Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014

Cyber Exposures (Joan D Ambrosio)

Reported data breaches continue to increase

In the US:

Year   Breaches   Records impacted
2005   136        52,821,610
2006   482        48,607,177
2007   452        129,974,681
2008   354        49,659,455
2009   252        218,662,415
2010   596        12,313,609
2011   179        68,371,678
2012   683        27,985,484
2013   585        54,788,210

Massive new breaches have already been reported in 2014.

Sources: Privacy Rights Clearinghouse, Chronology of Data Breaches: http://www.privacyrights.org

UK

In the UK, too: in November 2013 the Bank of England reported an increase in cyber attacks revealing vulnerabilities in the computing infrastructure of UK banks and markets.

Data breaches reported to the ICO:
- 2007/08: 79 instances reported
- 2011/12: 821 instances reported
- 723 instances reported in the first half of the 2013/14 fiscal year alone

Sources: Bank of England Financial Stability Report, 26 November 2013; Information Commissioner's Office (http://www.ico.org.uk)

Identity Theft

- Thriving black market for customer information
- 7% of Americans age 16 or older were victims of identity theft during 2012 (an estimated 17 million people)
- 2/3 of victims experienced financial loss
- Identity theft cost Americans $24.7 billion during 2012, $10 billion more than all other property crimes combined

How do data breaches occur?

There is a misconception that most breaches are caused by malicious attacks; human error and system error represent the majority:
- Loss of unencrypted portable devices
- Stray emails, letters, faxes, documents
- Inadequate destruction of data
- Technical security failures

Cyber attacks:
- Malware / virus attacks (unsecured networks)
- Denial of service attacks (DDoS)
- Property crimes (stolen computers, mobile phones, USB drives)
- Inside job (employee steals information)
- Phishing scams
- Spear-phishing (social engineering)
- Advanced persistent threats

Data breaches affect all industries

- Healthcare
- Retail
- Financial
- Professional Services
- Education
- Government
- Transportation
- Insurance

FI breaches

- Bank of New York Mellon (March 2008): A computer data tape containing names, Social Security numbers and bank account numbers of 12.5 million customers, shareholders and other investors went missing in transit to a third party storage facility.
- HSBC (July 2009): The FSA imposed a £3.2m fine as a result of an investigation which found that large amounts of unencrypted customer data were sent by post or courier.

FI breaches (cont'd)

- JP Morgan Chase (December 2013): Information associated with prepaid cash cards was accessed by hackers in July 2013. During the attack, passwords appeared in plain text.
- Bank of Scotland (August 2013): Fined £75,000 by the ICO for faxing customer account information to the wrong recipients between 2009 and 2012.
- Barclays Bank (April 2013): £1.3m stolen by hackers who connected to an internet router inside one branch under the guise of an IT engineer.

Corporations

Endless examples:
- 93,000 websites (December 2013): Keylogging software was used to collect usernames and passwords across 93,000 websites, including Facebook, Twitter, Gmail, YouTube, LinkedIn and other public and private limited companies.
- Target
- Neiman Marcus
- Other retailers
- Average cost
- Increased risk

What is the exposure? Initial Response/Investigation

Huge cost implications before the breach is even notified to the public:
- Forensic examination
- Privacy counsel
- Management time
- Public relations

What is the exposure? Data Breach Response

- Notification and reporting costs: tight deadlines; multiple forms of notice to comply with different rules
- Credit monitoring: not a legal requirement, but now commonplace
- Call centres / FAQ scripts

What is the exposure? Regulatory

- FTC
- Office of Civil Rights: $100 to $50,000 per violation (capped at $1.5M)
- Attorneys General
- HHS
- California Department of Public Health: snooping penalties of up to $250,000 per record
- Department of Education
- DOJ
- Foreign governments (ICO, consumer protection entities, etc.)

Regulatory action is increasingly frequent even for smaller breaches, as regulators have become more sophisticated and better trained/staffed. Response can be very expensive. Investigations can lead to fines or (worse) corrective actions that can require compliance for years.

