Cybersecurity Risk Transfer




Cybersecurity Risk Transfer
Wednesday, October 30, 2013
Part IV in a 4-part series on Cybersecurity
Presented by: Arthur J. Gallagher & Co., Huron Legal and Pillsbury Winthrop Shaw Pittman LLP

Presented by:
- Joe DePaul, Arthur J. Gallagher & Co.
- Rene Siemens & Joe Kendall, Pillsbury Winthrop Shaw Pittman
- Laurey Harris, Huron Legal

Today's Agenda
- Let's Recap:
  - Cybersecurity - Overview
  - Cybersecurity - Claims
  - Cybersecurity - Global Records Management & eDiscovery
- What is Risk Transfer? Insurance / Non-Insurance
- Alternative Methods of Risk Transfer
- Risk Transfer via Contracting with IT Suppliers
- Coverage:
  - Network Security Liability
  - Privacy Liability
  - Media Liability
  - Crisis Management
  - Cyber Extortion
  - Data Asset Protection
  - Business Interruption
  - Technology Products/Services E&O
- Questions?

Cyber Insurance Market Trends
[Chart: Total Premiums Underwritten, 2005 through 2012; vertical axis 0 to 1 billion dollars in steps of 200 million]
- Premiums: $15,000 to $35,000 per $1,000,000 of limits, for low retentions
- Soft market: premiums steadily declining
- Large corporations were early adopters
- Most growth is among middle market companies

Who Is Issuing Cyber Insurance Policies?
[Slide graphic not reproduced in the transcription]

The REGULATORY LANDSCAPE is complex, challenging and growing
- 50 State Privacy Laws (County/Local) - laws or regulation
- Foreign Privacy Laws
  - UK ICO (Information Commissioner's Office) & many others (trans-border privacy issues)
  - Canada
- White House Cybersecurity Executive Order
- Federal Trade Commission
- FACTA / Red Flags Rule
- HIPAA / HITECH: standard for smooth, consistent, and secure electronic transmission of health care data
  - PII/PHI: personally identifiable information / health information about individuals
    - PII includes driver's license #s, SS #s, credit card #s, address, account numbers & PINs
    - PHI includes written documents, electronic files, and verbal information (even information from an informal conversation can be considered PHI)
    - Examples of PHI include: completed health care claims forms, detailed claim forms, explanations of benefits, notes documenting discussions with plan participants
- SEC / GLB
- PCI / DSS

Alternative Methods to Risk Transfer: Company Strategic Priorities
- Protect company assets and viability against loss or disruption
- Achieve the appropriate level of security commensurate with the sensitivity and amount of data collected and retained
- Protect company systems and data against threats to the network structure and network security
- Anticipate evolving threats targeting company system vulnerabilities
- Meet compliance obligations
- Reduce litigation risks

Alternative Methods to Risk Transfer: Protect Data Investment
There are two primary ways to protect your data investment to avoid a cyber incident:
1. Minimize risks associated with data breaches by safeguarding your data
2. Implement Records & Information Governance

Safeguarding Data: Security Goals
Good security is:
- A business enabler
- A process
- A privacy enabler
- Risk based
- Built in
- Continuous improvement
- Flexible and changeable
Good security is not:
- A business impediment
- A product or technology
- Privacy
- The absence of danger
- Added on
- Ahead of the adversary
- Static

Minimize Risks Associated with Data Breaches by Safeguarding Your Data
1. You need a security framework that addresses:
   - Protection: user authentication, encryption, firewalls, virus protection
   - Detection: intrusion detection, open source monitoring
   - Response: disaster recovery plan, incident response
2. Inventory your data by developing data maps
   - Know the Who, Where, What & Why
   - Limit access commensurate with the sensitivity of the data
   - Secure your data through appropriate means: two-factor authentication, strong passwords and robust network security
   - Train all stakeholders in personal online security hygiene
   - Monitor your systems

