CYBER LIABILITY INSURANCE


(1)

CYBER LIABILITY INSURANCE

CONTINUING EDUCATION CLASS – MARCH 6, 2013

PRESENTED BY COUSINO HARRIS STEWART V. NELSON, Senior Risk Advisor

Stewart.Nelson@Kapnick.com

(2)

Class Objectives

• Understand & explain need for Cyber Insurance
• Identify 5 major coverage options available
• Assist your clients in selecting best policy for their needs
• Discover recent trends in cyber cases, rulings & laws

(3)

Background on Cyber policies

• First issued in early 1990’s - web media risks, Software and Hardware protection
• Carriers added other features over next 12 years - notification, legal, forensics, call centers etc.
• Large businesses adopted fastest
• Small business slower

(4)

New Drivers in Cyber Liability

• State & federal Regulations
• Social media
• Contracts may require it
• More data stored
• Cloud computing

(5)

Why do we need Cyber insurance?

1. Tangible vs. intangible property
   Fuzzy concept - Bits & Bytes
   Hard to value – No premium for the risk
2. Concept of an “Occurrence” or trigger
   What is the trigger?
   Real vs. Potential harm
3. Carriers got better at excluding it

(6)

Why do we need Cyber Liability?

A. Exclusion 2.p. of Coverage A - Bodily Injury And Property Damage Liability in Section I - Coverages is replaced by the following:

2. Exclusions

This insurance does not apply to:

p. Electronic Data

Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property.

"Electronic data" means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), hard or floppy disks, CD-ROMs, tapes, drives, cells,… CG 04 37 04 13

(7)

Why do we need Cyber Insurance?

17. "Property damage" means:

a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it;

b. Loss of, loss of use of, damage to, corruption of, inability to access, or inability to properly manipulate "electronic data", resulting from physical injury to tangible property. All such loss of "electronic data" shall be deemed to occur at the time of the "occurrence" that caused it.

For the purposes of this insurance, "electronic data" is not tangible property.

(8)

So what are we going to do?

• Suing the carrier is not a sustainable risk management strategy!
• Low cost cyber insurance is readily available and affordable
• You must help your clients understand their data storage risks

(9)

Who is the enemy?

• 98% Committed by outsiders
• 58% of stolen data perpetrated by “Hacktivists”

(10)

How do they work?

• 81% used some form of hacking
• 69% used some form of malware

(11)

Commonalities of data breaches

• 79% targets of opportunity
• 85% of breaches took weeks or more to discover
• 97% of all data breaches were avoidable by simple preventive steps
• 92% were discovered by a third party

(12)

What data is worth to a hacker:

• Utility bill scanned = $10
• Full identity = $6 to $80
• Gmail user name & password = $80
• Facebook user name & password = $300
• Bank account credentials = $15 to $850
• Credit card with $1,000 Available = $25
• Credit card with personal information = $80

(13)

Criminals use data to:

• Obtain fraudulent credit cards
• Open store credit
• Medical identity theft
• Criminal identity theft
• Phone & utility fraud

(14)

Attacks on SMB increasing

75% of data breaches analyzed by Verizon in 2011 were in companies with less than 100 employees.

According to Accounting Web, 80% of small businesses that experience a data breach suffer serious financial losses and many go bankrupt.

(15)

Opportunity

How many companies think Cyber security is important?
Answer: 84%

What percentage have actually bought cyber policies?
Answer: 19%!

(16)

What is Cyber Liability?

Cyber – A prefix that means “computer” or “computer network”

Cyber Liability refers to risk associated with storing data, doing business on Internet or publishing a web site. Now we need to include

(17)

Two Parts of Cyber Liability Insurance

Property
• Data – yours or someone else’s
• Network – 1st or 3rd party
• Bus Income – 1st or 3rd party

Casualty (Liability)

(18)

What types of data?

