Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Authored by Neeraj Sahni and Tim Stapleton

Neeraj Sahni is Director, Insurance Channel at Kroll Cyber Investigations and focuses on cyber solutions like computer forensics and data breach remediation for insureds. Tim Stapleton is Deputy Global Head of Professional Liability for Zurich Insurance and focuses on international underwriting for Security and Privacy Insurance.

Ask any insurance professional and they will say cyber insurance is today what Employment Practices Liability Insurance (EPLI) was in the 1990s. At the time, EPLI was designed to address gaps in Directors & Officers (D&O) and General Liability (GL) policies where coverage was not available for losses of employers arising from emerging theories of liability. These new theories of liability were primarily driven by key legislation and case examples that were widely publicized in the press, and which changed the country's collective view on cultural norms.

Similarly, cyber policies cover specialized risk arising from sensitive data loss that is typically excluded in Errors & Omissions (E&O) or GL coverage. The need for cyber coverage has also been driven by shifting cultural norms, including our reliance on emerging technologies and the commercial perception of personal information as a commodity. Like EPLI, there have been key pieces of legislation and a number of highly publicized cases that drive the need for this new coverage.

But what is the risk manager's true perception of the role cyber insurance plays in transferring their company's risk when sensitive data is lost, stolen or otherwise compromised? According to recent surveys executed by Advisen and Zurich, only 44% of respondents in the US currently purchase some form of cyber insurance. Market penetration outside the US is even lower, as similar surveys in Europe show less than 12%.

These numbers are a bit surprising given the evolving threat, litigation and regulatory landscape; however, as with any relatively new concept, we must first work to address the issues that have become hindrances before progress can be made.
Observations

Before going any further, it would be helpful to provide some background on what may lead to a data breach and how primary insurance carriers are responding to this risk. Listed below are a few observations:

1. Attacks that lead to the loss of sensitive data or even business interruptions are evolving, incessant and commonly generated outside the four walls of the victim company. In some ways, network breaches are similar to the physical robberies of the past. Computer crime is big business, and the black hats are using automated botnets and advanced persistent threats (APTs) to help them achieve their objectives. In contrast, other common causes of data loss are very low tech and may include lost laptops, portable data storage devices, or rogue employees (authorized users) stealing the data for a price.

2. Compliance with industry, government, or best practice risk management standards will not prevent a security breach, nor will it stop third parties from bringing claims. For example, two large payment card processing companies were both certified against the Payment Card Industry Data Security Standard (PCI DSS) at the time they suffered breaches in recent years, but were subsequently decertified by the card providers after the breaches, thereby increasing their potential liability and business income losses.

3. Data outsourcing activities, and in particular cloud computing, can present a greater exposure to the loss of sensitive data. The original data owner may incur significant first party expenses and can also expect to be held liable even if the outsourced service provider suffers the breach. Complicating matters further is the fact that if a breach occurs at a cloud provider, it is almost impossible to identify the extent of the compromised Personally Identifiable Information (PII) without having full access to the dataset. Remember, cloud providers are not authorized to view their customer data. Also, if a breach occurs in the cloud (public or hybrid), the challenge remains how to perform a forensics investigation on a shared space. Mitigating factors may apply, such as contractual provisions that indemnify the customer; however, such provisions are typically limited to the value of the contract and replacement costs for the lost information. They may not in all cases address resulting liability or other first party expenses, such as notification and remediation measures the company may offer its customers.

4. Organizations may incur both first party expenses and third party liability when dealing with a data breach. First party expenses can include the cost of hiring an attorney, conducting a forensics investigation, notifying and providing fraud remediation services to affected third parties, executing a public relations campaign, establishing a call center, and restoring crucial, proprietary digital assets. First party expenses can also include business income losses resulting from network downtime. Third party liability costs include legal defense and settlement costs for third party claims, as well as defense expenses incurred to respond to a regulatory investigation, along with any resulting fines or penalties. These are just a few of the many expenses that add up rather quickly. According to the 2012 NetDiligence Cyber Claims Study, the average cost to an organization that suffered a data breach was $3.7M.

5. Derivative suits may also be filed by shareholders alleging that directors and officers did not abide by their fiduciary duty to protect customer data. This illustrates the point that data breaches are not an IT risk but a business risk, and should be discussed with the board of directors, as they may be held directly accountable. Standard D&O policies may not cover 1st or 3rd party costs arising from wrongful disclosure of data, even if a director or officer did not perform their fiduciary duty to protect the organization's intangible assets. Compounding matters is the SEC guidance issued in 2011 requiring, in some instances, public companies to report cyber incidents in their public filings, thereby raising awareness among the plaintiffs' bar.

Challenges

How do companies justify the purchase of a dedicated cyber policy? Risk managers in all US corporations are responsible for insuring all company assets, tangible or intangible. Sensitive data such as employee or customer information is considered an intangible asset. So if a typical company is buying property, general liability and crime insurance, then why is insurance for an increasingly valuable asset like data discretionary?

