Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014

Transcription

1 Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014

2 Cyber Exposures Joan D Ambrosio

3 Reported data breaches continue to increase In the US: breaches impacting 52,821,610 records breaches impacting 48,607,177 records breaches impacting 129,974,681 records breaches impacting 49,659,455 records breaches impacting 218,662,415 records breaches impacting 12,313,609 records breaches impacting 68,371,678 records breaches impacting 27,985,484 records breaches impacting 54,788,210 records Massive new breaches reported in 2014 already Sources: Privacy Rights Clearinghouse, Chronology of Data Breaches: 2 Round 5

4 UK In the UK, too Bank of England reported increase in cyber attacks revealing vulnerabilities in computing infrastructure of UK banks and markets in November 2013 Data breaches reported to ICO: 2007/08 79 instances reported 2011/ instances reported And 723 instances reported in first half of 2013/14 fiscal year alone Sources: Bank of England Financial Stability Report, 26 November 2013; Information Commissioner s Office ( 3 Round 5

5 Identity Theft Thriving Black Market for customer information 7% Americans age 16 or older were victims of identity theft during 2012 (estimated 17 million people) 2/3 victims experienced financial loss Identity theft cost Americans $24.7 billion during 2012 $10 billion more than all other property crimes combined 4 Round 5

6 How do data breaches occur? Misconception that most breaches caused by malicious attacks Human Error / System Error represent majority Loss of unencrypted portable devices Stray s, letters, faxes, documents Inadequate destruction of data Technical security failures Cyber Attacks Malware / virus attacks (unsecured networks) Denial of service attacks ( DDoS ) Property crimes (stolen computers, mobile phones, USB drives) Inside job (employee steals information) Phishing scams Spear-phishing (social engineering) Advanced persistent threats 5 Round 5

7 Data breaches affect all industries Healthcare Retail Financial Professional Services Education Government Transportation Insurance 6 Round 5

8 FI breaches Bank of New York Mellon (March 2008): Computer data tape containing names, Social Security numbers and bank account numbers of 12.5 million customers, shareholders and other investors went missing in transit to a third party storage facility. HSBC (July 2009): FSA imposed 3.2m fine as a result of an investigation which found large amounts of unencrypted customer data were sent by post or courier. 7 Round 5

9 FI breaches cont d JP Morgan Chase (December 2013): Information associated with prepaid cash cards accessed by hackers in July During the attack, passwords appeared in plain text. Bank of Scotland (August 2013): Fined 75,000 by ICO for faxing customer account information to the wrong recipients between 2009 and Barclays Bank (April 2013): 1.3m stolen by hackers who connected to an internet router inside one branch under the guise of IT engineer. 8 Round 5

10 Corporations Endless examples 93,000 Websites (December 2013): Keylogging software was used to collect usernames and passwords across 93,000 websites, including Facebook, Twitter, Gmail, YouTube, LinkedIn and other public and private limited companies. Target Neiman Marcus Other retailers Average Cost Increased Risk 9 Round 5

11 What is the exposure? Initial Response/Investigation Huge cost implications before breach is even notified to public Forensic examination Privacy counsel Management time Public relations 10 Round 5

12 What is the exposure? Data Breach Response Notification and reporting costs Tight deadlines Multiple forms of notice to comply with different rules Credit monitoring Not a legal requirements, but now commonplace Call Centres/FAQ scripts 11 Round 5

13 What is the exposure? Regulatory FTC Office of Civil Rights - $100 to $50,000 per violation (capped at $1.5M) Attorney Generals HHS California Department of Public Health snooping penalties of up to $250,000 per record Department of Education DOJ Foreign Governments (ICO, consumer protection entities, etc.) Increasingly frequent even for smaller breaches, as regulators have become more sophisticated and better trained/staffed Response can be very expensive Investigations can lead to fines or (worse) corrective actions that can require compliance for years 12 Round 5

14 What is the exposure? Third party Claims Lawsuits Class action lawsuits common in US Potential shareholder derivative actions in D&O context Reputation and publicity impact Links in to share price risks e.g. Heartland Payment Systems (2009): Stock dropped from $15-20 to $5.49 following disclosure of breach implicating over 130 million records. Audit and preventative measures 13 Round 5

