CYBER LIABILITY INSURANCE
CONTINUING EDUCATION CLASS – MARCH 6, 2013
PRESENTED BY COUSINO HARRIS
STEWART V. NELSON, Senior Risk Advisor
Stewart.Nelson@Kapnick.com

Class Objectives
• Understand & explain the need for Cyber Insurance
• Identify the 5 major coverage options available
• Assist your clients in selecting the best policy for their needs
• Discover recent trends in cyber cases, rulings & laws

Background on Cyber policies
• First issued in early 1990’s - web media risks, Software and Hardware protection
• Carriers added other features over next 12 years - notification, legal, forensics, call centers etc.
• Large businesses adopted fastest
• Small business slower

New Drivers in Cyber Liability
• State & federal Regulations
• Social media
• Contracts may require it
• More data stored
• Cloud computing

Why do we need Cyber insurance?
1. Tangible vs. intangible property
   Fuzzy concept - Bits & Bytes
   Hard to value – No premium for the risk
2. Concept of an “Occurrence” or trigger
   What is the trigger?
   Real vs. Potential harm
3. Carriers got better at excluding it

Why do we need Cyber Liability?
A. Exclusion 2.p. of Coverage A - Bodily Injury And Property Damage Liability in Section I - Coverages is replaced by the following:
2. Exclusions
This insurance does not apply to:
p. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property.
"Electronic data" means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), hard or floppy disks, CD-ROMs, tapes, drives, cells,… CG 04 37 04 13

Why do we need Cyber Insurance?
17. "Property damage" means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it;
b. Loss of, loss of use of, damage to, corruption of, inability to access, or inability to properly manipulate "electronic data", resulting from physical injury to tangible property. All such loss of "electronic data" shall be deemed to occur at the time of the "occurrence" that caused it.
For the purposes of this insurance, "electronic data" is not tangible property

So what are we going to do?
Suing the carrier is not a sustainable risk management strategy!
Low cost cyber insurance is readily available and affordable
You must help your clients understand their data storage risks

Who is the enemy?
• 98% Committed by outsiders
• 58% of stolen data perpetrated by “Hacktivists”

How do they work?
• 81% used some form of hacking
• 69% used some form of malware

Commonalities of data breaches
• 79% targets of opportunity
• 85% of breaches took weeks or more to discover
• 97% of all data breaches were avoidable by simple preventive steps
• 92% were discovered by a third party

What data is worth to a hacker:
• Utility bill scanned = $10
• Full identity = $6 to $80
• Gmail user name & password = $80
• Facebook user name & password = $300
• Bank account credentials = $15 to $850
• Credit card with $1,000 Available = $25
• Credit card with personal information = $80

Criminals use data to:
• Obtain fraudulent credit cards
• Open store credit
• Medical identity theft
• Criminal identity theft
• Phone & utility fraud

Attacks on SMB increasing
75% of data breaches analyzed by Verizon in 2011 were in companies with less than 100 employees.
According to Accounting Web, 80% of small businesses that experience a data breach suffer serious financial losses and many go bankrupt.

Opportunity
How many companies think Cyber security is important?
Answer: 84%
What percentage have actually bought cyber policies?
Answer: 19%!

What is Cyber Liability?
Cyber ‐ A prefix that means “computer” or “computer network”
Cyber Liability ‐ refers to risk associated with storing data, doing business on the Internet or publishing a web site.

Now we need to include Two Parts of Cyber Liability Insurance
Property
• Data – yours or someone else’s
• Network – 1st or 3rd party
• Bus Income – 1st or 3rd party
Casualty (Liability)

What types of data?
1. Personal Information (PI)
   Names, DL numbers, SSN’s, addresses, email addresses, credit card data, phone numbers, age, sex, political affiliation, marital status, finger prints, blood type, education, financial information, employment history, criminal records.
2. Personal health Information (PHI)
   Medical records
3. Account numbers & passwords

Fed Regulatory Agencies & Acts
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLB)
Electronic Fund Transfer Act, Reg. E (EFTA)
Children's Online Privacy Protection Act (COPPA)
Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rule

Industry Specific Regs.
• Payment Card Industry (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)

State Regulations & Acts
• State Attorneys General
• 47 States - Privacy Acts
• Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
• Nevada Personal Information Data Privacy

International Laws
• Canada - Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)
• Mexico - Law on the Protection of Personal Data Held by Private Parties
• European Union - Data Protection Directive; Safe Harbor

Data transparency requirements EU
• When the data subject has given his consent
• When processing is necessary for compliance with a legal obligation
• When processing is necessary in order to protect the vital interests of the data subject

Why I don’t need Cyber Insurance!
1. I am too small to be noticed – No hacker would target us.
2. Too expensive
3. Brokers don’t explain it very well
4. They believe they are covered
5. Just not paying attention
6. My IT guy says we don’t need it

What’s at risk for insureds?
Hard Costs
Ponemon Institute > $200 per record
Soft Costs

Who needs Cyber Liability Insurance?