It seems a challenging prospect for many risk managers to calculate the return on investment for a cyber policy, and many are therefore unable to build a compelling argument to purchase. There is far less historical trending data associated with the value of Personally Identifiable Information and other sensitive data than there is for tangible assets; however, that is changing. There are a number of studies done by private enterprise, as well as a push to create public/private partnerships for this very reason, so the resources available to assist with cost/benefit analysis are steadily increasing.

One of the other challenges hindering buying behavior is the notion that if a company's data is hosted by a third party, the company is able to transfer the risk. Not true: the owner of the data generally remains responsible for any liability that occurs due to loss of that data. Given all known breaches within various industry verticals, it is only a matter of time before a company could be the victim of a data breach. Tight security controls and excellent audit results may create a false sense of security for risk managers and the C-suite. This approach, however, is typically the inevitable precursor to a rude awakening.

Damages have also been difficult for a plaintiff to prove in the liability context if their personal information was compromised. Many court cases against companies that have suffered breaches have been dismissed on the grounds that identity theft did not take place and the individuals whose records were compromised did not suffer any actual damages. Perhaps that is the case; however, it does not prevent those individuals from forming classes and dragging the company to court, which certainly results in legal defense expenses, time, and reputational issues.

Another issue hindering buying behavior is that many risk managers subscribe to the theory that coverage is available under traditional policy forms such as CGL, Professional Liability, Crime, Property, and D&O. Perhaps in some cases there may be limited cover available under those policies; however, it is worth noting that it would be largely contingent upon the circumstances of the breach and the wording of the policy. For example, many of the specific first party costs and expenses incurred by the organization just to respond to the breach in those first crucial days or weeks would not be expressly provided for. As well, many traditional P&C carriers have begun adding specific exclusionary language to clarify their intent. One other downside to relying on potential loopholes in traditional P&C coverage forms to cover data breach claims is that the insured might not receive the benefit of the proactive risk management and post-breach vendor resources that come with dedicated programs. Combine that with the siphoning of capacity from existing coverage for unintended circumstances and you have several compelling reasons to pursue a dedicated option.
Solutions

Many of the issues discussed above may be contemplated by security & privacy or cyber insurance policies. Carriers understand that claims are inevitable, but to help mitigate catastrophic losses, many underwriters have taken a risk management approach to this coverage rather than just plain risk transfer. Carriers typically offer robust propositions that include proactive risk assessment and risk management advisory services, as well as access to experienced data breach service providers. This is great news for a risk manager at an organization who can partner with their carrier to address elements beyond just financial loss.

From a technical perspective, time is of the essence when a data breach incident occurs. Working with an experienced team that has been involved in multiple serious breaches and has a background in law enforcement is the partnership that is needed once that claim is filed. First, stop the bleeding and protect against further loss of data. At the same time, preserve the evidence for law enforcement or litigation purposes. In certain cases, where data is unstructured (PDFs; unaligned names, addresses and SSNs), data analytics tools and review may be required to determine the true affected population. As you can see, a one-size-fits-all approach doesn't work in this scenario. Notifying an entire customer base is not optimal when available data analytics tools can better identify the true affected population. This approach would help mitigate reputational damage and unnecessary expenses.

Cyber insurance is seen as a growth market. There are over 30 carriers offering capacity, and everyone is trying to differentiate themselves. A risk management approach allows underwriters to present cyber insurance as a partnership with the insured to help reduce risk with certain loss control methodologies. While buyers may have an increasingly hard time assessing risks and avoiding big losses, risk management innovations from insurers, brokers and partners may help make a difference. Insurers have to rely on the insured to manage its network defense. Proactively managing the security framework is a loss control measure that is proving to yield a two-pronged benefit: a) reducing future data breach claim losses and b) differentiating the cyber policy in a crowded marketplace. A carrier would potentially view an insured as a better risk at renewal if the insured avails itself of the loss control services provided as part of the policy. This may mean a premium discount for the insured at renewal and client retention for the carrier.

With the evolution of the threat, litigation and regulatory landscapes, it is only reasonable to expect that cyber policies will evolve at an equal pace. Since 2003, we have already seen an impressive evolution of the coverage grants carriers are willing to provide, which have now become market standard. The customer only stands to benefit by partnering with a carrier that is dedicated to working with them to understand an exposure environment of which we have just now begun to scratch the surface.

Sources:
2012 NetDiligence Cyber Claims Study
The Betterley Report: Cyber/Privacy Insurance Market Survey 2012
A New Era in Information Security and Cyber Liability Risk Management: A Survey on Enterprise-wide Cyber Risk Management Practices
Information Security & Cyber Liability Risk Management: The Second Annual Survey of Enterprise-wide Cyber Risk Management Practices in Europe
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product, nor will adopting these policies and procedures ensure coverage under any insurance policy. Kroll Advisory Solutions is not a subsidiary or affiliate of Zurich, and use of their products and services is independent of Zurich's products or services. Certain Altegrity companies provide investigative services. State licensing information can be found at www.altegrity.com/compliance. These materials have been prepared for general information purposes only and do not constitute legal or other professional advice. Always consult with your own professional and legal advisors concerning your individual situation and any specific questions you may have.

© 2013 Zurich American Insurance Company and Kroll, Inc. All rights reserved.