Cyber Liability Insurance: It May Surprise You

Transcription

1 Cyber Liability Insurance: It May Surprise You Moderator Eugene Montgomery, President & CEO Community Financial Insurance Center Panelists Antonio Trotta, Senior Claim Counsel, CNA Specialty William Heinbokel, Fidelity Product Leader, CNA Pro Charles Higham, VP, Diversified Financial Group - Zurich Barbara Ewing, VP, CUO, Fidelity & Mgmt. Liab. Berkley FinSecure Lisa Micciche, Product Manager, ABA Insurance Services

2 Regulations Affecting Banks Regulation Requirements Consequences Graham-Leach Bliley Payment Card Industry Data Security Standards (In the Works) NY Contractual Regs for Vendors Must assure the security and confidentiality of customer records and information 12 Separate security requirements in transmission and storage of data. Will place required cybersecurity regulations on vendor contracts that involve PII US attorney general action, penalties up to $100,000 for each violation, D&O liability up to $10,000 per violation. Criminal Penalties Fines up to $500,000, loss of business.???

3 Guidance Affecting Banks Institution/Agency Federal Financial Institutions Examination Counsel (FFIEC) FDIC FFIEC Summary Authentication systems for internet banking should be multifaceted and require something a user: a) knows, b) has, and c) is. Instituting and expanding employee training on risks of spy/malware. Dedication of software, controls and policies to prevent loss from same. Each institution is expected to monitor web traffic, have and activate response plan in the event of DDoS, and staff appropriately during attack.

4 Common Themes in Regulatory and Industry Guidance Guidance and Rules need to account for the Resources of the Operation. YET, critical and sensitive information needs to be given priority protection. Risk Assessments are usually the First Step. Cybersecurity protocols must be scaleable, adaptable and reviewed on a consistent basis. Crisis response plans and drilling are essential components. Employee Education and Vendor Security are critical.

5 Cyber/Privacy Coverage Under Errors & Omissions Network Security Privacy Injury Privacy Event Expenses Privacy Regulation Fines

6 Hack, Employee Negligence, Employee Theft (Rogue), Vendor Negligence/Misconduct The Perfect Storm Consumer Complaints Contract Claims Attorney Reviews, Forensics, Notice Costs, Business Interruption, Extortion DATA BREACH DATA BREACH Regulatory Investigations, Proceedings and Fines

7 Privacy Event Expense Reimbursement First Party Coverage for: Reasonable and necessary fees, costs and expenses in connection with a Privacy Event (failure of hardware or software designed to protect information on Insured s Network, or of business policies to prevent wrongful disclosure of third party trade secrets, NPI or NCI). Some forms impose time requirements to incur expenses.

8 Privacy Event Expense Reimbursement Includes forensics, attorney reviews, costs of notices, call centers and public relations firms. Usually does not include cost to remediate security (patches, new software/equipment) Expense Coverage: Two Types Voluntary (best coverage) Limited to required Security Breach Notice Laws.

9 Coverage for Third Party Claims Resulting from Cyber Events Forms generally cover lawsuits and demands involving a defined Privacy Injury or Network Security compromise

10 Coverage for Third Party Claims Resulting from Cyber Events Privacy Injury usually defined as unauthorized disclosure of Nonpublic Corporate Information or Nonpublic Personal Information. Some forms include inability to access such information as additional coverage. Network Security includes DDoS; Unauthorized Access; destruction, deletion or alteration of information on a Network; Network Interruption; Transmission of viruses

11 Coverage for Regulatory Actions Many forms provide coverage for Regulatory Actions from any governmental agency involving a Privacy Breach or failure to comply with Security Breach Notice Laws. Very Limited Coverage for Investigations. Forms that provide such coverage also usually provide coverage for the Fines involved in such actions, but may require a separate retention for such fines.

12 Electronic Theft Covers Disbursement or transfer of the Insured s Money, Securities, or Intangible Property to a person or entity not authorized to receive them. Money must exist in electronic format, and includes cash, notes, negotiable instruments and records of credit. Securities means negotiable and non-negotiable instruments, and their digital equivalents Intangible Property usually defined by Endorsement.

13 Extortion Covers payments necessary to protect Insured and/or pay ransom for credible threats of loss or damage to the Network, Confidential Information, Money, Securities, Intangible Property or defacement of Insured s website.

