CYBER LIABILITY INSURANCE




CYBER LIABILITY INSURANCE CONTINUING EDUCATION CLASS MARCH 6, 2013 PRESENTED BY COUSINO HARRIS STEWART V. NELSON, Senior Risk Advisor Stewart.Nelson@Kapnick.com 734 929 6057

Class Objectives Understand & Explain need for Cyber Insurance Identify 5 major coverage options available Assist your clients in selecting best policy for their needs Discover recent trends in cyber cases, rulings & laws

Background on Cyber policies First issued in early 1990s - web media risks, Software and Hardware protection Carriers added other features over next 12 years - notification, legal, forensics, call centers etc. Large businesses adopted fastest Small business slower

New Drivers in Cyber Liability State & federal Regulations Social media Contracts may require it More data stored Cloud computing Data breaches in the news

Why do we need Cyber insurance? 1. Tangible vs. intangible property Fuzzy concept - Bits & Bytes Hard to value No premium for the risk 2. Concept of an Occurrence or trigger What is the trigger? Real vs. Potential harm 3. Carriers got better at excluding it or sub-limiting it.

Why do we need Cyber Liability? A. Exclusion 2.p. of Coverage A - Bodily Injury And Property Damage Liability in Section I - Coverages is replaced by the following: 2. Exclusions This insurance does not apply to: p. Electronic Data Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that does not result from physical injury to tangible property. "Electronic data" means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), hard or floppy disks, CD-ROMs, tapes, drives, cells, CG 04 37 04 13

Why do we need Cyber Insurance? 17. "Property damage" means: a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; b. Loss of, loss of use of, damage to, corruption of, inability to access, or inability to properly manipulate "electronic data", resulting from physical injury to tangible property. All such loss of "electronic data" shall be deemed to occur at the time of the "occurrence" that caused it. For the purposes of this insurance, "electronic data" is not tangible property CG 04 37 04 13

So what are we going to do? Suing the carrier is not a sustainable risk management strategy! Low cost cyber insurance is readily available and affordable You must help your clients understand their data storage risks

Who is the enemy? 98% Committed by outsiders 58% of stolen data perpetrated by Hacktivists Only 4% corporate insiders

How do they work? 81% used some form of hacking 69% used some form of malware Only 10% were physical attacks

Commonalities of data breaches 79% targets of opportunity 85% of breaches took weeks or more to discover 97% of all data breaches were avoidable by simple preventive steps 92% were discovered by a third party

What data is worth to a hacker: Utility bill scanned = $10 Full identity = $6 to $80 Gmail user name & password = $80 Facebook user name & password = $300 Bank account credentials = $15 to $850 Credit card with $1,000 Available = $25 Credit card with personal information = $80

Criminals use data to: Obtain fraudulent credit cards Open store credit Medical identity theft Criminal identity theft Phone & utility fraud

Attacks on SMB increasing 75% of data breaches analyzed by Verizon in 2011 were in companies with less than 100 employees. According to Accounting Web, 80% of small businesses that experience a data breach suffer serious financial losses and many go bankrupt.

Opportunity How many companies think Cyber security is important? Answer: 84% What percentage have actually bought cyber policies? Answer: 19%!

What is Cyber Liability? Cyber A prefix that means computer or computer network Cyber Liability refers to risk associated with storing data, doing business on Internet or publishing a web site. Now we need to include smart phones & tablets.

Two Parts of Cyber Liability Insurance Property Data yours or someone else's Network 1st or 3rd party Bus Income 1st or 3rd party Casualty (Liability) 1st Party

What types of data? 1. Personal Information (PI) Names, DL numbers, SSNs, addresses, email addresses, credit card data, phone numbers, age, sex, political affiliation, marital status, finger prints, blood type, education, financial information, employment history, criminal records. 2. Personal health Information (PHI) Medical records 3. Account numbers & passwords 4. Intellectual Property

Fed Regulatory Agencies & Acts Sarbanes-Oxley Act (SOX) Gramm-Leach-Bliley Act (GLB) Act Electronic Fund Transfer Act, Reg. E (EFTA) Children's Online Privacy Protection Act (COPPA) Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rule Federal Rules of Civil Procedure (FRCP)

Industry Specific Regs. Payment Card Industry (PCI DSS) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)

State Regulations & Acts State Attorneys General 47 States - Privacy Acts Massachusetts 201 CMR 17 (aka Mass Data Protection Law) Nevada Personal Information Data Privacy Encryption Law NRS 603A

International Laws Canada - Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) Mexico - Law on the Protection of Personal Data Held by Private Parties European Union - Data Protection Directive; Safe Harbor Act

Data transparency requirements EU When the data subject has given his consent When processing is necessary for compliance with a legal obligation When processing is necessary in order to protect the vital interests of the data subject

Why I don't need Cyber Insurance! 1. I am too small to be noticed No hacker would target us. 2. Too expensive 3. Brokers don't explain it very well 4. They believe they are covered 5. Just not paying attention 6. My IT guy says we don't need it 7. Getting insurance means some did not do their job

What's at risk for insureds? Hard Costs Ponemon Institute > $200 per record Soft Costs Loss of reputation and trust = loss Net Income

Who needs Cyber Liability Insurance? Almost Every Company!