Minimize Risks Associated with Data Breaches by Safeguarding Your Data (cont'd)
3. Create a Data Breach Response Plan
   - Cross-disciplinary team: legal, business partners, vendors and law enforcement
   - Repeatable process that is well documented
   - Conduct assessments and drills
4. Implement an Information Governance Program by developing record retention schedules and policies
   - Records and information are retained for as long as legally or operationally required
   - Systematic destruction of records and information in the ordinary course of business
   - Protection of PII, vital and confidential records and information
   - Improved customer service

Moving to the Left: Data Disposition
- Costs are volume driven: if we shrink volumes, we shrink costs.
- Figure out how to get your electronic house in order to cut the costs (e-discovery and data breach) and risks associated with ESI (electronically stored information), from initial creation through final disposition

Takeaways for Big Data and Cybersecurity
- Good security is a process that is necessarily risk based
- 100% security does not exist anywhere
- Threats and attackers are real and interested in your data
- Educate employees on personal security hygiene
- Develop a plan for information governance
- Big databases are valuable assets and therefore targets
- You need a security framework that addresses Protection, Detection, and Response to minimize the risk of a breach
- Know who is responsible for protection in 3rd party hosting
- Prepare for incident response before the crisis
- Prepare for e-discovery in advance of litigation

Risk Transfer via Contracting with IT Suppliers: Step 1 - Include Security Obligations
- Supplier shall maintain an information security program that ensures the security of Customer Data and protects against unauthorized use or access of Customer Data
- Supplier shall comply with Customer's Policies & Procedures
- Specific IT requirements. Supplier shall:
  - encrypt all data
  - maintain firewalls and security gateways
  - monitor usage of User IDs / Passwords to access the System
- Customer has the right to modify Customer policies; the only question is cost
- Cloud Contracts
  - Cloud Providers will not sign up for Customer's Policies and Procedures
  - Business model depends on a standardized service offering
  - Cloud Providers require the right to change their security policies

Risk Transfer via Contracting with IT Suppliers: Step 2 - Audit and Compliance Provisions
- Customer should have robust rights to audit Supplier
- Supplier should provide Customer with audits performed for Supplier by third parties
  - SAS 70 Type 2 was previously used to evaluate Supplier's security, but was not designed to be a security audit
  - AICPA established SSAE 16 and the Service Organization Controls (SOC) reporting framework in June 2011
    - SOC 1 tests controls at a Supplier relevant to internal controls over financial reporting
    - SOC 2 tests controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy
    - Type I versus Type II: Type I verifies the existence of the controls, and Type II audits whether the controls are being observed
- ISO 27001 Certification: add a rep and warranty that Supplier will provide this Certification annually

Risk Transfer via Contracting with IT Suppliers: Step 3 - Subcontracting and Other Protections
- Subcontracting
  - Approval right, or notice at a minimum
  - Key is to understand who may access data
  - Subs obligated to comply with the same security obligations as Supplier
  - Supplier responsible for actions of subcontractors
- Restrictions on Supplier's Delivery Location
  - Supplier will not change the location from which it provides Services without Customer's consent
- Obligations to Destroy/Clean Media
  - Supplier shall remove all Customer Data from any media which is retired and destroy or securely erase such media as Customer directs
  - Instructions on wiping, shredding, destroying can be very specific

Risk Transfer via Contracting with IT Suppliers: Step 4 - What if there is a Cybersecurity Incident?
- Supplier shall:
  - notify Customer within X hours
  - investigate the Incident and provide a report
  - remediate the Incident in accordance with a plan approved by Customer
  - conduct a forensic investigation to determine the cause and what data / systems are implicated
  - provide daily updates of its investigation to Customer and permit Customer reasonable access to the investigation
  - cooperate with Customer's investigation
- Customer (and not Supplier) makes the final decision on whether notices will be sent to affected individuals

Risk Transfer via Contracting with IT Suppliers: Step 5 - Risk Shifting Liability Provisions
- Traditionally Supplier's liability for data breach was unlimited
- Today, due to the increasing number of cybersecurity incidents, Suppliers seek to limit liability as much as possible by:
  - inserting a liability cap
  - limiting liability to their breach of data security obligations
  - preserving the defense that damages are consequential (not recoverable)
- Supplier should be liable for any issues caused by Supplier's fault or negligence (includes an omission as well as not performing an obligation)
- Separate liability pool for these damages
- Stipulate the types of costs that are recoverable to avoid the claim that the damages are consequential and therefore not recoverable. Include: preparation / sending of notices, credit monitoring services, etc.

