Managing Cyber Risk Through Insurance and Vendor Contracts


Managing Cyber Risk Through Insurance and Vendor Contracts Dino Tsibouris (614) 360-3133 dino@tsibouris.com Tom Srail, SVP, FINEX NA – Cyber and E&O Team tom.srail@willis.com Mehmet Munur (614) 360-3101 mehmet.munur@tsibouris.com

Outline
- Cyber risks
- Costs relating to cyber risks
- Use of insurance for cyber risks
- Lawsuits relating to insurance policies
- Strategies in obtaining coverage
- Traditional v. Cyber Insurance
- Vendors
- Conclusion

Cyber Risks
- Hacking incidents
- Data breaches
- Privacy breaches
- Unauthorized access
- Social engineering
- Vandalism or defacement
- Cyber extortion
- Regulatory enforcement following incidents

Cyber Risks
- Privacy is a heightened & evolving exposure
- Reliance on Vendors (Cloud, IT, HR)
- Regulatory Changes
- Underwriters are paying multi-million dollar losses
- Business Interruption and Systems Failure
- Credit card related fines and lawsuits
- “Cyber” Insurance has broadened to address these risks

“CYBER” INSURANCE TIMELINE (figure; time axis 1996 to 2012 in two-year steps)
- Insurance History: Cyber Insurance Introduced; Notice Costs Covered; Broad Privacy Ins.; Vendor Coverage; Corp Confidential Info; PCI Fines & Penalties; Systems Failure; Reg. Fines & Penalties
- Regulatory/Industry History: HIPAA; GLB; SB1386; PCI; HITECH; SEC
- Claims/Losses History: Epsilon/Sony; Card Systems; TJX; Heartland

What is the Data?
What Data do you collect/process?
- Personally Identifiable Information (PII): SSN, Drivers License, etc.
- Payment Card Information (PCI): Credit Card, Debit Card Numbers
- Protected Health Information (PHI)
- Personal or Sensitive Personal Data (EU)

Where is the Data?
- Where is it?
- Do you share with third parties?
- How well is it protected?
- How long is it kept?

What is a Breach?
- Unauthorized disclosure
- Unauthorized acquisition
- Data compromised

Costs of a Data Breach
Cost per record: $214 (2010) (up $10 from 2009)

DIRECT COSTS
- Notification
- Call Center
- Identity Monitoring (credit/non-credit)
- Identity Restoration
- Discovery / Data Forensics
- Loss of Employee Productivity

INDIRECT COSTS
- Restitution
- Additional Security and Audit Requirements
- Lawsuits
- Regulatory Fines
- Loss of Consumer Confidence
- Loss of Funding

Figure values: $73, $141
Source: Ponemon Institute

Costs of a Data Breach
- Notification: $1/individual
- Credit monitoring: $15-$50/individual
- Call Centers, Fraud Alerts, Database Scanning, Restoration Services
- Civil, regulatory and possibly criminal defense
- Data Privacy counsel can cost $1,000+ per hour.
- Business Interruption Costs/Data Damage?

Source: Advisen Cyber Risk Special Report

Source: Advisen Cyber Risk Special Report

Security Incidents and Insurance Proceeds (figure; in millions of dollars)
Source: SEC

Creative Hospitality Ventures v. US Liability Insurance
- Restaurant gives customers receipts showing full account number in violation of FACTA.
- Class action lawsuit ensues.
- Restaurant seeks coverage under CGL policy.

Creative Hospitality Ventures v. US Liability Insurance
- Policy limited to “personal and advertising injury.”
- Defined as any publication that invaded the right to privacy.
- Circuit court reversed magistrate holding that printing receipt was publication.
- Therefore, no coverage.

Auto-Owners Insurance v. Websolv
- Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.
- Websolv seeks coverage under CGL policy.
- Auto-Owners sued arguing that it had no duty to defend under:
  - Advertising Injury – publication & privacy.
  - Property Damage – fax.

Auto-Owners Insurance v. Websolv
- Appeals court held that Iowa law, not Illinois law, applied and that policy did not cover the injury.
- Appeals court held:
  - Privacy interest v. seclusion interest.
  - Publication v. secrecy.
  - Damages expected v. intended.
- Concluded that there was no coverage.

Eyeblaster v. Federal Insurance
- Computer user sues Eyeblaster alleging injuries relating to its advertising software.
- Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.
- Federal denies coverage and brings this lawsuit.

Eyeblaster v. Federal Insurance
- CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”
- District court finds that there is no physical injury; therefore, no coverage.
- Appeals court finds that inability to use computer constitutes injury under the policy and reverses.

