half the battle. Being able to fully articulate the services and resources provided by a cyber policy and counter client objections is the other. If the current trends continue, so-called Cyber insurance coverage just may take its place alongside workers compensation, general liability, fire, and auto insurance in the core commercial P&C package, meaning a business would be foolish to open its doors without it. The reason is simple: virtually every modern enterprise, from the local doctor’s office and supermarket to Fortune 100 corporations, lives and breathes on its IT applications, databases and computer systems. When IT goes down, business screeches to a halt. If your clients suffer a cyber-related loss and were unaware of an affordable insurance that could help guide them through the loss and provide and coordinate resources to assist during the crisis, guess who takes the blame?

Privacy Breach Coverages
Privacy Breach Expense:
- Legal
- Forensic investigations
- Crisis management
- Notification
- Call center support
- Credit monitoring
- Fraud remediation
- PR assistance
3rd Party (Liability):
- Defense costs
- Fines
- Penalties

Post Breach Response Considerations
Breach Counseling:
- Determine if a privacy breach occurred
- Assess severity of the event
- Explain breach response requirements and best practices
Crisis Management:
- Time-saving professional service to guide you in handling a breach
- Work closely with policyholder and claims to outline an action plan
- Public relations assistance to help restore your business’ reputation
Notification Assistance:
- Drafting and review service for creating notification letters
- Support in drafting and delivering alternative forms of notification
- Assistance in discussions with 3rd parties that need to be notified
Remediation Planning:
- Service recommendations to impacted individuals such as call handling, monitoring products, and identity theft resolution services
Evidentiary Support:
- Documentation of steps taken and remediation services provided to manage the privacy breach
- Expert Testimony witness if a claim goes to court

First Party Coverages
- Business Interruption - Provides coverage for business interruption incurred by an insured as the direct result of an enterprise security event which causes system failure.
- Data Restoration - Pays the reasonable costs incurred by the insured, in excess of any normal operating costs, for the restoration of any data stored on the insured’s computer system that is lost during the policy period as a result of an enterprise security event.
- Cyber Extortion Payments - Provides coverage for expense and/or loss incurred as the result of any extortion threat first made against an insured during the policy period.
- Crisis Management Expenses - Covers crisis management and public relations expense incurred by an insured as the result of an enterprise security event.

First Party Coverages (Continued)
- Notification Expenses - Covers expenses incurred by the Insured to notify customers whose sensitive personal information has been breached.
- Credit Monitoring Expenses - Covers expenses incurred after a breach to provide credit monitoring to those third-party individuals impacted by the breach.
- Forensic Costs - Covers costs incurred for a forensics firm to determine the cause, source and extent of a Network Attack; or to investigate, examine and analyze the Named Insured’s Network to find the cause, source and extent of a Data Breach.
- Social Engineering / Funds Transfer Fraud - Covers Crime loss when employees, acting in good faith, comply with instructions sent via email to make a wire transfer or another type of transfer to a fraudulent third party replicating a legitimate correspondence.

Third Party Coverages
- Network Security Liability - Covers liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.
- Privacy Liability Coverage - Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format.
- Regulatory Actions - Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.
Additional Coverage
- Electronic Media Liability Coverage (also known as Content Liability on some policies) - Covers infringement of copyright or trademark, invasion of privacy, libel, slander, plagiarism, personal injury, or negligence arising out of electronic and non-electronic content. Includes Advertising activities.

Post Breach Response Considerations
Breach Response Team (diagram): Data Security, IT, Computer Forensics, Business Admin, Privacy Law

Coverage Features
- Coverage for “Innocent Insureds” when authorized employees act in an “unauthorized manner” (rogue employees).
- Coverage includes “off-line data / non-electronic data” in case of breach of data, not just data in electronic form. (Think paper files that have not or will not be scanned that contain sensitive third party corporate information or non-public personal information!)
- Coverage extends to Claims brought against the Insured due to unauthorized disclosure by independent contractors and vendors that are holding, processing or transferring information on behalf of the Insured.
- Includes coverage for breach of not only non-public personal data (i.e. an individual’s name, address, telephone number, social security number, etc.) but also confidential / sensitive third party commercial information that the Insured is obligated to keep private, such as trade secret, data, design, interpretation, forecast, formula, method, practice, credit or debit card magnetic strip information, process, record, report, etc.

