Cyber Liability Insurance

Academic year: 2021


(1)

Cyber Liability Insurance

John Buck

Cyber Liability Specialist

RP Ryan Insurance Inc.

18501 N 40th St. Suite 102 Phoenix, AZ 85032 Office: 602-992-9700 Cell: 602-885-3656 jbuck@rpryan.com www.rpryan.com

(2)

What is Cyber Liability?

Cyber Liability

Addresses the first- and third-party risks associated with the generation, storage or transmittal of digital information containing personally identifiable information (PII) or personal health records (PHI) as protected by various laws and regulations

Does not cover intellectual property, trademarks, copyrights, etc. that do not contain personal data protected by laws and regulations

(3)

What is Cyber Liability Insurance?

(AKA Data Breach Insurance)

• Cyber Liability Insurance covers financial obligations due to the loss or theft of personal information from a first party information system

• Does not have to be the fault of the organization that the data is stolen from

• Can include fines and penalties assessed by government agencies

• Can include coverage for lawsuits brought by customers, clients, patients, employees, financial institutions and stockholders who are financially impacted by the breach of sensitive data

(4)

What Types of Companies Need Cyber Liability Insurance the Most?

Health care providers

Doctor offices, dentist offices, outpatient clinics, hospitals and labs, all generating and storing personal health care data protected by law

(5)

What Types of Companies Need Cyber Liability Insurance the Most?

Retail Stores

• Stolen credit card numbers are the number one risk for retail stores

• One stolen credit card number can be sold and made into thousands of duplicate cards, often sold on the Internet for as little as $5 each

• FBI, Banks and Merchant service providers have the software to trace stolen credit cards back to the source, thus holding the store liable

(6)

What Types of Companies Need Cyber Liability Insurance the Most?

Telecommunications

Service Providers

• Local and long-distance phone companies

• Internet service providers

• Cable and satellite television service providers

Manufacturers

• Equipment used by service providers

• Some consumer devices

(7)

What Types of Companies Need Cyber Liability Insurance the Most?

Information Technology

Software

• Prepackaged software

• Custom software

Services

• Consulting

• Programming services

(8)

Types of cyber attacks that can lead to cyber breach penalties and lawsuits for your company

POS System Attacks – retail is highest risk

Card Skimmers – anyone who accepts credit cards for payment involving physical scanning of the card

Web Site Attacks – anyone with a website

Insider Misuse or Hacking – anyone with employees, especially disgruntled ones

Physical Theft/Loss – employees and executives

Miscellaneous Errors – employees and executives

Crimeware – backdoors inserted by hackers

Cyber Espionage – inside and outside hackers from anywhere in the world

(9)

Typical Cyber Liability expenses that can be insured for

• Notification Expenses

• Customers must be notified of a breach of their sensitive information.

• May be voluntary or forced by laws and regulations

• Crisis Management/PR Expense

• Assuring your customers that you have taken steps to mitigate the breach

• Win back their confidence and/or loyalty

• Pay cyber extortion expense

(10)

Typical Cyber Liability expenses that can be insured for

Continued from previous slide

Payment of fines and penalties from government agencies

Payment of awards from lawsuits from customers, patients, employees and stockholders, as discussed in the previous slide

(11)

Typical Retail Risk: POS Intrusions

Point of Sale (POS) Intrusions: Remote attacks against the environments where retail transactions are conducted, specifically where card-present purchases are made, i.e., cards are physically scanned.

POS Intrusions accounted for 14% of the cyber attacks reported in the Ponemon study.

POS attacks are the greatest threat to retail establishments like department stores and restaurants but anyone accepting credit cards for payment is subject to attack e.g., iPad credit card scans

(12)

POS Intrusions

Credit card transactions are regulated by PCI 3.0 (Payment Card Industry regulation), which can impose heavy fines on any retail establishment whose customer credit card data is lost or stolen; government regulations, however, will not prevent theft by hackers

Lost or stolen credit card data is sold on the black market and is typically used to produce duplicate credit cards that can be sold and used all over the world

Stolen customer data can be traced back to the source using

(13)

Target Breach

The cases against Target were consolidated in the US District Court for the District of Minnesota to consist of (as of May 2014, more to come):

81 class action suits brought by consumers

28 class action suits brought by financial institutions

(14)

Web Attacks on Your Website

Web App Attacks – any incident in which a web application was the target of the attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms

Denial of Service Attacks (DoS) – hackers take over thousands of PCs and use them to simultaneously request service from a targeted website. Legitimate customers cannot access the website, and the company loses revenue and credibility with its customers, who may also sue the targeted company for loss of service during the attack.

