CYBER LIABILITY & INFORMATION SECURITY



Similar documents
Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

NZI LIABILITY CYBER. Are you protected?

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Privacy / Network Security Liability Insurance Discussion. January 30, Kevin Violette RT ProExec

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Discussion on Network Security & Privacy Liability Exposures and Insurance

Cyber Exposure for Credit Unions

Rogers Insurance Client Presentation

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks

DATA BREACH COVERAGE

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

EMERGING CYBER RISK CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

Cyber/ Network Security. FINEX Global

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

What Data? I m A Trucking Company!

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance

Statutory Liability Insurance

Coverage is subject to a Deductible

Cyber Risk State of the Art

Reducing Risk. Raising Expectations. CyberRisk and Professional Liability

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS Data Breach : The Emerging Threat to Healthcare Industry

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

Joe A. Ramirez Catherine Crane

Cyber Threats: Exposures and Breach Costs

How To Cover A Data Breach In The European Market

Mitigating and managing cyber risk: ten issues to consider

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

cyber invasions cyber risk insurance AFP Exchange

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Testimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies

CYBER LIABILITY. Bring on tomorrow. Network Security and Privacy. May 15, 2014

Cyber Risks in Italian market

Data Breach and Senior Living Communities May 29, 2015

Cyber Risks and Insurance Solutions Malaysia, November 2013

erisks Policyholder s Guide to Privacy & Security Breach Response Planning

CYBER/ NETWORK SECURITY

WHITE PAPER BREACH, PRIVACY, AND CYBER COVERAGES: FACT AND FICTION CYBER COVERAGES

Privacy and Data Breach Protection Modular application form

CYBER RISK SECURITY, NETWORK & PRIVACY

Cyber Insurance Presentation

ISO? ISO? ISO? LTD ISO?

Beyond Data Breach: Cyber Trends and Exposures

Cyber-insurance: Understanding Your Risks

BOARD OF GOVERNORS MEETING JUNE 25, 2014

CyberSecurity for Law Firms

CYBER SECURITY SPECIALREPORT

What would you do if your agency had a data breach?

DATA BREACH RESPONSE READINESS Is Your Organization Prepared?

4/30/2015 CYBER LIABILITY AND AVIATION AGENDA LEARNING OBJECTIVES. Presented by Hal Hunt May 3, 2015

Practical Cyber Law: Why the Standard of Care Requires Lawyers to Have a Basic Understanding of Cyber Insurance

DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE

Medical Information Breaches: Are Your Records Safe?

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Cyber Liability Insurance: It May Surprise You

Privacy Rights Clearing House

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

STATE of the market ON CYBER RISK

Understanding. your Cyber Liability coverage

Beazley presentation master

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Achieving Cyber Resilience. By Garin Pace, Anthony Shapella and Greg Vernaci

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Cyber Risk Management

Network Security & Privacy Landscape

Cyber and data Policy wording

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Making Sense of Cyber Insurance: A Guide for SMEs

Cyber-Crime Protection

CYBER BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIM & LEGAL GROUP

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

ANATOMY of a DATA BREACH DISASTER. Avoiding a Cyber Catastrophe. June, Sponsored by:

FACT SHEET: Ransomware and HIPAA

CAGNY Spring 2015 Meeting Fundamentals of Cyber Risk. Brad Gow June 9th, 2015 Endurance

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cyber Security Issues - Brief Business Report

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group Ext. 7029

DATA BREACH, NETWORK SECURITY, CYBER LIABILITY, PRIVACY PROTECTION: ARE YOU INSURED?

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Cyber Liability. What School Districts Need to Know

Cyber Insurance as one element of the Cyber risk management strategy

Defensible Strategy To. Cyber Incident Response

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

Privacy Liability & Data Breach Management Nikos Georgopoulos 1 st Athens Privacy & Data Breach Management Conference

Don t Wait Until It s Too Late: Top 10 Recommendations for Negotiating Your Cyber Insurance Policy

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Transcription:

MAIN: 919.926.4623 TOLL-FREE: 855.490.2528 WEBSITE: www.sentinelra.com CYBER LIABILITY & INFORMATION SECURITY In today's world, terms such as data breach and cyber liability are not new. With each year, it seems that these risks are becoming more and more prevalent both in our daily lives, as well as in our businesses. This publication will seek to bring you up to date on the current state of data breach, as well as attempt to unravel some of the complexities associated with proper risk management in this area. One thing we know is that data breach is not slowing down. In the Poneman s 2015 Cost of Data Breach Study (Poneman Institute is considered the pre-eminent research center dedicated to privacy, data protection and information security policy), it was reported that data breach is on the rise, continuing to escalate each year in both the number of breaches and the associated costs. The United States has one of the highest per capita costs of data breach at an average of $217 per record (see chart.) This number contains both the direct costs, which may include utilizing forensic and legal experts and providing customer support and credit monitoring, as well as the indirect costs associated with in-house investigation, customer loss, and reputational harm. In addition to understanding the costs of data breach, it is important to look at what industry segments are being targeted. The short answer is all of them. What differentiates the industries is the cost associated with the breach. Page 1

