1
Financial Institutions and Cyber Insurance
National Council of Higher Education Resources
October 6, 2017
Lorie Masters, Partner, Hunton & Williams LLP (202)
Jennifer White, Associate, Hunton & Williams LLP (202)
2
Financial Institutions are at Risk
2012: Wells Fargo, Bank of America, Citigroup and JPMorgan Chase experience internet blackouts
2014: JPMorgan Chase compromises 83M accounts affecting 76M households
2016: Tesco Bank loses $3M from 9K customer accounts; according to Beazley, banks and credit unions reported 46% of industry breaches in the first half of 2016 (versus 35% in 2015)
2017: Equifax
3
Cyber Breaches – Breaches by Industry*
*Net Diligence, 2016 Cyber Claims Study (December 2016)
4
Cyber Breaches – Perpetrators within Banking*
* Business Insider, quoting IBM X-Force Research; available at
5
Cyber Breaches – What It’s Worth to the Bad Actors*
* Symantec, Internet Security Threat Report (April 2017)
6
Cyber Breaches – US Cyber Insurance Claims by Industry*
*Net Diligence, 2016 Cyber Claims Study (December 2016)
7
Cyber Breaches – The Current Climate*
$3.62 Million: Average cost per incident in (up 29% since 2013)
$141/stolen record
27.7% chance of recurring breach over next 2 years (up by 2.7% from 2016)
* Ponemon Institute, 2017 Cost of Data Breach Study: Global Overview (June 2017)
8
Cyber Breaches – Costs of Claims, by Industry*
Financial services had the highest average cost of all sectors.
*Net Diligence, 2016 Cyber Claims Study (December 2016)
9
Cost of a Data Breach – Per Capita Cost By Industry*
* Ponemon Institute, 2017 Cost of Data Breach Study: United States (June 2017)
10
Abnormal Churn Rates by Industry*
Churn rate = customer attrition following breach
* Ponemon Institute, 2017 Cost of Data Breach Study: United States (June 2017)
11
Why Financial Institutions Need Cyber-Specific Insurance Portfolios
Financial Institutions are Exposed*
  19% of financial services companies have unpatched security vulnerabilities.
  Nearly 1 out of 5 financial institutions use an service provider with severe security vulnerabilities.
Financial Institutions are Under the Microscope
  Increased regulatory attention (e.g., NY law).
  Vendor/business associate exposure
*Information from SecurityScorecard, available at
12
Cyber Coverage – General Overview
“Pure” First Party Coverages
Covered Claims
  Data/Information Loss
  Business Interruption
  Network Failure/Interruption
  Cyber-Extortion
  Reputational Harm
Covered Costs
  Forensics
  Legal and PR
  Data Restoration
  Lost Income
Common Endorsements
  PCI-DSS
  Dependent Business Income
13
Cyber Coverage – General Overview
“Hybrid” First Party Coverage – Event Management/Breach Response Costs
Covered Claims/Incidents
  Security Event (e.g., breach, use of code or DDOS against 3rd party)
  Privacy Event (involving PII or Confidential Business Information)
Covered Costs
  Forensics to Determine Existence, Cause & Scope
  Legal and PR
  Mandated – and, sometimes, voluntary – Breach Notification
  Call Centers
  Credit/Identity Monitoring
  Data Restoration
14
Cyber Coverage – General Overview
Third Party Coverages
What Third Parties?
  Customers/clients
  Employees
  Regulators
Covered Liabilities
  Security failures
  Privacy failures
  Professional Services failures
  Media (e.g., online data)
Covered Costs
  Defense Costs
  Judgments & Settlements
  Some types of interest
  Fines?
Not Covered Costs
  Punitive damages
15
Critical Partner: Crime Insurance
Why It Is Critical
  Financial loss due to social engineering threats
Common Elements
  Covers dishonest third-party acts, e.g.:
    Employee theft
    Forgery or alteration
    Computer fraud and funds transfer fraud
    Kidnap, ransom, or extortion
    On- and off-premises robbery, etc.
    Counterfeit
16
Cyber-Risk Insurance Best Practices
1. Be careful with your insurance applications & renewals.
  Involve critical personnel.
  Answer fully and qualify answers when necessary.
  Don’t overstep.
  Practice what you preach.
    “Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?”
    “Whenever you entrust sensitive information to 3rd parties, do you perform due diligence to ensure that their safeguards for protecting sensitive information meet your standards?”
  Review prior applications at renewal.
17
Cyber-Risk Insurance Best Practices
2. Aim for broad triggers and short waiting periods.
  Does first-party coverage require a wrongful act or an affirmative “failure”?
  Does coverage trigger on “discovery” or “occurrence”?
  Are you covered for “alleged” or “suspected” breaches?
  Keep the waiting period SHORT!
18
Cyber-Risk Insurance Best Practices
3. Mind the gaps.
  Both traditional coverages (CGL, Property, Crime, D&O) and cyber-specific insurance products may not provide adequate coverage for financial industry cyber risks.
  Don’t assume you are covered.
    E.g., PCI-DSS coverage
    E.g., Apache case.
  Review every year, as if it were the first time.
19
Cyber-Risk Insurance Best Practices
Examples of Common Gaps
Definitions
  “Employee” – is it all-inclusive?
  “Control Group” – knowledge, exclusions, notice
  “Network”
  PII/Confidential Business Information
  Damages – does it include fines? Penalties?
  Regulators – does it include HIPAA, ERISA, SEC; “formal” v. informal?
Exclusions
  Contract
  War Exclusion
Other
  Retro Date
  The Word “Direct”
  Cryptocurrency (e.g., bitcoin)
  Single v. Multiple Event
  Actual v. Suspected
20
Cyber-Risk Insurance Best Practices
4. Think outside of the box on endorsements.
  Dependent service provider and contingent business interruption coverages
  Difference in Conditions (DIC) insurance, including provisional protection in the event of a coverage dispute.
  Property endorsements that offer DIC and Difference in Limits (DIL) insurance to the scheduled property for loss and damage related to cyber events.
21
Cyber-Risk Insurance Best Practices
5. Spread the risk.
  Contractual requirements for types and amounts of insurance
  Additional insured provisions
    BUT, may require carve-backs for certain exclusions (e.g., insured-versus-insured exclusion)
  Shift loss through litigation
22
Cyber-Risk Insurance Best Practices
6. Don’t stop thinking about insurance after the policies are in place.
  Insurance may come up again …
    Change in control.
    Change in scope of services/work.
    Acquisitions/mergers.
    New risks.
    New contracts.
23
Cyber-Risk Insurance Best Practices
7. Make sure you have the right advocates . . .
  Counsel
  Vendors
. . . and then get them pre-approved.
24
Read more from Lorie and Jenn at Hunton’s Insurance Recovery Blog:
Lorelie S. Masters is a nationally recognized insurance coverage litigator who has advised clients on a wide range of liability coverages, including insurance for environmental, employment, directors and officers, fiduciary, property damage, cyber, and other liabilities. Most recently, she obtained a settlement worth millions of dollars under D&O and E&O policies bought by a national nonprofit facing RICO and other high-stakes claims. She served as lead trial counsel for the policyholder in an action enforcing CGL insurance coverage for the then-largest property damage class action settlement ever. The National Law Journal called that jury’s verdict one of the “most significant jury verdicts” of the year.

In addition to litigating insurance coverage disputes, Jennifer White advises industry leaders in finance, retail, manufacturing, and energy at the purchase and renewal stages of various types of insurance policies. Jenn excels at advising clients about how to improve cyber and crime insurance programs, and internal controls.