Coverage Features (Continued)
- Full Prior Acts Coverage / No Retro Date
- Payment Card Industry (PCI) Loss coverage - monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries which an Insured becomes legally obligated to pay
- Health Insurance Portability and Accountability Act (HIPAA) coverage
- Coverage can be bundled to include Technology E&O and Miscellaneous Professional Liability

Coverage Enhancements
- Cyber Crime: Social Engineering (Fraudulent Instruction), Funds Transfer Fraud (Financial Institution), Telephone Fraud
- Reputational Loss
- Criminal Rewards
- Business Interruption coverage broadened to include triggers for:
  - Interruption to an outsourced IT provider that impacts the Insured’s revenue
  - System failure of the Insured or an outsourced IT provider, including administrative or operational mistakes, not just a cyber event
- Bodily Injury caused by a data or privacy breach
- Option for Defense Costs and Breach Costs Outside Limit
- Access to third party cyber security consultants

Common Objections to Buying Cyber
- The applications are too long
- We do not sell products or services online
- We outsource credit card processing and data storage to outside vendors
- We have the latest network security / encryption / firewalls in place
- We are a small company, under the radar
- We do not keep any sensitive data of our customers on our server
- Other policies we have may provide coverage / We have cyber endorsed onto one of our policies already
- We are better off saving premium dollars to use in case we have a breach

Common Objections to Buying Cyber
- The applications are too long
  Response: For many clients an indication can be generated by asking as few as 4 questions.
- We do not sell products or services online
  Response: Cyber Liability insurance is not limited to e-commerce.
- We outsource credit card processing and data storage to outside vendors
  Response: Ultimately the Insured is responsible for safekeeping of data.
- We have the latest network security / encryption / firewalls in place
  Response: Unfortunately most losses are caused by human error / rogue employees.
- We are a small company, under the radar
  Response: Hackers are targeting smaller firms that lack the sophistication and resources of larger, more well-known entities.

Common Objections to Buying Cyber (Continued)
- We do not keep any sensitive data of our customers on our server
  Response: Employers are still responsible for safekeeping of employee data. Phishing claims are on the rise.
- Other policies we have may provide coverage
  Response: Since 2014 GL carriers have been excluding and court decisions have supported claim denials.
- We have cyber endorsed onto one of our policies already
  Response: These endorsements typically are low on limit and thin on coverage. They can actually get you sued for E&O!
- We are better off saving premium dollars to use in case we have a breach
  Response: Breach costs, discussed in a later slide, should scare clients away from the self-insurance approach. Also, cyber policies provide more than just paying off lawsuits.

Resources and Tools
- Privacy Rights Clearinghouse, www.privacyrights.org: Ability to sort by breach type, organization type and year.
- Cyber Breach Calculator, www.eriskhub.com/mini-dbcc: Breaks down the cost by incident investigation, customer notification costs and crisis management, regulator fines and penalties, PCI, and class action lawsuits.
- Cost of a Data Breach Study by Ponemon (register for free): Report available to the public that details average costs, industry trends impacting costs and factors that can influence and mitigate costs.

Data Breach Costs

Typical Breach Response Costs
- Legal: $300 - $600 per hour
- Forensics: $250 - $600 per hour
- Crisis Management: $150 per hour or legal rate
- Notification: $1 - $3 per letter
- Call Handling: $7 - $25 per call
- Credit & Fraud Monitoring: $8 - $75 per person
- Identity Theft Resolution: $400 per case

Typical Breach Response Costs
$258 per record
Indirect Costs:
- Customer churn
- Increased customer acquisition activities
- Damaged reputation
- Loss of goodwill
- Employee time & resources
Direct Costs:
- Crisis management
- Public relations
- Print & mail notification letters
- Remediation services
- Legal & forensic services
- Lawsuits
[Figure: Factors That Influence U.S. Data Breach Costs. Factors shown: Incident response team, Extensive use of encryption, Third Party Involvement, Employee Training. Values shown: Decrease $14, Increase $13, Decrease $13, Decrease $9.]
Source: Ponemon Cost of Data Breach Study

Ponemon 2018 Cost of Data Breach Study: United States Analysis
- $7.91 million is the average total cost of data breach (+7.6%)
- $258 is the average cost per lost or stolen record (+14.6%)
Cost per record breakout:
- $152 - Indirect costs, which include abnormal turnover or churn of customers (+4.8%)
- $81 - Direct costs incurred to resolve the data breach, such as investments in technologies or legal fees (+2.5%)
Ponemon Institute© Research Report

Key Questions
- What factors are considered by Insurance carriers when rating cyber coverage?
- Who owns data?
- Who is responsible for a loss of data stored on the cloud?
- What if I outsource my data to a third party IT vendor?
- Do I have to wait for an insurance company to approve my response to a breach or can I just respond?
- How does a retro date limit coverage under a data breach policy?

Conclusion
Network Security and Privacy Liability insurance is an important component of a risk management strategy in today’s business environment. Today, more businesses rely on information technology as the engine for operations and communications, thus it is more critical to protect digital assets with the right insurance coverage. In designing insurance coverage for an enterprise, buyers should start with a thorough assessment of potential risks and vulnerabilities of the existing systems, perhaps with the help of a security specialist, and then secure the appropriate insurance coverage. Network Security and Privacy Liability Insurance is just another important component of a Risk Management strategy in today’s business environment. The more businesses rely on information technology as an engine for operations and communication, the more crucial it becomes to protect IT assets with the right coverage.