THE C/EO PERSPECTIVE: WHAT YOU DON T KNOW WILL HURT YOU



Similar documents
EMERGING CYBER RISK CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

Cyber Risks Connect With Directors and Officers

CLASS ACTION DATA BREACH LITIGATION: IS THE TIDE TURNING IN PLANTIFFS FAVOR?

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

Reducing Cyber Risk in Your Organization

CYBER LIABILITY RISKS SEMINAR Programme overview. THURSDAY 1 OCTOBER am 1.00pm Green Park Conference Centre, Reading

Joe A. Ramirez Catherine Crane

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Eliminating the Prohibition Against General Solicitation and General Advertising in Rule 506 and Rule 144A Offerings File No.

HOW DID NETWORK SECURITY AND PRIVACY ISSUES BECOME D&O EXPOSURES?

UNDERSTANDING INSURANCE OPTIONS For Early Stage Hedge Funds. Leading by Performance

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

JLT Specialty Limited is a member of the Jardine Lloyd Thompson Group of companies. Jardine Lloyd Thompson Group plc is an international group of

Cybersecurity y Managing g the Risks

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Data Privacy and Cybersecurity Task Force

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

UNDERSTANDING INSURANCE OPTIONS For start-up Hedge Funds. Tailor made advice

What are the main liability policies you should consider for your commercial business?

Discussion on Network Security & Privacy Liability Exposures and Insurance

Current trends in D&O liability and insurance in the United States. Kevin M. LaCroix, Executive Vice President, RT Pro Exec and Author, The D&O Diary

Cyber Security Evolved

Cyber/ Network Security. FINEX Global

Big Data As a Threat? An Alternative Approach to Cybersecurity

Newsletter No. 194 (EN) Directors and Officers (D&O) Liability Insurance in Hong Kong

Cyber Security: Not if, but when...

PRIORITIZING CYBERSECURITY

M&A insurance applications and opportunities

BE ON GUARD. Understanding the Executive Liability Risks That Can Threaten Your Biotechnology Company

INVESTMENT MANAGEMENT. Investment Management Services

How to Respond When Sensitive Customer and Employee Data is Breached, Stolen or Compromised

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Cyber Insurance in an Evolving Liability Landscape: Informed, Strategic Expectations Monday, February 29, :00pm 3:00pm

Information Security & Negligence Targeting the C-Class

PRIVATE COMPANY MANAGEMENT LIABILITY INSURANCE COVERAGE INCONSISTENCIES

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Coverage is subject to a Deductible

Increased Regulatory Focus on Cybersecurity Underscores Need for Public Companies to Review Cybersecurity-Related Disclosures

Dragonshield Proposal Form Broad Form Management Liability Insurance

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks

CYBER BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIM & LEGAL GROUP

Mitigating and managing cyber risk: ten issues to consider

Rogers Insurance Client Presentation

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW TECHNOLOGY AND TELECOM COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

CyberSecurity for Law Firms

BT Assure Threat Intelligence

energy JLT Specialty Limited Demand Different

White Paper on Financial Industry Regulatory Climate

risk management & crisis response Building a Proactive Risk Management Program

CGI Cyber Risk Advisory and Management Services for Insurers

Insurance for Data Breaches in the Hospitality Industry

CRISIS MANAGEMENT: Practice Series. The Economy, Security and Coping with the Unexpected. Anton R. Valukas. Robert R. Stauffer. Thomas P.

Anatomy of a Hotel Breach

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am

The Financial Insurance Guide for Investment Advisors

How To Get A Security Insurance Policy From Jlt.Com

Introduction to Medical Malpractice Insurance

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

Data security: A growing liability threat

FINRA Publishes its 2015 Report on Cybersecurity Practices

Reducing Risk. Raising Expectations. CyberRisk and Professional Liability

Cyber-insurance: Understanding Your Risks

Our specialist insurance services for Professionals risks

Tools Conference Toronto November 26, 2014 Insurance for NFP s. Presented by Paul Spark HUB International HKMB Limited

CYBERSECURITY: Is Your Business Ready?