1. Personal Information (PI)
   Names, DL numbers, SSN’s, addresses, email addresses, credit card data, phone numbers, age, sex, political affiliation, marital status, finger prints, blood type, education, financial information, employment history, criminal records.
2. Personal health Information (PHI)
   Medical records
3. Account numbers & passwords

(19)

Fed Regulatory Agencies & Acts

• Sarbanes-Oxley Act (SOX)
• Gramm-Leach-Bliley Act (GLB)
• Electronic Fund Transfer Act, Reg. E (EFTA)
• Children's Online Privacy Protection Act (COPPA)
• Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rule

(20)

Industry Specific Regs.

• Payment Card Industry (PCI DSS)

• Health Insurance Portability and Accountability Act (HIPAA)

• Health Information Technology for Economic and Clinical Health Act (HITECH)

• Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)

(21)

State Regulations & Acts

• State Attorneys General
• 47 States - Privacy Acts
• Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
• Nevada Personal Information Data Privacy

(22)

International Laws

• Canada - Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)

• Mexico - Law on the Protection of Personal Data Held by Private Parties

• European Union - Data Protection Directive; Safe Harbor

(23)

Data transparency requirements EU

• When the data subject has given his consent
• When processing is necessary for compliance with a legal obligation
• When processing is necessary in order to protect the vital interests of the data subject

(24)

Why I don’t need Cyber Insurance!

1. I am too small to be noticed – No hacker would target us.
2. Too expensive
3. Brokers don’t explain it very well
4. They believe they are covered
5. Just not paying attention
6. My IT guy says we don’t need it

(25)

What’s at risk for insureds?

Hard Costs
Ponemon Institute > $200 per record

Soft Costs

(26)

Who needs Cyber Liability Insurance?

(27)

Don’t Start With The Application! (You have some work to do first)

• Avoid the Risk
• Mitigate
• Transfer

(28)

Avoidance
a. Don’t collect personal data
b. Collect only data you actually use
c. Destroy data when not needed

Mitigate
a. Use Strong Passwords
b. Limit Access
c. Encryption
d. Penetration Testing

Transfer
a. Hold Harmless Agreements
b. Buy Cyber Liability Insurance

(29)

Let’s look at the 5 major sub types of Cyber Liability policies

1. Data Breach – Failure to protect an Individual’s privacy
2. Virus & Malware – Malicious code
3. Network Security – Loss or damage to a network & data
4. Media Liability – Web content
5. eVandalism & Extortion

(30)

I. Data Breach – First & Third Party Protection

Also called – Data Compromise, Data Security, Privacy Events, Event Management depending on carrier

Casualty Claims – Liability - Third Party Claims, Usually “Duty to Defend” but maybe not, Trigger is Wrongful Act

Property Claims – Cyber Crime, Indemnity, reimbursement, dedicated services, Trigger is

(31)

Data Breach – First Party Expenses may cover insureds for their:

• Legal services
• Forensic reviews
• Notification to third parties
• Credit monitoring
• Credit freezes
• Call centers
• Lost business income & EE
• Reconstruct lost data
• Public relations
• Regulatory fines and penalties

(32)

Data Breach – Potential Third Party (Liability) Expenses for:

• Privacy of your employees
• Privacy of Customers
• Legal expenses
• Arbitration
• Loss of 3rd Party data
• Violation of Federal or State regulations
• 3rd Party BI & EE
• Assumed liability by contract *

(33)

2. Virus & Malware – Malicious Software, First & 3rd Party

Vector:
• Trojan Horses
• Worms
• Key Stroke Loggers
• Phishing
• Advanced Persistent Threats (APT’s)
• Stuxnet

Causes:
• Network damage
• Lost BI & EE
• Data Breach

(34)

3. Network Security

• Loss of or damage to insured’s or 3rd party network or information
• Reasonable & necessary expenses that are required to restore the network or data

(35)

4. Publishing or Media Liability (Web Content)

• Copyright, slogan, trademark, trade or service name
• Emotional distress
• Libel, slander/defamation, product disparagement
• Invasion of privacy
• Plagiarism, failure to attribute
• Misstatement or misleading statement
• Failure to follow published privacy policy
• Wrongful entry or eviction

(36)

5. eVandalism & Cyber Extortion

• Trigger is the threat
• Loss
  Money paid to terminate threat
  Cost to investigate
  Travel expenses

(37)

Mechanics of a Cyber Liability policy

Manuscript policies – all are different; most are: Claims Made (and reported), Duty to defend, most defense inside limits.