When a data breach occurs, the repair process is more than just writing a check for $217 per record. Extraordinary coordination efforts must be deployed to handle the following: 1. Stop the breach (the forensic team will assess whether a breach occurred, work to stop the attack, and determine the impact) 2. Comply with individual state notification statutes and avoid fines and penalties (use of the legal team) 3. Protect your brand (use of the public relations team) 4. Address data loss/restoration needs (forensics and/or IT may be needed to rebuild computer systems and restore any lost data) 5. Mitigate/recover lost revenue (utilize internal resources and time) Because of this, it is essential (and cost saving) to have a plan in place which will ensure a smooth facilitation. Finally, the data breach arena is one that continues to evolve with each year. While notification for those whose information may have been compromised remains paramount, there are other areas of data breach which are concerning. 2015 saw an exponential rise in extortion, including ransomware and denial-of-service attacks. Another area of concern which has grown, and is now being addressed on many stand-alone crime policies, is targeted phishing scams. These are sometimes referred to as social engineering or spear phishing, but they all involve a cybercriminal who attempts to impersonate a high ranking company official, usually through email, and instruct another employee to transfer what appears to be a legitimate wire transfer into the criminal's account. Another increasing, and largely unresolved concern in the area of cyber liability is property damage resulting from a cyber incident. For the most part, cyber policies exclude property damage. For example, if through hacking, sprinklers are turned on and left on, most property polices will either exclude or significantly limit coverage for this risk; and general liability policies are typically going to exclude this risk. As we noted in the Sentinel 2015 Market Review and 2016 Market Forecast, there is an abundance of capacity and new markets being created; so while we are optimistic for a reasonable solution, there will likely be a lag. Page 2

When considering the potential of data breach and the costs that come with it, the most prudent measure a business can undertake is prevention. While not all breaches are preventable, we do know that those who have formulated a plan in advance of the breach suffer fewer damages when such an event occurs. One of the first ways a business can mitigate risk from a potential data breach is to explore their own data retention plan. Failure to implement a data retention plan can be very costly if a data breach occurs. With notification to each record owner being required for each record that may have been compromised, it is imperative that records that are no longer needed be properly discarded. Each business should set guidelines for how long data (whether in the form of paper documents or electronic files) should be saved. In addition to this, there should be explicit instructions included for the destruction of data which is past its expiration. There have been a number of breaches that occurred because documents that were past their expiration were carelessly tossed in the dumpster. This can be a very costly mistake, and those employees who are tasked with the job of document destruction should be given the proper protocol for how it should be handled. In addition to a document retention plan, having an incident response plan (IRP) in place is extremely important. An incident response plan should detail four key areas which include prevention, detection, response, and reporting: 1. Prevention - The IRP should include: a detection and response training schedule for employees (most insurers like to see this reviewed at least once a year), IT protocol and security safeguards which are to be in place, what type of security testing/monitoring will be performed and with what regularity. 2. Detection - Data breaches are not often detected at the onset, so it is important that employees be taught what it is they are to look for in hopes of stopping data breach. If issues like suspicious emails and viruses are reported right away, potential hackings can often be mitigated. For those companies with IT departments, the level at which IT should be monitoring for detection of potential breaches should also be laid out. 3. Response - Once a potential data breach is discovered, it is important that the person who made the discovery knows where to turn. An internal chain of command should be established so that employees know who to contact and in what manner (email, phone, face to face conversation). Once reported, there should be protocol for who is contacted next - whether it be IT, the insurance carrier, legal counsel, authorities, etc. This determination will help guide the response that follows: mitigation/remediation, forensic analysis, recovery, notification, and lessons learned. Page 3

4. Reporting - Because reporting in the event of a breach is necessary to avoid certain regulatory fines and penalties, the IRP should include a list of which entities should be notified of the breach. It is also important to detail who will be the one to provide these reports and in what timeframe. One of the final components of data breach risk mitigation is contract review. Many businesses today utilize third party vendors to house and manage data. With these relationships come contracts, and it is important that these documents are reviewed carefully. You may be able to negotiate your own third party vendor contract, but it is also good to ask if your vendor is using other third parties to do your work. If so, a follow up detailing what requirements they have for their vendors is prudent. Some questions that should be addressed for vendors and any additional subcontractors are: Do they have cyber insurance? If yes, what limits / sublimits? What are the retentions? o If a subcontractor, does the vendor require cyber insurance? What do the indemnification provisions look like? In the event of potential breach, how soon is notification required to the parties of the contract? One final method to mitigate the costs of data breach is through insurance. In addition to the cost, the time required for handling a data breach can be substantial, and insurance allows a business to streamline the process. When cyber liability insurance is in place, the Insured makes a call to their insurer or broker and the insurer will then deploy the pre-vetted team (which may include legal, forensics, public relations, etc.) to immediately begin assessing and managing the situation. Cyber liability insurance has been in the news the last few years, but the fact of the matter is this is not a new coverage. Some carriers have been offering cyber coverage to their clients since the late 1990s. Since that time, there has not only been an evolution in coverage, but also in insurers who have entered the marketplace. Today there are more than 50 insurers that provide some type of stand- alone cyber insurance, and that number doesn t contemplate those insurers that are offering some type of cyber coverage enhancement to their package policies. Page 4