15 Standalone cyber policies Are evolving Network security breaches e.g. denial of service, hacking, malware Privacy liability e.g. loss of data, failure to comply with notification requirements Notification costs e.g. legal obligation Regulatory defences and penalties Cyber extortion PCI fines Sub-limits 14 Round 5

16 But what about traditional policies? Coverage may exist under CGL, D&O, Crime and other policies for certain aspects of data breach exposures Only 30% US companies buying cyber standalone cover Industry predictions re massive increase Even where coverage has been found, there will be gaps New exclusions coming on line 15 Round 5

17 Financial Institution Policies James Cooper 16 Round 5

18 What will be covered Crime Policies Civil Liability Policies Recent market movements 17 Round 5

19 Fidelity insuring clause direct financial loss caused by employees dishonest, fraudulent or malicious acts 18 Round 5

20 Loss of Property insuring clause direct financial loss loss of property BUT tangible property only 19 Round 5

21 Computer Manipulation insuring clause What was the original intent of this? What do more recent versions cover? 20 Round 5

22 Civil Liability insuring clause Still require a Wrongful Act? claimant s costs defence costs reasonable costs of mitigation cost of representation at any official investigation/inquiry (is this relevant to the Information Commissioner?) 21 Round 5

23 Potential Costs Initial response/investigation (forensic examination, privacy counsel, management time, public relations) Notification, credit monitoring and crisis management (eg costs of helpline, mail drop to all affected) Implementing preventative measures Regulatory investigation and response Defence costs of third party claims Restoring firms reputation 22 Round 5

24 Recent Market Movements Cyber Endorsement to Crime Policies: Cyber loss or damage restoration of data Business interruption reduction of business income any expenses to resume and restore operations includes expenses to avoid loss of clients 23 Round 5

25 Directors & Officers Kim West 24 Round 5

26 Other Regulatory Developments That Will Increase D&O Exposure On a governmental level, the need to protect business and national security assets has become a major focus of the White House, Congress and the Securities and Exchange Commission (SEC). Most recently the Cyber Intelligence Sharing and Protection Act of 2013 was approved by the House Intelligence Committee. On February 12, 2013, the White House issued an executive order titled Improving Critical Infrastructure Cybersecurity" establishing a "top-to-bottom" review of the federal government's efforts to defend the nation's information and infrastructure. The SEC Division of Corporation Finance 118S issued guidance instructing companies to disclose cyber attacks or risks associated with cybersecurity breaches if such attacks or breaches are likely to be material to investors. 25 Round 5

27 Other Regulatory Developments That Will Increase D&O Exposure. 26 Round 5 SEC Continues To Target Cybersecurity Disclosures Corp Fin acknowledged that no "existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents," but stated that (1) various disclosure requirements may impose an obligation to disclose cybersecurity risks and incidents, and (2) material information about cybersecurity risks and incidents could be required to be disclosed to make other required disclosures not misleading. Corp Fin advised companies to review the adequacy of their disclosures on these topics "on an ongoing basis. Chairwoman White stated that, "even in the absence of a line item requirement" in the disclosure rules regarding cyber attacks, the materiality standard governs disclosures about such attacks. The SEC will continue to prioritize increased disclosure of cyber security practices and to monitor the steps companies take to manage cyber security risk.

28 Other Regulatory Developments That Will Increase D&O Exposure. Sec Position On Disclosures Specifically, the SEC believes that companies should disclose the risk of cyber incidents in a company's "risk factors" and that specific material cybersecurity breaches be disclosed in their management discussion and analysis. Furthermore, cybersecurity breaches may have a broad impact on a company's income and assets, and that these impacts should be reflected in a company's financial statements. 27 Round 5

29 Regulatory Developments - UK EU Data Protection Regulation Overhaul of Data Protection Directive to establish one single data protection law across all EU Member States and one single data protection authority to deal with. Key proposals include: higher penalties for breach (fines up to 100M or 5% of annual worldwide turnover); primacy of EU law; mandatory data protection officers; introduction of data protection reviews and privacy impact assessments. Proposed final text of the regulation due to be voted on by European Council in April 2014 but will not be passed until early EU Directive on Cyber Crime The Cyber Crime Directive (2013/40/EU) came into force on 3 September Member states must implement it by 4 September The new Directive aims to tackle the increasingly sophisticated and large-scale forms of attacks on information systems by requiring member states to strengthen national cyber-crime laws and introduce tougher criminal sanctions. It also aims to facilitate the prevention of such offences and to improve co-operation between judicial and other competent authorities. 28 Round 5