Use of Website as a backdoor into the company network to steal data, plant viruses, etc.

(15)

Insider and Privilege Misuse to Guard Against in Your Business

Any unapproved or malicious use of your organizational resources

Too many people in your company have access to too much data

Limit access and change passwords frequently to help mitigate insider threats

(16)

Miscellaneous Errors by Your Employees

• Incidents where unintentional actions directly compromised a security attribute of an information asset, e.g., phishing to get passwords from unsuspecting and/or untrained employees

• The Target breach was due to an air conditioning vendor gaining access to privileged information and planting a back door into the system for later retrieval of customer data – it took several months to get the data

• There are now huge networks of hackers working in teams to gain access to high-value systems. Anyone can buy hacking software on the Internet and make a good living from their grandmother’s basement (aka “script kiddies”, mostly having fun), but most big jobs are for big financial payoffs from Russia and places where the FBI can’t operate until it’s too late

(17)

Crimeware

Any malware incident that did not fit other patterns like espionage or POS (Point of Sale) attacks

Covers a wide variety of incidents involving malware of various types and purposes

(18)

Payment Card Skimmers

Involves POS skimming devices physically placed on or near devices that read credit card magnetic strips to accept payment

ATMs, gas pumps and POS terminals are big sources of hidden (implanted) credit card magnetic strip readers

Placed by someone like a maintenance worker, employee or hacker, and usually removed at a later date to avoid detection

Hackers walk around stores like Walmart or sit in restaurants with skimmers that work while they are there and are not found by anyone making a search

(19)

Cyber-Espionage

• Defined as unauthorized network or system access linked to state-affiliated hackers and/or exhibiting the motive of espionage

• Usually hard core criminal organizations operating in Russia and East Europe where the FBI can’t get at them

• They target corporations, governments, NGOs, etc., but also small to medium businesses as well, to steal personal data, trade secrets,

(20)

Physical Theft and Loss

Missing assets containing sensitive data

Laptops, iPads and thumb drives left in unlocked cars, restaurants, etc.

Can include paper assets left in cars, boxes of paper data in storage lockers, etc.

(21)

Key Questions for all owners and C-suite personnel who must manage financial risk

How much personal data do you store on employees, customers, clients, etc.?

What is your plan for minimizing your risk of losing sensitive data?

How much can you afford to spend on penalties and lawsuits in the event of a data breach that gets traced back to your

(22)

Key Questions – cont.

• What would happen if customer and employee private information is stolen from your company?

• How many paper and electronic records containing sensitive information do you have stored (file cabinets, storage sheds, PCs)?

• Do you have written agreements (contract liability) concerning privacy and protection of data with outside vendors?

(23)

Key Questions – cont.

• What type of social media is your business using? Are there restrictions on its administration?

• Risks include invasion of privacy, copyright and trademark liability, defamation and slander, usually covered by other liability insurance policies

• Are you aware of the exclusions in your existing P&C and GL policies?

• Most cyber liability claims such as social media liabilities, electronic data and cost to recreate, outages caused by viruses or hackers will not be covered under existing policies

• Are you aware of the most recent privacy and data breaches in your industry for evaluation of your potential risks?

• Good sources of information pertinent to your industry can be found on Google or privacyrights.org (an excellent database of actual breaches)

(24)

Key Questions – cont.

• Are you aware that the average 1st party cost for a data breach claim is $206 per record?

• Costs include notification and credit monitoring for customers as well as public relations and call centers

• Are you familiar with all state regulations that you do business in (not just your home state) for notification in the event of a privacy breach?

(25)

Key Questions – cont.

• Do any of your employees access your system from a mobile device?

• The Ponemon study shows that 81% of employees have access to PII (Personally Identifiable Information) on iPads, smart phones and employee laptops – this is referred to as the BYOD (Bring Your Own Device) problem

• Have you considered the Third-Party costs to your business in the event of a Privacy Breach?

