
Your source for professional liability education and networking. Press to Bankrupt Your Company Cyber Liability for Small and Medium Business.


1 Your source for professional liability education and networking. Press to Bankrupt Your Company Cyber Liability for Small and Medium Business

2 Professional Liability Underwriting Society Moderator: Jake Kouns, Director of Cyber Security and Technology Risks Underwriting, Markel Panelists: Jason Bucher, Senior Underwriter of Professional Liability, Admiral Craig Dunn, VP - Financial Services Broker, AmWINS Kai Hecker, Campbell & Chadwick Rich Mather, Assistant Vice President, Errors and Omissions Claims, Allied World

3 Professional Liability Underwriting Society Agenda A.Case Example - Cyber Liability for Small to Medium Businesses B.State of the Market C.Legal Overview D.Cyber Liability Coverage E.Data Breaches and Claims F.Predictions and Q&A

4 Your source for professional liability education and networking. Case Example Cyber Liability for Small to Medium Businesses

5 Professional Liability Underwriting Society Case Details (redacted)
– A small company that reviewed medical records for workers' compensation and auto casualty insurance claims
– Records were transmitted from clients to the business via an electronic portal for the business to review
– The web portal was secure, with proper encryption
– A New Year's Eve break-in at the business's physical location results in electronic equipment being stolen, including backup tapes and storage devices
– Data was not encrypted while at rest; as such, the data is construed as lost and breached as per HIPAA / HITECH and is subject to notification requirements

6 Professional Liability Underwriting Society Need More Info
What are some important pieces of additional information that we need to know to understand just how bad this could be?
– The number of records impacted is approximately 14,000
– Clarification on the type of data lost
– Clarification on encryption
– Legal understanding (customer states involved)
– No collectible or applicable insurance held

7 Professional Liability Underwriting Society Case – Insurance Study
What types of widely available insurance products could have been their salvation?
– First Party Data Privacy Coverage
  – A $50,000 sub limit may have been sufficient
– Third Party Data Privacy Coverage
– Technology E&O vs. Monoline Data Privacy coverage
  – Either form would have assisted on the front end, but the third party liability cover may have demanded Tech E&O

8 Professional Liability Underwriting Society Case – Insurance Study
What would be some of the concerns with the policy to ensure coverage was sufficient?
– Exclusions that need be minded: Unencrypted Data, Failure to Update / Maintain Security, Failure to meet / Exceed security on app
– Definitions that need be minded: Definition of Expenses included, Definition of coverage triggers and Data covered
– Conditions that need be minded: Notification requirements, vendor stipulations
– Limits / Sub-limits

9 Professional Liability Underwriting Society Case Continues, and Thickens
What do you think happened to this company? What were the impacts?
– Cost to notify and mitigate the loss was greater than available cash on hand
– Pending liability from clients and individuals forced drastic action
– Chapter 7 bankruptcy was filed 69 days after the break-in!

10 Your source for professional liability education and networking. State of the Market How is cyber liability really doing? Is it selling? Who is buying it? Where is it in the product life cycle?

11 Professional Liability Underwriting Society State of the Market
Observations from the field have led to the following points for discussion:
– Awareness is widespread
– Market participation is growing
– Claims experience is building
– Product access and support needs attention

12 Professional Liability Underwriting Society Awareness is Widespread
Agents, Brokers, Business Owners inundated with e-blasts, market announcements, claims examples…
– Details and nuances often overlooked
– Marketing vs. Underwriting
– The trap of the term / phrase "Cyber"
Concept of Privacy Liability overlooked

13 Professional Liability Underwriting Society Participation is Growing
– "Growing" is an understatement
– Multiple interpretations of the hazards faced lead to confusion
– Multiple offerings: Monoline, Endorsements to other Professional lines, Modules to other Casualty lines
– No Market Standard per se, but emerging trends and concepts

14 Professional Liability Underwriting Society Experience is Building
– Carriers are starting to pay out
– Brokers have first-hand experience of what a Data Breach Response entails
– Emerging metrics and statistics on loss payments are assisting in building rate commonality
– Loss support service expenses are dropping

15 Your source for professional liability education and networking. Legal Overview
– Practical steps to keep a company's cyber horses in the barn?
– What information must be protected?
– What is the current legal stance in Texas?
– Texas' new HIPAA companion law
– Massachusetts obligations and requirements
– Patco Construction Co. vs People's United Bank

16 Professional Liability Underwriting Society Cyber Liability
Who's coming after you?
– Individual Victims
– The State of Texas Attorney General
– Licensing Agency
– Other State AGs
– Federal Government
– Foreign Governments
– Shareholders / Partners
– Contract Parties / Data Owners