30 Regulatory Developments - Canada Canada's Anti-Spam legislation Most of Canada's Anti Spam legislation will come into force on 1 July 2014 as part of the Canadian Radio-television and Telecommunications Commission (CRTC) regulations. There are three broad activities that will engage the CRTC: sending of commercial electronic messages without consent alteration of transmission data in an electronic message without express consent installation of computer programs without express consent The underlying principle is that these activities can only be carried out with prior consent and that such consent may be withdrawn. The CRTC will have a number of compliance tools; one such being administrative monetary penalties (AMPs). The maximum AMP is $1 million per violation for an individual and $10 million per violation for entities, such as corporations. 29 Round 5

31 Concern In The Boardroom According to a survey by FTI Consulting, cybersecurity has become the number one concern for general counsel and directors. Specifically, the survey found the following: 55% of general counsel said that data security was their top concern 33% of general counsel believe that boards are not adequately managing cyber risk 47% of general counsel said that operational risks such as cybersecurity were their most pressing concern 30 Round 5

32 Sources of Potential Claims Against Directors and Officers Increased news exposure about significant cyber security breaches raises the possibility of the following claims: Securities Class Action Litigation Shareholder Derivative Actions Regulatory Actions by SEC 31 Round 5

33 Securities Class Actions The most significant ingredient to a securities class action claim from the perspective of the plaintiff's securities class action bar is a significant stock drop in close proximity to a disclosure. A company that experiences a cybersecurity breach will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company's stock price. The strict pleading requirements of the Private Securities Litigation Reform Act of 1995 should bar any securities complaint that does not plead facts supporting a strong inference of fraud. Nonetheless, defense costs could be significant. Note: According to a Bloomberg Review, the 27 largest US Companies disclosing cyber attacks to the SEC as of May 2013 all reported they sustained no major financial losses. 32 Round 5

34 Shareholder Derivative Actions Another potential securities litigation risk for companies dealing with a cybersecurity breach is shareholder derivative litigation against officers and directors. Shareholders might allege, for example, that the directors of a company that experienced a cybersecurity breach breached their fiduciary duties to the company by failing to ensure adequate security measures. If any defendants sold shares before the attack occurred or before the risk was fully disclosed to the corporation, plaintiffs could allege they violated the duty of loyalty by profiting from the sale of those shares. The duty of care claim could be based on a decision made by the board or the failure of the board to exercise proper oversight, allowing vulnerabilities to go unfixed and ultimately exploited. 33 Round 5

35 Shareholder Derivative Actions Caremark claims require shareholders to demonstrate 1) that the directors knew or should have known that violations of the law were occurring, 2) that the directors did not make a good faith effort to prevent or remedy the situation, and 3) that such failure proximately caused damage to the company. A challenge to the sufficiency of a board action (i.e., decision) is unlikely to prevail. Absent a finding of bad faith or failure to act rationally, decisions of the board - no matter how questionable with the aid of hindsight - will generally be protected by the business judgment rule. Even if one were to establish gross negligence necessary to overcome the presumption granted by the business judgment rule, most companies have adopted charter provisions under the Delaware Code, Title 8 102(b)(7), insulating directors from personal liability resulting from a breach of their duty of care. 34 Round 5

36 SEC Actions If the SEC chooses to pursue formal actions against companies that have failed to disclose cybersecurity breaches, it can bring actions based on securities antifraud provisions such as Rule 10b-5. The SEC may try to establish books and records violations under Rule 13b2-2, which requires only simple negligence to establish liability. Companies that have experienced significant cybersecurity breaches should prepare themselves for potential SEC investigations and lawsuits. 35 Round 5

37 Insurance Coverage Comprehensive General Liability Professional Indemnity D&O Fidelity 36 Round 5

38 1,400 1st Lawyers and fee earners worldwide Law Firm of the Year Legal Business Awards 2011 Partners worldwide Offices across Europe, Americas, Middle East, Africa and Asia. Clyde & Co US LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of material contained in this summary. No part of this summary may be used, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Clyde & Co US LLP. Clyde & Co US LLP 2014