Cybersecurity Developments and the Growing Role of Senior Executives and Directors

7 Steps to Protect Your Company from a Data Breach

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Helping you protect your good intentions

Insurance Coverage During the Economic Crisis. by Bianca R. Chapman and Marc Rosenthal

Common Mistakes Made With Real Estate Errors and Omissions Insurance. Gallagher Real Estate & Hospitality

How To Protect Your Cybersecurity From Cyber Incidents

IAPP Global Privacy Summit 2014 The SEC and Cybersecurity: What Every Publicly Traded Company Must Know

ALM Virtual Corporate Counsel Managing Cybersecurity Risks and Mitigating Data Breach Damage

Is Your Financial Institutions' Insurance Policy vulnerable to a cyber claim? Joan D Ambrosio, James Cooper and Kim West 22 January 2014

BOARD OF GOVERNORS MEETING JUNE 25, 2014

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

our promises. Our policies are Claims Management Highlights Panel Counsel Depth in Leadership. Trusted Partnership. Fold Fold

CYBER SECURITY SPECIALREPORT

The promise and pitfalls of cyber insurance January 2016

Defining the Gap: The Cybersecurity Governance Study

Security Incident Response Process. Category: Information Security and Privacy. The Commonwealth of Pennsylvania

CYBER RISK SECURITY, NETWORK & PRIVACY

How To Cover A Data Breach In The European Market

CREDIT, POLITICAL & SECURITY RISKS ANALYTICS & CONSULTANCY. Protecting business and securing opportunity

Written Testimony of Michael Menapace. Sen. Jerry Moran, Sen. Blumenthal, and other members of the Subcommittee -

DIRECTORS & OFFICERS LIABILITY INSURANCE

What Data? I m A Trucking Company!

In an ever changing business and social environment it has become increasingly

OECD PROJECT ON CYBER RISK INSURANCE

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

VENDOR MANAGEMENT. General Overview

Cyber Exposure for Credit Unions

Transcription:

THE C/EO PERSPECTIVE: WHAT YOU DON T KNOW WILL HURT YOU Cyber Liability in the Boardroom What you don t know will hurt you.

ABOUT JLT SPECIALTY JLT Specialty Insurance Services is the U.S. platform of JLT Group, the leading specialty business advisory firm. Our experts have deep industry and product experience serving the leading U.S. and global firms. Our client proposition is built upon our specialist knowledge, client advocacy, tailored advice and service excellence. Our culture reinforces the value of our people with teamwork and collaboration. Together, we place our clients first, champion independent thinking and expect to be judged on the results we deliver. ABOUT C/EO A key component of JLT Specialty s recent expansion of its US operations has been the formation of the Cyber and E&O Practice (C/EO), a team of motivated and skilled people who bring a wealth of experience in complex cyber and E&O placements and a proven track record of success in working with clients of all sizes. They are committed to growing a specialty business in the US market and are aligned with JLT Group s client-first culture and entrepreneurial drive. We pride ourselves on a pragmatic approach that leverages the Cyber and E&O Practitioners deep industry and product knowledge. This starts with an interactive exposure identification and priority discussion. We then transform this discussion into a risk transfer solution strategy, including proposed coverages, insurer partners and execution timeline.

