Cyber Insurance and Your Data Ted Claypoole, Partner, Womble Carlyle and Jack Freund, PhD, InfoSec Mgr, TIAA-CREF




Cyber Insurance and Your Data
Ted Claypoole, Partner, Womble Carlyle and Jack Freund, PhD, InfoSec Mgr, TIAA-CREF
October 9, 2013

Cyber Insurance Why?
United States Department of Commerce: Cyber Insurance is an effective, market driven way of increasing Cybersecurity.
United States Department of Homeland Security: Cyber Insurance may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured's level of self-protection; and limiting the level of losses that companies face following a cyber attack.

Cyber Insurance Discussion Topics
Homeland Security Workshop Topics:
- Defining Insurable and Uninsurable Cyber Risks
- Cyber Insurance and the Human Element
- Cyber Liability: Who is Responsible for What Harm?
- Current Cyber Risk Management Strategies and Approaches
- Cyber Insurance: What Harms Should It Cover and What Should It Cost?
- Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities
- Sequencing Solutions: How Should the Market Move Forward?

Cyber Insurance History
- What falls under business insurance? Errors and Omissions?
- Business says Yes, Insurer says No
- Leave it to the Courts to Decide

Cyber Insurance History
Zurich Am. Ins. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. filed July 20, 2011)
In April 2011, hackers accessed data for one hundred million Sony PlayStation users and as a result, Sony was sued in sixty actions across the United States. Zurich brought suit seeking a declaratory judgment, claiming that it has no duty to defend or indemnify Sony against customer class actions and related matters. Sony purchased primary commercial general liability and excess liability policies from Zurich. Zurich asserts that the lawsuits arising out of the cyber attacks are not covered by the "bodily injury," "property damage" and "personal and advertising injury" coverage provided by its liability policies.

Cyber Insurance History
Arch Ins. Co. v. Michaels Stores Inc., 1:12-cv-00786 (N.D. Ill. filed Feb. 23, 2012)
Arch brought suit seeking a declaration that it is not required to indemnify or defend Michaels under a general liability policy in connection with a recent security breach where criminals known as skimmers tampered with PIN pad terminals in Michaels stores, using them to steal customers' financial information and obtain access to their bank accounts. Arch asserts that none of the underlying suits allege property damage, bodily injury, or advertising injury, as required by the policies. Moreover, Arch contends that the electronic data and breach of contract exclusions in the policies apply.

Cyber Insurance History
DSW Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., Case No. 10-4576/5608 (Aug. 23, 2012)
The U.S. Court of Appeals for the Sixth Circuit recently addressed an exclusion for loss caused by the theft of confidential information. The court found that there was coverage for first-party and third-party losses arising from the theft of customer credit card information by hackers under a crime policy's computer fraud endorsement. The Sixth Circuit found that the crime policy at issue covered third-party liability losses even though the insuring agreement limited coverage to loss resulting directly from the theft of any Insured property by Computer Fraud. The Sixth Circuit also refused to apply an exclusion barring coverage for any loss of proprietary information, Trade Secrets, Confidential Processing Methods or other confidential information of any kind. The court reasoned that, while credit card information might be considered confidential in some circumstances, it could not have been the type of confidential information envisioned by the exclusion.

Cyber Insurance History
St. Paul Fire and Marine Ins. Co. v. Compaq Computer Corp., 539 F.3d 809 (8th Cir. 2008)
Applying Texas law, the Eighth Circuit found that the insurer had a duty to defend under a technology E&O policy because the allegations in the underlying litigation included conduct falling within the policy's definition of error. Specifically, the plaintiffs alleged the insured engaged in the unintentional incorrect act of selling defective computers. As the act was alleged to be unintentional rather than intentional, the claims fell within the scope of the policy.

Cyber Insurance History
Union Pump Co. v. Centrifugal Tech., Inc., No. 05-0287, 2009 U.S. Dist. LEXIS 86352 (W.D. La. Sept. 18, 2009)
In this case, the court found that there was no coverage under the insured's commercial general liability policy for litigation involving claims that the insured had wrongfully used and then destroyed electronic data which included plaintiff's design drawings, autocad drawings, and pump models. As to coverage for property damage, the court found that electronic data failed to meet the definition of tangible property as required by the policy and that further, coverage only applied to property damage in the event of an occurrence. Since plaintiff's claims all involved allegations of intentional acts, they were excluded under the intentional act exclusion.

Cyber Insurance History
Early Cyber Insurance: Extended Consulting Contract. If you hire us as security consultants, and if you pay us to crawl inside your business and look for problems, and if you take all of the steps that we recommend for you, then we will insure some of your risk.

Cyber Insurance History
Other Early Cyber Coverages:
- Tech E & O for consultants and tech contractors.
- Liability and Property Insurance aimed at big tech companies.
- Data breach loss
- Third party claim expenses
- Cyber-extortion coverage
- Crisis management/legal

Cyber Insurance History
Game Changers:
- Breach Notice Laws: guess what? Everybody knows now.
- Organized Crime discovers hacking for profit.
- Rise of the Cloud/SaaS/IaaS/Outsourcing

Cyber Insurance Now
- Now Risk Transfer is More Attractive.
- Market is Bigger/Prices are Lower
- More Direct Policies
- Customizing Coverage
- Increasing Complexity
- Increasing Attack Risk
- Businesses Forced to Accept Risk: Regulators/contracts
- SEC Guidance

Cyber Insurance Now
First Party Coverage:
- Direct damages from theft of IP, Data loss or destruction, hacking, denial of service attacks.
- Forensics covered
Third Party Coverage:
- Public Relations Services
- Co-ordinated Outreach to Affected Customers (and regulators)
- Legal Expenses
- Credit Monitoring/Fraud Resolution Services
- Penalties and Fines

So You've Decided to Buy A Policy
- How much insurance do you need?
- What's your tolerance for loss?
- Insuring the first dollar is always the most expensive
- Will need to self-insure up to your limit (deductible)
- In this case, will need to be a hard threshold
- Pay attention to the types of losses

Types of Losses
- Privacy Notification Costs
- Call Center Costs
- Credit Monitoring
- Identity Theft Repair
- Consumer Redress and Fines
- Liability and Defense Expense

Modeling Losses to Assess Limits

| Item | MIN | ML | MAX |
| --- | --- | --- | --- |
| Response Effort: No. Ppl in Response Effort | 5 | 50 | 500 |
| Response Effort: No. Hours Per Person | 20 | 40 | 250 |
| Response Effort: Hourly rate | $55.00 | $70.00 | $90.00 |
| No. records | 10,000 | 250,000 | 1,000,000 |
| Per record Notification Cost | 10.00 | 7.00 | 5.00 |
| Credit Monitoring: Per record monitoring costs | 25.00 | 15.00 | 10.00 |
| Credit Monitoring: Acceptance % | 5% | 10% | 25% |
| Legal Defense Costs | $250,000 | $750,000 | $2,000,000 |
| Fines & Judgments | $500,000 | $1,000,000 | $5,000,000 |
| Total | $368,000 | $3,015,000 | $20,750,000 |

Modeling Losses with Monte Carlo
Most Likely Losses are ~$3M
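The procedure on the two slides above (MIN / ML / MAX inputs, then Monte Carlo), as an added example that is not taken from the presenters' deck. The triangular distribution, independent sampling of each input, the trial count and all function names are assumptions, so its percentiles will not match the slide charts; the bottom-row figures on the "Modeling Losses to Assess Limits" slide are reproduced only when the Fines & Judgments row is left out, which is why `include_fines` defaults to False.

```python
import random

# (MIN, ML, MAX) columns from the "Modeling Losses to Assess Limits" slide.
INPUTS = {
    "people":          (5, 50, 500),
    "hours":           (20, 40, 250),
    "hourly_rate":     (55.0, 70.0, 90.0),
    "records":         (10_000, 250_000, 1_000_000),
    "notify_per_rec":  (10.0, 7.0, 5.0),
    "monitor_per_rec": (25.0, 15.0, 10.0),
    "acceptance":      (0.05, 0.10, 0.25),
    "legal_defense":   (250_000, 750_000, 2_000_000),
    "fines":           (500_000, 1_000_000, 5_000_000),
}

def loss(v, include_fines=False):
    """Total loss for one set of input values."""
    total = (v["people"] * v["hours"] * v["hourly_rate"]               # response effort
             + v["records"] * v["notify_per_rec"]                      # notification
             + v["records"] * v["acceptance"] * v["monitor_per_rec"]   # credit monitoring
             + v["legal_defense"])
    return total + (v["fines"] if include_fines else 0)

def scenario_totals(include_fines=False):
    """Deterministic totals for the MIN, ML and MAX columns."""
    return [loss({k: t[i] for k, t in INPUTS.items()}, include_fines) for i in range(3)]

def simulate(trials=20_000, seed=1, include_fines=False):
    """Monte Carlo: draw every input independently from a triangular distribution
    (an assumption; the slides do not name one). Returns losses in ascending order."""
    rng = random.Random(seed)
    out = []
    for _ in range(trials):
        # min()/max() because per-record costs fall as the record count rises
        draw = {k: rng.triangular(min(a, b), max(a, b), ml)
                for k, (a, ml, b) in INPUTS.items()}
        out.append(loss(draw, include_fines))
    return sorted(out)

def percentile(sorted_losses, p):
    """Nearest-rank percentile of an ascending list, p in [0, 100]."""
    idx = min(len(sorted_losses) - 1, int(p / 100 * len(sorted_losses)))
    return sorted_losses[idx]

if __name__ == "__main__":
    print("scenario totals:", [f"${t:,.0f}" for t in scenario_totals()])
    losses = simulate()
    for p in (50, 90, 99):
        print(f"P{p}: ${percentile(losses, p):,.0f}")
```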

Modeling Losses with Monte Carlo
- But we are buying cyber insurance for catastrophe scenarios
- Heretical Math
- Use Max as Mean, and Mode as Std. Dev.
- 3x Std. Dev gives you 99.7%
- Max Losses ~$16M

Stress Testing with Tail Analysis
Most Likely Losses are ~$17M

Choosing Thresholds
[Figure: a loss scale with markers at $0, $5M and $50M; the bands are labeled, in order, You Pay, They Pay, You Pay.]

Ted Claypoole, Partner, Womble Carlyle
Jack Freund, PhD, InfoSec Mgr, TIAA-CREF
riskdr.com