Where are the Gaps with Traditional Insurance?

Exposure                    | General Liability | Property | E&O/D&O  | Crime    | Cyber
----------------------------|-------------------|----------|----------|----------|---------
Network security            | POSSIBLE          | POSSIBLE | POSSIBLE | POSSIBLE | COVERAGE
Privacy breach              | POSSIBLE          | POSSIBLE | POSSIBLE | POSSIBLE | COVERAGE
Media liability             | POSSIBLE          | NONE     | POSSIBLE | NONE     | COVERAGE
Professional services       | POSSIBLE          | NONE     | POSSIBLE | POSSIBLE | COVERAGE
Virus transmission          | POSSIBLE          | POSSIBLE | POSSIBLE | POSSIBLE | COVERAGE
Damage to data              | POSSIBLE          | POSSIBLE | POSSIBLE | POSSIBLE | COVERAGE
Breach notification         | POSSIBLE          | NONE     | POSSIBLE | POSSIBLE | COVERAGE
Regulatory investigation    | POSSIBLE          | NONE     | POSSIBLE | POSSIBLE | COVERAGE
Extortion                   | POSSIBLE          | NONE     | POSSIBLE | POSSIBLE | COVERAGE
Virus/hacker attack         | POSSIBLE          | POSSIBLE | POSSIBLE | POSSIBLE | COVERAGE
Denial of service attack    | POSSIBLE          | POSSIBLE | POSSIBLE | POSSIBLE | COVERAGE
Business interruption loss  | NONE              | POSSIBLE | POSSIBLE | NONE     | COVERAGE

Available Insurance Coverage

Exposure Category: Description
- Network Security Liability: Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach
- Privacy Liability: Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care, custody and control
- Media Liability: Covers the Insured for Intellectual Property and Personal Injury perils that result from an error or omission in content (coverage for Patent and Trade Secrets is generally not provided)
- Regulatory Liability: Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
- Notification Expense: 1st party expenses to comply with Privacy Law notification requirements
- Crisis Management:
  - Credit Monitoring Expense: 1st party expenses to provide up to 12 months of credit monitoring
  - Forensic Investigations: 1st party expenses to investigate a system intrusion into an Insured Computer System
  - Public Relations & Call Center: 1st party expenses to hire a Public Relations firm & manage a Call Center
- Data Recovery: 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security
- Business Interruption: 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security
- Cyber Extortion: Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack
- Technology Services/Products & Professional Errors & Omissions Liability: Technology Products & Services and Miscellaneous E&O can be added to a policy when applicable

3rd Party Coverage: Network and Privacy Liability
Coverage for:
- Claims arising from the unauthorized access to data containing identity information
- Failure to protect non-public information (PII / PHI / Corporate Confidential Information) in your care, custody and control
- Transmission of a computer virus, and
- Liability associated with the failure to provide authorized users with access to the company's website

3rd Party Coverage: Technology Products/Services Errors & Omissions
Coverage for:
- Claims arising from the failure of a technology product or service to perform as indicated

3rd Party Coverage: Media Liability
Coverage for:
- Claims arising from Personal Injury perils on/off line
- Defamation / Infringement / libel / slander
- *Not Patent / Trade secret