The C/EO Perspective: What You Don t Know Will Hurt You 1 CYBER LIABILITY IN THE BOARDROOM When a company becomes the victim of a cyber breach, naturally fingers point in all directions the Chief Information Security Officer (if there is one) or the IT department in general; third party vendors that may have acted as an initial point of contact; foreign governments that have gained a reputation for hacking into competing companies; the Board. Wait the Board of Directors? Until recently, board accountability following a cyber breach was merely theoretical. In an ever evolving legal and regulatory environment, various theories of negligence and fault have been tested, in many cases unsuccessfully. The latest trend, however, puts even the Board at risk for liability stemming from a failure to protect their customers personal and financial information. Wyndham Worldwide has kept itself in the news following three data breaches over a period of 22 months, beginning in April 2008, resulting in the compromise of 600,000 records a relatively small community of victims based on 2014 standards. But Wyndham has taken an unprecedented approach in challenging, not the merits of the allegations, but the authority of the entity bringing regulatory action against them, namely the FTC. Following the FTC investigation and subsequent legal action, shareholders demanded, on two separate occasions, that the Board file suit against Wyndham officers for employing inadequate security controls. After the Board declined to bring suit a second time, the shareholder filed a derivative suit in February 2014. Ultimately, the court dismissed the suit with prejudice on the basis that the Board had conducted their due diligence and acted in the best interest of Wyndham. Though the Wyndham derivative suit was unsuccessful, it affirms the growing responsibility of the Board to actively engage in cyber security implementation. Wyndham was successful in dismissing the suit primarily because they had strong evidence to suggest that they were active in the breach response and cyber security conversation. How many Boards are employing the same due diligence before a breach occurs? With complex cyber issues threatening businesses of all sizes and sectors on a daily basis cited as 97% of all companies currently being hacked by FireEye CEO Dave DeWalt during a recent 60 Minutes segment - ignorance or lack of action is no longer a defense, and in fact, can expose a Board to liability. The failed derivative suit also acts as another example of how an established breach response plan, including third party assistance, can be the best defense against future liability. In another example, Heartland Payment Systems suffered a breach of a whopping 130 million records, discovered in early 2009, which is still considered to be the largest breach based on record count. Following disclosure of the breach, Heartland s stock plummeted 80%, prompting securities class action litigation. Though this suit was also dismissed for failing to meeting the pleading standards, it was aggressive in alleging that Heartland had made fraudulent statements during a 2008 earnings call, ultimately misleading investors regarding the state of their security controls. Nearly five years after the Heartland breach, and more than ten years since the first dedicated cyber insurance product was introduced, underwriters will candidly admit that they are still refining the questions and tools necessary to adequately evaluate exposure through a dedicated cyber underwriting effort, much less via the D&O placement, which in many cases has been a continuous renewal for several years. The SEC s attempt to incorporate clarity in financial statements regarding cyber security measures has actually done little to inform investors and other interested parties into the granular details necessary to assess a company s security measures.

2 The C/EO Perspective: What You Don t Know Will Hurt You According to the 2014 EY Global Information Security Survey, the second most critical, but overlooked foundational requirement of an organization without proper cyber security integration is to Get Board-level support for a security transformation. Redefine cybersecurity governance, e.g., realigning cybersecurity outside of the IT function and ensuring that the Board understands processes. Put another way, EY views Board support and collaboration to be as important as, and specifically, a fundamental principal along with, more commonly recognized practices like penetration testing, risk assessment and road mapping, continuity and incident response plans. Despite the dismissals, the Wyndham and Heartland lawsuits illustrate the potential litigation exposure arising out of a cyber breach to not only the company and its directors and officers, but also to its D&O insurers. Whereas coverage for the company under a public company D&O program is generally limited to claims alleging violations of securities laws, the scope of coverage for individual directors and officers (defendants in derivative litigation) is much broader. A D&O program, if properly negotiated, should protect the individuals for derivative litigation arising out of a cyber breach. Furthering the concern of D&O insurers, many jurisdictions questions to be asked of insureds and potential insureds at each placement. Underwriters will want to discuss the company s strategy to understand and mitigate the risk associated with a cyber breach as well as the role of the directors and officers in developing and reviewing that strategy. As is frequently the case with specialty insurance products where policy language and carrier appetite vary widely, no Insured should assume that all risks associated with a cyber breach are affirmatively covered. While a dedicated cyber policy should respond to many of the first and third party losses associated with a breach (if properly negotiated), the D&O policy should also be reviewed to ensure affirmative response to suits against the directors and officers resulting from a breach. Following Target s acknowledgement of their massive data breach in December 2013, two derivative suits were filed in January 2014. The suits allege Breach of Fiduciary Duty, Waste of Corporate Assets, Gross Mismanagement and Abuse of Control. Shareholders specifically allege that directors and officers failed to properly oversee Target s business and operations. Based on FireEye s assertion of 97% of all companies being breached, is any Board in a position to properly oversee their company s business preclude corporate indemnification for settlements and judgments resulting from derivative litigation implicating the Side A (non-indemnifiable loss) insuring agreement of the D&O program, eliminating the retention and putting the insurer s limit at greater risk. In light of this emerging exposure, D&O insurers are taking notice and companies should be prepared to address questions related to the firm s cyber exposure as part of the D&O Liability insurance renewal process - some insurers have even formalized a set of cyber security-related and operations? Based on The Global State of Information Security Survey 2015 conducted by PwC, only 42% of respondents confirm that the board is active in the security strategy, and only a quarter review current security and privacy risks. When less than half of these boards are involved in the security conversation, how can they adequately defend their ability to properly oversee businesses and operations? At the time of this publication, Sony has spent over a month as the leading cyber breach story, finding itself in the midst of a cyber security and