What this means for the consumer is there is great opportunity for those who are interested in adding this protective layer to their business. Insurance companies are not only willing to compete on pricing but coverage as well. It is very important to note that in this constantly evolving area of insurance, not all policies provide the same coverages. It is critical to make sure that your broker understands the market and coverages available to you so that you receive a carefully crafted policy that is priced appropriately. When looking at coverage of a cyber liability policy, it is important to know what you need and what you are buying. The names of the different insuring agreements and coverage components may vary from carrier to carrier, but below is a summary of what to look for when examining a cyber liability policy: Event Management - Carriers often bundle legal billings, forensic services, and public relations into one insuring agreement. In the event of a breach, this insuring agreement is a crucial lifeline. It is very important to determine if this coverage is provided at full policy limits or whether it is sublimited. Depending on your business s needs, a sublimit in this area may not be adequate. Network Security/Privacy Liability - This area of coverage contemplates loss of data. Some policies provide first party coverage, some provide third party coverage, and others provide both. This distinction can be a crucial part building an appropriate cyber liability policy. Other items to note in these coverage sections are does the policy cover transmission of malicious code, does the policy cover hackings by rogue employees, and does the policy cover paper as well as electronic data. Regulatory Fines and Penalties - Data breaches can come with regulatory fines and penalties when data is not properly safeguarded or notification does not meet statutory requirements. Most cyber liability policies have some insuring agreement to address this, but one distinction that should be addressed is whether the coverage is for defense only or does it in fact cover fines. Media Liability - This area of coverage is meant to protect against claims of copyright infringement, libel/slander, etc. in media publications. It may also extend to other forms of media beyond a website and social media platforms. Extortion - As hacking becomes more prevalent, we are also seeing an increase in extortion claims. In these scenarios the hacker will demand a ransom for data which has been segmented out or access to a system which has been immobilized. This coverage provides monies that can be used for such payments, but only after such payment is authorized by the insurance carrier. Page 5

Business Interruption - In certain industries, a data breach may leave a business unable to render services. Is this case, business interruption coverage may be available. Not all carriers offer this, and each carrier has a different waiting period before the coverage becomes available. Property - This is an area that is currently excluded on most stand-alone cyber liability policies. However, AIG is offering CyberEdge PC (first of its kind) providing excess and difference-in-conditions cyber insurance for property damage (first party). As a new product, the pricing, limits and deductibles may not be as competitive as a buyer may desire. London also offers difference-in conditions polices for cyber, but again, pricing, limits and deductibles may not meet a buyer s expectation. Larger businesses purchasing all-risk property program coverage may find that their insurers fully intend to cover property damage (first-party) from a cyber-attack. However, smaller and package policies must be carefully reviewed to understand the level of coverage being provided. In addition to the different insuring agreements, it is also critical to be aware of the exclusions that your policy may contain. One of the most important exclusions seen on a cyber liability policy is failure to maintain certain controls. When an Insured completes a cyber application, they warrant that certain protocols are in place. Failure to maintain these controls can negate coverage. For this reason, if changes are being made to security controls, it is imperative that the Insured confer with their cyber liability provider prior to doing so. Another exclusion that many carriers like to utilize is a failure to encrypt data or failure to encrypt mobile devices. Carriers have made it known that they prefer to see their Insureds data encrypted, and many will include an encryption exclusion of some sort on their policy. Because cyber liability coverage is one that is constantly evolving, it is important that these exclusions be reviewed at initial placement and also at renewal for any changes. Business wide cyber activity and cyber losses are increasing beyond the loss of data. All companies, in all industries should review their exposures and evaluate various insurance options to mitigate or transfer their risks. Businesses that purchased cyber coverage should remain vigilant and review their insurance portfolio, not just the cyber policy. Cyber threats are omnipresent and growing. We expect cyber insurance to continue to evolve to address the risks and issues of their insureds. SENTINEL RISK ADVISORS 4700 Six Forks Road - Suite 200 - Raleigh, NC 27609 Phone: 919.926.4623 Fax: 919.926.4664 Toll Free: 855.490.2528 www.sentinelra.com Page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information