14 Common Exclusions Bodily Injury, although most forms provide carve back for emotional distress and mental anguish arising from a Privacy Injury. Deliberate Acts. Many forms provide carve back for Rogue Employees. Natural Catastrophe/Mechanical Breakdown Unsolicited Communications (Spam/TCPA) Power failure caused by third parties causing service interruptions. Governmental Actions (the NSA exclusion )

15 Case Study Miami Bank, May 2014 Discovered in May, 2014 from a review of network logs. The Bank retained 3 different forensic firms in succession. Third firm finally had the expertise to identify and deal with the issue. Trojan Horse carried through phishing attack compromised 72,500 account numbers, names, SS#s but no passwords. Required PR firm, corrective action and notification to 14 different Ags. Total Costs over 500,000, not including reputational damage.

16 Fidelity Bond Coverage For Cyber and Computer Related Losses Computer Crime Coverage is offered to Financial Institutions in two ways: Computer Fraud/Wire Transfer Riders added to the FI Bond Stand alone Computer Crime Policy Over-simplification of Computer Crime coverage afforded by Bonds in general: If the bond has a specified verification/authentication procedure, and that procedure is in fact followed, but the loss nonetheless occurs, then the bond pays for the loss.

17 Computer Systems Fraud Rider Additional Insuring Agreement for Loss resulting directly from: (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within any Computer System operated by the Insured, that causes: (i) Property to be transferred, paid or delivered, (ii) an account of the Insured, or of its customer, to be added, deleted, debited or credited, or (iii) an unauthorized account or a fictitious account to be debited or credited. o

18 Telefacsimile Transfer Fraud Loss resulting directly from the Insured having, in good faith, transferred or delivered Funds, Certificated Securities or Uncertificated Securities through a Computer System covered under the terms of the Computer System Fraud Insuring Agreement in reliance upon a fraudulent instruction received through a Telefacsimile Device, and which instruction 1. purports and reasonably appears to have originated from: (a) (b) (c) a Customer of the Insured, another financial institution, or another office of the Insured but, in fact, was not originated by the Customer or entity whose identification it bears and 2. contains a valid test code which proves to have been used by a person who was not authorized to make use of it and, 3. contains the name of a person authorized to initiate such transfer; and provided that, if the transfer was in excess of $ XXXXXX, instruction was verified by a call-back according to a prearranged procedure. In this Insuring Clause, Customer means an entity or individual which has a written agreement with the Insured authorizing the Insured to rely on Telefacsimile Device instructions to initiate transfers and has provided the Insured with the names of persons authorized to initiate such transfers, and with which the Insured has established an instruction verification mechanism, and Funds means money on deposit in an account.

19 Computer Crime Policy For Financial Institutions Includes Coverage For: COMPUTER SYSTEMS FRAUD VOICE INITIATED TRANSFER FRAUD TELEFACSIMILE TRANSFER FRAUD TRANSFER FRAUD DESTRUCTION OF DATA OR PROGRAMS BY HACKER DESTRUCTION OF DATA OR PROGRAMS BY VIRUS VOICE COMPUTER SYSTEMS FRAUD

20 Funds Transfer Insuring Agreements The Voice Initiated Transfer, Telefacsimile Transfer, and the Transfer Insuring Agreements provide coverage for: Transferring paying or delivering funds or property from a customers account through a Computer System in reliance upon a fraudulent instruction (Voice, Telefacsimile, ) that was purportedly and reasonably appears to have originated from: A customer of the insured An employee of the Insured in another office of the Insured Typical Conditions Precedent for Coverage: Call back to the customer according to a prearranged procedure The Insured followed a commercially reasonable security procedure set forth in a written funds transfer agreement.

21 Funds Transfer Insuring Agreements What are Commercial Reasonable Security Procedures? Article 4A of the Uniform Commercial Code 4A-201. SECURITY PROCEDURE. "Security procedure" means a procedure established by agreement of a customer and a receiving bank for the purpose of (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication. A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices. Comparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security Federal Financial Institution Examination Council (FFIEC) standards FDIC Authentication Guidance Examples: Call Back, Out of Band Authentication Passwords, Personal Identification Numbers (PIN), Public Key Infrastructure (PKI) Tokens Biometric Identifier

22 Key Exclusions Mechanical Failure of Computer System Potential Income o Interest and dividends o Unrealized gains Indirect Loss or Consequential Loss o Loss of investment opportunity, o Increases in market share o Legal settlements with third parties Loss of Intangible Property o Customer Information o Trade Secrets Contractual Liability

23 Claim Scenarios: Wire transfers requested via vs. voice initiated vs. online banking access. Claims involving ATMs skimming devices. Claims arising from underlying lawsuits and demands for Court Costs and Attorneys fees. Claims where Claims Expense Coverage is sought. Claims covered under 2 policies if other insurance clause can t be asserted.

24 ???QUESTIONS???