What is the exposure? Third Party Claims

- Lawsuits: class action lawsuits are common in the US
- Potential shareholder derivative actions in the D&O context
- Reputation and publicity impact, which links in to share price risks, e.g. Heartland Payment Systems (2009): stock dropped from $15-20 to $5.49 following disclosure of a breach implicating over 130 million records.
- Audit and preventative measures

Standalone cyber policies

Standalone cyber policies are evolving. Typical cover:
- Network security breaches, e.g. denial of service, hacking, malware
- Privacy liability, e.g. loss of data, failure to comply with notification requirements
- Notification costs, e.g. legal obligation
- Regulatory defences and penalties
- Cyber extortion
- PCI fines
- Sub-limits

But what about traditional policies?

- Coverage may exist under CGL, D&O, Crime and other policies for certain aspects of data breach exposures
- Only 30% of US companies are buying standalone cyber cover; industry predictions are of a massive increase
- Even where coverage has been found, there will be gaps
- New exclusions are coming on line

Financial Institution Policies (James Cooper)

What will be covered

- Crime policies
- Civil liability policies
- Recent market movements

Fidelity insuring clause: direct financial loss caused by employees' dishonest, fraudulent or malicious acts

Loss of Property insuring clause: direct financial loss from loss of property, BUT tangible property only

Computer Manipulation insuring clause: What was the original intent of this? What do more recent versions cover?

Civil Liability insuring clause

Still requires a Wrongful Act? Covers:
- claimant's costs
- defence costs
- reasonable costs of mitigation
- cost of representation at any official investigation/inquiry (is this relevant to the Information Commissioner?)

Potential Costs

- Initial response/investigation (forensic examination, privacy counsel, management time, public relations)
- Notification, credit monitoring and crisis management (e.g. costs of a helpline, mail drop to all affected)
- Implementing preventative measures
- Regulatory investigation and response
- Defence costs of third party claims
- Restoring the firm's reputation

Recent Market Movements

Cyber Endorsement to Crime Policies:
- Cyber loss or damage: restoration of data
- Business interruption: reduction of business income; any expenses to resume and restore operations, including expenses to avoid loss of clients

Directors & Officers (Kim West)

Other Regulatory Developments That Will Increase D&O Exposure

On a governmental level, the need to protect business and national security assets has become a major focus of the White House, Congress and the Securities and Exchange Commission (SEC). Most recently, the Cyber Intelligence Sharing and Protection Act of 2013 was approved by the House Intelligence Committee. On February 12, 2013, the White House issued an executive order titled "Improving Critical Infrastructure Cybersecurity" establishing a "top-to-bottom" review of the federal government's efforts to defend the nation's information and infrastructure. The SEC Division of Corporation Finance has issued guidance instructing companies to disclose cyber attacks or risks associated with cybersecurity breaches if such attacks or breaches are likely to be material to investors.

Other Regulatory Developments That Will Increase D&O Exposure: SEC Continues To Target Cybersecurity Disclosures

Corp Fin acknowledged that no "existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents," but stated that (1) various disclosure requirements may impose an obligation to disclose cybersecurity risks and incidents, and (2) material information about cybersecurity risks and incidents could be required to be disclosed to make other required disclosures not misleading. Corp Fin advised companies to review the adequacy of their disclosures on these topics "on an ongoing basis." Chairwoman White stated that, "even in the absence of a line item requirement" in the disclosure rules regarding cyber attacks, the materiality standard governs disclosures about such attacks. The SEC will continue to prioritize increased disclosure of cyber security practices and to monitor the steps companies take to manage cyber security risk.

Other Regulatory Developments That Will Increase D&O Exposure: SEC Position On Disclosures

Specifically, the SEC believes that companies should disclose the risk of cyber incidents in a company's "risk factors" and that specific material cybersecurity breaches should be disclosed in their management discussion and analysis. Furthermore, cybersecurity breaches may have a broad impact on a company's income and assets, and these impacts should be reflected in a company's financial statements.

Regulatory Developments - UK

EU Data Protection Regulation
An overhaul of the Data Protection Directive to establish one single data protection law across all EU Member States and one single data protection authority to deal with. Key proposals include: higher penalties for breach (fines up to €100M or 5% of annual worldwide turnover); primacy of EU law; mandatory data protection officers; introduction of data protection reviews and privacy impact assessments. The proposed final text of the regulation is due to be voted on by the European Council in April 2014 but will not be passed until early 2015.