Don’t Start With The Application! (You have some work to do first)
• Avoid the Risk
• Mitigate
• Transfer
Avoidance
a. Don’t collect personal data
b. Collect only data you actually use
c. Destroy data when not needed
Mitigate
a. Use Strong Passwords
b. Limit Access
c. Encryption
d. Penetration Testing
Transfer
a. Hold Harmless Agreements
b. Buy Cyber Liability Insurance

Let’s look at the 5 major sub‐types of Cyber Liability policies
1. Data Breach – Failure to protect an Individual’s privacy
2. Virus & Malware – Malicious code
3. Network Security – Loss or damage to a network & data
4. Media Liability ‐ Web content
5. eVandalism & Extortion

I. Data Breach – First & Third Party Protection
Also called – Data Compromise, Data Security, Privacy Events, Event Management depending on carrier
Casualty Claims – Liability ‐ Third Party Claims, Usually “Duty to Defend” but maybe not, Trigger is Wrongful Act
Property Claims – Cyber Crime, Indemnity, reimbursement, dedicated services, Trigger is

Data Breach – First Party Expenses may cover insureds for their:
• Legal services
• Forensic reviews
• Notification to third parties
• Credit monitoring
• Credit freezes
• Call centers
• Lost business income & EE
• Reconstruct lost data
• Public relations
• Regulatory fines and penalties

Data Breach – Potential Third Party (Liability) Expenses for:
• Privacy of your employees
• Privacy of Customers
• Legal expenses
• Arbitration
• Loss of 3rd Party data
• Violation of Federal or State regulations
• 3rd Party BI & EE
• Assumed liability by contract *

2. Virus & Malware – Malicious Software, First & 3rd Party
Vector: Trojan Horses, Worms, Key Stroke Loggers, Phishing, Advanced Persistent Threats (APT’s), Stuxnet
Causes: Network damage, Lost BI & EE, Data Breach

3. Network Security
Loss of or damage to insured’s or 3rd party network or information
Reasonable & necessary expenses that are required to restore the network or data

4. Publishing or Media Liability (Web Content)
• Copyright, slogan, trademark, trade or service name
• Emotional distress
• Libel, slander/defamation, product disparagement
• Invasion of privacy
• Plagiarism, failure to attribute
• Misstatement or misleading statement
• Failure to follow published privacy policy
• Wrongful entry or eviction

5. eVandalism & Cyber Extortion
• Trigger is the threat
• Loss: Money paid to terminate threat, Cost to investigate, Travel expenses

Mechanics of a Cyber Liability policy
Manuscript policies – all are different; most are: Claims Made (and reported), Duty to defend, most defense inside limits.

Read Provisions, Definitions & Exclusions
• Coverage Summary – (Limits, Sub Limits, Retro dates)
• Insuring agreement
• Definitions (Claim, Loss, Insured, etc.)
• Settlement provisions
• Severability (White Hats/Black Hats)

Coverage Summary
What to look for:
• Limits & Sub Limits, Shared limits?
• Retro Dates & Continuity Dates
• Aggregates (hard to spot)
• Coinsurance

Insuring Agreement
What to look for: Who, what, when and for what?
The Company shall pay, on behalf of the Insured, Loss on account of a Claim first made (and reported) during the Policy Period, or Extended Reporting Period if

Definitions: What to look for:
Claim (broad as possible)
• Written demand for monetary or non‐monetary damages including injunctive relief.
• Civil proceedings
• Criminal proceedings
• Arbitration or mediation
Loss
Monetary & Non‐Monetary, Punitive, Civil Fines, HIPAA, Penalties, PCI‐DSS etc.

Definitions Cont: What to look for:
Insured
• Covers contractual obligations if needed. Hard to find.
• Watch out for “Past” Officers/Directors – Insured v Insured

Settlement Provisions
Hammer Clauses
Full – Insured responsible for expenses above the offer
Modified ‐ Company will pay expenses 50‐70% above offer

Severability
What to look for: White Hats & Black Hats – Who knew what, when?

Exclusions:
Liability assumed in a contract except liability they would have in the absence of a contract (Business Associates should watch out for this one!)
Regulatory Taxes, Fines & Penalties
Loss caused by an employee, officer, director, owner, Independent Contractors
Fraudulent acts of insured
Deliberate failure to report

Liability assumed in a contract
Based upon, directly or indirectly arising out of or in any way involving:
An Insured’s actual or alleged liability under any oral or written contract or agreement, including but not limited to express warranties or guarantees.
Notwithstanding the foregoing exclusion, coverage otherwise available to an Insured shall apply to such Insured’s liability that exists in the absence of a contract.

Exclusions (Cont.)
Interruptions (managed or hosted services, electrical failure, cable or telephone service)
Failure to follow minimum required practices identified in the application or endorsement
Criminal acts
Intellectual Property
Software licenses
Wireless networks

Other important Items to look for:
• Paper Records
• Laptops, Thumb & Hard Drives
• Fines & Penalties
• European Union
• Assumed Liability
• Cloud Storage

Other important items to look for (Cont.)
• Avoid carriers that dabble in cyber
• Say things expressly
• Say what it covers & cover it
• Vicarious Liability

How is Cyber Liability Rated?
• Rating Basis: Revenue, Nature of business, Number of records
• Security Practices: Fire Walls, Strong passwords, Penetration testing, Dedicated security team

Trends in data privacy enforcement
• Lower thresholds in data loss cases
• More subrogations
• Law suits being filed quicker
• Tougher HIPAA laws - Business Associates
• FTC getting more involved

Trends in data privacy enforcement (Cont.)
• OCR following up on smaller breaches
• Cloud computing – one sided contracts
• Aggressive State’s Attorneys General
• Potential Harm from Actual Harm