Cyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP

Transcription

1 Cyber Insurance What is it? Should your bank purchase it? Roberta D. Anderson Partner, K&L Gates LLP March 8, 2016

2 AGENDA Spectrum of Cyber Risk Cutting Edge Cyber Insurance Products Market Evolution Remember the Snowflake Avoid the Traps Limitations of Legacy Insurance Policies Tips For a Successful Placement What Happens in the Event of a Claim or Investigation? Q&A

3 SPECTRUM OF CYBER RISK

4 klgates.com 4

5 PRACTICAL RISK AND EXPOSURE Malicious Attacks Advanced Persistent Threats Social Engineering Viruses, Trojans, DDoS attacks Data Breach/Unauthorized Access Software Vulnerability (HeartBleed) System Glitches Employee Mobility Lost or Stolen Mobile and Other Portable Devices Vendors/Outsourcing (Function, Not the Liability) The Internet Of Things Human Error

6 klgates.com 6

7

8

9

10 Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) klgates.com 10

11 LEGAL/REGULATORY FRAMEWORK Federal Cybersecurity/Data Privacy Laws HIPAA/HITECH GLBA FTC Act FCC Act FCRA/FACTA State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes 47 States, D.C., & U.S. Territories Breach Notification Laws State Security Standards (MA, CA, CT, RI, OR, MD, NV) NIST Cybersecurity Framework Industry Standards, e.g., PCI DSS SEC Cybersecurity Risk Factor Guidance

12 SEC CYBERSECURITY [A]ppropriate disclosures may include : Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences ; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks ; Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences ; Risks related to cyber incidents that may remain undetected for an extended period ; and Description of relevant insurance coverage. Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,

13 SEC CYBERSECURITY We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses. Target Form 10-K (March 2014)

14 SEC CYBERSECURITY We note your disclosure that an unauthorized party was able to gain access to your computer network 'in a prior fiscal year.' So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage. Alion Science and Technology Corp. S-1 filing (March 2014)

15 CUTTING EDGE CYBER INSURANCE PRODUCTS

16 THIRD-PARTY COVERAGE Privacy and Network Security Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code Questions: Coverage for the Acts, Errors, Omissions of Third Parties, e.g., Vendors? Coverage for Data in the Care, Custody, Control of Third Parties, e.g., Cloud Providers? Coverage for Proliferating and Expanding Privacy Laws/Regulations? Coverage for Data in Any Form, e.g., Paper Records? Coverage for Confidential Corporate Data, e.g., Third-Party Trade Secrets? Coverage for Rogue Employees? Coverage for Wrongful Collection of Data? Coverage for TCPA Violations?

17 THIRD-PARTY COVERAGE Regulatory Liability Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations Questions: Coverage for Fines and Penalties? Coverage for Consumer Redress Funds? Regulatory Exclusion Carve Backs? Sufficient Sublimit? PCI-DSS Liability Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Files and Penalties, for Alleged Non-compliance with PCI Data Security Standards

18 THIRD-PARTY COVERAGE Media Liability Generally Covers Third-Party Liability Arising from Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising from the Insured's Media Activities, e.g., Broadcasting and Advertising Questions: Coverage for Rogue Employees? Coverage for Media Content in Any Form, e.g., Printed Publications, or Limited to Digital Media Content? Coverage Limited to Certain Locations of Media Content Display, e.g., on the Insured's Website or Social Media Sites? Coverage for Liability Arising out of the Insured's Own Advertising Activities? Occurrence -Based or Claims Made Coverage? Appropriate for Media Companies?

19 FIRST-PARTY COVERAGE Crisis Management Generally Covers Crisis Management Expenses That Typically Follow in the Wake of a Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations Questions: Triggered by Failures of Security? Coverage for Forensic Investigation and PCI Forensic Investigator? Coverage for Public Relations, Crisis Management, Breach Coach Counsel? Coverage for Notification? How about ID Theft Education, ID Theft Restoration Services, Call Center Services, Credit Monitoring, Reimbursement Insurance? Insured's Reasonable Selection of Counsel/Vendors? Outside or Inside Limits? Sufficient Sublimits?

20 FIRST-PARTY COVERAGE Network Interruption Generally Covers First-Party Business Income Loss Associated with the Interruption of the Insured's Business Caused by the Failure of Computer Systems Questions: Coverage for Third-Party Systems? Coverage for Cloud Failure? Coverage for Non-Malicious Acts, e.g., Unintentional, Unplanned Outage? Exclusion for Power Failure, Blackout/Brownout, etc.? Coverage Beyond the Interruption, e.g., 120 Days? Waiting Period, e.g., 12 Hours? Hourly Sublimits? Sufficient Sublimit(s), e.g., Contingent and Non-Malicious Acts Coverage? What about Loss Caused by Physical Perils, e.g., Flood?

21 FIRST-PARTY COVERAGE Digital Asset Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and Repairing Damaged or Destroyed Programs, Software or Electronic Data Extortion Generally Covers Losses Resulting from Extortion, e.g., Payment of an Extortionist's Demand to Prevent a Cybersecurity Incident Reputational Harm Generally Covers Crisis Management Type Costs in the Event of a Publication Likely to be Seen by an Insured's Stakeholders, e.g., Customers, Investors, Vendors, or Regulators, and to Have an Adverse Impact on Public Perception of the Insured or its Brand. Can Also Cover Business Income Loss Caused by a Publication Likely to be Seen by an Insured's Stakeholders, and to Have an Adverse Impact on Public Perception of the Insured or its Brand

22 DIC COVERAGE v v

23 DIC COVERAGE First-Party Property Damage and Business Interruption ~$350M Third-Party Bodily Injury and Property Damage ~$100M [T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied: A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].