Zurich Insurance v. Sony
- Sony’s online networks are attacked and passwords are compromised.
- Sony shuts down PSN for weeks.
- Sony offers fraud monitoring.
- Sony offers discounted games in apology.
- Sony is sued in tens of class action lawsuits.
- Zurich sues Sony for declaratory judgment.

Zurich Insurance v. Sony
- Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.
- Zurich claims that its insurance policies cover: Bodily injury, Property damage, and Personal and advertising injury.
- Litigation ongoing.

Common Issues
- Interpretation of undefined terms crucial in coverage.
- Interpretation varies depending on trial court, appeals court, and state law.
- Litigating insurance policy consumes time and resources.

Common Issues
- Data may not be tangible personal property.
- Publication may not have occurred.
- Privacy rights may not have been breached.

Common Issues
- CGL policy covers specific risks.
- Cyber risks may not be covered.
- Coverage varies widely among policies.

Traditional Insurance Gaps
- Theft or disclosure of third party information (GL)
- Security and privacy – “Intentional Act” exclusions (GL)
- Data is not “tangible property” (GL, Prop, Crime)
- Bodily Injury & Property Damage triggers (GL)
- Value of data if corrupted, destroyed, or disclosed (Prop, GL)

Traditional Insurance Gaps
- Contingent risks (from external hosting, etc.)
- Commercial Crime policies require intent, only cover money, securities and tangible property.
- Territorial restrictions
- Sublimit or long waiting period applicable to any virus coverage available (Prop)

Preparation is Key
- Policy must be part of an Enterprise Risk Management program
- Utilize privacy, security, and legal:
  - Policies
  - Procedures
  - Controls
- Understand probability and magnitude of risk
- Audit products and services

Preparation is Key
Ask Your Privacy / IT professionals:
- Incident Response Plan (tested?)
- Vendor Contracts / Insurance Requirements
- Privacy Risk Assessment
- Check Existing Insurance
- Gap Analysis
- New coverage terms must integrate with:
  - Response Plans
  - Traditional Policies

Cyber Risk Coverage
- Data breach
- Governmental civil actions
- Virus liability
- Content liability
- Extortion
- Lost data

Privacy & Network Coverages
Expense (Loss Mitigation) Coverage
- Data Breach Expenses: Consumer notification and credit monitoring service costs (sub-limit)
- Forensics/Investigations
- Public Relations/Crisis Management Expenses

Privacy & Network Coverages
Liability Coverage
- Privacy Liability
- Network Security Liability
- Media, IP and Content Liability

Privacy & Network Coverages
Direct (First Party) Coverage
- Revenue Loss (Interruption to income due to systems outage)
- Data Reconstruction

Limits and Exclusions
- Must the insured notify you right away?
- Indemnification for losses or claims, too?
- Who chooses the lawyer to defend a lawsuit?
- Are there preferred vendors?
- Limitation of liability – dollar amount?

Vendor Contracts
- Breaches may occur at a vendor.
- Contract clauses and limitations should harmonize with insurance clauses.
- Damage limits should factor policy limits.
- Notify if a breach may have occurred.
- Should they tender your defense?
- You are liable, but they can help.

Vendor Contracts
IT/Software Companies
- Request Tech E&O, plus Privacy/Network Coverage
- Some Tech E&O policies have security/privacy exclusions
- Breach could occur without “wrongful act” being committed

Vendor Contracts
Business Services – Payroll, Auditors, Counsel
- Request appropriate E&O coverage
- Request Privacy/Network coverage
Credit Card Processors/Acquiring Banks
- Request Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)

Vendor Contracts
Other Vendors that transport, touch, interact with your systems or sensitive information
- Request Privacy/Network coverage

Upcoming Issues
- Revisions to the EU Data Protection Directive that propose fines of up to 2% of annual turnover of a company
- Federal data breach notification in the U.S.
- FTC Final Privacy Report and Privacy by Design
- Department of Commerce multi-stakeholder enforceable codes of conduct process

Outline
- Cyber risks
- Costs relating to cyber risks
- Use of insurance for cyber risks
- Lawsuits relating to insurance policies
- Strategies in obtaining coverage
- Traditional v. Cyber Insurance
- Vendors
- Conclusion

Questions Dino Tsibouris (614) 360-3133 dino@tsibouris.com Tom Srail, SVP, FINEX NA – Cyber and E&O Team tom.srail@willis.com Mehmet Munur (614) 360-3101 mehmet.munur@tsibouris.com