CYBER LIABILITY Why The Need? Robin Federici, CPCU, AAI, ARM, AINS, AIS, CPIW

Transcription

1 CYBER LIABILITY Why The Need? Robin Federici, CPCU, AAI, ARM, AINS, AIS, CPIW

2 AND IT STARTS Morgan Stanley 1/5/15 Roughly 350,000 names, numbers and transaction details were stolen with 900 posted to the internet by an employee 2

3 EXPOSURE According to Javelin Strategy t & Research, on average almost 15,000,000 Americans are victims of identity theft annually Individuals The Federal Trade Commission (FTC) states that the average victims spends more than $1,200 in the quest to clear his/her name Businesses Often, the lion's share of response costs comes from the duty to notify those whose data has been breached or potentially breached. Small businesses can face an estimated $200,000 in associated costs 3

4 EXPOSURE Even with strict breach reporting laws many breaches are still not reported Cyber criminals are becoming more adept at hiding their tracks 2012 experienced the highest number of breaches with some large breaches by well- known companies 4

5 STATISTICS DataLossDB.org: Data Breaches 2006: : : : : : : : :

6 What is Cyber Liability Coverage? Cyber Liability addresses risks associated with e-business, the internet, networks and informational assets. Cyber Liability Insurance coverage offers cutting edge protection for exposures arising out of Internet communications. The concept of Cyber Liability takes into account first- and third-party risks. 6

7 What is Cyber Liability Coverage? The risk category includes: privacy issues theinfringement of intellectual property virus transmission, or any other serious trouble that may be passed from first to third parties via the Web 7

8 Why the Need? Anyone with a Web site now has the legal l liabilities of a publisher: These include conventional publishing exposures such as copyright infringement, defamation and invasion i of privacy Also includes emerging exposures related to operating on the Web 8

9 Why the Need? The Internet - has spun a whole new web of liability exposures. Creating a Web site is simple. The exposures that come with it are not. Commercial companies that disseminate information to the public via Web sites face the same legal exposures as publishers, yet most have little or no concept of their resulting legal responsibilities. New legislation continues to create potential liabilities 9

10 Why the Need? Traditional liability products do not address Internet exposures The universe of potential plaintiffs is staggering 10

11 NORTON REPORT IN THE PAST 12 MONTHS The number of cyber-crime crime victims: Globally 556m USA 71m On-line adults that have experienced cyber-crime: crime: Globally 46% USA 49% The net cost of cyber-crime: crime: Globally $110 billion USA $20.7 billion 11

12 PONEMON INSTITUTE Cost of Data Breach Study: Global Analysis Company data breach average costs are $3.5 million The cost incurred for each lost or stolen record is a consolidated average of $145. Companies that said they have a strong security posture were able to reduce the cost by as much as $14 per record. The appointment of a Chief Information Security Officer to lead the response team reduced the cost of a breach by more than $6. 12

13 PONEMON INSTITUTE Cost of Data Breach Study: Global Analysis The most common cause of a data breach is a malicious insider or criminal attack. The most costly data breaches were those caused by malicious and criminal attacks. Companies in the U.S. and Germany paid the most at $246 and $215 per compromised record, respectively. 13

14 CARNEGIE MELON CYLAB GOVERNANCE SURVEY Boards and senior management still are not exercising appropriate p governance over the privacy and security of their digital assets. 14

15 HISTORY EARLY DAYS Intellectual property (media) exposures such as trademark and copyright infringement were the driving decision-maker for most smaller companies that purchased coverage. For larger technology and e-commerce companies, business interruption was a major reason behind the decision to purchase coverage. 15

16 MATURATION OF THE WWW Similarly, as the Web matured and new U.S. laws such as the Digital Millennium Copyright Act came into effect, the uncertainty of trademark and copyright infringement on the Web subsided. On May 22, 2001, the European Union passed the Copyright Directive (EUCD) 16

17 MEDIA EXPOSURES Today, media exposures are still a concern. With the explosion of social media and interactive websites that include usergenerated content, personal injury litigation has risen. However, coverage in these traditional cyber liabilities has matured as actuarial data and case law have developed 17

18 PRIVACY EXPOSURE The newest and fastest growing exposure in the cyber world is now privacy liability. The pace of business may not allow companies to fully develop data management and security procedures with proper technical and legal review They lack the economic ability and legal and technical expertise to keep up to date 18