17 Professional Liability Underwriting Society Cyber Liability
– 46 States & DC have notification laws; AL, KY, NM & SD do not.
– Senate just killed uniform national rules
– HIPAA & Banking notification requirements
– Canada & E.U. requirements

18 Professional Liability Underwriting Society Cyber Liability
– Texas Mandatory Notification requirement
– Duty to Protect Sensitive Personal Information: "A business shall implement and maintain reasonable procedures […] to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business…"
– Bonus: Includes nonprofit athletic & sports associations

19 Professional Liability Underwriting Society Cyber Liability Who can sue you? Individual Victims The State of Texas Attorney General Licensing Agency Other State AGs Federal Government Foreign Governments Shareholders / Partners Contract Parties / Data Owners Covered? Cyber Defense Cyber ? CGL/E&O ? same same* Unlikely D&O CGL

20 Professional Liability Underwriting Society Which Laws are Applicable to me?

21 Your source for professional liability education and networking. Cyber Liability Coverage New Exposures? New Coverage Options? How brokers, underwriters, and the client can better work together?

22 Professional Liability Underwriting Society Common Privacy Breach Allegations
– Invasion of the customer's (or employee's) right to privacy
– Failure to implement and maintain reasonable security procedures
– Unfair, deceptive, and unlawful business practices
– Negligence
– Emotional distress
– Individually or as class actions

23 Professional Liability Underwriting Society Classes with Privacy Exposure
Auditor, Bank/Financial Institution, Data Storage/Destruction firms, Debt collectors, Drug Testing Agency, Health Clubs, Hospitals/Medical Group, Hotel, Insurance Agent/Broker, Insurance Company, Internet Kiosk operator, Investment Advisor, Lawyers, Medical Billing Firm, Mortgage Broker, Pension Plan Administrators, Pharmaceutical company with clinical trials, Private Investigators, Public Entities, Real Estate Agent/Title Agent, Retail store, School, Staffing Firm, Travel Agent, Web based e-Commerce

24 Professional Liability Underwriting Society Cyber Liability Insuring Agreements
– 1st Party Business Interruption: Covers lost business income in the event a virus infection shuts you down.
– 1st Party Data Asset: Covers your expenses to recover lost data.
– Cyber Extortion: Covers expenses and ransom if a hacker threatens to shut you down. This insuring agreement often covers reward amounts offered to catch the extortionist.
– Network Security: Covers your liability when hackers use your system to inflict damage on others.
– Privacy
  – Notification Expenses: when data is lost, you must notify all potential victims within a short period of time as required by state laws.
  – Credit Monitoring: Policies will cover up to 1 year of credit monitoring services for those exposed. In some cases 2 years of monitoring will be available.
  – Credit Repair Services: 1 year of services to repair credit of an actual identity theft.
  – Crisis Management: Public Relations expense coverage to protect your image.
  – Regulatory Defense and expenses: Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage for regulatory proceedings and in some cases cover penalties where insurable.
– Electronic Media: Covers website content liability (copyright, libel, slander, etc.)

25 Professional Liability Underwriting Society Why Cyber Isn't Covered on Other Policy Forms
– General Liability covers bodily injury and property damage, not stolen identities.
– Property Insurance does not consider data as property.
– Media Liability policies are only covering content for libel, slander and copyright.
– E&O policies are covering services for others for a fee. Some will cover invasion of privacy, but will only respond to actual damages. You won't get notification expense coverage or credit monitoring services coverage on an E&O policy. Also, many businesses hold PII without being in a service industry which would be required to buy E&O.
– Intellectual Property Coverage (Patent/Copyright). These policies are designed to protect you from claims brought by competitors and other third parties. This coverage responds to theft of ideas, products or content, not identities, private records or money.
– Crime Insurance covers employee theft of money, securities and property. A data record can be stolen, but you may not see a financial loss for many years.
  – For financial institutions some carriers are combining a crime policy with the security/privacy policy because there can be an overlap. The theft of funds through a network could hit both policies. If an employee is involved in the theft, you could trigger the crime as well as the liability portion of the privacy/security.
  – In absence of the privacy/security policy, there wouldn't be coverage for the notification and credit monitoring.