The C/EO Perspective: What You Don t Know Will Hurt You 3 Public Relations nightmare, with no foreseeable end in sight. Déjà vu all over again? Sony was on the receiving end of multiple targeted attacks by hacktivists in 2011, casting a lasting negative light, not only due to their response, but the actions that led to the retaliatory attacks. Three years later, Sony can t seem to exit the spotlight nor the rhetorical question of did they learn nothing the first time? More troublesome then finding yourself as the victim of a cyber attack is finding yourself in that situation again. As the release of information by the attackers, calling themselves Guardians of Peace slowing, and the modified, but no less controversial release of the film at the heart of the attack having come and gone to earn much lower revenue figures than originally forecast, the next phase of the conversation is speculation as to the types of losses Sony is likely facing now, and likely to face in the future. To date, Sony has been named in four suits, one of which filed by two former employees in federal court alleges that Sony failed to secure its computer systems, servers and databases because Sony made a business decision to accept the risk of losses associated with being hacked. Though Sony s own emails obtained and released by the hackers seem to support the claim that their controls were lackluster and demonstrate some warnings from their IT department and others, this specific allegation begs the question of whether a company s choice to accept the financial and reputational risk associated with a cyber breach introduces a new theory of liability. If Sony s decision makers were aware of the risk but chose to assume it, does that mean that the decision makers at 97% of companies that are purportedly currently being hacked, or those that choose not to insure the financial aspect of a cyber breach are breaching their Fiduciary Duty, or failing to properly oversee their business and operations? Included in the list of suits that Sony is likely to face in the future is shareholder litigation as a result of the low revenue figures earned from the film s modified release. Sony s share price took a rather large tumble in 2011 resulting from the hacktivist attack, and though no shareholder suit followed, based on recent activity and expectations of accountability, the Board should be prepared to defend their ability to properly oversee their business and operations, even more so because of the 2011 breach. So, what is a Board to do when they can t cross their fingers and hope to be part of the 3% of companies that have somehow eluded the threat of cyber criminals to date? Despite much of the litigation against directors and officers pending, and others unsuccessfully testing various theories, it is clear that preparedness, or lack thereof, is a common theme among the suits. Boards need to take an active role in the ongoing responsibility of cyber security, which goes far beyond simply trying to prevent intrusions. Minimizing the information that can leave the organization, knowing how the company will respond once an incident occurs, and ensuring that they have taken all reasonable and appropriate measures to minimize the harm not only to the customer or individuals whose information may be at risk, but now the shareholders, too. JLT s Cyber Liability and D&O experts are well versed in this emerging exposure and welcome the opportunity to engage in additional dialogue. The C/EO team utilizes a defined, pragmatic approach in order to evaluate cyber liability exposures and craft a customized policy to meet the insured s specific needs. Part of that process includes the evaluation of ancillary policies and coverage that could be impacted in the event of a cyberattack. JLT s experienced D&O brokers work in conjunction with the attorneys in our dedicated Legal & Claims Practice and the C/EO team to conduct a gap analysis on the existing D&O program, remediate coverage deficiencies, ensure coordination between the D&O and Cyber Liability programs and maximize protection for both personal and corporate assets. If you d like to discuss how your company can coordinate and contain your cyber liability exposures among your various insurance policies or otherwise, please don t hesitate to contact the brokers at JLT Specialty.

FOR D&O INQUIRIES WILLIAM KROUPA Vice President, JLT Specialty Insurance Services, Inc. Financial Lines Group 303 589 3744 William.Kroupa@jltus.com FOR CYBER INQUIRIES SHANNON GROEBER Senior Vice President JLT Specialty Insurance Services, Inc. Cyber/E&O 215 246 3993 Shannon.Groeber@jltus.com JLT Specialty Insurance Services, Inc. Centre Square East 1500 Market Street Philadelphia, PA 19102 Tel 215.246.1600 www.jltspecialty.com Lloyd s Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96. December 2014 xxxxxx

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information