1st Party Coverage: Crisis Management / Security Breach Remediation and Notification Expenses
Coverage for:
- Crisis Management Expenses
  - Expenses to obtain legal assistance to navigate the event, determine which regulatory bodies need to be notified and which laws would apply
  - Public relations services to mitigate negative publicity as a result of cyber liability
  - Forensic costs incurred to determine the scope of a failure of Network Security and determine whose information was accessed
  - Notification to those individuals of the security breach
  - Credit monitoring
  - Call center to handle inquiries
  - Identity fraud expense reimbursement for those individuals affected by the breach

1st Party Coverage: Computer Program and Electronic Data Restoration Expenses
Coverage for:
- Expenses incurred to restore data lost from damage to computer systems due to computer virus or unauthorized access

1st Party Coverage: Cyber Extortion
Coverage for:
- Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on a computer system, or disclose electronic data/information

1st Party Coverage: Business Interruption and Additional Expense
Coverage for:
- Loss of income, and the extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack

Ten Tips For Buying Cyber Insurance
#1 Make sure your limits and sub-limits are adequate
- Average remediation cost is $7.2 million per data breach event
- Average remediation cost is $214 per record
- Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010)
- WARNING! Many policies impose inadequate limits for crisis management expenses and regulatory action expenses

#2 Ask for retroactive coverage
- What if a breach happens before you buy insurance, but you were unaware of it?
- Retroactive coverage insures prior unknown events that result in claims or expenses during the policy period
- Commonly available for 1, 2, 5 or 10 year periods and sometimes is unlimited
- Insurers may not offer it, so ask!

#3 Watch out for panel and consent provisions
- Policies often provide that you must use the insurance company's pre-approved forensic consultants, defense counsel, etc.
  - Make sure that your advisers and attorneys are pre-approved
  - Or reject panel provisions and insist on control
- Policies often say that forensic, notification and defense costs are covered only if you obtain the insurer's prior consent
  - Ask for policy language specifying that the insurer's consent shall not be unreasonably withheld
  - Or insist that such provisions be deleted

#4 Make sure you are covered for your vendors' errors and omissions
Example:
- Bad: "The Insurer shall pay all Loss that an Insured incurs as a result of your actual or alleged breach of duty to maintain the security or confidentiality of Confidential Information"
- Good: "The Insurer shall pay all Loss that an Insured incurs as a result of any alleged failure to protect Confidential Information in the care, custody and control of the Insured or a third party to which an Insured has provided Confidential Information"

#4, cont'd: Conversely, if you handle data for others, make sure your liability to them is covered too
Example:
- Bad: "The Insurer will not make any payment for any claim alleging or arising from your performance of services under a contract with your client"
- Better: "The Insurer will not pay for Claims arising out of breach of contract; provided, however, that this exclusion shall not apply to liabilities that the Insured would have in the absence of contract, or arising out of breach of a confidentiality agreement or a professional services agreement for the handling of confidential information"
- Best: "The Insurer will pay on behalf of the Insured all Damages and Claim Expense which the Insured becomes legally obligated to pay because of liability imposed by law or Assumed Under Contract"

#5 Make sure you are covered for loss of data, not just theft or unauthorized access
Example:
- Bad: "A covered breach shall include the unauthorized acquisition, access, use, or disclosure of confidential information"
- Good: "A covered breach shall include the unauthorized acquisition, access, use, disclosure or loss of confidential information"

#6 Avoid one-size-fits-all crisis management coverage
Example:
- Bank suffers loss of thousands of customer credit card numbers
- Insurance policy covers the cost of providing notice and credit monitoring
- Bank would rather just cancel and re-issue the cards, but that cost isn't covered
Lesson: When procuring insurance, negotiate for the coverage you will actually need

#7 Beware of hidden traps
Example:
- Bad: "The Insurer shall pay Crisis Management Expenses incurred by an Insured arising out of a Claim"
- Good: "The Insurer shall pay Crisis Management Expenses incurred by an Insured in response to an actual or alleged security breach"