19 PRIVACY Business Solutions SOLUTIONS Strong risk management of information technology - such as network security (i.e., intrusion prevention, encryption) and data retention policy Insurance policies - When a data breach occurs, legal, technical, & business consequences arise. The insurance industry has evolved to address all 3 of these. 19

20 PRIVACY Business Solutions Insurance A policy covering only one s network is not broad enough to cover two (2) of the three (3) most prolific causes of a data privacy breach: 1. loss of a portable data-bearing device 2. loss of paper records 20

21 PRIVACY BUSINESSES Privacy laws address protection of individual s non-public information Businesses have no right to privacy; however, they are granted property p rights such as protection of trade secrets, formulas, etc., which are analogous to personal property rights. 21

22 PRIVACY BUSINESSES The exposure to privacy liability risk varies for every entity All entities of every size and structure face privacy risks 22

23 Security Breach Notification Law Laws PRIVACY 47 states, D.C., Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information 23

24 Security Breach Notification Law PRIVACY Several relevant federal statutes pertain to privacy. This patchwork of laws and regulations can make it nearly impossible for most business owners and risk managers to keep up, particularly for those who do business in multiple states. 24

25 Privacy - Jurisdiction: The jurisdiction of the state laws is based on both: The consumer s state of residence The home state of the business. Compliance, especially for those in highly regulated industries, such as health care, legal, educational, and financial i services, can be a difficult task 25

26 STATE LAWS It All Started in CA! In 2001, California became the first state to have an agency dedicated to promoting the protection of consumer privacy rights when the Office of Privacy Protection was created. In 2002, California became the first state to pass privacy breach notification requirements which became operative on July 1,

27 STATE LAW EXAMPLES Massachusetts - applies to any entity doing business with a MA resident Texas residents & those residents with no state notification law New Jersey breaches are reported to the state police Connecticut t special note for insurance professionals Nevada PCI compliant 27

28 OTHER INFLUENCES ON EXPOSURE Private Sector PCI DSS: The various payment card companies require all merchants, no matter how small or large, to be PCI compliant. PCI DSS is a comprehensive set of security standards PCI Security Standards Council periodically updates these standards PCI Compliance consists of four merchant provider levels Level requirements are based on total transactional volume Failure to comply could result in fines and loss of 28 one s contract with the card brands.

29 OTHER INFLUENCES ON International: EXPOSURE European Union Data Protection Directive (EUDPD) - broad definition of personal data The directive applies even when the controller does not reside in the EU but uses equipment located in the EU Criminal - many European countries have criminal laws protecting privacy rights. 29

30 INSURANCE When a privacy breach occurs, there are two victims: 1. The individual whose personal information is exposed, and 2. The entity that was breached 30

31 INSURANCE - Traditional While limited coverage for some privacy, media, or data breach exposures may be included in traditional insurance programs Most underwriters of traditional types of insurance DO NOT intend to pick up cyber exposures 31

32 TRADITIONAL INSURANCE CGL CG Definitions Property Damage Definition of "property damage" - "data" is not "tangible property Coverage A Exclusion p. Electronic Data Damages arising out of the loss of,, loss of use of,, damage to, corruption of, inability to access or inability to manipulate electronic data. However, this exclusion does not apply to liability for damages because of "bodily injury". 32

33 INSURANCE - BTW The CGL Professional Exclusion: For businesses that t provide computer- related products and services, the CGL policy customarily excludes damage to another party's electronic data as part of one or more professional services exclusion endorsements 33

34 CGL Coverage A & B Restrictions In addition to the PD Definition change: 1. Lack of Coverage for Errors and Omissions 2. Restrictive Policy Territory 3. Lack of Coverage for Security Breaches 4. Limited Coverage for Copyright/Trademark Infringement under Coverage B Coverage B exclusion: 5. k. Electronic Chatrooms or Bulletin Boards 34

35 What is Cyber Liability Insurance? Cyber Liability is an insurance term for a policy that includes one or more of the following 35

36 What is Cyber Liability Insurance? Multimedia Liability - Allegations from your internet site or printed media which cause defamation. Libel, slander, trade libel, product disparagement or torts relation to harm the reputation of others. Security and Privacy Liability - Failing to prevent or hinder unauthorized access or use of your computer system and the confidential material thereon such as loss of employee information, theft or loss of customer personal identifiable data and transmissions of malicious codes to others. First and Third party coverage is available. 36