• Intellectual property infringement, reputation injury, customers’ systems being unavailable and the cost to defend your business against numerous lawsuits – 50% of small to medium businesses shut down after a major breach if they can’t cover the expense (Target is self insured – are you?)

(26)

Questions from a typical Cyber Liability

Questionnaire for an insurance quote

1. Do you control who has access to your computer network?

2. Do you have a firewall between your information system and the Internet?

3. Do you have firewall protections on each of your individual workstations?

4. Do you have a virus protection program in place?

5. Do you outsource any part of your internal networking/computer system or Internet access to others?

(27)

Typical quote questions – cont.

7. Does your hiring process include criminal background checks?

8. Do you have a written security policy that covers both physical (premise) and information security?

9. Do you test your policy’s security or privacy controls?

10. Have you ever experienced a privacy or data breach?

11. Do you allow employees to download personal client information or other confidential information onto laptops or other data files? (If yes, is the data encrypted?)

(28)

Typical quote questions – cont.

12. What personal client or employee information is held in your company’s information system or employee devices?

• Social Security Numbers

• Driver’s License Numbers

• Financial Account Numbers

• Credit Card Numbers

• Personal Health Information

• Customer Information

Other (please specify) – don’t hide anything so that you get a realistic quote that represents your real risk

13. Have you ever filed a Privacy/Data Breach claim?

(If yes, please note date of incident and provide brief explanation)

(29)

Why Get a Quote (or several quotes)?

• It doesn’t cost anything to have a qualified insurance agent prepare a quote for your cyber liability insurance needs

• By getting quotes from several insurance carriers you will get the expertise of several underwriters who can help you navigate the complex waters of cyber liability insurance, which is still in its early phase of development

• Before or after you get a quote for cyber liability insurance, have a qualified outside security expert do an evaluation of your physical and network security system and provide a written report that can be passed on to the insurance agent and his underwriters for proper evaluation of your

(30)

10 Reasons to buy Cyber Liability Insurance

1. High cost of breach notification in the event of a breach

2. Loss of third-party (your customers and employees) data results in class action lawsuits that can put you out of business if you aren’t protected by cyber liability insurance

3. The data in your network is not covered by standard commercial property & casualty policies yet it is the most valuable asset you have (how much to replace lost or stolen data versus the cost to replace a computer network?)

4. Information Systems (IT systems) are critical to operating your day to day business but their downtime is not usually covered by

(31)

10 Reasons to Buy– cont.

5. Cyber crime is the fastest growing crime in the world, but most attacks are not covered by standard commercial insurance policies

6. Retailers face severe penalties if they lose their customer credit card data

• Global credit card crime is worth over $7.5 billion, and this risk is increasingly being transferred from the credit card service providers to the business owners

• Retailers can be held liable for forensic investigation costs, credit card reissuance costs and the actual fraud (purchases) conducted on stolen cards

(32)

10 Reasons to Buy– cont.

7. Your reputation is your number one asset, so why not insure it?

• Cyber liability insurance can insure your reputation in the event of a cyber security breach

• It can pay for costs of engaging a PR firm to help restore your reputation, but also for the loss of future sales that arise as a direct result of customers switching to your competitors

• You can’t claim that a cyber breach is not your fault and therefore you should not have to bear the expense – you are the one your customers and government agencies will hold liable no matter the cause of the breach

8. Social media usage is at an all time high and claims are on the rise

• Cyber liability insurance can help provide coverage for claims arising from leaked information, defamatory statements or copyright infringements

(33)

10 Reasons to Buy – cont.

9. Portable devices increase the risk of loss or theft of information

• Cyber liability insurance can cover the costs associated with a data breach should a portable device be lost, stolen or fall victim to a virus

10. It’s not just big businesses being targeted by hackers, but lots of small ones too, often part of a massive hack attack

• Hackers often practice on many small businesses to learn the techniques and pathways into the larger businesses.

• The small businesses suffer the same damage as the large ones

• A third of global cyber attacks were aimed at businesses with less than 250 employees

(34)

Cyber Liability Risk Applies to all sectors of

the e-commerce and Internet world

• e-Professionals – those who provide traditional services over the Internet

• Information Technology (Internet) Professionals – website developers, systems/computer consultants, etc.

