April 2011. Cyber risks: Understanding your insurance protection


The information contained in this paper provides only a general overview of subjects covered. It is not intended to be taken as advice regarding any individual situation or policy and should not be relied upon as such. Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with the client's own qualified legal advisors in these areas.

11/0086

Introduction

Today, information constitutes a significant portion of a company's assets, which is predominately stored electronically and shared over networks [1]. What would happen if these vital corporate assets were stolen, disclosed, lost, destroyed or corrupted? How many companies or businesses could function without the information they send and receive on sophisticated information networks?

A growing appreciation of the dependency on and importance of e-commerce, coupled with the ever increasing levels of cyber attacks, has sparked debate on the need for and availability of appropriate insurance coverage. The development and evolution of cyber risks mean that traditional insurance policies now have limitations when it comes to responding to these risks, which, at the same time, are increasingly prevalent for businesses.

This paper examines some of the areas where cyber risks may fall outside the scope of traditional policies and looks at how businesses can find protection in the current insurance market.

Melita Simic
Managing Principal Financial & Professional Services
April 2011

[1] Examples include accounting information, intellectual property, customer/client details, competitive information and supplier information.

What is cyber risk?

Cyber risk in general terms refers to the potential losses and liabilities arising out of the use of e-commerce. E-commerce, broadly speaking, is the application of technology towards the automation of business transactions. It consists of businesses connecting their critical business systems directly to their critical constituencies such as customers, employees, suppliers, vendors and business partners utilising internet based technologies.

While the benefits of employing e-commerce strategies and internet based technologies are numerous, so are the risks. Cyber risks can be broadly categorised into the following:

1) Content risks
2) Technical risks

1) Content risks

A company is responsible for all and any information posted on its web site. This means that a company may be exposed to liability for:

• Negligence if information appearing on its website is incorrect and results in an individual suffering loss
• Breach of contract or for misleading and deceptive conduct if the information appearing on its website is incorrect or misleading and deceptive and induces a party (or is relied on) to enter into a contract with the company online
• Any defamatory material appearing on its website or which is transmitted from its systems/servers across the internet
• Intellectual property infringement, encompassing copyright material (text, design and other graphics, photographs, software and the like), trademarks and logos, proprietary information (sales records, marketing plans, customer files), trade secrets and patented inventions
• False advertising or advertising infringement as a result of over exuberance in advertising
• Claims for breach of confidential information and/or privacy

A company may also potentially be liable (for any of the above) under any given number of acts, codes, rules and regulations, which can result in hefty fines and criminal penalties.

Additionally, the web site owner may be subject to different laws of different jurisdictions since web content appears worldwide. The list provided above is by no means exhaustive. The law remains uncertain as it evolves to take account of new cyber realities.

[Figure: Content risks arising from website information: liability under acts, codes, rules and regulations; breach of private and confidential information; intellectual property infringement; negligence; misleading and deceptive conduct; breach of privacy; false advertising; different laws of different jurisdiction; breach of contract; defamation.]

2) Technical risks

In addition to exposure to content risks, a company is also constantly open to a number of technical risks, and must consider the following:

• The transmission of information across the internet brings with it the risk of unauthorised access, human (programming) and/or other technical errors
• Any company connected to the internet is susceptible to an assortment of viruses, malicious codes or trojan horses, which can result in legal liabilities as well as damage to or destruction of valuable information assets, disruptions to service and financial loss
• Cyber extortion may occur when hackers steal or threaten to steal company information for the purposes of selling it back to them
• Information networks give employees unprecedented access to business information. Employees can use a company's computer network to destroy information or steal it to sell. Since most e-theft involves the copying of information and data, a company may not know that its information or data has been stolen until it appears somewhere else
• Deliberate overloading of web servers can cause a web server to crash, bringing to a halt internet trading and other online operations
• The security of proprietary information in electronic form is a major risk area because of the high potential for loss, theft or unauthorised use of electronic data. In part, this is due to the fact that lost or stolen data can result in the violation of privacy rights.

If hackers can get into the Pentagon, would it not be easy for them to get into your networks?


