
CYBER INSURANCE. Cyber Insurance and Gaps in Traditional Insurance. Cyber and E&O Team Willis FINEX North America


CYBER INSURANCE

Cyber Insurance and

Gaps in Traditional Insurance

Cyber and E&O Team


Privacy & Network Security (Cyber) Insurance

COVERAGE MODULES

• Privacy Expense
  • Consumer Notification and Credit Monitoring Service Costs; Forensics/Investigations; Public Relations/Crisis Management Expenses; Call Center, ID Theft Services
• Third Party
  • Privacy Liability
  • Security Liability
  • Media Liability
• First-Party
  • Data Damage
  • Business Interruption
  • Extortion


Privacy & Network Security (Cyber) Insurance

• Third Party:
  • PRIVACY LIABILITY:
    - Release (negligent or intentional) of personally identifiable information (PII) or personal health information (PHI) by anyone, including vendors
    - Regulatory defense, fines and penalties
  • SECURITY LIABILITY:
    - Damage to third party data (Virus, Hacker)
    - Lack of availability of your network applications (Denial of Service attack)
  • MEDIA LIABILITY:
    - Wrongful acts in connection with media and publishing risks, including Copyright and Trademark Infringement (online and offline)
• PRIVACY EXPENSES:
  • Consumer Notification and credit monitoring service costs
  • Forensics/Investigations
  • Public relations/Crisis Management expenses
  • Call Center, ID Theft Services


Privacy & Network Security (Cyber) Insurance

• First-Party:
  • DATA DAMAGE:
    - Re-creation of damaged or deleted data
    - Triggered by “Security” failure
  • BUSINESS INTERRUPTION:
    - Business income loss due to disruption of network applications
    - Triggered by “Security” failure
    - Limited “System Failure” coverage available (Chartis, Kiln)
  • EXTORTION:
    - Cyber Extortion threats, ransom & expenses
• Can sometimes be combined with Errors & Omissions coverage
  • Technology E&O (always)
  • Media E&O (nearly always)
  • Lawyers, Miscellaneous (sometimes)


“Cyber” Insurance Timeline

[Figure: timeline spanning 1996 to 2012 with three tracks: Insurance History, Regulatory/Industry History, Claims/Losses History. Labels on the timeline: HIPAA; Cyber Insurance Introduced; Broad Privacy Ins.; Vendor Coverage; Corp Confidential Info; GLB; SB1386; HITECH; TJX; Heartland; Card Systems; Notice Costs Covered; PCI Reg. Fines & Penalties; PCI Fines & Penalties; Epsilon; Sony.]


What is different today?

Privacy is a heightened & evolving exposure

Failing to protect personally identifiable information (PII) (employee, customer, vendor) or Personal Health Information (PHI) (customers, patients, members, employees)

Regulatory Changes; Fines/Penalties

Credit card issuers/banks are suing for cost to reissue cards

Defrauded merchants are suing breached organizations

“Cyber” (aka Privacy and Network Security) Insurance has broadened to address these risks

Expenses and Liabilities Growing


Previously, the IT infrastructure was the target

Today’s target is private / confidential information of your customers or your clients’ customers.

Consequence: Financial & Reputational Loss

In the past few years, attackers have begun to change targets, motivation and tactics.


Traditional Insurance Gaps

Theft or disclosure of third party information (GL)

Security and privacy – “Intentional Act” exclusions (GL)

Data is not “tangible property” (GL, Prop, Crime)

Bodily Injury & Property Damage triggers (GL)

Value of data if corrupted, destroyed, or disclosed (Prop, GL)

Contingent risks (from external hosting, etc.)

Commercial Crime policies require intent, only cover money, securities and tangible property.

Territorial restrictions

Non-Medical/financial and employee data (MC E&O)


Privacy/Network Security Risk Gaps in Traditional Insurance (Typical)

Policy types compared: Property; General Liability; Crime/Bond; K&R; E&O; Privacy/Network

1st Party Privacy/Network Risks
• Physical damage to Data
• Virus/Hacker damage to Data
• Denial of Service attack
• B.I. Loss from security event
• Extortion or Threat
• Employee sabotage

3rd Party Privacy/Network Risks
• Theft/disclosure of private info
• Confidential Corporate Info breach
• Technology E&O
• Media Liability (electronic content)
• Privacy breach expense/notification
• Damage to 3rd party’s data
• Regulatory Privacy Defense/Fines
• Virus/malicious code transmission

Legend: Coverage Provided; Limited Coverage


Finding the Gaps

General Liability
• Exclusions
• Definition of “Personal/Advertising Injury”
• Definition of Property Damage (doesn’t include data)

Property
• Definition of Property (doesn’t include data)
• Look for “electronic vandalism”, virus, or other sublimits
• Don’t be fooled by “EDP” coverage

E&O
• Construct of claim – negligence in providing services for a fee
• Exclusions (unauthorized access)

Crime
• Coverage for theft of money


Regulations to know…

• “SB1386” (California 2003)
  • The first of the “state breach notification laws”. 46 states/territories now have similar statutes
• HIPAA (Two “A”s, One “P” please)
  • Health Insurance Portability and Accountability Act
  • Set standards for privacy and security of “Protected Health Information” (PHI), or personal medical data
• HITECH
  • Health Information Technology for Economic and Clinical Health Act
  • 2009 “updates” to HIPAA, via the “Stimulus Act” (ARRA)
  • Introduced FEDERAL notification law for Medical data
  • Increased fines/penalties under HIPAA
• International Laws
  • Breach notice laws: Australia, New Zealand, Ireland, Canada, and growing…


Who is buying Cyber?

• Early Adopters:
  • Retailers (Payment card info (credit/debit))
  • Healthcare (PHI)
  • Financial Institutions (SSN, Financial records)
  • Technology (Serves all of the above and more)
• Common purchasers today also include:
  • Higher Education (CCN, Personal Data)
  • Hospitality (Hotel, Casino)
  • Insurance Companies (PII, PHI, SSN, etc)
  • Restaurants (PCI)
  • Managed Care Industry (Health Insurers, PBM)


Cyber Carriers Include

Ace
Allied World (Darwin)
Axis
Beazley
Brit
CFC
Chartis
Chartis Lexington
Chubb
CNA
Digital Risk
Hartford
Hiscox
Travelers
Zurich

Additional Excess Capacity in Bermuda/Europe

Admiral
Arch
Crum & Forster
Euclid
Ironshore
Liberty International
Markel
NAS
Navigators
OneBeacon
Philadelphia
Progressive
RLI
Safeonline
ThinkRisk
XL


What if there IS coverage?

Other Insurance Clauses
• Get Cyber to align with other policy(ies)
• Primary/Excess
• Deductible erosion
• Module by module?

Most common interactions:
• Managed Care E&O
• Media Liability
• Property (FM Global)
• Broad GL, manuscript


Tools & Resources

Cyber / E&O Insurance Panel

GMW! > Placement > Panels > E&O Portfolio

Middle Market placements; under $100k premium

FINEX North America

18 Cyber Resources (Cleveland, NY, Boston, LA, Dallas)

WRS accounts

Expertise Portal

Sales 2.0 Core Risk Review > Cyber & Network Liability