Read Provisions, Definitions & Exclusions

• Coverage Summary – (Limits, Sub Limits, Retro dates)
• Insuring agreement
• Definitions (Claim, Loss, Insured, etc.)
• Settlement provisions
• Severability (White Hats/Black Hats)

(38)

Coverage Summary

What to look for:
• Limits & Sub Limits, Shared limits?
• Retro Dates & Continuity Dates
• Aggregates (hard to spot)
• Coinsurance

(39)

Insuring Agreement

What to look for:
Who, what, when and for what?

The Company shall pay, on behalf of the Insured, Loss on account of a Claim first made (and reported) during the Policy Period, or Extended Reporting Period if

(40)

Definitions:

What to look for:

Claim (broad as possible)
• Written demand for monetary or non‐monetary damages including injunctive relief.
• Civil proceedings
• Criminal proceedings
• Arbitration or mediation

Loss
Monetary & Non‐Monetary, Punitive, Civil Fines, HIPAA, Penalties, PCI‐DSS etc.

(41)

Definitions Cont:

What to look for:

Insured
• Covers contractual obligations if needed. Hard to find.
• Watch out for “Past” Officers/Directors – Insured v Insured

(42)

Settlement Provisions

Hammer Clauses
• Full – Insured responsible for expenses above the offer
• Modified – Company will pay expenses 50‐70% above offer

(43)

Severability

What to look for:
White Hats & Black Hats – Who knew what, when?

(44)

Exclusions:

• Liability assumed in a contract except liability they would have in the absence of a contract (Business Associates should watch out for this one!)
• Regulatory Taxes, Fines & Penalties
• Loss caused by an employee, officer, director, owner, Independent Contractors
• Fraudulent acts of insured
• Deliberate failure to report

(45)

Liability assumed in a contract

Based upon, directly or indirectly arising out of or in any way involving: An Insured’s actual or alleged liability under any oral or written contract or agreement, including but not limited to express warranties or guarantees.

Notwithstanding the foregoing exclusion, coverage otherwise available to an Insured shall apply to such Insured’s liability that exists in the absence of a contract.

(46)

Exclusions (Cont.)

• Interruptions (managed or hosted services, electrical failure, cable or telephone service)
• Failure to follow minimum required practices identified in the application or endorsement
• Criminal acts
• Intellectual Property
  software licenses
• Wireless networks

(47)

Other important Items to look for:

• Paper Records
• Laptops, Thumb & Hard Drives
• Fines & Penalties
• European Union
• Assumed Liability
• Cloud Storage

(48)

Other important items to look for (Cont.)

Avoid carriers that dabble in cyber
• Say things expressly
• Say what it covers & cover it

• Vicarious Liability

(49)

How is Cyber Liability Rated?

• Rating Basis
  Revenue
  Nature of business
  Number of records
• Security Practices
  Fire Walls
  Strong passwords
  Penetration testing
  Dedicated security team

(50)

Trends in data privacy enforcement

• Lower thresholds in data loss cases
• More subrogations
• Law suits being filed quicker
• Tougher HIPAA laws - Business Associates
• FTC getting more involved

(51)

Trends in data privacy enforcement (Cont.)

• OCR following up on smaller breaches
• Cloud computing – one sided contracts
• Aggressive State’s Attorneys General
• Potential Harm from Actual Harm

(52)

CYBER LIABILITY INSURANCE

CONTINUING EDUCATION CLASS – MARCH 6, 2013

PRESENTED BY COUSINO HARRIS STEWART V. NELSON, Senior Risk Advisor

Stewart.Nelson@Kapnick.com
