Aon & DLA Piper's 2014 Network Security & Privacy Symposium, September 2014
2014 Aon Corporation Australia Limited ABN 58 004 756 772
Kevin Kalinich, Global Cyber Leader, Aon Risk Solutions
Network Security & Privacy Exposures and Insurance Solutions

1 Cyber Exposure Trends
 a) Increase in Dependence on Technology & Information Assets
 b) Magnitude & Frequency of Losses
 c) Evolving Nature of Cyber Risks in Australia
2 Cyber Risk Mitigation
 a) Risk Mitigation Best Practices
 b) Australia Privacy Act Amendments Compliance
 c) IT Vendor Management
3 Gaps in Existing Coverage
 a) General Liability
 b) Property
 c) Professional Liability
 d) Crime / EPLI
4 Cyber Insurance
 a) Coverage Terms & Conditions
 b) Exclusions
 c) Limits and Benchmarking
5 Key Takeaways
 a) Financial Statement Impact & Protection
 b) Reports to Management (it is a Board of Directors issue)
 c) Functions can be outsourced, but legal liability cannot be completely outsourced
 d) Collaboration of the Organisation's Departments
April 2014: World Wide Web 25 Year Anniversary. Timeline of the World Wide Web
When we say Network Risk, what do we mean? Personal information and intellectual property losses and operational outages mean material financial and reputational damage. However, Stuxnet was a game changer: it proved that physical property losses are possible through cyber means.
What is Network Security & Privacy for Risk Managers?
Emerging Network Security & Privacy Risks

Social Media
 Two distinct sources of risk: corporate and employee activity
 Network Security, Privacy, Social Engineering
 Defamation, product disparagement, IP infringement, harassment, and invasion of privacy

Mobile Device Payment Apps
 Mobile payment hardware, software, and mobile wallet technology is exploding globally
 Juniper Research study predicts mobile transactions will hit $1.3 trillion worldwide by 2015
 PCI Council guidance addresses account data security and mobile devices: hardware, software, usage, and customer relationship
 How is risk affected for all participants in the payment value chain?
 Mobile payments for online purchases predicted to skyrocket from $18 B (2012) to $117 B (2017) according to WorldPay

Cloud Computing
 What are the risk oversight and security controls of the cloud provider?
 Where will the data be stored, and will the provider make a contractual commitment to obey privacy laws?
 How is our data segregated from other data?
 How can I recover my data if disaster strikes?
 What if the provider goes out of business? How can I get my data back?
 How is liability allocated?

Internet of Things
 Telematics, device data collection, and location tracking, GPS

