CYBER-LIABILITY COVERAGE: The $45 Million Exposure

Today's Presenters:
Mark J. Camillo, MBA, BS, Head of Network Security and Privacy Products, AIG
Jill Haynes Gidge, CPCU, CIC, CISR, CRIS, AAI, AAM, AIT, CPIW, AIS, BSN, RN, Independent Insurance Education Consultant/Trainer, Insure-Ed
Brad Vatrt, BA, JD, Complex Claim Director for Network Security/Media/Technology Group, AIG
DATA BREACH 2012-2013*
Number of breaches: 825+ and rising
Number of people exposed: 13,498,996+ and rising
Location of breaches:
Educational facilities
Banking, credit/financial
Government/military
Healthcare facilities and companies
Data/information companies
Utilities/hospitality/retail
* Source: Federal Trade Commission
Are you and your clients protected?

DATA BREACH 2012-2013 (2)
Average cost per data breach loss: $203,000-$591,000 (a 42% increase)*
30-40% growth in overall data breach/cyber-security claims
Cyber-liability is no longer a back-burner issue
17% of firms had an enterprise-wide risk approach in 2008
72% of firms have an enterprise-wide risk approach in 2012
* Ponemon Institute Research Report 2012

WHAT CONSTITUTES A DATA BREACH?
The intentional or unintentional release of secure information (data leak, data spill) to an insecure or untrustworthy environment
"A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."*
* Wikipedia
Overview of Key Federal & State Laws Impacting Data Breach/Cyber-Liability
Health Insurance Portability and Accountability Act (HIPAA)
Driver's Privacy Protection Act
Fair Credit Reporting Act
Gramm-Leach-Bliley Act
Cyberspace Electronic Security Act
USA PATRIOT Act
Cyber Security Enhancement Act
Standards for Safeguarding Customer Information
Fair and Accurate Credit Transactions Act
Red Flags Rule
File Transfer Compliance: Massachusetts 201 CMR 17

Health Insurance Portability & Accountability Act (HIPAA)
Protections for individuals: use, disclosure and transmission of PHI
Privacy Rule: protects confidentiality of PHI
Security Rule: safeguards to protect the confidentiality, integrity and availability of PHI

Driver's Privacy Protection Act
Covers DMV records and MVRs
Personal information protected:
Photograph
Social Security number
Name
Address
Telephone number
Medical/disability information
PFI

Fair Credit Reporting Act
Applies to individuals only
Protects privacy and assures accuracy
Governs collection and dissemination of information, and redress
More PFI

Gramm-Leach-Bliley: Financial Services Modernization Act
Protection of consumers' non-public personal financial information
Includes information utilized by agents and brokers
Compliance is mandatory!

Cyberspace Electronic Security Act
Protection standards set for:
Privacy
Security
Safety
Encryption:
Symmetric key
Asymmetric key
HTTPS

USA PATRIOT Act
Investigation of terrorism
Ensure domestic security
Surveillance
Money laundering
Increase of government power
4th Amendment concerns

Cyber Security Enhancement Act of 2002
Sets sentencing guidelines relative to certain computer crimes

Regulation 173: Standards for Safeguarding Customer Information
Risk assessment required
Manage and control cyber-risk
Oversee service provider arrangements
Evaluate, monitor and adjust the program

Fair and Accurate Credit Transactions Act
Free credit report annually from each reporting agency, without harm to credit score
Fraud alerts
Ability to opt out of affiliate marketing
Protection against unauthorized access
Requirement to exercise due diligence

Red Flags Rule
Written Identity Theft Prevention Program that detects warning signs ("red flags") of ID theft
Step 1: Identifying relevant red flags
Step 2: Detecting red flags
Step 3: Responding to red flags
Step 4: Administering the program

File Transfer Compliance: 201 CMR 17
Establishes a minimum standard for the protection of Massachusetts residents' personal information (PFI and PHI), both in electronic and paper form
Written security program required
Other states may follow!
Who Has A Cyber-Liability Exposure?
Any person or business with a web site
Size is immaterial here!
Can be subject to claims for:
Damage caused to another computer when interfacing or downloading
Damage to data or software
Remember: electronic data is not tangible property (ISO forms)

Where Is Cyber-Liability Coverage Available, If At All?
ISO Commercial General Liability Coverage Form CG 00 01
Definitions: 17. Property Damage: damage to, loss of, or destruction of tangible physical property, including its loss of use; electronic data is NOT tangible property
Exclusions:
j. Damage to property
o. Personal & advertising injury
p. Electronic data

Where Is Cyber-Liability Coverage Available, If At All? (2)
Coverage B: Personal and Advertising Injury Liability (ISO CGL)
Definitions: 14. Personal and advertising injury; 17. Property damage
Exclusions: especially i and j
Chatrooms, bulletin boards, web hosts, webmasters, etc.

Where Is Cyber-Liability Coverage Available, If At All? (3)
ISO Electronic Data Liability Endorsement CG 04 37
Buys back liability coverage (for negligence in data damage, etc.)
Loss of electronic data is now a category of property damage (direct damage)
C. Definitions: data is STILL not tangible property

Where Is Cyber-Liability Coverage Available, If At All? (4)
ISO Electronic Data Liability Coverage Form CG 00 65
Broader coverage
Actual loss of data covered
No need for physical injury to tangible property
Claims-made format!
Covers loss caused by an electronic data incident

Where Is Cyber-Liability Coverage Available, If At All? (5)
ISO Businessowners Policy
Electronic Data Liability Limited Coverage Endorsement BP 05 95: similar to the CGL version for direct damage to data of others due to the insured's negligence
Electronic Data Liability Broad Coverage Endorsement BP 05 96: similar to the ISO Electronic Data Liability Coverage Form, but as an endorsement

Where Is Cyber-Liability Coverage Available, If At All? (6)
Cyber-Liability Insurance
First- and third-party risks
Privacy
Infringement of intellectual property
Virus transmission
E-business, internet, networks
Who needs it?

Where Is Cyber-Liability Coverage Available, If At All? (7)
Network Risk Insurance
Private and public companies
Exposures covered vary
What does it do? Protection against:
Unauthorized access to data
Theft of data (crime)
Computer viruses (direct damage, loss of use)
Distributed Denial of Service (DDoS) attacks
Loss/corruption of data

Where Is Cyber-Liability Coverage Available, If At All? (8)
Network Risk Insurance (cont'd)
Protection against (cont'd):
Business interruption
Liability
Cyber-extortion
Public relations
Criminal rewards
Cyber-terrorism
Identity theft
Cyber-Liability 2013
Most common internal security threats (Mark Camillo)
Most common reasons for data breach litigation (Brad Vatrt)
OMG!

Cyber-Liability 2013 (2)
Costs of cyber-risk
Approaches to cyber-risk
Carrier perspectives

Cyber-Liability Risk Management
Physical security
Privacy policies
Established procedures
Employee training
Encryption
Firewalls
Passwords
Anti-virus, anti-spyware software
Cyber-hygiene function
Copyright review

Cyber-Liability Risk Management (2)
Shred! (cross-cut is best)
Awareness of operations/activities involving data
Be proactive: prevent/reduce risk potential before a loss happens
Duplication and segregation of data (cloud, recovery and storage vendors, etc.)
Question what's done, and why
Assess risk
On a personal note: know your score

Cyber-Liability Risk Management (3)
Password expirations
Password history
Password length (8-11 characters)
Password composition (upper case, lower case, symbols, numbers)
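The four password controls on this slide (expiration, history, length, composition) are easy to state and easy to get wrong in practice, notably by storing the history as plaintext or reversible values. The Python below is an added example, not code from the presenters or from AIG: it enforces the slide's stated policy, keeping the history as salted PBKDF2 hashes and comparing with a constant-time check. The slide gives the 8-11 character length; the 5-entry history depth and 90-day expiry are assumptions chosen for illustration. One caveat a practitioner should weigh: current NIST guidance (SP 800-63B) discourages mandatory periodic expiration and composition rules in favour of longer passwords and screening against known-breached passwords, so treat the thresholds as the deck's policy rather than a recommendation.

```python
"""Password-policy checker for the slide's four controls.

Added example, not from the original presentation.  MIN_LEN/MAX_LEN
come from the slide; HISTORY_DEPTH and MAX_AGE_DAYS are assumed values.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LEN, MAX_LEN = 8, 11   # slide: "8-11 characters"
HISTORY_DEPTH = 5          # assumption: last 5 passwords may not be reused
MAX_AGE_DAYS = 90          # assumption: password expires after 90 days
PBKDF2_ROUNDS = 200_000    # work factor for stored hashes


@dataclass
class PasswordRecord:
    """One entry of a user's password history: salted hash plus set date."""
    salt: bytes
    digest: bytes
    set_on: datetime


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, record: PasswordRecord) -> bool:
    """Constant-time comparison against a stored record."""
    _, candidate = hash_password(password, record.salt)
    return hmac.compare_digest(candidate, record.digest)


def make_record(password: str, set_on: datetime) -> PasswordRecord:
    salt, digest = hash_password(password)
    return PasswordRecord(salt, digest, set_on)


def policy_violations(candidate: str, history: List[PasswordRecord]) -> List[str]:
    """Length, composition and history checks; empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("missing upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("missing lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("missing number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("missing symbol")
    # History: only the most recent HISTORY_DEPTH entries are compared.
    for record in history[-HISTORY_DEPTH:]:
        if matches(candidate, record):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def password_expired(record: PasswordRecord, now: datetime) -> bool:
    """Expiration check against the record's set date."""
    return now - record.set_on > timedelta(days=MAX_AGE_DAYS)


def expiry_demo() -> Tuple[bool, bool]:
    """Constructed data: one record set 100 days ago, one set yesterday."""
    now = datetime(2013, 6, 1)
    old = make_record("Tr0ub4dor&", now - timedelta(days=100))
    new = make_record("C0rrect!hb", now - timedelta(days=1))
    return password_expired(old, now), password_expired(new, now)


if __name__ == "__main__":
    history = [make_record("Tr0ub4dor&", datetime(2013, 3, 1))]
    for pw in ["password", "Abcdefg1!2345", "Tr0ub4dor&", "N3w-Pass!x"]:
        print(repr(pw), policy_violations(pw, history) or "OK")
    print("expired (old, new):", expiry_demo())
```

The history check hashes the candidate once per stored record with that record's own salt, so five history entries cost five PBKDF2 computations; keep HISTORY_DEPTH small and the round count fixed per deployment so the check stays predictable in time.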
It's A Wrap!
Thank you for attending our presentation!
Please complete an evaluation.
Have a great rest of your day, and CONGRATULATIONS to all the new designees!

Session Feedback
Please rate this session using the mobile app.