1. Cyber Insurance Coverage: Issues & Risk Management Approaches
Anderson Kill Cyber Insurance & Risk Management Issues
SRMC Montreal, Quebec Insurance Conference Oct. 27 – 29, 2016
Cyber Insurance Coverage: Issues & Risk Management Approaches

2. Joshua Gold, Esq. 212-278-1886 jgold@andersonkill.com
Speaker
Joshua Gold, Esq

3. Insurance Coverage In Context
An Array of Cyber Risks
Ashley Madison, Sony Pictures, German Steel Mill, NY Dam, “Internet of Things“
Office of Personnel Management hack: biometric data of 22.1 million people
Target: 40 million credit cards compromised; $291mm loss (and counting?)
Ransomware crime wave; Bitcoins demanded
Class action settlements in eight figures
Class action litigation reinstated twice by 7th Circuit
Home Depot settlement of class litigation
$81 to 101 million SWIFT theft at Bangladesh Bank through NY Fed
Dropbox compromised
Yahoo accounts: 500mm reported

4. Potential Exposures Exposures Regulatory Investigations
Information (own and of others)
Business Reputation/ Crisis Mgt.
Business Interruption
Regulatory Investigations
Cyber Extortion
Third Party Liability
Network Itself

5. Policies Possibly Covering Cyber Losses
Take Policy Inventory NOW (Not Just After Incidents)
Coverage For Cyber-related Claims May Be Asserted Under: GL, D&O, E&O, Crime, All Risk Property, Cyber Policies For “Social Engineering”, Hacking, Fraudulent Wire Transfers, Malware, Hardware Damage Claims.
1st Party, 3rd Party, Hybrid Coverage Issues

6. Cyber Risk Management Issues
Being engaged and proactive minimizes threat and makes insurance recovery more likely
Examine vendor contracts, including cloud services
Map all business data
Limit access to sensitive data inside and outside of the office
Make sure senior management is involved in plans and processes to secure data.
Educate, educate, educate, test.

7. A Sample Cyber Insurance Template

8. Top Tips For Nailing Down Cyber Insurance Coverage
Insurance applications: “known risks”
“Retro dates”
Create a clear policy structure: Modules and key coverage grants
Gain symmetry among insurance policies (e.g., CGL and property insurance)
Establish endorsements for particular coverage needs when it comes to cloud storage and service providers and other relevant third-party vendors
“Company as Merchant” exposure: PCI Issues and Brand fines and penalties
Beware of “sub-limit” issues
Beware of breach of contract exclusions (PCI coverage implications)
Beware of conditions respecting "reasonable“ cyber security measures
Business Interruption and “Reputation Damage” insurance—more relevant

9. Various ways to intrude / hack / steal / disclose:
1. Company computers (direct attack)
2. Hosting platforms (infiltration)
3. Vendor credentials / access (spoofing)
Coverage options are available typically for Company computer and hosting platform exposures, but coverage for vendor credential attacks is rarer and often sub-limited when offered in policies we have seen.

10. Coverage for Data/Systems Damages
Focus on defined terms in policies
Particularly relevant for terms such as “Data”, “Records” and “Personal Information”
Definitions of “Computer Systems” and similar terms:
Do the definitions encompass devices such as tablets, laptops, thumb drives and other forms of portable storage?
Do the definitions encompass off-line as well as online components?

11. Coverage for EU Rules /Foreign Agency Regulations Exposures?
Some of the (better) cyber insurance policy forms promise coverage for regulatory and civil law enforcement actions, potentially including;
Coverage for violation of EU rules on storage and transmission of foreign customers’ data
Coverage for proceedings, inquiries, or investigations by foreign equivalents of FTC, DHHS, and other regulators

12. Problematic Clauses (Time Sensitive, Etc.)
Fear of Reporting Claims?
Timely Notice
Comprehensive Proofs of Loss
Suit Limitation Restrictions
Arbitration Requirements
Choice of Law (Assume the Worst)

13. Coverage for More Than “Mere” Hacks
Coverage, understandably, is focused on hacks, denial of service attacks, malware, etc.
But “risk” often is more than that—especially considering the role human error often will play
Is there coverage for inadvertent disclosure?
loss of thumb drive with unencrypted data?
Failure to protect data from online search engines?
Is there coverage for violation of Company’s own privacy or data handling policies?

14. Social Media Insurance Issues
New Avenues for Classic Risks
Traditional Policies May Already Cover
CGL
Professional Liability/E&O
EPLI
Cyber Policies May Provide Tailored Coverage
Comprehensive Pursuit Bridges Potential Gaps

15. Cyber Litigation Issues
Some cases emerging:
PF Changs (Ariz. Federal court decision)
CNA declaratory judgment lawsuit (Cal. Federal court)
Hotel Monteleone (La. Court & arbitration: sublimits)
Beware of Disclosure During Discovery:
E.g., Sensitive Data, Customer Information, Network Security Blueprints

16. Cyber Litigation Issues Continued
Not Much Precedent, But Stay Tuned
Current Precedent Not Uniform: compare Sony I case vs. Portal Health 4th Circuit decision and Recall Total
Provide Notice To All Potentially applicable policies
We have secured coverage for policyholders under E&O, D&O, Crime, GL, business package policies, and property policies for cyber related losses and claims.

17. Joshua Gold, Esq. 212-278-1886 jgold@andersonkill.com
Questions?
Have a question that that did not get addressed during Presentation on Cyber Insurance Coverage? Give us a shout.
Joshua Gold, Esq

18. Disclaimer
The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.

19. Joshua Gold, Esq. 212-278-1886 jgold@andersonkill.com
Thank You
Joshua Gold, Esq

20. Attorney Bio Joshua Gold, Esq.
As Chair of Anderson Kill's Cyber Insurance Recovery Group, Joshua Gold has represented numerous corporate and non-profit policyholders in a broad range of industries in insurance coverage disputes, obtaining recoveries for his clients well in excess of $1.5 billion. His practice involves matters ranging from data breaches to international arbitration, D&O, business income/property and commercial crime claims, and marine insurance. He has been lead trial counsel in multi-party bench and jury trials, and has negotiated and crafted scores of settlement agreements including coverage-in-place agreements. In a cyber claim dispute of particular importance to businesses purchasing fidelity, crime and financial institution bond coverage, Josh won a multi-million dollar recovery in a landmark U.S. Court of Appeals, Sixth Circuit decision on behalf of a retailer that suffered a data breach as a result of a computer hacking scheme.