26 Professional Liability Underwriting Society Gaps in Current Cyber Forms
– Many Internet policy forms only cover web content, not identities.
– Many insurers will only offer $250,000 of notification and credit monitoring expense coverage while others will offer up to the policy limit.
– A handful of insurers will insure regulatory civil fines and penalties where insurable. Others only provide defense.
– Pay attention to the sublimits offered. Every insurer offers something different.
– Some insurers have coinsurance provisions applicable to the expense coverage.
– Some policy forms are only covering paper records if generated electronically.
– Some insurers are not covering employee records (insured vs insured exclusions).
– Some insurers are not covering data breaches caused by employees of the insured (rogue employees).
– Some insurers will cover mental anguish and emotional distress arising from a privacy breach, others will exclude anything arising out of or related to bodily injury.
– Some insurers have exclusions applicable if the insured does not continuously upgrade or maintain the same level of security as was in place at the time coverage was bound.

27 Your source for professional liability education and networking. Data Breaches and Claims What are the data breach and claims trends? How should you manage Third Party Vendors? Real Examples & How Insurance Has Responded

28 Professional Liability Underwriting Society Data Breach Trends

29 Professional Liability Underwriting Society Data Breaches and Claims
Third Party Liability Claims/Regulatory Agency Investigations:
– Liability based on allegations of direct harm
  – Provable identity theft with traditional damages
  – Claims from third parties who incurred response costs to a breach by the insured
– Liability theory based on harm avoidance/possibility of harm
– Liability theory based on statutory violations with no need for traditional damages

30 Professional Liability Underwriting Society How to Manage Third Party Vendors
– First, understand how your policy treats breaches by vendors. This is particularly critical for coverage for first party expenses.
– Review your contracts with vendors re indemnity, security protocols for handling data
– Confirm vendors have their own insurance coverage

31 Professional Liability Underwriting Society How to Manage Third Party Vendors
– Understand how your policy treats breaches by vendors. This is particularly critical for coverage for first party expenses.
– Review your contracts with vendors re indemnity, security protocols for handling data
– Confirm vendors have their own insurance coverage
Critical that this happens before the ink dries.

32 Professional Liability Underwriting Society Cyber Liability Investigation Mitigation Regulatory Compliance Legal Costs 5000 records $970, $750, $194 per record $15k per case $1,720, Settlements + Fines

33 Professional Liability Underwriting Society Data Loss Expenses
Statistics from the Ponemon Institute 2011 Cost of Breach Study:
– Average total cost per reporting company: $5.5 million
– Average per-record cost of a data breach: $194 (Expect about $60 per record for notification and credit monitoring)
Per Capita Costs of a Breach by Industry Classification:
– Healthcare: $240
– Financial: $247
– Hospitality: $116
– Services: $185
– Pharma: $276
– Average: $194
Cause of Data Breach:
– System glitch: 24%
– Negligence: 39%
– Cybercrime or Hack: 37%

34 Professional Liability Underwriting Society Claims Examples
Claims Scenario #1: 24,000 patient records compromised at a mid-sized hospital. State regulations requirements were triggered. The hospital was required to notify every patient of the breach via Certified Mail.
– Damages: $240,000
– Defense Costs: $42,500
– TOTAL AMOUNT PAID: $282,500
Claims Scenario #2: A pharmacy sold a computer to a private individual that still contained prescription records including the names, addresses, social security numbers and medication lists of pharmacy customers. State law regulations required certified notification to all of the affected parties. Two lawsuits were filed: 1) Plaintiff alleged damages due to job loss as a result of the disclosure; 2) Plaintiff alleged her identity was stolen and sued to recover the costs of correction and emotional distress. A HIPAA investigation was triggered.
– TOTAL AMOUNT PAID IN EXCESS OF: $410,000

35 Professional Liability Underwriting Society Identity Theft Adds Up
Source: Federal Trade Commission (February 2012): Consumer Sentinel Network Data Book: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2011.pdf
Multiply the $14,000 in average individual losses from the previous slide times the roughly 280,000 cases in 2011 and you get approximately $3.9 Billion in potential damages. This is before including pain, suffering, legal fees and other demands from the victims.

36 Professional Liability Underwriting Society Cyber Liability Microsoft Encrypted File System Microsoft Bitlocker TrueCrypt Encrypt Data Secure Paper SuGAR mandatory Super Geek Assistance Required

37 Your source for professional liability education and networking. Predictions and Q&A

38 Professional Liability Underwriting Society Moderator: Jake Kouns, Director of Cyber Security and Technology Risks Underwriting, Markel - Panelists: Jason Bucher, Senior Underwriter of Professional Liability, Admiral - Craig Dunn, VP - Financial Services Broker, AmWINS - Kai Hecker, Campbell & Chadwick - Rich Mather, Assistant Vice President, Errors and Omissions Claims, Allied World - Contact Us

