
Cybersecurity Risk Transfer

Wednesday, October 30, 2013

Part IV of a four-part series on Cybersecurity

Presented by Arthur J. Gallagher & Co., Huron Legal and Pillsbury Winthrop Shaw Pittman

Presenters:

Joe DePaul, Arthur J. Gallagher & Co.

Rene Siemens & Joe Kendall, Pillsbury Winthrop Shaw Pittman

Today's Agenda

- Let's Recap:
  - Cybersecurity - Overview
  - Cybersecurity - Claims
  - Cybersecurity - Global Records Management & eDiscovery
- What is Risk Transfer?
  - Insurance / Non-Insurance
  - Alternative Methods of Risk Transfer
  - Risk Transfer via Contracting with IT Suppliers
- Coverage
  - Network Security Liability
  - Privacy Liability
  - Media Liability
  - Crisis Management
  - Cyber Extortion
  - Data Asset Protection
  - Business Interruption
  - Technology Products/Services E&O

Cyber Insurance Market Trends

Premiums ≈ $15,000 to $35,000 per $1,000,000 of limits, for low retentions

Soft market: premiums steadily declining

Large corporations were early adopters

Most growth is among middle market companies

[Chart: Total Premiums Underwritten, 2005-2012; y-axis from 0 to $1 billion]

The Regulatory Landscape is ... complex, challenging and growing

- 50 State Privacy Laws (County/Local) - laws or regulation
- Foreign Privacy Laws - UK ICO (Information Commissioner's Office) and many others (trans-border privacy issues); Canada
- White House Cybersecurity Executive Order
- Federal Trade Commission
- FACTA / Red Flags Rule
- HIPAA / HITECH
  - Standard for smooth, consistent, and secure electronic transmission of health care data.
  - PII/PHI - personally identifiable information / protected health information about individuals. PII includes driver's license numbers, Social Security numbers, credit card numbers, addresses, account numbers and PINs.
  - PHI includes written documents, electronic files, and verbal information. (Even information from an informal conversation can be considered PHI.)
  - Examples of PHI include:
    - Completed health care claims forms
    - Detailed claim forms
    - Explanations of benefits
    - Notes documenting discussions with plan participants
- SEC / GLB
- PCI DSS

Alternative Methods of Risk Transfer

Company Strategic Priorities

- Protect company assets and viability against loss or disruption
- Achieve the appropriate level of security commensurate with the sensitivity and amount of data collected and retained
- Protect company systems and data against threats to the network structure and network security
- Anticipate evolving threats targeting company system vulnerabilities
- Meet compliance obligations

Alternative Methods of Risk Transfer

Protect Data Investment

There are two primary ways to protect your data investment to avoid a cyber incident:

1. Minimize Risks Associated with Data Breaches by safeguarding your data

Good security is ...

- A business enabler
- A process
- A privacy enabler
- Risk based
- Built in
- Continuous improvement
- Flexible and changeable

Good security is not ...

- A business impediment
- A product or technology
- Privacy
- The absence of danger
- Added on
- Ahead of the adversary
- Static

Minimize Risks Associated with Data Breaches by safeguarding your data

1. You need a security framework that addresses
   - Protection - user authentication, encryption, firewalls, virus protection
   - Detection - intrusion detection, open source monitoring
   - Response - disaster recovery plan, incident response

2. Inventory your data by developing data maps
   - Know the Who, Where, What & Why
   - Limit access - commensurate with the sensitivity of the data
   - Secure your data through appropriate means - two-factor authentication, strong passwords and robust network security
   - Train all stakeholders - personal online security hygiene
   - Monitor your systems

Minimize Risks Associated with Data Breaches by safeguarding your data

3. Create a Data Breach Response Plan
   - Cross-disciplinary team - legal, business partners, vendors and law enforcement
   - Repeatable process that is well documented
   - Conduct assessments and drills

4. Implement an Information Governance Program by developing record retention schedules and policies
   - Records and information are retained for as long as legally or operationally required
   - Systematic destruction of records and information in the ordinary course of business
   - Protection of PII, vital and confidential records and information

"Moving to the Left" - Data Disposition

"Costs are volume driven. If we shrink volumes, we shrink costs."

Companies need to figure out how to get their electronic houses in order, to cut the costs and risks (e-Discovery and data breach) associated with ESI from initial creation through final disposition.

