10-26-2015
Cyber Insurance: How to Investigate the Right Coverage for Your Company
Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP
Greenleaf Trust Chief Information Security Officer (CISO) and Privacy Officer
How to Investigate the Right Coverage
- How do you select an insurance broker?
- Questions to ask insurance brokers
- Process of purchasing cyber insurance
- How to evaluate your cyber insurance needs
Cyber Insurance Considerations
- How does the assessment portion of cyber insurance work?
- What are the questions to ask when looking at cyber insurance?
- Insurance Broker timeline: all the items we want to know about are provided in interviews of key stakeholders, and then it may take up to two months to go through it.
- Have them provide a list of underwriters who will be presenting their cyber insurance coverage.
Selection of an Insurance Broker
- Some local insurance brokers are still not mature enough to know what cyber security is all about.
- Find the right type of coverage for your company prior to obtaining insurance.
- Assessment: analysis of what we need and why we need it.
- Cyber Insurance Broker: who is the right Insurance Broker?
Insurance Broker's View
Used with permission from IAPP Global Summit presenters: Toby Merrill, ACE Group; Sarah Stephens, JLT; Mark Greisiger, NetDiligence
Role of Insurance in Managing Cyber Risk
Used with permission from IAPP Global Summit presenters Toby Merrill, ACE Group; Sarah Stephens, JLT; and Mark Greisiger, NetDiligence

Most common policy triggers:
- 25% network security attack
- 20% lost or stolen device
- 16% human error
- 15% rogue employee
- 9% privacy policy
- 6% paper

Industry:
- 31% healthcare
- 13% technology
- 13% professional services
- 9% retail
- 8% travel and hospitality
- 7% financial institutions

Breakout:
- Mitigate: Loss Mitigation Services. Cyber and data privacy risk management portal (e.g., NetDiligence's eRisk Hub); remediate and patch exploits; IDS/IPS; dedicated security staff; network security assessment; phishing exercises.
- Respond: Data Breach Team. Independent Data Breach Team to respond to incidents; Forensics Team for preservation of evidence and to aid investigation; Legal Team to assist with notifications.
- Transfer: Risk Transfer Solutions. Financial Loss Protection, including experienced claims staff to handle highly complex claims; insurance coverage for breaches; file lawsuits against third parties for recovery of claim.
Insurance Broker Criteria
- Insurance Broker needs to understand cyber security needs.
- Knowing what underwriters want is a valuable trait in an Insurance Broker.
- Policy is meaningful and not just another insurance policy.
- Present 3-4 underwriters who know your business and provide a quality cyber insurance policy.
- Investigate having cyber insurance as part of the errors and omissions policy; make sure human errors with technology are covered.
Insurance Broker Criteria
- How do you evaluate the relative maturity of the Insurance Broker in selling cyber?
- Look for an Insurance Broker to meet with the risk team and advise them of our requirements: what you are worried about, making sure that we are giving full knowledge to the Insurance Broker of our security posture.
- Insurance Broker would interview employees and help you create a profile and do a dress rehearsal, including an in-depth report, rather than just provide answers to a survey.
- Insurance Broker wants to know what the underwriters want to see.
- Filling out an application (survey) would not show what our situation is.
- Personal relationship is necessary.
Used with permission from IAPP Global Summit presenters: Toby Merrill, ACE Group; Sarah Stephens, JLT; Mark Greisiger, NetDiligence
Questions for Insurance Broker
- Tell me about the key things that will reduce our cost of coverage the most: third party vendor management, protecting credit cards, point-of-sale, other?
- What's hot right now in terms of what insurance underwriters have an interest in? Like to hear some explanation about security controls and capabilities in response, and not just scope reductions.
- What is the Broker's overall pitch to us? They should essentially describe that they want to deeply understand our business and package our risk in a way that it can be sold to underwriters.
- Schedule a meeting with the Insurance Broker.
Questions for Insurance Broker
- Explain a real case of yours when an insurance company pushed back on a claim and how you were able to advocate and fight for your client's position effectively.
- What types of considerations would we need to think about as we are examining the policies themselves? Potential expectations: discussions regarding things like acts of God, accidental backdoors introduced by the company's own developers, nation-state adversaries, terrorism, economic espionage, cases where the company might have employed some form of active defense, etc.
Questions for Insurance Broker
- Do cyber security policies cover ransomware attacks?
- Does the Broker understand cyber security needs?
- What underwriters do you use?
- Do you know what the underwriters want to see with regard to our security posture?
Questions for Insurance Broker
- Explain the application: do we fill it out with your help, and at what point are we held accountable for the answers?
- Ask how the application will be used: would you simply use the application, or would you interview employees?
- What is the relative maturity of the Broker in selling cyber insurance?
Questions for Insurance Broker
- How do you determine what is reputational damage? Brand coverage is the soft costs, and premiums may go up. Have not done a good job quantifying yet.
- Consider having a line item in the cyber insurance policy for hiring a PR firm, forensics analysts, and attorneys to assist with a breach.
- How much coverage is enough? Cyber is so complex; it is tough to determine. Inventory the number of records and the PII, PFI, and ePHI data held.
- Quotes for various levels of coverage (i.e., $1M, $3M, $5M, up to $100M).
Sample of Possible Application Questions