First party losses and third party liabilities

From our examination of the range of cyber risks, it is evident that they can result in both:

1) First party losses
2) Third party liabilities

1) First party losses

First party losses refer to direct losses sustained by the company stemming from the use of e-commerce or internet related activities. Examples include:

(a) Damage to property consisting of intangible assets, namely software (programs) and data
(b) Business interruption
(c) Theft of proprietary information or consumer data

These can all occur as a result of one or more of the following cyber perils:

(i) Hackers (external and internal)
(ii) Viruses
(iii) Extortion
(iv) Programming errors
(v) Power surges and the like leading to network or system failures

2) Third party liabilities

Third party liabilities concern a company's liability to third parties for sustained losses arising out of the company's use (namely wrongful use) of e-commerce or internet related activities. Examples include:

(a) Damage to third party property consisting of intangible assets, namely software (programs) and data, and/or financial losses as a result of:
    (i) Denial of access
    (ii) Insufficient measures used to protect third party from computer crime
    (iii) Spread of a computer virus
    (iv) Failure of software
    (v) Programming errors leading to network or system failures or loss of expected goods and services
(b) Intellectual property infringements encompassing software patents, copyrights, trade secrets, trade marks
(c) Defamation, libel and slander
(d) Invasion of privacy
(e) Unfair competition or false and misleading advertising
(f) Unauthorised use of confidential information

Traditional policies and cyber risks

More often than not, cyber risks fall outside the realm of traditional insurance policies. The reason for this is twofold.

Firstly, traditional insurance policies were developed long before the evolution of cyber risks. Consequently, cyber risks do not fit neatly within existing definitions and exclusions [2]. A review of traditional insurance policies indicates that there are several gaps in coverage for cyber risks. Some of the problems with standard policies in relation to cyber risks include the following:

• There isn't always a trigger that creates an insured event. For instance, general liability and property policies were developed to respond to liabilities and natural perils (e.g. fire, hail, earthquakes) that damaged physical assets. Under property policies, business interruption is generally triggered if there is direct physical damage. Crime policies similarly provide cover to predominantly tangible property. Cyber risks on the other hand are largely intangible, caused by human error, or the result of malicious attacks and crimes.
• Most general liability policies do not cover economic loss or professional services, precluding most cyber risk damages
• The theft of intellectual property (given that intellectual property is considered an intangible asset) is not addressed by most policies [3]
• Crime policies often contain confusing exclusions and limitations when it comes to employee dishonesty and computer fraud
• Coverage may not exist for third party losses due to computer viruses or unauthorised access to private and confidential information
• Advertising injury coverage under general liability policies does not completely address intellectual property infringement, content and advertising offences over the internet
• Many companies do not have errors and omissions policies, and where they do, such policies often contain security breach exclusions
• Professional liability policies may exclude coverage because the internet related work may go beyond the scope of an insured's current professional services
• Many insurance policies have geographical limitations; the internet does not

Secondly, insurers are attempting to limit their liability for cyber risks by incorporating additional exclusions into traditional policies. There are a number of reasons for this. Insurers do not want to expose themselves to risks they did not intend to cover when they wrote the traditional policies and for which they did not charge a premium, particularly when there is a lack of definition and quantification of these risks and little historical data.

As a result, companies are finding that, while their cyber risks are expanding significantly, the coverage available for these exposures under traditional policies is shrinking, creating serious coverage gaps for companies looking to safeguard their systems and intangible assets.

[2] Some general insurance policies may however provide elements of cyber cover.
[3] Specialised insurance cover has become available in recent years.

Finding a way forward

Cyber risks are increasingly viewed by insurers as a distinct category of risk: risk not covered by traditional commercial insurance. Whether traditional insurance policies will provide cover is uncertain and would be limited at best. It is therefore important that companies review and continuously update their insurance and risk management procedures to ensure that they can best protect themselves from cyber related losses.

Given the current environment, protecting knowledge capital and networks against non-physical perils is critical. It is essential that companies put procedures in place to:

• Identify cyber risks [4]
• Qualify and rank them
• Assess controls and countermeasures in place
• Identify risk improvement procedures
• Repeat the process regularly and monitor progress

Once cyber risks are identified, an insurance wording gap analysis can be performed and decisions made to negotiate extensions to current wordings or place a specific cyber policy to either supplement existing policies or act as first line policies.

New cyber specific insurance policies are emerging to fill the gaps in traditional policies. This has been due in part to a better understanding of cyber risks and risk management issues as well as access to loss information.

It is helpful to keep in mind that when underwriting this area of risk, underwriters are likely to be examining the following aspects of the company to make a decision about its risk:

• What is the internet site being used for? Is it passive in that it only offers information with no customer interaction, or is it interactive in that it allows customers to interact with the website by requesting or providing information, or is it active in that it allows customers to make purchases from the website? [5]
• Is there a privacy statement?
• What security measures are in place? Physical security, written security policy, virus detection policies/software, passwords, firewalls, encrypted logins, authentication technology, or intrusion detection systems?
• Is there any regular testing of the security by internal audit?
• Is the security tested by an outside party, i.e. penetration hacking or ethical hacking?
• What is the financial status of the company?
• What is the nature of the company? [6]
• What is the claims history of the company?
• Are there satisfactory internal controls and risk management procedures in place?