EU Directive on Cyber Crime
The Cyber Crime Directive (2013/40/EU) came into force on 3 September 2013. Member states must implement it by 4 September 2015. The new Directive aims to tackle the increasingly sophisticated and large-scale forms of attacks on information systems by requiring member states to strengthen national cyber-crime laws and introduce tougher criminal sanctions. It also aims to facilitate the prevention of such offences and to improve co-operation between judicial and other competent authorities.

Regulatory Developments - Canada

Canada's Anti-Spam Legislation
Most of Canada's Anti-Spam Legislation will come into force on 1 July 2014 as part of the Canadian Radio-television and Telecommunications Commission (CRTC) regulations. There are three broad activities that will engage the CRTC:
- sending of commercial electronic messages without consent
- alteration of transmission data in an electronic message without express consent
- installation of computer programs without express consent

The underlying principle is that these activities can only be carried out with prior consent and that such consent may be withdrawn. The CRTC will have a number of compliance tools, one such being administrative monetary penalties (AMPs). The maximum AMP is $1 million per violation for an individual and $10 million per violation for entities, such as corporations.

Concern In The Boardroom

According to a survey by FTI Consulting, cybersecurity has become the number one concern for general counsel and directors. Specifically, the survey found the following:
- 55% of general counsel said that data security was their top concern
- 33% of general counsel believe that boards are not adequately managing cyber risk
- 47% of general counsel said that operational risks such as cybersecurity were their most pressing concern

Sources of Potential Claims Against Directors and Officers

Increased news exposure about significant cyber security breaches raises the possibility of the following claims:
- Securities class action litigation
- Shareholder derivative actions
- Regulatory actions by the SEC

Securities Class Actions

The most significant ingredient of a securities class action claim, from the perspective of the plaintiffs' securities class action bar, is a significant stock drop in close proximity to a disclosure. A company that experiences a cybersecurity breach will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company's stock price. The strict pleading requirements of the Private Securities Litigation Reform Act of 1995 should bar any securities complaint that does not plead facts supporting a strong inference of fraud. Nonetheless, defense costs could be significant.

Note: According to a Bloomberg review, the 27 largest US companies disclosing cyber attacks to the SEC as of May 2013 all reported that they sustained no major financial losses.

Shareholder Derivative Actions

Another potential securities litigation risk for companies dealing with a cybersecurity breach is shareholder derivative litigation against officers and directors. Shareholders might allege, for example, that the directors of a company that experienced a cybersecurity breach breached their fiduciary duties to the company by failing to ensure adequate security measures. If any defendants sold shares before the attack occurred or before the risk was fully disclosed to the corporation, plaintiffs could allege they violated the duty of loyalty by profiting from the sale of those shares. The duty of care claim could be based on a decision made by the board or on the failure of the board to exercise proper oversight, allowing vulnerabilities to go unfixed and ultimately exploited.

Shareholder Derivative Actions (cont'd)

Caremark claims require shareholders to demonstrate (1) that the directors knew or should have known that violations of the law were occurring, (2) that the directors did not make a good faith effort to prevent or remedy the situation, and (3) that such failure proximately caused damage to the company. A challenge to the sufficiency of a board action (i.e., a decision) is unlikely to prevail. Absent a finding of bad faith or failure to act rationally, decisions of the board, no matter how questionable with the aid of hindsight, will generally be protected by the business judgment rule. Even if one were to establish the gross negligence necessary to overcome the presumption granted by the business judgment rule, most companies have adopted charter provisions under the Delaware Code, Title 8, Section 102(b)(7), insulating directors from personal liability resulting from a breach of their duty of care.

SEC Actions

If the SEC chooses to pursue formal actions against companies that have failed to disclose cybersecurity breaches, it can bring actions based on securities antifraud provisions such as Rule 10b-5. The SEC may try to establish books and records violations under Rule 13b2-2, which requires only simple negligence to establish liability. Companies that have experienced significant cybersecurity breaches should prepare themselves for potential SEC investigations and lawsuits.

Insurance Coverage

- Comprehensive General Liability
- Professional Indemnity
- D&O
- Fidelity

Clyde & Co: 1,400 lawyers and fee earners worldwide; Law Firm of the Year, Legal Business Awards 2011; 290 partners worldwide; 33 offices across Europe, Americas, Middle East, Africa and Asia.

Clyde & Co US LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of material contained in this summary. No part of this summary may be used, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Clyde & Co US LLP. © Clyde & Co US LLP 2014