CYBER INSURANCE
Cyber Insurance and
Gaps in Traditional Insurance
Cyber and E&O Team
Privacy & Network Security
(Cyber) Insurance
COVERAGE MODULES
Privacy Expense
Consumer Notification And Credit Monitoring Service Costs; Forensics/Investigations; Public Relations/Crisis Management Expenses; Call Center, ID Theft Services
Third Party: Privacy Liability; Security Liability; Media Liability
First-Party: Data Damage; Business Interruption; Extortion
Third Party:
PRIVACY LIABILITY:
– Release (negligent or intentional) of personally identifiable information (PII) or personal health information (PHI) by anyone, including vendors
– Regulatory Defense, fines and penalties
SECURITY LIABILITY:
– Damage to third party data (Virus, Hacker)
– Lack of availability of your network applications (Denial of Service attack)
MEDIA LIABILITY:
– Wrongful acts in connection with media and publishing risks, including Copyright and Trademark Infringement (online and offline)
PRIVACY EXPENSES:
– Consumer Notification and credit monitoring service costs
– Forensics/Investigations
– Public relations/Crisis Management expenses
– Call Center, ID Theft Services
First-Party:
DATA DAMAGE:
– Re-creation of damaged or deleted data
– Triggered by “Security” failure
BUSINESS INTERRUPTION:
– Business income loss due to disruption of network applications
– Triggered by “Security” failure
– Limited “System Failure” coverage available (Chartis, Kiln)
EXTORTION:
– Cyber Extortion threats, ransom & expenses
Can sometimes be combined with Errors & Omissions coverage:
– Technology E&O (always)
– Media E&O (nearly always)
– Lawyers, Miscellaneous (sometimes)
“Cyber” Insurance Timeline
[Timeline figure, 1996–2012, with three tracks: Insurance History, Regulatory/Industry History, Claims/Losses History.]
[Labels shown: Cyber Insurance Introduced, Broad Privacy Ins., Vendor Coverage, Corp Confidential Info, Notice Costs Covered, Reg. Fines & Penalties, PCI Fines & Penalties; HIPAA, GLB, SB1386, HITECH, PCI; TJX, Heartland, Card Systems, Epsilon, Sony.]
What is different today?
Privacy is a heightened & evolving exposure
– Failing to protect personally identifiable information (PII) (employee, customer, vendor) or Personal Health Information (PHI) (customers, patients, members, employees)
– Regulatory Changes; Fines/Penalties
– Credit card issuers/banks are suing for cost to reissue cards
– Defrauded merchants are suing breached organizations
– “Cyber” (aka Privacy and Network Security) Insurance has broadened to address these risks
– Expenses and Liabilities Growing
Previously, the IT infrastructure was the target.
Today’s target is private/confidential information of your customers or your clients’ customers.
Consequence: Financial & Reputational Loss
In the past few years, attackers have begun to change targets, motivation and tactics.
Traditional Insurance Gaps
Theft or disclosure of third party information (GL)
Security and privacy – “Intentional Act” exclusions (GL)
Data is not “tangible property” (GL, Prop, Crime)
Bodily Injury & Property Damage triggers (GL)
Value of data if corrupted, destroyed, or disclosed (Prop, GL)
Contingent risks (from external hosting, etc.)
Commercial Crime policies require intent, only cover money, securities and tangible property.
Territorial restrictions
Non-Medical/financial and employee data (MC E&O)
Privacy/Network Security Risk Gaps in Traditional Insurance (Typical)
Policy columns: Property; General Liability; Crime/Bond; K&R; E&O; Privacy/Network
1st Party Privacy/Network Risks
– Physical damage to Data
– Virus/Hacker damage to Data
– Denial of Service attack
– B.I. Loss from security event
– Extortion or Threat
– Employee sabotage
3rd Party Privacy/Network Risks
– Theft/disclosure of private info
– Confidential Corporate Info breach
– Technology E&O
– Media Liability (electronic content)
– Privacy breach expense/notification
– Damage to 3rd party’s data
– Regulatory Privacy Defense/Fines
– Virus/malicious code transmission
Legend (cell shading in the original chart): Coverage Provided; Limited Coverage
Finding the Gaps
General Liability
– Exclusions
– Definition of “Personal/Advertising Injury”
– Definition of Property Damage (doesn’t include data)
Property
– Definition of Property (doesn’t include data)
– Look for “electronic vandalism”, virus, or other sublimits
– Don’t be fooled by “EDP” coverage
E&O
– Construct of claim – negligence in providing services for a fee
– Exclusions (unauthorized access)
Crime
– Coverage for theft of money
Regulations to know…
“SB1386” (California 2003)
– The first of the “state breach notification laws”. 46 states/territories now have similar statutes
HIPAA (Two “A”s, One “P” please)
– Health Insurance Portability and Accountability Act
– Set standards for privacy and security of “Protected Health Information” (PHI), or personal medical data
HITECH
– Health Information Technology for Economic and Clinical Health Act
– 2009 “updates” to HIPAA, via the “Stimulus Act” (ARRA)
– Introduced FEDERAL notification law for Medical data
– Increased fines/penalties under HIPAA
International Laws
– Breach notice laws: Australia, New Zealand, Ireland, Canada, and growing…
Who is buying Cyber?
Early Adopters:
– Retailers (Payment card info (credit/debit))
– Healthcare (PHI)
– Financial Institutions (SSN, Financial records)
– Technology (Serves all of the above and more)
Common purchasers today also include:
– Higher Education (CCN, Personal Data)
– Hospitality (Hotel, Casino)
– Insurance Companies (PII, PHI, SSN, etc)
– Restaurants (PCI)
– Managed Care Industry (Health Insurers, PBM)
Cyber Carriers Include
Ace
Allied World (Darwin)
Axis
Beazley
Brit
CFC
Chartis
Chartis Lexington
Chubb
CNA
Digital Risk
Hartford
Hiscox
Travelers
Zurich
Additional Excess Capacity in Bermuda/Europe
Admiral
Arch
Crum & Forster
Euclid
Ironshore
Liberty International
Markel
NAS
Navigators
OneBeacon
Philadelphia
Progressive
RLI
Safeonline
ThinkRisk
XL
What if there IS coverage?
Other Insurance Clauses
– Get Cyber to align with other policy(ies)
– Primary/Excess
– Deductible erosion
– Module by module?
Most common interactions:
– Managed Care E&O
– Media Liability
– Property (FM Global)
– Broad GL, manuscript
Tools & Resources
Cyber / E&O Insurance Panel
• GMW! > Placement > Panels > E&O Portfolio
• Middle Market placements; under $100k premium
FINEX North America
• 18 Cyber Resources (Cleveland, NY, Boston, LA, Dallas)
• WRS accounts
Expertise Portal
• Sales 2.0 Core Risk Review > Cyber & Network Liability