24 MARKET EVOLUTION

25 Cyber Insurance Introduced Crisis MGNTBroad Privacy Ins. Vendor Costs Coverage/Corp Covered Confidential Info. Reg. Fines &Penalties PCI Fines & Penalties Full Limit System Failure Policies HIPAA GLB SB1386 PCI HITECH SEC Card Systems TJX Heartland Epsilon/ Sony Adobe/ Target Insurance History Regulatory/Industry History Claims/Losses History MA Data Protection Law

26 DEC 2013 Target Breach Kiln & AIG offer contingent BI & PD Feb 2014 March 2014 Higher limits demanded by CEOs/D&O Concern Several retail breaches Insurance History Regulatory/Industry History Claims/Losses History Spring 2014 JPMorgan Chase Breach Market shift on POS retail/ Demand increases Sept 2014 Home Depot Breach Oct 2014 DEC 2015 German steel mill suffers massive physical damage Sony Breach Interest in Network Business Interruption cover spikes Jan 2015 Anthem Breach Markets considering change in supporting large placements Feb 2015 Obama files new Federal Consumer Protection Legislation/ Signs Cyber Threat Intelligence Sharing Bill

27 CYBER INSURANCE MARKET Market capacity: Over 50 Markets Selling or Participating in Cyber Insurance Total Capacity Over $600M (DIC cover 1 st party ~~$350M; 3 rd party ~$100M Premium: Excess of $2B at the Close of 2015 $5B Projected Growth Potential Source: The Cyber Liability Insurance Market Jim Blinn, Advisen. 27

28 REMEMBER THE SNOWFLAKE

29 REMEMBER THE SNOWFLAKE back klgates.com

30 AVOID THE TRAPS

31 klgates.com

32

33 POLICY EXAMPLE 1 33

34 POLICY EXAMPLE 2

35 POLICY EXAMPLE 2 35

36

37 POLICY EXAMPLE 1

38 POLICY EXAMPLE 1

39 POLICY EXAMPLE 2

40 POLICY EXAMPLE 2

41 POLICY EXAMPLE 3

42 POLICY EXAMPLE 3

43 43

44 POLICY EXAMPLE 1

45 POLICY EXAMPLE 1

46 POLICY EXAMPLE 2

47 POLICY EXAMPLE 2

48

49 POLICY EXAMPLE Any member of the Control Group. e.g., CEO, CFO,RM, CRO, CIO, GC

50

51 POLICY EXAMPLE 1

52 POLICY EXAMPLE 2

53 POLICY EXAMPLE 3

54 Request a Retroactive Date of at Least a Year

55 LIMITATIONS OF LEGACY INSURANCE POLICIES

56 56

57 POTENTIAL COVERAGE Directors' and Officers' (D&O) Errors and Omissions (E&O)/Professional Liability Employment Practices Liability (EPL) Fiduciary Liability Crime Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy) Property Commercial General Liability (CGL)

58 POTENTIAL COVERAGE Coverage B Provides Coverage for Damages Because of Personal and Advertising Injury Personal and Advertising Injury : [o]ral or written publication, in any manner, of material that violates a person's right of privacy What is a Person s Right of Privacy? What is a Publication? Does the Insured Have to Do Anything Affirmative and Intentional to Get Coverage? Coverage A Provides Coverage for Damages Because of Property Damage Property Damage : Loss of use of tangible property that is not physically injured

59 POTENTIAL LIMITATIONS

60 POTENTIAL LIMITATIONS

61 POTENTIAL LIMITATIONS ISO states that when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

62 POTENTIAL LIMITATIONS

63 POTENTIAL LIMITATIONS

64 POTENTIAL LIMITATIONS cv cv

65 POTENTIAL LIMITATIONS Zurich American Insurance Co. v. Sony Corp. of America et al.

66 TIPS FOR A SUCCESSFUL PLACEMENT

67 BEST REMEMBERING PRACTICES THE SNOWFLAKE CHECKLIST

68 BEST PRACTICES CHECKLIST Embrace a Team Approach Spotlight the Cloud Understand the Risk Profile Remember the Retro Date Review Existing Coverages Selection of Counsel and Vendors Purchase Appropriate Other Coverage as Needed Engage a Knowledgeable Broker and Outside Counsel Remember the Cyber Misnomer Carefully Review the Application

69

70 BEWARE THE FINE PRINT REMEMBER THE DEVIL IS IN THE DETAILS klgates.com 70

71 A well-drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim. Roberta D. Anderson, Partner, K&L Gates LLP (March 8, 2016) klgates.com 71

72 WHAT HAPPENS IN THE EVENT OF A CLAIM OR INVESTIGATION?

73 NOTICE TO INSURERS Include notification to insurers as part of incident response plan Most cyber policies impose time restrictions regarding notification of cyber incidents (e.g. network attack, data breach, extortion threat, network interruption) and third party claims to insurers Specified time limit, immediately or as soon as practicable Compliance with notice provisions essential to avoid potential denials of cover klgates.com 73

74 NOTICE OF CIRCUMSTANCES Many cyber policies provide for notification of circumstances which may or are likely to give rise to claim or loss Can prove beneficial to insured as operates as extension of cover Crystal ball gazing: real risk of a claim or loss Particular issues in cyber context: discovery, awareness and communication klgates.com 74

75 COOPERATION Many cyber policies provide for insured to co-operate with insurer in defence and settlement of any claims BUT many policies silent as to choice of law firm or provide for insurer panel firms Consider reserving right to appoint own choice of law firm or agreeing up front Selection of defence lawyers important in cyber context Many claims require specialist defence counsel with particular experience in this area klgates.com 75

76