International Laws and Regulations

Big Data Analytics
2014 Developments
- Australian Privacy Principles (March 2014), BUT no mandatory data breach notification
- Australian Bureau of Statistics $7 MM security breach prompts insider trading charges (May 2014)
- Apple device hijacking prompts Australian iCloud account holders to change passwords (May 2014)
- ¾ of Australians say data breaches at banks & credit card companies concern them (Unisys) & 72% would never use a breached entity (SafeNet, July 2014)
- Australian daily deals site (Catch of the Day) disclosed 2011 data breach after 3 years
- Telstra fined $10K & warned over 16,000-customer privacy breach (March 2014)
- August 2014: 1.2 billion user names & passwords hacked by Russian crime ring
- 40% of Asian companies report significant economic losses from data breaches (Economist Intelligence Unit, July 2014)
- October 2011 SEC Guidelines re cyber risks
- Shareholder derivative actions against Target Corp (2014), Heartland Payment Systems (2008), TJX (settled 2010) and Wyndham Worldwide (2014): D's & O's
- Target Corp. $200 MM+ loss estimate to date
- SEC Commissioner, June 10, 2014: "Boards that choose to ignore, or minimise, the importance of cyber security responsibility do so at their own peril."
- National Institute of Standards and Technology's Framework for Improving Critical Infrastructure
- EU delay of Data Privacy Directive Amendments
Cyber Exposure Trends: Breakdown of Data Breach Expenses
Catastrophic Breach Model
Chart: Global Cost of an Average Data Breach (in $ millions; series: Total Cost, Response Costs, Lost Business, Cost per Record)
Cyber Exposure Trends: Cost of a Breach
"We ignore the risks that are hardest to measure, even when they pose the greatest threats to our well-being." (Nate Silver, The Signal and the Noise: Why So Many Predictions Fail But Some Don't)
Quantification: review applicable FI cyber losses, peer benchmarking, Monte Carlo simulations, financial impact
Options: risk acceptance, risk avoidance, risk retention, risk transfer (contractual allocation, cyber insurance)
Risk mitigation is key in all cases
Board of Directors liability? Integrate with Enterprise Risk Management
When we say Network Risk, what do we mean?
Wait, isn't this already covered?
Property Insurance: malware and Denial-of-Service attacks do not constitute physical perils and do not damage tangible property
Malpractice / E&O / PI: unauthorised access exclusions; requires negligence in provision of defined business activities; generally no cover for Information Commissioner regulatory actions
Common hurdles: intentional acts and insured-versus-insured issues; no coverage for expensive risk expenses required by law or to protect reputation
General Liability Insurance (CGL): privacy coverage limited to publication or utterance resulting in one of the traditional privacy torts
Crime Coverage: crime policies require intent, i.e. theft of money, securities or tangible property
Insurance Services Office (ISO) 2013/2014
2007: Bars coverage for Telephone Consumer Protection Act (TCPA) claims
2013: Bars coverage for the violation of a federal, state or local statute that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.
2014 (effective May 2014; revisions to General Liability standard form): "This insurance does not apply to: Access or Disclosure of Confidential or Personal Information. 'Personal and advertising injury' arising out of any access to or disclosure of any person's or organisation's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information. This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organisation's confidential or personal information."
Would you like to litigate for cover?
- Zurich v. Sony, Declaratory Judgment Action verdict: NO COVERAGE UNDER GL (February 21, 2014). Zurich says: "Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, are basic costs we would cover under our Zurich Security and Privacy Protection policy. Then if a claim is filed, we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result."
- State National Insurance Co. v. Global Payments (April 2013): $84 Million Declaratory Judgment Action regarding excess Professional Liability policy; card association claims do not arise out of negligence from professional services or technology-based services
- Hartford v. Crate & Barrel and Children's Retail Stores (Declaratory Judgment Action with respect to GL policy)
- Colorado Casualty Insurance Company v. Perpetual Storage and the University of Utah (GL policy): negligence suit against insurance broker for not placing proper coverage
- Tornado Technologies Inc. v. Quality Control Inspection, Inc. (Ohio Ct. App. August 2, 2012): no negligence of insurer for not warning insured to purchase special cyber policy
- Retail Ventures v. National Union Fire Ins. (August 23, 2012): Crime Policy Endorsement applies (http://www.troutmansanders.com/retail-ventures-decision-is-another-example-of-ongoing-efforts-to-determine-how-insuranceapplies-to-cyber-attacks-09-17-2012/)
- Lone Star Bank v. Heartland Payment (Sept. 2013): breached entity liable to third parties under negligence
- Eyeblaster v. Federal Ins. (8th Cir. 2010): coverage under E&O for negligent software
- CNA v. HIAR (September 2013): TCPA damages covered under GL as not a fine
