Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements
Greater New York Chapter Association of Corporate Counsel
November 19, 2015
Stephen D. Becker, Executive Vice President Northeast Region, Willis of New York, Inc.

Insurance Considerations
- What's the threat?
- Identifying the Gaps
- Cyber Liability coverage: What is it?
- Vendor Contracts
- Coverage considerations
- Cost considerations

Top 5 Trends in Cyber Risk
- Increasing interconnectivity and commercialization of cybercrime driving greater frequency and severity of incidents, including data breaches
- Data protection legislation will toughen globally. More notifications and significant fines for data breaches in future can be expected
- Business interruption (BI), intellectual property theft and cyberextortion risk potential increasing. BI costs could be equal to or exceed breach losses
- Vulnerability of industrial control systems poses significant threat
- No silver bullet solution for cyber security

Cyber/Privacy Security Risk Gaps in Traditional Insurance
Policy columns: Property, General Liability, Crime/Bond, K&R, E&O, Cyber/Privacy
1st Party Privacy/Network Risks
- Physical damage to Data
- Virus/Hacker damage to Data
- Denial of Service attack
- B.I. Loss from security event
- Extortion or Threat
- Employee sabotage
3rd Party Privacy/Network Risks
- Theft/disclosure of private info
- Confidential Corporate Info breach
- Technology E&O
- Media Liability (electronic content)
- Privacy breach expense/notification
- Damage to 3rd party's data
- Regulatory Privacy Defense/Fines
- Virus/malicious code transmission
Legend: Coverage Provided, Limited Coverage, No Coverage

Traditional Insurance Gaps
- Theft or disclosure of third party information (GL)
- Security and privacy Intentional Act exclusions (GL)
- Data is not tangible property (GL, Prop, Crime)
- Bodily Injury & Property Damage triggers (GL)
- Value of data if corrupted, destroyed, or disclosed (Prop, GL)
- Contingent risks (from external hosting, etc.)
- Commercial Crime policies require intent, only cover money, securities and tangible property
- Territorial restrictions
- Sublimit or long waiting period applicable to any virus coverage available (Prop)

Privacy & Network Coverage
LIABILITY COVERAGE

PRIVACY LIABILITY
Liability costs associated with your inability to protect private information
Loss Example - Incident: Government department employee took records and placed them on his home computer which was hacked with 26M records being stolen. Amount: $20M paid in settlement.

NETWORK SECURITY LIABILITY
Liability costs associated with your inability to prevent a computer attack against your computer network
Loss Example - Hackers obtained access to debit card account records and changed limit parameters resulting in fraud and a liability of $10 million

MEDIA LIABILITY
Tort liability associated with content you create, distribute or is created and distributed on your behalf
Loss Example - Can cover unauthorized expression and other exposures over social media sites by employees or others for whom a company might be responsible

Privacy & Network Coverages
DIRECT (LOSS MITIGATION) COVERAGE

DATA BREACH EXPENSES (coverage typically sublimited)
Direct costs expended to mitigate a privacy breach. They typically include, but are not limited to, public relations expenses, consumer notification, identity theft restoration, credit monitoring service costs and forensic expenses
Loss Example - Incident: Financial institution had a fired employee input a timed virus into systems which was intended to go into effect when he left the company. The company discovered the virus but spent significant sums on forensics to rid the system of the malicious code. Amount: Over $3,000,000 acknowledged costs.

PRIVACY REGULATORY EXPENSES (coverage typically sublimited)
Defense costs (associated damages) expended to respond to or comply with a demand made by a regulatory agency (authority)
Loss Example - $6.8M state regulatory fine results from a health insurer that mailed 13,000 letters with insurance number printed on envelope.

Privacy & Network Coverages
DIRECT (FIRST PARTY) COVERAGE

Revenue Loss/Extra Expense associated with your inability to prevent a computer attack against your computer network
Loss Example - $25M - Financial Institution had security related Network Business Interruption Loss

ADDITIONAL COVERAGE with ADDITIONAL COSTS
System Failure
Loss Example - An insured experienced a 48-hour system failure (due to internal programming errors). The company could not process sales and payments quickly and its operations were disrupted. The company was reimbursed $1.4 Million by the insurer for lost net income associated with the loss.

Privacy & Network Coverages
DIRECT (FIRST PARTY) COVERAGE

Data Reconstruction - Your costs to recreate or recollect data lost, stolen or corrupted due to your inability to prevent a computer attack against your computer network
Loss Example - A company suffers an attack against its computer network that damages or destroys data. The company expends money to restore the lost or corrupted data

Extortion Cost - Your costs expended to comply with a cyber extortion demand
Loss Example - A third party or rogue employee steals information. If the company does not pay him $XXmln, he will release the information

Cyber Marketplace
- Total Cyber premiums have reached $2B and growing every year. Estimated to $20B by 2025
- No standardization from carrier to carrier
- Products are comparable, but look very different
- Customization is available
- Average Limit / Cost - $25m / $250,000
- Markets: AIG, Chubb, Bermuda & London markets
- Exclusions in traditional policies will become more commonplace. Stand-alone cyber product to be the main source of liability cover
- Cyber concept and wordings will be tested, potentially resulting in litigation

IT Vendor Requirements
Coverage / Limit Requirements
- Technology Errors & Omission
- Multimedia Liability
- Privacy Liability
- Network Security Liability
- Breach Cost Coverage: Notification, Credit Monitoring, Forensics, Public Relations
- Regulatory Fines and Penalties assessed due to a Data / Privacy Breach
- $20 million Combined overall limit

Contact Information
Stephen D. Becker, Executive Vice President Northeast Region
Willis of New York, Inc.
Phone: 212 915 8320
Email: stephen.becker@willis.com