Takeaways for Big Data and Cybersecurity

- Good security is a process that is necessarily risk based
- 100% security does not exist ... anywhere
- Threats and attackers are real and interested in your data
- Educate employees on personal security hygiene
- Develop a plan for information governance
- Big databases are valuable assets and therefore targets
- You need a security framework that addresses Protection, Detection, and Response to minimize the risk of a breach
- Know who is responsible for protection in 3rd party hosting
- Prepare for incident response before the crisis

Risk Transfer via Contracting with IT Suppliers

Step 1 - Include Security Obligations

Supplier shall maintain an information security program that
- ensures the security of Customer Data and
- protects against unauthorized use or access of Customer Data

Supplier shall comply with Customer's Policies & Procedures

Specific IT requirements. Supplier shall
- encrypt all data
- maintain firewalls and security gateways
- monitor usage of User IDs / Passwords to access the System

Customer has the right to modify Customer policies - the only question is cost

Cloud Contracts
- Cloud Providers will not sign up for Customer's Policies and Procedures
- Their business model depends on a standardized service offering

Risk Transfer via Contracting with IT Suppliers

Step 2 - Audit and Compliance Provisions

- Customer should have robust rights to audit Supplier
- Supplier should provide Customer with audits performed for Supplier by third parties
  - SAS 70 Type II - previously used to evaluate Supplier's security, but was not designed to be a security audit
  - AICPA established SSAE 16 and the Service Organization Controls ("SOC") reporting framework in June 2011
  - SOC 1 - tests controls at a Supplier relevant to the Customer's internal controls over financial reporting
  - SOC 2 - tests controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy
  - Type I versus Type II - a Type I report verifies that the controls exist and are suitably designed as of a point in time; a Type II report also tests whether the controls operated effectively over a review period. Ask for Type II, and read the auditor's noted exceptions, not just the opinion.
  - ISO 27001 Certification

Risk Transfer via Contracting with IT Suppliers

Step 3 - Subcontracting and other Protections

Subcontracting
- Approval right, or notice at a minimum
- Key is to understand who may access data
- Subs obligated to comply with the same security obligations as Supplier
- Supplier responsible for actions of subcontractors

Restrictions on Supplier's Delivery Location
- Supplier will not change the location from which it provides Services without Customer's consent

Obligations to Destroy/Clean Media
- Supplier shall remove all Customer Data from any media which is retired and destroy or securely erase such media as Customer directs

Risk Transfer via Contracting with IT Suppliers

Step 4 - What if there is a Cybersecurity Incident? Supplier shall
- notify Customer within X hours
- investigate the Incident and provide a report
- remediate the Incident in accordance with a plan approved by Customer
- conduct a forensic investigation to determine the cause and what data / systems are implicated
- provide daily updates of its investigation to Customer and permit Customer reasonable access to the investigation
- cooperate with Customer's investigation

Customer (and not Supplier) makes the final decision on whether notices will be sent to affected individuals

Risk Transfer via Contracting with IT Suppliers

Step 5 - Risk Shifting Liability Provisions

Traditionally Supplier's liability for data breach was unlimited

Today, due to the increasing number of cybersecurity incidents, Suppliers seek to limit liability as much as possible by:
- inserting a liability cap
- limiting liability to their breach of data security obligations
- preserving the defense that damages are consequential (not recoverable)

Supplier should be liable for any issues caused by Supplier's "fault or negligence" (which includes an omission as well as not performing an obligation)

Separate liability pool for these damages

Stipulate the types of costs that are recoverable, to avoid the claim that the damages are "consequential" and therefore not recoverable. Include: preparation / sending of Notices, credit monitoring services, etc.

Where are the Gaps with Traditional Insurance?

Exposure                  General Liability   Property   E&O/D&O    Crime      Cyber
Network security          POSSIBLE            POSSIBLE   POSSIBLE   POSSIBLE   COVERAGE
Privacy breach            POSSIBLE            POSSIBLE   POSSIBLE   POSSIBLE   COVERAGE
Media liability           POSSIBLE            NONE       POSSIBLE   NONE       COVERAGE
Professional services     POSSIBLE            NONE       POSSIBLE   POSSIBLE   COVERAGE
Virus transmission        POSSIBLE            POSSIBLE   POSSIBLE   POSSIBLE   COVERAGE
Damage to data            POSSIBLE            POSSIBLE   POSSIBLE   POSSIBLE   COVERAGE
Breach notification       POSSIBLE            NONE       POSSIBLE   POSSIBLE   COVERAGE
Regulatory investigation  POSSIBLE            NONE       POSSIBLE   POSSIBLE   COVERAGE
Extortion                 POSSIBLE            NONE       POSSIBLE   POSSIBLE   COVERAGE
Virus/hacker attack       POSSIBLE            POSSIBLE   POSSIBLE   POSSIBLE   COVERAGE
Denial of service attack  POSSIBLE            POSSIBLE   POSSIBLE   POSSIBLE   COVERAGE
Business interruption

Exposure Category - Description

Network Security Liability - Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach

Privacy Liability - Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care, custody and control

Media Liability - Covers the Insured for Intellectual Property and Personal Injury perils that result from an error or omission in content (coverage for Patent and Trade Secrets is generally not provided)

Regulatory Liability - Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws

Crisis Management
- Notification Expense - 1st party expenses to comply with Privacy Law notification requirements
- Credit Monitoring Expense - 1st party expenses to provide up to 12 months of credit monitoring
- Forensic Investigations - 1st party expenses to investigate a system intrusion into an Insured Computer System
- Public Relations & Call Center - 1st party expenses to hire a Public Relations firm & manage a Call Center

Data Recovery - 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security

Business Interruption - 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security

Cyber Extortion - Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack

Technology Services/Products & Professional Errors & Omissions Liability - Technology Products & Services and Miscellaneous E&O can be added to a policy when applicable

3rd Party Coverage

Network and Privacy Liability

Coverage for:
- Claims arising from unauthorized access to data containing identity information
- Failure to protect non-public information (PII / PHI / Corporate Confidential Information) in your care, custody and control
- Transmission of a computer virus, and
- Liability associated with the failure to provide authorized users with access to the company's website

3rd Party Coverage

Technology Products/Services Errors & Omissions

Coverage for:
- Claims arising from the failure of a technology product or service to perform as indicated

Media Liability

Coverage for:
- Claims arising from Personal Injury perils - on/off line
- Defamation / infringement / libel / slander (*not Patent / Trade Secret)

1st Party Coverage

Crisis Management / Security Breach Remediation and Notification Expenses

Coverage for:
- Crisis Management Expenses
  - Expenses to obtain legal assistance to navigate the event, determine which regulatory bodies need to be notified and which laws would apply
  - Public relations services to mitigate negative publicity as a result of cyber liability
  - Forensic costs incurred to determine the scope of a failure of Network Security and determine whose information was accessed
  - Notification to those individuals of the security breach
  - Credit monitoring
  - Call center to handle inquiries

1st Party Coverage

Computer Program and Electronic Data Restoration Expenses

Coverage for:
- Expenses incurred to restore data lost from damage to computer systems due to a computer virus or unauthorized access

Cyber Extortion

Coverage for:
- Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on a computer system, or disclose electronic data/information

Business Interruption and Additional Expense

Coverage for:
- Loss of income, and the extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack

Ten Tips For Buying Cyber Insurance

#1 - Make sure your limits and sub-limits are adequate

Average remediation cost is $7.2 million per data breach event

Average remediation cost is $214 per record

Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010)

WARNING! Many policies impose inadequate sub-limits for "crisis management expenses" and "regulatory action" expenses

Ten Tips For Buying Cyber Insurance

#2 – Ask for retroactive coverage

What if a breach happens before you buy insurance, but you were unaware of it?

Retroactive coverage insures prior unknown events that result in claims or expenses during the policy period

Commonly available for 1, 2, 5 or 10 year periods, and sometimes unlimited

Ten Tips For Buying Cyber Insurance

#3 – Watch out for “panel” and “consent” provisions

Policies often provide that you must use the insurance company’s pre-approved forensic consultants, defense counsel, etc.

Make sure that your advisers and attorneys are pre-approved

Or reject panel provisions and insist on control

Policies often say that forensic, notification and defense costs are covered only if you obtain the insurer’s “prior consent”

Ask for policy language specifying that the insurer’s consent “shall not be unreasonably withheld”


Ten Tips For Buying Cyber Insurance

#4 - Make sure you are covered for your vendors' errors and omissions

Example:

Bad

"The Insurer shall pay all Loss that an Insured incurs as a result of your actual or alleged breach of duty to maintain security or confidentiality of Confidential Information"

Good

"The Insurer shall pay all Loss that an Insured incurs as a result of any alleged failure to protect Confidential Information in the care, custody and control of the Insured or a third party to which an Insured has provided Confidential Information"

Ten Tips For Buying Cyber Insurance

#4, cont'd - Conversely, if you handle data for others, make sure your liability to them is covered too

Example:

Bad

"The Insurer will not make any payment for any claim alleging or arising from … your performance of services under a contract with your client"

Better

"The Insurer will not pay for Claims arising out of breach of contract; provided, however, that this exclusion shall not apply to liabilities that the Insured would have in the absence of contract, or arising out of breach of a confidentiality agreement or a professional services agreement for the handling of confidential information"

Best

"The Insurer will pay on behalf of the Insured all Damages and Claim Expense which the Insured becomes legally obligated to pay because of liability

Ten Tips For Buying Cyber Insurance

#5 - Make sure you are covered for loss of data, not just theft or unauthorized access

Example:

