Cyber Insurance: How to Investigate the Right Coverage for Your Company




6-11-2015
Cyber Insurance: How to Investigate the Right Coverage for Your Company
Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP
Greenleaf Trust Chief Information Security Officer (CISO) and Privacy Officer, and InfraGard National Members Alliance, Inc. Secretary

How to Investigate the Right Coverage
- How do you select an insurance broker?
- Questions to ask insurance brokers
- Process of purchasing cyber insurance
- How to evaluate your cyber insurance needs

Cyber Insurance Considerations
- How does the assessment portion of cyber insurance work?
- What are the questions to ask when looking at cyber insurance?
- Insurance Broker timeline: all the items we want to know about are provided in interviews of key stakeholders, and then it may take up to two months to go through it.
- Have them provide a list of underwriters who will be presenting their cyber insurance coverage.

Selection of an Insurance Broker
- Some local insurance brokers are still not mature enough to know what cyber security is all about
- Find the right type of coverage for your company
- Assessment prior to obtaining an Insurance Broker
- Who is the right Insurance Broker?
- Cyber insurance analysis: what we need, why we need it

Insurance Broker's View
Used with permission from IAPP Global Summit presenters: Toby Merrill, ACE Group; Sarah Stephens, JLT; Mark Greisiger, NetDiligence

Role of Insurance in Managing Cyber Risk
Used with permission from IAPP Global Summit presenters Toby Merrill, ACE Group, Sarah Stephens, JLT and Mark Greisiger, NetDiligence

Most common policy triggers:
- 25% network security attack
- 20% lost or stolen device
- 16% human error
- 15% rogue employee
- 9% privacy policy
- 6% paper

Industry breakout:
- 31% healthcare
- 13% technology
- 13% professional services
- 9% retail
- 8% travel and hospitality
- 7% financial institutions

Mitigate: Loss Mitigation Services
- Cyber and data privacy risk management portal (e.g., NetDiligence's eRisk Hub)
- Remediate and patch exploits; IDS/IPS; dedicated security staff; network security assessment; phishing exercises

Respond: Data Breach Team
- Independent Data Breach Team to respond to incidents
- Forensics Team: preservation of evidence and aid to the investigation
- Legal Team to assist with notifications

Transfer: Risk Transfer Solutions
- Financial loss protection, including experienced claims staff to handle highly complex claims
- Insurance coverage for breaches; file lawsuits against third parties for recovery of claim

Insurance Broker Criteria
- Insurance Broker needs to understand cyber security needs
- Knowing what underwriters want is a valuable trait in an Insurance Broker
- Policy is meaningful and not just another insurance policy
- Present 3-4 underwriters who know your business and provide a quality cyber insurance policy
- Investigate having cyber insurance as part of the errors and omissions policy; make sure human error with technology is covered

Insurance Broker Criteria
- How do you evaluate the relative maturity of the Insurance Broker in selling cyber?
- Look for an Insurance Broker who will meet with the risk team and advise them of our requirements
- What you are worried about: making sure that we are giving the Insurance Broker full knowledge of our security posture
- Insurance Broker wants to help you create a profile and do a dress rehearsal, including an in-depth report
- Insurance Broker would interview employees and know what the underwriters want to see, rather than just provide answers to a survey
- Filling out an application (survey) would not show what our situation is; a personal relationship is necessary

Used with permission from IAPP Global Summit presenters: Toby Merrill, ACE Group; Sarah Stephens, JLT; Mark Greisiger, NetDiligence

Questions for Insurance Broker
- Tell me about the key things that will reduce our cost of coverage the most. We would like to hear some explanation about security controls and capabilities in the response, and not just scope reductions.
- What's hot right now in terms of what insurance underwriters have an interest in? Third-party vendor management, protecting credit cards, point-of-sale, other?
- What is the Broker's overall pitch to us? They should essentially describe that they want to deeply understand our business and package our risk in a way that it can be sold to underwriters.
- Schedule a meeting with the Insurance Broker

Questions for Insurance Broker
- Explain a real case of yours when an insurance company pushed back on a claim and how you were able to advocate and fight for your client's position effectively.
- What types of considerations would we need to think about as we are examining the policies themselves? Potential expectations: discussions regarding things like acts of God, accidental backdoors introduced by the company's own developers, nation-state adversaries, terrorism, economic espionage, cases where the company might have employed some form of active defense, etc.

