Cyber Liability Insurance
John Buck
Cyber Liability Specialist
RP Ryan Insurance Inc.
18501 N 40th St. Suite 102 Phoenix, AZ 85032 Office: 602-992-9700 Cell: 602-885-3656 jbuck@rpryan.com www.rpryan.com
What is Cyber Liability?
Cyber Liability
• Addresses the first- and third-party risks associated with the generation, storage or transmittal of digital information containing personally identifiable information (PII) or personal health records (PHI) as protected by various laws and regulations
• Does not cover Intellectual Property, Trademarks, Copyrights etc. that do not contain personal data protected by laws and regulations
What is Cyber Liability Insurance?
(AKA Data Breach Insurance)
• Cyber Liability Insurance covers financial obligations due to the loss or theft of personal information from a first party information system
• Does not have to be the fault of the organization that the data is stolen from
• Can include fines and penalties assessed by government agencies
• Can include coverage for lawsuits brought by customers, clients, patients, employees, financial institutions and stockholders who are financially impacted by the breach of sensitive data
What Types of Companies Need Cyber Liability Insurance the Most?
Health care providers
• Doctor office, Dentist office, Outpatient Clinics, Hospitals, Labs all generating and storing Personal Health Care Data protected by law
What Types of Companies Need Cyber Liability Insurance the Most?
Retail Stores
• Stolen credit card numbers are the number one risk for retail stores
• One stolen credit card number can be sold and made into thousands of duplicate cards often sold on the Internet for as little as $5 each
• FBI, Banks and Merchant service providers have the software to trace stolen credit cards back to the source, thus holding the store liable
What Types of Companies Need Cyber Liability Insurance the Most?
Telecommunications
Service Providers
• Local and long-distance phone companies
• Internet service providers
• Cable and satellite television service providers
Manufacturers
• Equipment used by service providers
• Some consumer devices
What Types of Companies Need Cyber Liability Insurance the Most?
Information Technology
Software
• Prepackaged software
• Custom software
Services
• Consulting
• Programming services
Types of cyber attacks that can lead to cyber breach penalties and lawsuits for your company
• POS System Attacks – retail is highest risk
• Card Skimmers – anyone who accepts credit cards for payment involving physical scanning of card
• Web Site Attacks – anyone with a website
• Insider Misuse or Hacking – anyone with employees, especially disgruntled ones
• Physical Theft/Loss – employees and executives
• Miscellaneous Errors – employees and executives
• Crimeware – backdoors inserted by hackers
• Cyber Espionage – inside and outside hackers from anywhere in the world
Typical Cyber Liability expenses that can be insured for
• Notification Expenses
• Customers must be notified of a breach of their sensitive information.
• May be voluntary or forced by laws and regulations
• Crisis Management/PR Expense
• Assuring your customers that you have taken steps to mitigate the breach
• Win back their confidence and/or loyalty
• Pay cyber extortion expense
Typical Cyber Liability expenses that can be insured for
Continued from previous slide
• Payment of fines and penalties from government agencies
• Payment of awards from lawsuits from customers, patients, employees, stockholders as discussed in previous slide
Typical Retail Risk: POS Intrusions
Point of Sale (POS) Intrusions: Remote attacks against the environments where retail transactions are conducted, specifically where card-present purchases are made, i.e., cards are physically scanned.
POS Intrusions accounted for 14% of the cyber attacks reported in the Ponemon study.
POS attacks are the greatest threat to retail establishments like department stores and restaurants but anyone accepting credit cards for payment is subject to attack e.g., iPad credit card scans
POS Intrusions
Credit card transactions are regulated by PCI 3.0 – Payment Card Industry Regulation which can impose heavy fines on any retail establishment whose customer credit card data is lost or stolen, but government regulations will not prevent theft by hackers
Lost or stolen credit card data is sold on the black market and is typically used to produce duplicate credit cards that can be sold and used all over the world
Stolen customer data can be traced back to the source using
Target Breach
The cases against Target were consolidated in the US District Court for the District of Minnesota to consist of (as of May 2014, more to come):
• 81 class action suits brought by consumers
• 28 class action suits brought by financial institutions
Web Attacks on Your Website
Web App Attacks – any incident in which a web application was the target of the attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms
Denial of Service Attacks (DoS) – hackers take over thousands of PCs and use them to simultaneously request service from a targeted website. Legitimate customers cannot access the website and the company loses revenue and credibility with their customers, who may also sue the targeted company for loss of service during the attack.
Use of Website as a backdoor into the company network to steal data, plant viruses, etc.
Insider and Privilege Misuse to Guard Against in Your Business
• Any unapproved or malicious use of your organizational resources
• Too many people in your company have access to too much data
• Limit access and change passwords frequently to help mitigate insider threats
Miscellaneous Errors by Your Employees
• Incidents where unintentional actions directly compromised a security attribute of an information asset, e.g., phishing to get passwords from unsuspecting and/or untrained employees
• Target breach was due to an air conditioning vendor gaining access to privileged information and planting a back door into the system for later retrieval of customer data – took several months to get the data
• There are now huge networks of hackers working in teams to gain access to high value systems; anyone can buy hacking software on the Internet and make a good living from their grandmother’s basement (aka “script kiddies”, mostly having fun), but most big jobs are for big financial payoffs from Russia and places where the FBI can’t operate until it’s too late
Crimeware
• Any malware incident that did not fit other patterns like espionage or POS (Point of Sale) attacks
• Covers a wide variety of incidents involving malware of various types and purposes
Payment Card Skimmers
• Involves POS skimming devices physically placed on or near devices that read credit card magnetic strips to accept payment
• ATMs, gas pumps, POS terminals are big sources of hidden (implanted) credit card magnetic strip readers
• Placed by someone like a maintenance worker, employee or hacker and usually removed at a later date to avoid detection
• Hackers walk around stores like Walmart or sit in restaurants with skimmers that work when they are there and are not found by anyone making a search
Cyber-Espionage
• Defined as unauthorized network or system access linked to state-affiliated hackers and/or exhibiting the motive of espionage
• Usually hard core criminal organizations operating in Russia and East Europe where the FBI can’t get at them
• They target corporations, governments, NGO’s, etc., but also small to medium businesses as well to steal personal data, trade secrets,
Physical Theft and Loss
• Missing assets containing sensitive data
• Laptops, iPads, thumb drives left in unlocked cars, restaurants, etc.
• Can include paper assets left in cars, boxes of paper data in storage lockers, etc.
Key Questions for all owners and C-suite personnel who must manage financial risk
• How much personal data do you store on employees, customers, clients, etc.?
• What is your plan for minimizing your risk of losing sensitive data?
• How much can you afford to spend on penalties and lawsuits in the event of a data breach that gets traced back to your
Key Questions – cont.
• What would happen if customer and employee private information is stolen from your company?
• How many paper and electronic records containing sensitive information do you have stored (file cabinets, storage sheds, PCs)?
• Do you have written agreements (contract liability) concerning privacy and protection of data with outside vendors?
Key Questions – cont.
• What type of social media is your business using? Are there restrictions on its administration?
• Risks include invasion of privacy, copyright and trademark liability, defamation and slander, usually covered by other liability insurance policies
• Are you aware of the exclusions in your existing P&C and GL policies?
• Most cyber liability claims such as social media liabilities, electronic data and cost to recreate, outages caused by viruses or hackers will not be covered under existing policies
• Are you aware of the most recent privacy and data breaches in your industry for evaluation of your potential risks?
• Good sources of information pertinent to your industry can be found on Google or privacyrights.org (an excellent database of actual breaches)
Key Questions – cont.
• Are you aware that the average 1st party cost for a data breach claim is $206 per record?
• Costs include notification and credit monitoring for customers as well as public relations and call centers
• Are you familiar with all state regulations that you do business in (not just your home state) for notification in the event of a privacy breach?
Key Questions – cont.
• Do any of your employees access your system from a mobile device?
• The Ponemon study shows that 81% of employees have access to PII (Personally Identifiable Information) on iPads, smart phones and employee laptops – this is referred to as the BYOD (Bring Your Own Device) problem
• Have you considered the Third-Party costs to your business in the event of a Privacy Breach?
• Intellectual property infringement, reputation injury, customer’s systems being unavailable and the cost to defend your business against numerous lawsuits – 50% of small to medium businesses shut down after a major breach if they can’t cover the expense (Target is self insured – are you?)
Questions from a typical Cyber Liability Questionnaire for an insurance quote
1. Do you control who has access to your computer network?
2. Do you have a firewall between your information system and the Internet?
3. Do you have firewall protections on each of your individual workstations?
4. Do you have a virus protection program in place?
5. Do you outsource any part of your internal networking/computer system or Internet access to others?
Typical quote questions – cont.
7. Does your hiring process include criminal background checks?
8. Do you have a written security policy that covers both physical (premise) and information security?
9. Do you test your policy’s security or privacy controls?
10. Have you ever experienced a privacy or data breach?
11. Do you allow employees to download personal client information or other confidential information onto laptops or other data files? (If yes, is the data encrypted?)
Typical quote questions – cont.
12. What personal client or employee information is held in your company’s information system or employee devices?
• Social Security Numbers
• Driver’s License Numbers
• Financial Account Numbers
• Credit Card Numbers
• Personal Health Information
• Customer Information
• Other (please specify) – don’t hide anything, so that you get a realistic quote that represents your real risk
13. Have you ever filed a Privacy/Data Breach claim?
(If yes, please note date of incident and provide brief explanation)
Why Get a Quote (or several quotes)?
• It doesn’t cost anything to have a qualified insurance agent prepare a quote for your cyber liability insurance needs
• By getting quotes from several insurance carriers you will get the expertise of several underwriters who can help you navigate the complex waters of cyber liability insurance, which is still in its early phase of development
• Before or after you get a quote for cyber liability insurance, have a qualified outside security expert do an evaluation of your physical and network security system and provide a written report that can be passed on to the insurance agent and his underwriters for proper evaluation of your
10 Reasons to buy Cyber Liability Insurance
1. High cost of breach notification in the event of a breach
2. Loss of third-party (your customers and employees) data results in class action lawsuits that can put you out of business if you aren’t protected by cyber liability insurance
3. The data in your network is not covered by standard commercial property & casualty policies yet it is the most valuable asset you have (how much to replace lost or stolen data versus the cost to replace a computer network?)
4. Information Systems (IT systems) are critical to operating your day to day business but their downtime is not usually covered by
10 Reasons to Buy – cont.
5. Cyber crime is the fastest growing crime in the world, but most attacks are not covered by standard commercial insurance policies
6. Retailers face severe penalties if they lose their customer credit card data
• Global credit card crime is worth over $7.5 billion and this risk is increasingly being transferred from the credit card service providers to the business owners
• Retailers can be held liable for forensic investigation costs, credit card reissuance costs and the actual fraud (purchases) conducted on stolen cards
10 Reasons to Buy – cont.
7. Your reputation is your number one asset, so why not insure it?
• Cyber liability insurance can insure your reputation in the event of a cyber security breach
• It can pay for costs of engaging a PR firm to help restore your reputation, but also for the loss of future sales that arise as a direct result of customers switching to your competitors
• You can’t claim that a cyber breach is not your fault and therefore you should not have to bear the expense – you are the one your customers and government agencies will hold liable no matter the cause of the breach
8. Social media usage is at an all time high and claims are on the rise
• Cyber liability insurance can help provide coverage for claims arising from leaked information, defamatory statements or copyright infringements
10 Reasons to Buy – cont.
9. Portable devices increase the risk of loss or theft of information
• Cyber liability insurance can cover the costs associated with a data breach should a portable device be lost, stolen or fall victim to a virus
10. It’s not just big businesses being targeted by hackers, but lots of small ones too, often part of a massive hack attack
• Hackers often practice on many small businesses to learn the techniques and pathways into the larger businesses.
• The small businesses suffer the same damage as the large ones
• A third of global cyber attacks were aimed at businesses with less than 250 employees
Cyber Liability Risk Applies to all sectors of the e-commerce and Internet world
• e-Professionals – those who provide traditional services over the Internet
• Information Technology (Internet) Professionals – website developers, systems/computer consultants, etc.
• E-Commerce Companies – companies existing only on the net, “clicks & mortar” companies, and content providers such as portals, search engines and specialty providers of content
• Internet Advertisers – traditional organizations utilizing the Internet for marketing
Examples of Cyber Liability Claims
Extortion 1
• Entire database of a publicly traded corporation was encrypted by a disgruntled employee
• Ransom note demanded $1 million for the password to unlock the data
Examples of Cyber Liability Claims
Extortion 2
• Accounting firm upgrades their computers and scrubs old hard drives before tossing them out
• Hacker gets hold of the discarded hard drives and restores the data, which included financial records of clients
Examples of Cyber Liability Claims
Mischievous Hacking
• Repeated Denial of Service attacks by a hacker have virtually shut down a state’s Public Access Network Computer
• This is an example of mischievous behavior that shuts down a system but there is no ransom involved
• Hacker typically “brags to his friends” of his accomplishment
Examples of Cyber Liability Claims
Mischievous Hacking
• An Internet Service Provider (ISP) was hacked
• The hacker planted swastikas and racist messages on web pages while masquerading as the provider’s administrator, erased data on two computers and shut down the system
• The ISP was shut down for 12 hours and files created in the several days prior to the attack were lost
Examples of Cyber Liability Claims
Loss of Data
• A personal laptop computer was stolen from a data processing center
• The laptop contained the account numbers for over 300,000 credit card customers
Examples of Cyber Liability Claims
Loss of Data
• A technical instruments manufacturer had a disgruntled employee delete their entire database
• It cost the company $7.8 million in lost revenues and $3.2 million to replace the lost data
Statistics of Cyber Liability Losses
• 24% of data breaches occur in retail environments and restaurants
• The average total cost of a cyber security breach is estimated at $5.4 million
• 50% of small businesses who must bear the cost of a breach are out of business within 6 months
• There are 46 different state laws and another set of federal laws and regulations governing the collection and storage of data and the prevention and reporting of a breach
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Reduction of Cyber Security Losses
• It takes a team of cyber security consultants, IT experts, insurance, security and law firms to deal with the extensive and increasing cyber threat to US businesses
• Cyber security concerns are now part of doing business, and general counsel and C-Suite executives must be ready to guide their companies through these complex issues
• Prevention is the first step to minimizing cyber security liability
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Reduction of Cyber Security Losses
• The following steps can help minimize the cost and likelihood of security breaches:
• Security measures before a breach
• Have an incident response plan
• Establish a strong security infrastructure
• Appoint a Chief Information Security Officer
• Cyber-security audits
• Businesses should conduct regular cyber-security audits and limit access to sensitive data by third parties and employees
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Reduction of Cyber Security Losses
• Cyber-security insurance
• Businesses should review insurance policies to determine whether and to what extent they are covered for cyber-security threats
• Encryption
• If a data breach occurs, encryption can help minimize liability
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
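The encryption point above is the one item on this slide that is a concrete engineering control rather than a policy step, so here is an added illustration of what it means in practice. This is example code written for this page, not material from the original presentation or from the Polsinelli article it cites. It uses Go's standard-library AES-256-GCM to encrypt a single sensitive field (a constructed sample Social Security Number) before it is stored, and then shows what a thief who copies the stored row actually obtains. The record type, the field name and the key-handling comments are assumptions made for the example; the key is generated in-process here only so the program runs stand-alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredRecord is a constructed stand-in for one row of a customer table.
// In the "before" case SSN holds the plaintext; in the "after" case it
// holds the hex-encoded AES-GCM output produced by EncryptField.
type StoredRecord struct {
	Name string
	SSN  string
}

// NewKey returns a random 256-bit data-encryption key. In a real deployment
// (assumption stated for the example) the key lives in a KMS or HSM, not in
// the same database as the records, so a stolen dump does not come with the
// means to read it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one sensitive value with AES-256-GCM and returns
// hex(nonce || ciphertext || tag). A fresh random nonce per call keeps
// identical inputs from producing identical stored values.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return hex.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. GCM's authentication tag makes it fail
// closed on the wrong key or on any modification of the stored value.
func DecryptField(key []byte, encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short to contain a nonce")
	}
	plain, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// DumpExposesSSN models what a thief learns from a copied table: true if the
// plaintext SSN (or its hex form) appears verbatim in the stored row.
func DumpExposesSSN(rec StoredRecord, ssn string) bool {
	return strings.Contains(rec.SSN, ssn) ||
		strings.Contains(rec.SSN, hex.EncodeToString([]byte(ssn)))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	const ssn = "123-45-6789" // constructed sample value, not a real SSN
	before := StoredRecord{Name: "Sample Customer", SSN: ssn}
	enc, err := EncryptField(key, ssn)
	if err != nil {
		panic(err)
	}
	after := StoredRecord{Name: "Sample Customer", SSN: enc}
	fmt.Println("plaintext row exposes SSN:", DumpExposesSSN(before, ssn)) // true
	fmt.Println("encrypted row exposes SSN:", DumpExposesSSN(after, ssn))  // false
	got, _ := DecryptField(key, enc)
	fmt.Println("application holding the key reads back:", got)
}
```

The practical lesson for the slide's point is in the last two lines of `main`: the application that holds the key still reads the field normally, while a copied table without the key yields only random-looking hex. The liability reduction depends entirely on that separation of key from data; encrypting a column and storing the key next to it in the same database gives the thief both.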
Notification in the Event of a Breach
• Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) require covered entities to protect against reasonably anticipated threats or hazards to security
• The HITECH Act requires covered entities and business associates to notify the individuals whose protected health information was accessed no later than 60 days after the breach was discovered
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Notification in the Event of a Breach
• If the breach affects more than 500 individuals, the law also requires notification within 60 days after the breach was discovered to the US Department of Health and Human Services and the media
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Notification in the Event of a Breach
• Gramm-Leach-Bliley Act requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect consumer information
• Related guidelines require covered financial institutions to notify customers whose personal information has been subject to unauthorized access or use if misuse of the customer’s information has occurred or is reasonably possible, unless law enforcement determines that notification will interfere with a criminal investigation
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Notification in the Event of a Breach
• Securities & Exchange Commission (SEC) has issued guidance stating that publicly traded companies should report certain cyber instances
• State Law – Currently 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Potential Litigation
• Potential claims by private parties and the government include:
• State-law claims filed under individual states’ consumer protection laws, tort and contract law, fiduciary requirements, and other cyber security rules
• FTC Safeguards Rule – the FTC has brought numerous enforcement actions to address whether businesses’ security systems are reasonable and appropriate to protect consumer information
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Potential Litigation
• SEC Enforcement Actions. The SEC’s Division of Corporate Finance has taken the position that public companies should disclose their risk of cyber incidents
• Failure to disclose cyber security breaches or risks could lead to actions on security anti-fraud provisions like Rule 10b-5 or books and records violations under Rule 13b2-2
From “Don’t be a Cyber-Thief’s Next Victim” by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ
Do You Really Need Cyber Liability Insurance?
• LinkedIn, eHarmony, DropBox, Paypal and Yahoo have all been hacked and millions of customer records have been lost
• This list does not even include the big retailers like Target and Home Depot that have been hacked with hundreds of thousands of credit card data lost
• Liability for loss of customer data or employee data is not typically covered under normal corporate insurance policies
Do You Really Need Cyber Liability Insurance?
• Be careful when evaluating your existing business insurance policy since some policies that offer general liability coverage and directors and officers liability may provide some limited cyber liability coverage but may not provide all that is required
• Analyze your existing policy in detail with the help of experts before you have a cyber breach because after the breach it is too late
• A recent survey by the Chubb Group of Insurance Companies found that 65% of public companies forego cyber insurance even though they consider cyber risk as their number one concern
Do You Really Need Cyber Liability Insurance?
• 25% of those companies surveyed are expecting a cyber breach in the coming year and 71% have cyber breach response plans in place but only 35% have cyber liability insurance
• It is not only high-profile and high-risk companies that are at risk of cyber breaches
• Small to medium sized companies are at equal risk of cyber breaches
• 72% of all data breaches occurred in Small to Medium (SMB) businesses according to studies by the Secret Service and Verizon Communications Inc.
Do You Really Need Cyber Liability Insurance?
• So why do only 35% of companies invest in cyber liability insurance?
• For one, many executives don’t know it exists, and even if they do they probably don’t think an attack will happen to them, or they are not overly worried about the potential fallout of such a breach
• Premiums are still high since so few companies are buying cyber liability insurance and the payouts can be in the millions of dollars
• The premiums for e-Commerce companies are high because these companies are considered high risk since they acquire and store large amounts of credit card data for purchases from their site
Do You Really Need Cyber Liability Insurance?
• The other high risk companies are medical related institutions hosting data, such as date of birth information, social security numbers and medical records
• You can reduce your cyber liability premiums by reinforcing your security practices before you apply, like a good driver discount
• In other words, having a lower risk factor for data breaches lowers your insurance premium
• One easy way to lower your risk of a data breach is to have strong password protection on your system by using encryption and changing passwords regularly
Do You Really Need Cyber Liability Insurance?
• When your system consists of multiple units of servers, apps, cloud services, databases, tablets and laptops you can purchase affordable password management solutions to help offset the cost of cyber liability premiums
• Other actions that can reduce the cost of cyber liability premiums are:
• Regular risk assessments by outside cyber security analysts
• A written cyber security policy that identifies and lists critical assets and defines policies for physical security, account management, and backup and recovery of critical data among other areas
• Leverage firewalls, virtual private networks, anti-virus and anti-spam software and secure mobile solutions to secure network access and mobile devices
Types of Commercial Liability Insurance
Don’t Expect Your Existing Commercial General Liability Insurance to Cover Cyber Liability Losses!
Commercial General Liability (GL) Coverage Exclusions (aka, will not pay!):
• Personal and Advertising Injury
• Electronic Data – applies to damages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data
Now that you know the potential threat to your business due to cyber attacks it’s time to take action!!
Click the Quote Request Button and let me get you several quotes from reputable insurance companies to protect you from extensive financial losses due to cyber attacks on your company. The cyber liability policy can be stand-alone or combined with the rest of your business insurance.
John Buck, Cyber Liability Insurance Specialist
RP Ryan Insurance Inc.
18501 N 40th St Suite 102 Phoenix AZ 85032
Phone: 602-992-9700 x 252 Cell: 602-885-3656 Email: jbuck@rpryan.com