
Managing Cyber Risk Through Insurance and Vendor Contracts



Presentation on theme: "Managing Cyber Risk Through Insurance and Vendor Contracts"— Presentation transcript:

1 Managing Cyber Risk Through Insurance and Vendor Contracts
Dino Tsibouris (614)
Tom Srail, SVP, FINEX NA – Cyber and E&O Team
Mehmet Munur (614)

2 Outline
Cyber risks
Costs relating to cyber risks
Use of insurance for cyber risks
Lawsuits relating to insurance policies
Strategies in obtaining coverage
Traditional v. Cyber Insurance
Vendors
Conclusion

3 Cyber Risks
Hacking incidents
Data breaches
Privacy breaches
Unauthorized access
Social engineering
Vandalism or defacement
Cyber extortion
Regulatory enforcement following incidents

4 Cyber Risks
Privacy is a heightened & evolving exposure
Reliance on Vendors (Cloud, IT, HR)
Regulatory Changes
Underwriters are paying multi-million dollar losses
Business Interruption and Systems Failure
Credit card related fines and lawsuits
“Cyber” Insurance has broadened to address these risks

5 “CYBER” INSURANCE TIMELINE
[Timeline chart, 1996–2012, with three tracks:]
Insurance History: Cyber Insurance Introduced; Notice Costs Covered; Broad Privacy Ins.; Vendor Coverage; Corp Confidential Info; PCI Fines & Penalties; Systems Failure; Reg. Fines & Penalties
Regulatory/Industry History: HIPAA; GLB; SB1386; PCI; HITECH; SEC
Claims/Losses History: Card Systems; TJX; Heartland; Epsilon/Sony

6 What is the Data?
What Data do you collect/process?
  Personally Identifiable Information (PII): SSN, Drivers License, etc.
  Payment Card Information (PCI): Credit Card, Debit Card Numbers
  Protected Health Information (PHI)
  Personal or Sensitive Personal Data (EU)

7 Where is the Data?
Where is it?
Do you share with third parties?
How well is it protected?
How long is it kept?
What is a Breach?
  Unauthorized disclosure
  Unauthorized acquisition
  Data compromised


9 Costs of a Data Breach
Cost per record: $214 (2010) (up $10 from 2009): direct costs $73, indirect costs $141
DIRECT COSTS
  Notification
  Call Center
  Identity Monitoring (credit/non-credit)
  Identity Restoration
  Discovery / Data Forensics
  Loss of Employee Productivity
INDIRECT COSTS
  Restitution
  Additional Security and Audit Requirements
  Lawsuits
  Regulatory Fines
  Loss of Consumer Confidence
  Loss of Funding
Source: Ponemon Institute

10 Costs of a Data Breach
Notification: $1/individual
Credit monitoring: $15-$50/individual
Call Centers, Fraud Alerts, Database Scanning, Restoration Services
Civil, regulatory and possibly criminal defense
Data Privacy counsel can cost $1,000+ per hour
Business Interruption Costs/Data Damage?

11 [Chart] Source: Advisen Cyber Risk Special Report

12 [Chart] Source: Advisen Cyber Risk Special Report


14 Security Incidents and Insurance Proceeds
[Chart, in millions of dollars] Source: SEC

15 Creative Hospitality Ventures v. US Liability Insurance
Restaurant gives customers receipts showing full account number in violation of FACTA.
Class action lawsuit ensues.
Restaurant seeks coverage under CGL policy.

16 Creative Hospitality Ventures v. US Liability Insurance
Policy limited to “personal and advertising injury,” defined as any publication that invaded the right to privacy.
Circuit court reversed the magistrate's holding that printing the receipt was a publication.
Therefore, no coverage.

17 Auto-Owners Insurance v. Websolv
Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.
Websolv seeks coverage under CGL policy.
Auto-Owners sued, arguing that it had no duty to defend under:
  Advertising Injury – publication & privacy
  Property Damage – fax

18 Auto-Owners Insurance v. Websolv
Appeals court held that Iowa law, not Illinois law, applied and that the policy did not cover the injury.
Appeals court distinguished:
  Privacy interest v. seclusion interest
  Publication v. secrecy
  Damages expected v. intended
Concluded that there was no coverage.

19 Eyeblaster v. Federal Insurance
Computer user sues Eyeblaster alleging injuries relating to its advertising software.
Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.
Federal denies coverage and brings this lawsuit.