Bad

"A covered breach shall include the unauthorized acquisition, access, use, or disclosure of confidential information"

Good

"A covered breach shall include the unauthorized acquisition, access, use,

Ten Tips For Buying Cyber Insurance

#6 - Avoid "one size fits all" crisis management coverage

Example:
- Bank suffers loss of thousands of customer credit card numbers
- Insurance policy covers the cost of providing notice and credit monitoring
- Bank would rather just cancel and re-issue the cards, but that cost isn't covered

Lesson: When procuring insurance, negotiate for the coverage you will actually need

Ten Tips For Buying Cyber Insurance

#7 – Beware of hidden traps

Example:

Bad

“The Insurer shall pay Crisis Management Expenses incurred by an Insured arising out of a Claim”

Good

“The Insurer shall pay Crisis Management Expenses incurred by an Insured in response to an actual or alleged security breach”


Ten Tips For Buying Cyber Insurance

#8 - Harmonize cyber insurance with your indemnity agreements

Bad

"The Insurer's liability applies only to amounts in excess of the policy's Self-Insured Retention. Such Retention Amount shall be borne by the Insured, uninsured and at their own risk"

Good

"The Insurer's liability applies only to amounts in excess of the policy's Self-Insured Retention. Such Retention Amount may be paid either by the Insured, or by the Insured's other insurance, or indemnified by third parties"

Emerging Issues:
- If you contractually waive or cap your indemnity rights against vendors, will your insurer use that as an excuse to deny coverage?
- "Cloud" vendors often refuse to indemnify

Ten Tips For Buying Cyber Insurance

#9 - Harmonize cyber insurance with your other insurance & your vendors' insurance

- Review your agreements with vendors
- Make sure your vendors are required to have adequate insurance
- Ask to be added as an additional insured on their policies
- Make sure your policy's "other insurance" clause specifies that their policy will apply first

Example:

"This Policy shall be primary, unless the Insured is also covered for the loss under the insurance of a third party, in which case this insurance shall apply excess of amounts actually paid by that other insurance"

Ten Tips For Buying Cyber Insurance

#10 – Negotiate favorable defense provisions

“Pay defense costs on behalf of” vs. “duty to defend”

Will you control your own defense?

At least negotiate the right to choose your own counsel if the policy has a “panel” provision

Negotiate specific deadlines for payment by the insurer (e.g., within 30 days of invoicing)


What If You Don't Have Cyber Insurance?

The insurance industry often asserts that there is no coverage under most conventional insurance for privacy and network security breaches, but many courts disagree.

The most recent example: DSW, Inc. v. National Union (6th Cir. July 17, 2012) holds that the costs of customer communications, public relations, lawsuits, attorneys' fees, and fines imposed by Visa and MasterCard resulting from a hacking incident in which 1.4M customers' information was stolen were covered losses under a crime policy.

Therefore, even if you have a cyber insurance policy, tender to your other insurers! You have little to lose and much to gain.

"Many company networks are compromised … without them even knowing it."

Cybersecurity Webinar Series

- 9/18: Cybersecurity Overview
  - Catherine Meyer and David Stanton - Pillsbury Winthrop Shaw Pittman
  - Joe DePaul - Arthur J. Gallagher & Co.
- 10/2: Cybersecurity Claims
  - Joe DePaul - Arthur J. Gallagher & Co.
  - Rene Siemens - Pillsbury Winthrop Shaw Pittman
  - Chris Adams - Huron Legal
- 10/16: Cybersecurity Issues Related to Global Records Management and E-Discovery
  - Catherine Meyer and David Stanton - Pillsbury Winthrop Shaw Pittman
  - Carolyn Southerland - Huron Legal
- 10/30: Cybersecurity Risk Transfer
  - Joe DePaul - Arthur J. Gallagher & Co.
  - Laurey Harris - Huron Legal
  - Rene Siemens, Joe Kendall - Pillsbury Winthrop Shaw Pittman

Please complete our Cybersecurity survey.

Contact Details

Joe DePaul
Managing Director, CyberRisk Services
Arthur J. Gallagher & Co.
[email protected]
35 Waterview Blvd., 3rd Floor
Parsippany, NJ 07054
Ph +1.973.939.3646

Rene Siemens
Pillsbury Winthrop Shaw Pittman LLP
[email protected]
725 South Figueroa Street, Suite 2800
Los Angeles, CA 90017-5406
Ph +1.213.488.7277

Joseph E. Kendall
Pillsbury Winthrop Shaw Pittman LLP
[email protected]
2300 N Street, NW
Washington, DC 20037
Ph +1.202.663.8350

Laurey Harris
Huron Legal
[email protected]
9101 Kings Parade Blvd., Ste. 300
Charlotte, NC 28273