Don't Start With The Application! (You have some work to do first) Avoid the Risk Mitigate Transfer

Avoidance a. Don't collect personal data b. Collect only data you actually use c. Destroy data when not needed Mitigate a. Use Strong Passwords b. Limit Access c. Encryption d. Penetration Testing Transfer a. Hold Harmless Agreements b. Buy Cyber Liability Insurance

Let's look at the 5 major sub types of Cyber Liability policies 1. Data Breach Failure to protect an Individual's privacy 2. Virus & Malware Malicious code 3. Network Security Loss or damage to a network & data 4. Media Liability Web content 5. eVandalism & Extortion

I. Data Breach First & Third Party Protection Also called Data Compromise, Data Security, Privacy Events, Event Management depending on carrier Casualty Claims Liability Third Party Claims, Usually Duty to Defend but maybe not, Trigger is Wrongful Act Property Claims Cyber Crime, Indemnity, reimbursement, dedicated services, Trigger is Potential Loss of Information

Data Breach First Party Expenses may cover insureds for their: Legal services Forensic reviews Notification to third parties Credit monitoring Credit freezes Call centers Lost business income & EE Reconstruct lost data Public relations Regulatory fines and penalties

Data Breach Potential Third Party (Liability) Expenses for: Privacy of your employees Privacy of Customers Legal expenses Arbitration Loss of 3rd Party data Violation of Federal or State regulations 3rd Party BI & EE Assumed liability by contract* *Most policies don't cover this.

2. Virus & Malware Malicious Software, First & 3rd Party Vector: Trojan Horses Worms Key Stroke Loggers Phishing Advanced Persistent Threats (APTs) Stuxnet Causes: Network damage Lost BI & EE Data Breach

3. Network Security Loss of or damage to insured's or 3rd party network or information Reasonable & necessary expenses that are required to restore the network or data

4. Publishing or Media Liability (Web Content) Copyright, slogan, trademark, trade or service name Emotional distress Libel, slander/defamation, product disparagement Invasion of privacy Plagiarism, failure to attribute Misstatement or misleading statement Failure to follow published privacy policy Wrongful entry or eviction Contextual errors and Omissions

5. eVandalism & Cyber Extortion Trigger is the threat Loss Money paid to terminate threat Cost to investigate Travel expenses

Mechanics of a Cyber Liability policy Manuscript policies all are different most are: Claims Made (and reported), duty to defend, most defense inside limits. Read provisions, Definitions & Exclusions Coverage Summary (Limits, Sub Limits, Retro dates) Insuring agreement Definitions (Claim, Loss, Insured, etc.) Settlement provisions Severability (White Hats/Black Hats) Exclusions

Coverage Summary What to look for: Limits & Sub Limits, Shared limits? Retro Dates & Continuity Dates Aggregates (hard to spot) Coinsurance

Insuring Agreement What to look for: Who, what, when and for what? The Company shall pay, on behalf of the Insured, Loss on account of a Claim first made (and reported) during the Policy Period, or Extended Reporting Period if applicable.

Definitions: What to look for: Claim (broad as possible) Written demand for monetary or non monetary damages including injunctive relief. Civil proceedings Criminal proceedings Arbitration or mediation Loss Monetary & Non Monetary, Punitive, Civil Fines, HIPAA, Penalties, PCI DSS etc. Settlements & Defense Costs

Definitions Cont: What to look for: Insured Covers contractual obligations if needed. Hard to find. Watch out for Past Officers/Directors Insured v Insured Rogue Employee

Settlement Provisions Hammer Clauses Full Insured responsible for expenses above the offer Modified Company will pay expenses 50-70% above offer

Severability What to look for: White Hats & Black Hats Who knew what, when? When is a Black Hat a Black Hat? (Final Judgment)

Exclusions: Liability assumed in a contract except liability they would have in the absence of a contract (Business Associates should watch out for this one!) Regulatory Taxes, Fines & Penalties Loss caused by an employee, officer, director, owner, Independent Contractors Fraudulent acts of insured Deliberate failure to report Infringement of a patent or trade secret

Liability assumed in a contract Based upon, directly or indirectly arising out of or in any way involving: An Insured's actual or alleged liability under any oral or written contract or agreement, including but not limited to express warranties or guarantees. Notwithstanding the foregoing exclusion, coverage otherwise available to an Insured shall apply to such Insured's liability that exists in the absence of a contract.

Exclusions (Cont.) Interruptions (managed or hosted services, electrical failure, cable or telephone service) Failure to follow minimum required practices identified in the application or endorsement Criminal acts Intellectual Property software licenses Wireless networks need encryption

Other important items to look for: Paper Records Laptops, Thumb & Hard Drives Fines & Penalties European Union Assumed Liability Cloud Storage Punitive Damages

Other important items to look for (Cont.) Avoid carriers that dabble in cyber Say things expressly Say what it covers & cover it Vicarious Liability Regulatory action (Investigation)

How is Cyber Liability Rated? Rating Basis Revenue Nature of business Number of records Security Practices Fire Walls Strong passwords Penetration testing Dedicated security team

Trends in data privacy enforcement Lower thresholds in data loss cases More subrogations Lawsuits being filed quicker Tougher HIPAA laws - Business Associates FTC getting more involved

Trends in data privacy enforcement (Cont.) OCR following up on smaller breaches Cloud computing one sided contracts Aggressive State's Attorneys General Potential Harm from Actual Harm