20 Eyeblaster v. Federal Insurance
CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”
District court finds that there is no physical injury; therefore, no coverage.
Appeals court finds that inability to use the computer constitutes injury under the policy and reverses.

21 Zurich Insurance v. Sony
Sony’s online networks are attacked and passwords are compromised.
Sony shuts down PSN for weeks.
Sony offers fraud monitoring.
Sony offers discounted games in apology.
Sony is sued in tens of class action lawsuits.
Zurich sues Sony for declaratory judgment.

22 Zurich Insurance v. Sony
Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.
Zurich claims that its insurance policies cover:
  Bodily injury
  Property damage
  Personal and advertising injury
Litigation ongoing.

23 Common Issues
Interpretation of undefined terms is crucial to coverage.
Interpretation varies depending on trial court, appeals court, and state law.
Litigating an insurance policy consumes time and resources.

24 Common Issues
Data may not be tangible personal property.
Publication may not have occurred.
Privacy rights may not have been breached.

25 Common Issues
CGL policy covers specific risks.
Cyber risks may not be covered.
Coverage varies widely among policies.

26 Traditional Insurance Gaps
Theft or disclosure of third party information (GL)
Security and privacy – “Intentional Act” exclusions (GL)
Data is not “tangible property” (GL, Prop, Crime)
Bodily Injury & Property Damage triggers (GL)
Value of data if corrupted, destroyed, or disclosed (Prop, GL)

27 Traditional Insurance Gaps
Contingent risks (from external hosting, etc.)
Commercial Crime policies require intent and only cover money, securities and tangible property
Territorial restrictions
Sublimit or long waiting period applicable to any virus coverage available (Prop)

28 Preparation is Key
Policy must be part of an Enterprise Risk Management program
Utilize privacy, security, and legal:
  Policies
  Procedures
  Controls
Understand probability and magnitude of risk
Audit products and services

29 Preparation is Key
Ask Your Privacy / IT professionals:
  Incident Response Plan (tested?)
  Vendor Contracts / Insurance Requirements
  Privacy Risk Assessment
Check Existing Insurance
  Gap Analysis
  New coverage terms must integrate with Response Plans
  Traditional Policies

30 Cyber Risk Coverage
Data breach
Governmental civil actions
Virus liability
Content liability
Extortion
Lost data

31 Privacy & Network Coverages
Expense (Loss Mitigation) Coverage
  Data Breach Expenses: Consumer notification and credit monitoring service costs (sub-limit)
  Forensics/Investigations
  Public Relations/Crisis Management Expenses

32 Privacy & Network Coverages
Liability Coverage
  Privacy Liability
  Network Security Liability
  Media, IP and Content Liability

33 Privacy & Network Coverages
Direct (First Party) Coverage
  Revenue Loss (Interruption to income due to systems outage)
  Data Reconstruction

34 Limits and Exclusions
Must the insured notify you right away?
Indemnification for losses or claims, too?
Who chooses the lawyer to defend a lawsuit?
Are there preferred vendors?
Limitation of liability – dollar amount?

35 Vendor Contracts
Breaches may occur at a vendor.
Contract clauses and limitations should harmonize with insurance clauses.
Damage limits should factor in policy limits.
Notify if a breach may have occurred.
Should they tender your defense?
You are liable, but they can help.

36 Vendor Contracts
IT/Software Companies
  Request Tech E&O, plus Privacy/Network Coverage
  Some Tech E&O policies have security/privacy exclusions
  Breach could occur without a “wrongful act” being committed

37 Vendor Contracts
Business Services – Payroll, Auditors, Counsel
  Request appropriate E&O coverage
  Request Privacy/Network coverage
Credit Card Processors/Acquiring Banks
  Request Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)

38 Vendor Contracts
Other Vendors that transport, touch, or interact with your systems or sensitive information
  Request Privacy/Network coverage

39 Upcoming Issues
Revisions to the EU Data Protection Directive that propose fines of up to 2% of a company's annual turnover
Federal data breach notification in the U.S.
FTC Final Privacy Report and Privacy by Design
Department of Commerce multi-stakeholder enforceable codes of conduct process

40 Outline
Cyber risks
Costs relating to cyber risks
Use of insurance for cyber risks
Lawsuits relating to insurance policies
Strategies in obtaining coverage
Traditional v. Cyber Insurance
Vendors
Conclusion

41 Questions
Dino Tsibouris (614) 360-3133 dino@tsibouris.com
Tom Srail, SVP, FINEX NA – Cyber and E&O Team
Mehmet Munur (614)