- Liberty v. Schnucks (Aug. 2013): Declaratory Judgment denying potential $80 MM breach under CGL (dropped Oct. 2013)
- Hartford v. Corcino (Oct. 7, 2013): GL Advertising Injury triggered by medical information breach
- Abercrombie & Fitch Co. v. ACE European Group, Limited (S.D. Ohio 2013): cyber policy covers consumer protection claim
- Safety National Casualty Corp. v. Michaels Stores (June 18, 2014): Declaratory judgment under CGL regarding failed PIN pad terminals
Scope of Cyber Insurance coverage
Cyber Insurance: Major Exclusions
- Breach of contract (unless liable in absence of a contract)
- Patent / Trade Secret
- Return of Fees or Recall Expense
- Direct Bodily Injury or Property Damage
- False / Deceptive Advertising
- Known network security vulnerabilities
- Unsolicited communication
- Unauthorised or wrongful collection of information (coverage varies)
- Breaches or security failures that began prior to retro date
- Intentional acts or fraud by management
- Liquidated damages
- Coupons, discounts, or incentives to Insured's customers
- System upgrades or repairs
- Unencrypted Devices / Information
Before you buy: Qualification, Quantification, Risk Maturity Review, Insurability Review
What can go wrong? How am I protected? How bad can it be? Will my insurance respond?
Aon Cyber Risk Diagnostic Tool: https://www.aoncyberdiagnostic.com
Cyber Insurance: Optimal Cyber Programme
Share of Total Cyber Premium by Industry (Aon Data)
Australian Cyber Insurance Markets
Chart: theoretical capacity in $MM, any one risk (axis 0 to 300)
Year / Gross Written Premium
2002 / <$75m
2004 / $200m
2006 / $350m
2010 / $600m
2013 / ~$1bn (= 1/15th of P&C)
Cyber Insurance: then why?
Cyber Insurance: doing what technology cannot
The Improved Value Proposition of Cyber Insurance: the impact of catastrophic cyber risk transfer capacity is to lower the curve overall
Source: Doing What Technology Can't: The Role of Risk Transfer in Effectively Managing Cybersecurity
Will a D&O policy cover violation of the revised Australian Privacy Law?
Cyber Exposures Checklist for Australian Boards of Directors (September 2014): http://www.lexisnexis.com.au/en-au/products/internet-law-bulletin.page
Cyber Risk: Are Boards the New Target? Directors and officers need to understand how to improve their insurance policy's response to cyber risk. http://ww2.cfo.com/risk-management/2014/04/cyber-risk-boards-new-target/view-all/
The Risk Manager's Role in Mitigating Cyberrisk: http://www.rmmagazine.com/2014/03/13/the-risk-managers-role-in-mitigating-cyberrisk/
Alec Christie, Partner, DLA Piper
What has changed since March 2014?
- Changes to the Privacy Act: it's a matter of attitude!
- Why do I care?
- The role of the Privacy Commissioner
- Mandatory data breach reporting: not yet, but!
- Responsibility / liability of Directors and Boards
Lessons from recent investigations
- A snapshot of key recent findings
- Investigations in practice
- What to do! What not to do!
Lessons learnt: how to prepare your organisation for a potential breach
- Legal compliance: it's a start!
- In practice: roll your sleeves up!
Top 5 tips:
1. Understand your unique exposure
2. Understand your potential legal liabilities
3. Internal management
4. Mitigation strategies
5. Insurance?
Stephen Trickey, Financial Services Group National Leader, Aon Risk Solutions
Jacques Jacobs, Partner, DLA Piper
The Australian market landscape
Insurer / Product
Chubb / Cyber Security
Zurich / Network Security Privacy
Liberty / Cyber Insurance
AIG / CyberEdge
Dual / Cyber & Privacy Protection
CFC Underwriting / Cyber, Privacy & Media
Macquarie Underwriting / erisks Business Protection
Beazley / Beazley Breach Response
London Australia Underwriting / Cyber Policy
Allianz / Cyber Protect
Axis / In development
ACE / In development
Different sectors, different risks
Different sectors, different risks
Chart: NSP Gap Analysis Summary, segments Fully Insured, Partially Insured, Insurable, Excluded (shares shown: 25%, 8%, 34%, 33%)
Gaps in Conventional Insurances

1st Party Data Protection / Privacy Risks:
- Network Interruption
- Cyber Extortion
- Data Restoration, Recollection, Recreation (Determination and Action)
- Employee sabotage of Data
- Virus / Hacker damage to Data
- Denial of Service attack
- Physical damage to Data Only

3rd Party Data Protection / Privacy Risks:
- Breach of Personal Information
- Breach of Corporate Information
- Outsourcing Liability / Vicarious Liability
- Contamination of Third Party Data by any unauthorised software, computer code or virus
- Denial of access to third party data
- Theft of an access code from the Company's premises
- Destruction, modification, corruption, damage or deletion of Data
- Physical theft of the Company's hardware
- Data disclosure due to a Breach of Data Security
- Costs and expenses for legal advice and representation in connection with an Investigation
- Data Administrative Fines
- Repair of Company / Individuals' Reputation
- Media Content Liability (IP, plagiarism, defamation, trespassing)
- Notification Costs
- Monitoring Costs (with identity theft education and credit file or identity monitoring)

Policy columns in the matrix: Property, General Liability, Crime / Bond, K&R, PI, Cyber
Legend: Coverage Provided, Coverage Possible, No Coverage
For reference and discussion only: policy language and facts of claim will require further analysis