[4] The key to protection lies in the accurate and adequate risk identification.
[5] Cyber risks increase the more active the website.
[6] Cyber risks vary between industries. Key cyber risk industries include financial institutions, entertainment/media, technology and telecommunications, manufacturing, airlines and travel services, higher education and retail.

Concluding remarks

Cyber risks present new and different challenges and can have serious implications to a company's bottom line [7], both as direct [8] and indirect [9] consequences of the event.

Ever growing media interest in cyber crime and various surveys into computer crime conducted over the years now highlight that the first lines of technological defence are no longer impenetrable. Data breaches affect millions of records a year. Media reports of data or network sabotage, virus and Trojan infection, computer fraud and laptop theft, incidents of denial of service and network scanning are ever increasing and it is unlikely that the underlying trends will improve in the short-term.

Accordingly, insurance coverage for cyber risks should be a significant and growing concern for companies. Network security breaches can expose companies to class action lawsuits, significant recovery costs and irreversible damage to the corporate brand [10]. Undoubtedly, the liabilities will continue to grow and evolve [11] as new perils arise and lawyers develop new causes of action.

Policies have been specifically designed to cover a range of cyber risks (including both first party losses and third party liabilities) as well as to afford cover for associated legal expenses, settlements, judgments, regulatory investigations and other related business expenses, for example, privacy notification expenses.

Given the enormous and growing participation of all companies in e-commerce, isn't it time to consider transferring this risk?

[7] "Cyber Risks: is your company protected" by Dawn Simmons, Senior Underwriter Professional Lines XL Insurance, printed in Insight International, September 2010.
[8] For example, the actual costs incurred in notifying relevant customers and data protection agencies of the security breach and mitigating further losses.
[9] For example, customer turnover and damage to reputation.
[10] "Putting Cyber Risks on the Board's Radar Screen" by Tracey Vispoli.
[11] Such as Privacy Notification Expenses. For example, obligations to notify third parties of a security breach and mitigate losses.

About Marsh

Marsh, the world's leading insurance broker and risk advisor, teams with its clients to define, design, and deliver innovative industry-specific solutions that help them protect their future and thrive. It has over 24,000 colleagues who collaborate to provide advice and transactional capabilities to clients in over 100 countries. Marsh is a member of Marsh & McLennan Companies, a global professional services firm with 51,000 employees worldwide and annual revenue exceeding $10 billion, which is also the parent company of Guy Carpenter, the risk and reinsurance specialist; Mercer, the provider of HR and related financial advice and services; and Oliver Wyman, the management consultancy. Its stock (ticker symbol: MMC) is listed on the New York, Chicago and London stock exchanges.

www.marsh.com.au

Marsh (Sydney): Darling Park Tower 3, 201 Sussex Street, Sydney NSW 2000. Tel: +61 2 8864 8888 Fax: +61 2 8864 8800
Marsh (Melbourne): 555 Lonsdale Street, Melbourne VIC 3000. Tel: +61 3 9603 2222 Fax: +61 3 9670 8581
Marsh (Brisbane): Level 20, Riverside Plaza, 123 Eagle Street, Brisbane QLD 4000. Tel: +61 7 3115 4555 Fax: +61 7 3115 4500
Marsh (Parramatta): Level 1, 87 Marsden Street, Parramatta NSW 1250. Tel: +61 2 8864 8888 Fax: +61 2 8864 7333
Marsh (Perth): 2 The Esplanade, Perth WA 6000. Tel: +61 8 9289 3888 Fax: +61 8 9289 3880
Marsh (Adelaide): Level 5, 108 North Terrace, Adelaide SA 5000. Tel: +61 8 8385 3600 Fax: +61 8 8385 3650
Marsh (Canberra): Level 5, 60 Marcus Clarke Street, Canberra ACT 2601. Tel: +61 2 6279 3300 Fax: +61 2 6279 3320
Marsh (Hobart): 111 Macquarie Street, Hobart TAS 7000. Tel: +61 3 6281 3100 Fax: +61 3 6281 3160
Marsh (Darwin): Carpentaria House, Level 1, 13 Cavenagh Street, Darwin NT 0800. Tel: +61 8 8943 4400 Fax: +61 8 8981 9311
Marsh (Launceston): Level 2, 33 George Street, Launceston TAS 7250. Tel: +61 3 6333 3200 Fax: +61 3 6333 3260

Disclaimer: The information contained herein is based on sources we believe reliable, but we do not guarantee its accuracy. The information contained in this publication provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation, and should not be relied upon as such. Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. Insureds should consult their own qualified insurance and/or legal advisors regarding specific coverage and other issues.

Copyright 2011 Marsh Pty Ltd. All rights reserved.