• E-Commerce Companies – companies existing only on the net, “clicks & mortar” companies, and content providers such as portals, search engines and specialty providers of content

• Internet Advertisers – traditional organizations utilizing the Internet for marketing

(35)

Examples of Cyber Liability Claims

Extortion 1

• Entire database of a publicly traded corporation was encrypted by a disgruntled employee

• Ransom note demanded $1 million for the password to unlock the data

(36)

Examples of Cyber Liability Claims

Extortion-2

• Accounting firm upgrades their computers and scrubs old hard drives before tossing them out

• A hacker got hold of the discarded hard drives and restored the data, which included financial records of clients

(37)

Examples of Cyber Liability Claims

Mischievous Hacking

• Repeated Denial of Service attacks by a hacker have virtually shut down a state’s Public Access Network Computer

• This is an example of mischievous behavior that shuts down a system, but there is no ransom involved

• Hacker typically “brags to his friends” of his accomplishment

(38)

Examples of Cyber Liability Claims

Mischievous Hacking

• An Internet Service Provider (ISP) was hacked

• The hacker planted swastikas and racist messages on web pages while masquerading as the provider’s administrator, erased data on two computers and shut down the system

• The ISP was shut down for 12 hours and files created in the several days prior to the attack were lost

(39)

Examples of Cyber Liability Claims

Loss of Data

• A personal laptop computer was stolen from a data processing center

• The laptop contained the account numbers for over 300,000 credit card customers

(40)

Examples of Cyber Liability Claims

Loss of Data

• A technical instruments manufacturer had a disgruntled employee delete their entire database

• It cost the company $7.8 million in lost revenues and $3.2 million to replace the lost data

(41)

Statistics of Cyber Liability Losses

• 24% of data breaches occur in retail environments and restaurants

• The average total cost of a cyber security breach is estimated at $5.4 million

• 50% of small businesses who must bear the cost of a breach are out of business within 6 months

• There are 46 different state laws and another set of federal laws and regulations governing the collection and storage of data and the prevention and reporting of a breach

From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ (the source cited on this slide and on each of the following slides through slide 50)

(42)

Reduction of Cyber Security Losses

• It takes a team of cyber security consultants, IT experts, insurance, security and law firms to deal with the extensive and increasing cyber threat to US businesses

• Cyber security concerns are now part of doing business, and general counsel and C-Suite executives must be ready to guide their companies through these complex issues

• Prevention is the first step to minimizing cyber security liability


(43)

Reduction of Cyber Security Losses

• The following steps can help minimize the cost and likelihood of security breaches:

• Security measures before a breach

• Have an incident response plan

• Establish a strong security infrastructure

• Appoint a Chief Information Security Officer

• Cyber-security audits

• Businesses should conduct regular cyber-security audits and limit access to sensitive data by third parties and employees


(44)

Reduction of Cyber Security Losses

• Cyber-security insurance

• Businesses should review insurance policies to determine whether and to what extent they are covered for cyber-security threats

• Encryption

• If a data breach occurs, encryption can help minimize liability


(45)

Notification in the Event of a Breach

• The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) require covered entities to protect against reasonably anticipated threats or hazards to security

• The HITECH Act requires covered entities and business associates to notify the individuals whose protected health information was accessed no later than 60 days after the breach was discovered


(46)

Notification in the Event of a Breach

• If the breach affects more than 500 individuals, the law also requires notification within 60 days after the breach was discovered to the US Department of Health and Human Services and the media


(47)

Notification in the Event of a Breach

• The Gramm-Leach-Bliley Act requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect consumer information

• Related guidelines require covered financial institutions to notify customers whose personal information has been subject to unauthorized access or use if misuse of the customer’s information has occurred or is reasonably possible, unless law enforcement determines that notification will interfere with a criminal investigation


(48)

Notification in the Event of a Breach

• The Securities & Exchange Commission (SEC) has issued guidance stating that publicly traded companies should report certain cyber instances

• State Law – Currently 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information


(49)

Potential Litigation

• Potential claims by private parties and the government include:

• State-law claims filed under individual states’ consumer protection laws, tort and contract law, fiduciary requirements, and other cyber security rules

• FTC Safeguards Rule – the FTC has brought numerous enforcement actions to address whether businesses’ security systems are reasonable and appropriate to protect consumer information


(50)

Potential Litigation

• SEC Enforcement Actions. The SEC’s Division of Corporation Finance has taken the position that public companies should disclose their risk of cyber incidents

• Failure to disclose cyber security breaches or risks could lead to actions under securities anti-fraud provisions like Rule 10b-5 or books and records violations under Rule 13b2-2


(51)

Do You Really Need Cyber Liability

Insurance?

