Presented by: Paul J. Miola, CPCU, ARM Executive Director October, 2013


Cyber Insurance


What Is Cyber Insurance?

Goes by various names – “Information Security Insurance”, “Network Security Insurance”, “Privacy Insurance”, “Data Breach Insurance”, “Network Breach Insurance”, “Technology Solutions”, “Cyber Liability”, “Breach Response Insurance”…

Why Cyber Insurance?

General Liability Insurance doesn’t respond to cyber claims

Typical CGL policy defines “property damage” as “physical injury to tangible property, including all resulting loss of use of that property.”

Some CGL policy forms specifically exclude electronic data from their definition of “property damage.” In such policies, “electronic data” is generally defined as the “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software.”

Data, web pages and computer systems do not constitute tangible property because they are not capable of being touched, held or sensed by the human mind.

You Have Added Responsibilities

In the event of a data breach:
Notify Employees
Notify members of public
Notify regulators
• State/Multi State
• Federal
• Additional efforts

Who has to do this?


Responsibility lies with the offending entity

You Do!

Cyber Insurance
Specialized Coverage

Not just insurance coverage
Claims for damages by third parties
A variety of services
Designed to prevent claims
Respond on your behalf
Deal with regulators
Make sure you comply
• Handle Public Relations

Takes the burden off of you

Cyber Risks Are Real

Cyber claims are infrequent but they do occur
Big name companies are targets but you represent low hanging fruit
Lack of formal security and “Privacy Policies”
What if it happens to you?
Will you know what to do?

What Could Go Wrong?

If you pass along a virus or other type of malware, even unknowingly, especially if another entity's customer information is then compromised.

What Could Go Wrong?

If an employee gains unauthorized access to another entity's information or if confidential information is disclosed or misused.

What Could Go Wrong?

If an employee knowingly or unwittingly slanders another entity in a blog, e-mail, or in a social media or forum post, or infringes on copyrighted material.

What Could Go Wrong?

If you do not follow federal or state regulations controlling notification of members of the public/employees whose personal data has been compromised.

What Is A Data Breach?

Breach occurs when an unauthorized 3rd party accesses your network or the network becomes infected with a virus or a denial of service attack.

What Can Happen?

Data can be stolen that can help criminals access PII*.

PII is a legal concept, not a technical concept.

PII can be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts.

PII has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII.

*Personally Identifiable Information


What’s It Going to Cost?

And who pays for it?


Who You Gonna Call?

Ghost Busters?

In The Event of A Breach (Or a suspected Breach)

Immediately dial the XL Data Breach Hotline

1-855-566-4724

This is EXTREMELY IMPORTANT! Keep the number handy!

XL Data Breach Hotline
Immediate Triage Assistance

Nelson, Levine, deLuca, & Hamilton

They will guide you.

Report The Claim
Time is of The Essence!

proclaimnewnotices@xlgroup.com
Or contact Qual-Lynx.

What’s Covered…

Data Recovery
◦ Expenses required to replace, recreate, restore or repair the Insured’s network or information residing on the network to substantially the form in which it existed immediately prior to a breach.

What’s Covered…

Cyber Extortion
Coverage provided to reimburse an Insured the amounts paid to avert a credible threat to commit or continue a network attack against the insured or to disclose personally identifiable information.

Crisis Management Coverage

Data Breach Response Costs

Reimburse the Insured for the costs incurred following a breach of private information. Typically costs are provided on a sub-limited basis.

• Forensics costs
• Public relations costs
• Legal
• Mandatory notification costs
• Voluntary notification costs
• Credit monitoring
• Call center
• Breach coach costs

PCI-DSS Response

Reimburse the Insured for the costs incurred to respond to a PCI-DSS incident.

• Independent forensic investigation conducted by a Payment Card Industry Forensic Investigator (PFI);
• Attorney fees
• fines and penalties owed by the Insured under the terms of a Merchant Services Agreement Fees.


Third Party Liability Coverage

Network Security Liability

Failure by the Insured to prevent a network breach which results in:

1. the inability of an authorized user to gain access to the network;
2. the alteration, addition to, copying, destruction, deletion, disclosure, damage or removal of any data residing on the network;
3. a denial of service attack against Internet sites or computers;
4. the transmission of a computer virus from the network to third-party networks or Internet sites;

Privacy Liability

Coverage for claims arising from third parties for allegations of:

1. violation of privacy torts, law and regulations (GLB, HIPAA, COPPA)
2. theft, loss, unauthorized disclosure of personally identifiable information private information
3. alterations, corruption, destruction, deletion or damage to private information

• Includes both online and off-line data


Regulatory Coverage

Defense

Provides defense costs resulting from a regulatory investigation or proceeding. Typical enforcement comes from the FTC or AGs.

FTC can charge defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.

As of May 1, 2011, the FTC has brought 32 legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information.

Media Coverage

Covers the content the Insured disseminates through various means including social media for a defined list of covered perils.
Intellectual property infringement
Defamation
Other personal injury torts

Summary of ACM JIF Cyber Risk Coverage

Limits:

Third Party Coverage: Media Liability, Network Security and Privacy Liability
$1,000,000 per claim
$3,000,000 annual aggregate
$10,000 deductible each claim

Regulatory Fines and Penalties sub limit of $500,000

Retroactive date January 1, 2013

Summary of ACM JIF Cyber Risk Coverage

Limits:

First Party Coverage: Notification Costs, Extortion Threat, Crisis Management and Business Interruption
$500,000 per claim limit
$3,000,000 annual aggregate
$10,000 deductible each claim

Value Added Services

Data Breach Hotline
◦ 1-888-566-4724
◦ Service Provided by Nelson, Levin, deLuca & Horst

eRisk Hub
◦ Go to https://www.eriskhub.com/xl.php
◦ Complete Registration Form
◦ Access Code – 10448
◦ Once Registered you have immediate access to the portal with User ID & password created during registration


What Else?

Much

Much

More

Jim Prendergast
Partner
Nelson Levine de Luca & Hamilton
jprendergast@nldhlaw.com
www.nldhlaw.com

After The Break… Cyber Liability Risk Management