Regulatory: which laws and/or standards apply to your business?
- PCI-DSS
- HIPAA
- GLBA
- DPPA (Driver's Privacy Protection Act)
- California's Privacy Law
- Red Flag Rules
- EU Data Directive

Privacy:
- Privacy Officer designated for company
- Privacy Policy written and published, reviewed by an attorney, audited by external third party
- Secure data destruction policy/procedures in place
- Data retention policy for personally identifiable information (PII)

Security Controls:
- Chief Information Security Officer designated for company
- Information Security policies written and published
- Access controls: restricted access to PII
- Incident Response Plan for network intrusions and viruses
- Penetration testing and audits performed
- Vulnerability scans, security appliances, IDS/IPS monitoring, DLP, etc.
- Physical controls
- Backup formats and secure storage

Hacker Damage and Business Interruption:
- Maintain redundant systems
- Speed of recovering and installing backups

Media and Website:
- Description of website content and social network posting control
- Processes for review of social media and website content
- Trademarks, copyright, disparagement

Prior claims or loss from a breach
Cyber Insurance Coverages
- Network Security and Privacy Liability: unauthorized access events
- Breach Response Services: notification costs, credit monitoring, public relations expenses, forensic analysis, legal services, and call center services
- Regulatory Defense, Fines, and Penalties: make sure this is included. Note: civil fines and penalties are not covered.
- Transmission of Viruses/Malicious Code: determine whether the company would need this coverage
- Business Interruption Expense: costs to stand up the business again (hardware, consulting services)
- Theft and Fraud: destruction or theft of data and/or funds
- Digital Asset Coverage: restore or recollect data lost or stolen
- PCI Fines and Penalties: stolen credit card data and regulatory penalties
- Communications and Media Liability: traditional and social media content, website, trademarks, etc.
- Cyber Extortion: payment and security consultant fees
Cyber Insurance Premiums Climb Sharply
- Due to the number of data breaches, cyber insurance rates have increased substantially.
- Retailers are seeing premiums go up by 32% of what they were paying the previous year.
- Some health insurance companies who have been breached are having a hard time renewing coverage.
- Coverage for over $100 million is difficult to find.
- Target's 2013 data breach cost $264 million and was paid out of pocket.
Source: "Insight - Cyber insurance premiums rocket after high-profile attacks" by Jim Finkle
Key Takeaways
1. Interview Insurance Brokers. Just because you have always used them for other insurance needs does not mean you cannot seek one with cyber insurance expertise.
2. Set up an interview meeting with the insurance broker. Prepare by developing questions you want to have them answer.
3. Demonstrate your company is best in class. Build out the incident response plan to include vendors and make improvements to the security program prior to applying for cyber insurance.
4. Complete the application with honest answers; be prepared to support your answers.
5. Evaluate what your needs are and select the coverage that will protect your company the best.
6. Complete the purchase of cyber liability insurance and review the policy. Present this to the company's Board of Directors.
Resources (for research purposes only)
- William C. Wagner, Esq., Taft Law Firm, Privacy and Data Security Insight: http://www.privacyanddatasecurityinsight.com/category/cybersecurity/breach-detection/
  - Cyber Insurance: Do I Really Need It?
  - Cyber Insurance: What Do Cyber Insurance Policies Cover and Cost?
  - Cyber Insurance: How Do I Determine My Coverage Needs?
- Department of Homeland Security Cybersecurity Insurance Resource Page: http://www.dhs.gov/publication/cybersecurity-insurance
- UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/uk_cyber_security_report_final.pdf
- NetDiligence Cyber Risk Assessment and Data Breach Services: http://www.netdiligence.com
- eRisk Hub: https://eriskhub.com
Thank You! Questions?
Further Questions?
Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP
Greenleaf Trust CISO and Privacy Officer
Email: Dr.FaithIG@gmail.com