Questions for Insurance Broker
- Do cyber security policies cover ransomware attacks?
- Does the Broker understand cyber security needs?
- What underwriters do you use?
- Do you know what the underwriters want to see with regard to our security posture?

Questions for Insurance Broker
- Explain the application: do we fill it out, and at what point are we held accountable for the answers?
- Ask how the application will be used. Would you simply use the application, or would you interview employees?
- What is the relative maturity of the Broker in selling cyber insurance?

Questions for Insurance Broker
- How do you determine what is reputational damage? Brand coverage is the soft costs, and premiums may go up. Have not done a good job quantifying yet.
- Consider having a line item in the cyber insurance policy for hiring a PR firm, forensic analysts, and attorneys to assist with a breach
- How much coverage is enough? Cyber is so complex that it is tough to determine.
  - Inventory the number of records and the PII, PFI, and ePHI data held
  - Get quotes for various levels of coverage (i.e., $1M, $3M, $5M, up to $20M)

Sample of Possible Application Questions

Regulatory
- Which laws and/or standards apply to your business: PCI-DSS, HIPAA, GLBA, DPPA (Driver's Privacy Protection Act), California's Privacy Law, Red Flag Rules, EU Data Directive

Privacy
- Privacy Officer designated for company
- Privacy Policy: written and published; reviewed by an attorney; audited by external third party
- Secure data destruction policy/procedures in place
- Data retention policy for personally identifiable information (PII)

Security Controls
- Chief Information Security Officer designated for company
- Information Security policies written and published
- Access controls: restricted access to PII
- Incident Response Plan for network intrusions and viruses
- Penetration testing and audits performed
- Vulnerability scans, security appliances, IDS/IPS monitoring, DLP, etc.
- Physical controls
- Backup formats and secure storage

Business Interruption and Hacker Damage
- Maintain redundant systems
- Speed of recovering and installing backups

Description of website content and social network posting control
- Processes for review of social media and website content
- Trademarks, copyright, disparagement

Prior claims or loss from a breach

Cyber Insurance Coverages
- Network Security and Privacy Liability: unauthorized access events
- Breach Response Services: notification costs, credit monitoring, public relations expenses, forensic analysis, legal services, and call center services
- Regulatory Defense, Fines, and Penalties: make sure this is included. Note: civil fines and penalties are not covered
- Transmission of Viruses/Malicious Code: determine whether the company would need this coverage
- Business Interruption Expense: costs to stand up the business again (hardware, consulting services)
- Theft and Fraud: destruction or theft of data and/or funds
- Digital Asset Coverage: restore or recollect data lost or stolen
- PCI Fines and Penalties: stolen credit card data and regulatory penalties
- Communications and Media Liability: traditional and social media content, website, trademarks, etc.
- Cyber Extortion: payment and security consultant fees

Key Takeaways
1. Interview Insurance Brokers. Just because you have always used them for other insurance needs does not mean you cannot seek one with cyber insurance expertise.
2. Set up an interview meeting with the insurance broker. Prepare by developing questions you want to have them answer.
3. Demonstrate your company is best in class. Build out the incident response plan to include vendors and make improvements to the security program prior to applying for cyber insurance.
4. Complete the application with honest answers; be prepared to support your answers.
5. Evaluate what your needs are and select the coverage that will protect your company the best.
6. Complete the purchase of cyber liability insurance and review the policy. Present this to the company's Board of Directors.

Resources (For Research Purposes Only)
- William C. Wagner, Esq., Taft Law Firm, Privacy and Data Security Insight: http://www.privacyanddatasecurityinsight.com/category/cybersecurity/breach-detection/
  - Cyber Insurance: Do I Really Need It?
  - Cyber Insurance: What do Cyber Insurance Policies Cover and Cost?
  - Cyber Insurance: How Do I Determine My Coverage Needs?
- Department of Homeland Security Cybersecurity Insurance Resource Page: http://www.dhs.gov/publication/cybersecurity-insurance
- UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/uk_cyber_security_report_final.pdf
- NetDiligence Cyber Risk Assessment and Data Breach Services: http://www.netdiligence.com
- eRisk Hub: https://eriskhub.com

Thank You! Questions?

Further Questions?
Faith M. Heikkila, Ph.D., CIPP-US, CIPM, CISM, ABCP
Greenleaf Trust CISO and Privacy Officer, and InfraGard National Members Alliance, Inc. Secretary
E: fheikkila@infragardmembers.org