• LinkedIn, eHarmony, DropBox, Paypal and Yahoo have all been hacked and millions of customer records have been lost

• This list does not even include the big retailers like Target and Home Depot that have been hacked with hundreds of thousands of credit card data lost

• Liability for loss of customer data or employee data is not typically covered under normal corporate insurance policies

(52)

Do You Really Need Cyber Liability Insurance?

• Be careful when evaluating your existing business insurance policy, since some policies that offer general liability coverage and directors and officers liability may provide some limited cyber liability coverage but may not provide all that is required

• Analyze your existing policy in detail with the help of experts before you have a cyber breach, because after the breach it is too late

• A recent survey by the Chubb Group of Insurance Companies found that 65% of public companies forego cyber insurance even though they consider cyber risk their number one concern

(53)

Do You Really Need Cyber Liability Insurance?

• 25% of those companies surveyed are expecting a cyber breach in the coming year and 71% have cyber breach response plans in place but only 35% have cyber liability insurance

• It is not only high-profile and high-risk companies that are at risk of cyber breaches

• Small to medium sized companies are at equal risk of cyber breaches

• 72% of all data breaches occurred in Small to Medium (SMB) businesses according to studies by the Secret Service and Verizon Communications Inc.

(54)

Do You Really Need Cyber Liability Insurance?

• So why do only 35% of companies invest in cyber liability insurance?

• For one, many executives don’t know it exists, and even if they do they probably don’t think an attack will happen to them, or they are not overly worried about the potential fallout of such a breach

• Premiums are still high since so few companies are buying cyber liability insurance and the payouts can be in the millions of dollars

• The premiums for e-Commerce companies are high because these companies are considered high risk, since they acquire and store large amounts of credit card data for purchases from their site

(55)

Do You Really Need Cyber Liability Insurance?

• The other high risk companies are medical related institutions hosting data, such as date of birth information, social security numbers and medical records

• You can reduce your cyber liability premiums by reinforcing your security practices before you apply, like a good driver discount

• In other words, having a lower risk factor for data breaches lowers your insurance premium

• One easy way to lower your risk of a data breach is to have strong password protection on your system by using encryption and changing passwords regularly

(56)

Do You Really Need Cyber Liability Insurance?

• When your system consists of multiple units of servers, apps, cloud services, databases, tablets and laptops, you can purchase affordable password management solutions to help offset the cost of cyber liability premiums

• Other actions that can reduce the cost of cyber liability premiums are:

• Regular risk assessments by outside cyber security analysts

• A written cyber security policy that identifies and lists critical assets and defines policies for physical security, account management, and backup and recovery of critical data, among other areas

• Leverage firewalls, virtual private networks, anti-virus and anti-spam software and secure mobile solutions to secure network access and mobile devices

(57)

Types of Commercial Liability Insurance

Don’t Expect Your Existing Commercial General Liability Insurance to Cover Cyber Liability Losses!

Commercial General Liability (GL) Coverage Exclusions (aka, will not pay!):

• Personal and Advertising Injury

• Electronic Data – applies to damages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data

(58)

Now that you know the potential threat to your business due to cyber attacks, it’s time to take action!!

Click the Quote Request Button and let me get you several quotes from reputable insurance companies to protect you from extensive financial losses due to cyber attacks on your company. The cyber liability policy can be stand-alone or combined with the rest of your business insurance.

John Buck, Cyber Liability Insurance Specialist

RP Ryan Insurance Inc. 18501 N 40th St Suite 102 Phoenix AZ 85032 Phone: 602-992-9700 x 252 Cell: 602-885-3656 Email: jbuck@rpryan.com