37 What is Cyber Liability Insurance? Privacy Regulatory Defense and Penalties - Regulatory Compensatory Awards or fines and penalties and related claims expenses in regards to Billing Errors Proceedings, STARK proceedings and EMTALA proceedings. Privacy Breach Response Costs, Customer notification and Customer Support and Credit Monitoring Expenses. Network Asset Protection - Restoring, updating or replacing digital assets to a level beyond that which existed prior to your Covered Cyber Loss including Business Interruption and Extra Expense Coverage. 37

38 What is Cyber Liability Insurance? Cyber Extortion - Covers expenses and monies as applicable in the event of a cyber-extortion extortion threat or series of threats. Cyber Terrorism - expenses such as income loss, interruption expenses during the period of restoration as a result of a total or partial loss or degradation in service which is directly caused by an act of terrorism. Regulatory claim expenses and shadow audit expenses - Covered claim expenses, shadow audit expenses and regulatory fines and penalties from certain regulatory proceedings 38

39 Specialty Policies ISO has developed a form called the Internet liability and network protection policy. It is rarely used. There is no standard cyber liability form There is not even agreed-upon nomenclature Coverage and terminology varies greatly Forms must be carefully reviewed to determine which insurer s policy form best matches up with an organization s loss exposures. 39

40 Specialty Policies Cyber Liability Insurance Cyber policies may be broken into two coverage types: Third-party liability, whichisis liability to others, and First-party liability, which is coverage for the insured s own losses. 40

41 CYBER 3 RD PARTY Cover liability arising from violations of privacy and data breach notification laws. These exposures also require some first-party coverage Can include coverage for a number of other types of liability: liability from transmitting a computer virus to another party or from copy-right infringement i included d in the insured s website 41

42 CYBER 3 RD PARTY TYPES OF COVERAGE: Wide variance in the type of information covered Coverage should: be provided for BOTH electronic and physical breaches include BOTH personal and corporate information should apply to employee data as well as customer information apply to accidental losses/leaks and not just breaches perpetrated by criminals

43 CYBER Avoid PCI Compliant Requirement Encryption Requirements Insider Exclusions 43

44 3 RD PARTY LIABILITY Virus/Malware/Hacking Coverage Coverage should apply to liability to others for unintentionally sending them a virus or malware. This should apply if the transmission is by or through malicious code placed on the insured s website. Some policies limit the coverage for viruses and hacking to direct intentional attacks that target the insured specifically Look for coverage that includes wild viruses that are not specifically targeting the insured. 44

45 3 RD PARTY LIABILITY Media Liability/Content Injury: Intellectual Property Infringement and Personal Injury Avoid policy language that limits coverage to only claims made in the U.S. & its territories Look for coverage that extends beyond the insured s website to also include social networking sites Coverage for user-generated content is particularly important because user posts are oftentimes opinionated and inflammatory 45

46 3 RD PARTY LIABILITY E&O or Professional Liability There are policies tailored to address the specific needs of entities operating in various industry classes such as technology services providers, healthcare providers, and vendors. 46

47 1 st 1 PARTY COVERAGE Fines, Penalties, Contract Obligations Coverage should include 1. Regulatory fines and penalties 2. Contractual obligations such as charge-backs from credit card companies and the cost of replacing customers credit cards 47

48 1 st 1 PARTY COVERAGE Business Interruption Coverage Coverage should: Respond when an interruption occurs as a result of the insured s own systems and failure on a third party system Carefully review the policy language. Some forms limit coverage resulting only from network breach to the Named Insured s computer system. 48

49 1 st 1 PARTY COVERAGE Crisis Management This coverage varies generally includes: Data breach notification expenses Public relations expenses Costs associated with brand protection 49

50 1 st 1 PARTY COVERAGE Crisis Management - Questions to Consider: 1. Service Provider 2. Data Breach Notification Expenses 3. Credit Monitoring Expenses 4. Requirements for Notification 5. Coverage Trigger 6. Deductible 7. Pre-Loss and Loss Prevention 50

51 1 st 1 PARTY COVERAGE Crime This coverage may apply to the perils of: Theft Fraudulent communication Extortion, and Vandalism 51

52 LIMITS More of an art than a science. Historical i data is limited it The cumulative average cost per breach is approximately $3,500,000, 52

53