#8 Harmonize cyber insurance with your indemnity agreements
- Bad: "The Insurer's liability applies only to amounts in excess of the policy's Self-Insured Retention. Such Retention Amount shall be borne by the Insured, uninsured and at their own risk"
- Good: "The Insurer's liability applies only to amounts in excess of the policy's Self-Insured Retention. Such Retention Amount may be paid either by the Insured, or by the Insured's other insurance, or indemnified by third parties"
Emerging Issues:
- If you contractually waive or cap your indemnity rights against vendors, will your insurer use that as an excuse to deny coverage?
- Cloud vendors often refuse to indemnify
- Ask for a subrogation waiver, but you might not get it

#9 Harmonize cyber insurance with your other insurance & vendors' insurance
- Review your agreements with vendors
  - Make sure your vendors are required to have adequate insurance
  - Ask to be added as an additional insured on their policies
- Make sure your policy's "other insurance" clause specifies that their policy will apply first
- Example: "This Policy shall be primary, unless the Insured is also covered for the loss under the insurance of a third party, in which case this insurance shall apply excess of amounts actually paid by that other insurance"

#10 Negotiate favorable defense provisions
- "Pay defense costs on behalf of" vs. "duty to defend"
- Will you control your own defense?
- At least negotiate the right to choose your own counsel if the policy has a panel provision
- Negotiate specific deadlines for payment by the insurer (e.g., within 30 days of invoicing)
- If rates are an issue, negotiate them up front!

What If You Don't Have Cyber Insurance?
- The insurance industry often asserts that there is no coverage under most conventional insurance for privacy and network security breaches, but many courts disagree.
- The most recent example: DSW, Inc. v. National Union (6th Cir. July 17, 2012) holds that the costs of customer communications, public relations, lawsuits, attorneys' fees, and fines imposed by Visa and Mastercard resulting from a hacking incident in which 1.4M customers' information was stolen were covered losses under a crime policy
- Therefore, even if you have a cyber insurance policy, tender to your other insurers! You have little to lose and much to gain.

Many company networks are compromised without them even knowing it.

Cybersecurity Webinar Series
- 9/18: Cybersecurity Overview
  - Catherine Meyer and David Stanton, Pillsbury Winthrop Shaw Pittman
  - Joe DePaul, Arthur J. Gallagher & Co.
- 10/2: Cybersecurity Claims
  - Joe DePaul, Arthur J. Gallagher & Co.
  - Rene Siemens, Pillsbury Winthrop Shaw Pittman
  - Chris Adams, Huron Legal
- 10/16: Cybersecurity Issues Related to Global Records Management and E-Discovery
  - Catherine Meyer and David Stanton, Pillsbury Winthrop Shaw Pittman
  - Carolyn Southerland, Huron Legal
- 10/30: Cybersecurity Risk Transfer
  - Joe DePaul, Arthur J. Gallagher & Co.
  - Laurey Harris, Huron Legal
  - Rene Siemens and Joe Kendall, Pillsbury Winthrop Shaw Pittman
Please complete our Cybersecurity survey: http://pillsburylaw.draft-cybersecurity-survey.sgizmo.com/s3/

Contact Details

Joe DePaul
Managing Director, CyberRisk Services
Arthur J. Gallagher & Co.
Joe_depaul@ajg.com
35 Waterview Blvd. - 3rd Floor, Parsippany, NJ 07054
Ph +1.973-939-3646

Laurey Harris
Huron Legal
lharris@huronconsultinggroup.com
9101 Kings Parade Blvd., Ste. 300, Charlotte, NC 28273
Ph +1.704.697.1424

Rene Siemens
Pillsbury Winthrop Shaw Pittman LLP
rene.siemens@pillsburylaw.com
725 South Figueroa Street, Suite 2800, Los Angeles, CA 90017-5406
Ph +1.213.488.7277

Joseph E. Kendall
Pillsbury Winthrop Shaw Pittman LLP
joseph.kendall@pillsburylaw.com
2300 N Street, NW, Washington, DC 20037
Ph +1.202.663.8350