Presentation on theme: "Managing Cyber Risk Through Insurance and Vendor Contracts"— Presentation transcript:
1Managing Cyber Risk Through Insurance and Vendor Contracts Dino Tsibouris (614)Tom Srail, SVP, FINEX NA – Cyber and E&O TeamMehmet Munur (614)
2Outline Cyber risks Costs relating to cyber risks Use of insurance for cyber risksLawsuits relating to insurance policiesStrategies in obtaining coverageTraditional v. Cyber InsuranceVendorsConclusion
3Cyber Risks Hacking incidents Data breaches Privacy breaches Unauthorized accessSocial engineeringVandalism or defacementCyber extortionRegulatory enforcement following incidents
4Cyber Risks Privacy is a heightened & evolving exposure Reliance on Vendors (Cloud, IT, HR)Regulatory ChangesUnderwriters are paying multi-million dollar lossesBusiness Interruption and Systems FailureCredit card related fines and lawsuits.“Cyber” Insurance has broadened to address these risks
6What is the Data? What Data do you collect/process? Personally Identifiable Information (PII): SSN, Drivers License, etc.Payment Card Information (PCI): Credit Card, Debit Card NumbersProtected Health Information (PHI)Personal or Sensitive Personal Data (EU)
7Where is the Data? Where is it? Do you share with third parties? How well is it protected?How long is it kept?What is a Breach?Unauthorized disclosureUnauthorized acquisitionData compromised
9Costs of a Data Breach Cost per record: $214 (2010) (up $10 from 2009) DIRECT COSTSNotificationCall CenterIdentity Monitoring (credit/non-credit)Identity RestorationDiscovery / Data ForensicsLoss of Employee ProductivityINDIRECT COSTSRestitutionAdditional Security and Audit RequirementsLawsuitsRegulatory FinesLoss of Consumer ConfidenceLoss of FundingCost per record:$214 (2010) (up $10 from 2009)$73$141Source: Ponemon Institute
10Costs of a Data Breach Notification: $1/individual Credit monitoring: $15-$50/individualCall Centers, Fraud Alerts, Database Scanning, Restoration ServicesCivil, regulatory and possibly criminal defenseData Privacy counsel can cost $1,000+ per hour.Business Interruption Costs/Data Damage?
14Security Incidents and Insurance Proceeds In millions of dollarsSource: SEC
15Creative Hospitality Ventures v. US Liability Insurance Restaurant gives customers receipts showing full account number in violation of FACTA.Class action lawsuit ensues.Restaurant seeks coverage under CGL policy.
16Creative Hospitality Ventures v. US Liability Insurance Policy limited to “personal and advertising injury.”Defined as any publication that invaded the right to privacy.Circuit court reversed magistrate holding that printing receipt was publication.Therefore, no coverage.
17Auto-Owners Insurance v. Websolv Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.Websolv seeks coverage under CGL policy.Auto-Owners sued arguing that it had no duty to defend under:Advertising Injury – publication & privacy.Property Damage – fax.
18Auto-Owners Insurance v. Websolv Appeals court held that Iowa law, not Illinois law, applied and that policy did not cover the injury.Appeals court held:Privacy interest v. seclusion interest.Publication v. secrecy.Damages expected v. intended.Concluded that there was no coverage.
19Eyeblaster v. Federal Insurance Computer user sues Eyeblaster alleging injuries relating to its advertising software.Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.Federal denies coverage and brings this lawsuit.
20Eyeblaster v. Federal Insurance CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”District court finds that there is no physical injury; therefore, no coverage.Appeals court finds that inability to use computer constitutes injury under the policy and reverses.
21Zurich Insurance v. Sony Sony’s online networks are attacked and passwords are compromised.Sony shuts down PSN for weeks.Sony offers fraud monitoring.Sony offers discounted games in apology.Sony is sued in tens of class action lawsuits.Zurich sues Sony for declaratory judgment.
22Zurich Insurance v. Sony Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.Zurich claims that its insurance policies cover:Bodily injury,Property damage, andPersonal and advertising injury.Litigation ongoing.
23Common Issues Interpretation of undefined terms crucial in coverage. Interpretation varies depending on trial court, appeals court, and state law.Litigating insurance policy consumestime and resources.
24Common Issues Data may not be tangible personal property. Publication may not have occurred.Privacy rights may not have been breached.
25Common Issues CGL policy covers specific risks. Cyber risks may not be covered.Coverage varies widely among policies.
26Traditional Insurance Gaps Theft or disclosure of third party information (GL)Security and privacy – “Intentional Act” exclusions (GL)Data is not “tangible property” (GL, Prop, Crime)Bodily Injury & Property Damage triggers (GL)Value of data if corrupted, destroyed, or disclosed (Prop, GL)
27Traditional Insurance Gaps Contingent risks (from external hosting, etc.)Commercial Crime policies require intent, only cover money, securities and tangible property.Territorial restrictionsSublimit or long waiting period applicable to any virus coverage available (Prop)
28Preparation is KeyPolicy must be part of an Enterprise Risk Management programUtilize privacy, security, and legal:PoliciesProceduresControlsUnderstand probability and magnitude of riskAudit products and services
29Preparation is Key Ask Your Privacy / IT professionals: Incident Response Plan (tested?)Vendor Contracts / Insurance RequirementsPrivacy Risk AssessmentCheck Existing Insurance Gap AnalysisNew coverage terms must integrate withResponse PlansTraditional Policies
30Cyber Risk Coverage Data breach Governmental civil actions Virus liabilityContent liabilityExtortionLost data
31Privacy & Network Coverages Expense (Loss Mitigation) CoverageData Breach Expenses:Consumer notification and credit monitoring service costs (sub-limit)Forensics/InvestigationsPublic Relations/Crisis Management Expenses
32Privacy & Network Coverages Liability CoveragePrivacy LiabilityNetwork Security LiabilityMedia, IP and Content Liability
33Privacy & Network Coverages Direct (First Party) CoverageRevenue Loss (Interruption to income due to systems outage)Data Reconstruction
34Limits and Exclusions Must the insured notify you right away? Indemnification for losses or claims, too?Who chooses the lawyer to defend a lawsuit?Are there preferred vendors?Limitation of liability – dollar amount?
35Vendor Contracts Breaches may occur at a vendor. Contract clauses and limitations should harmonize with insurance clauses.Damage limits should factor policy limits.Notify if a breach may have occurred.Should they tender your defense?You are liable, but they can help.
36Vendor Contracts IT/Software Companies Request Tech E&O, plus Privacy/Network CoverageSome Tech E&O policies have security/privacy exclusionsBreach could occur without “wrongful act” being committed
37Vendor Contracts Business Services – Payroll, Auditors, Counsel Request appropriate E&O coverageRequest Privacy/Network coverageCredit Card Processors/Acquiring BanksRequest Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)
38Vendor ContractsOther Vendors that transport, touch, interact with your systems or sensitive informationRequest Privacy/Network coverage
39Upcoming IssuesRevisions to the EU Data Protection Directive that propose fines of up to 2% of annual turnover of a companyFederal data breach notification in the U.S.FTC Final Privacy Report and Privacy by DesignDepartment of Commerce multi-stakeholder enforceable codes of conduct process
40Outline Cyber risks Costs relating to cyber risks Use of insurance for cyber risksLawsuits relating to insurance policiesStrategies in obtaining coverageTraditional v. Cyber InsuranceVendorsConclusion
41Questions Dino Tsibouris (614) 360-3133 firstname.lastname@example.org Tom Srail, SVP, FINEX NA – Cyber and E&O TeamMehmet Munur (614)