Embed Size (px)
Citation preview
© Copyright 2015 by K&L Gates LLP. All rights reserved.
CYBER 3.0Cutting-Edge Advancements in
Insurance Coverage for Cyber Risk and Reality
April 14, 2015
Annual RIMS/CPCU Joint Chapter Session
Sheraton Station Square
Introduction Role and Perspective of the Risk Manager
The Risk Manager’s Role in Addressing and Mitigating Risk Unique Challenges and Opportunities in Placing “Cyber” Insurance
Setting the “Cyber” Stage Practical Risk and Exposure Latest Legal and Regulatory Developments
Newest Cutting Edge “Cyber” Products Third-Party, First-Party, and DIC Coverages How to Avoid the Traps How to Enhance “Off-The-Shelf” Forms / Best-Practices “Checklist”
Legacy Insurance Policies -- Potential Coverage And Limitations
AGENDA
rdardardarrrrrRoberta D. AndersonInsurance Coverage /
Data Privacy & Cybersecurity Partner
Timothy Flaherty Manager
Insurance Risk Management
INTRODUCTIONrdardardarrrrr
rdardardarrrrr
The Risk Manager’s Role in Addressing and Mitigating Risk Unique Challenges
Lack of Standardization (ISO Forms) Lack of Claims/Legal Precedent Capacity
Opportunities Tailored Coverages Ability to Negotiate Enhancements Increasing Market Capacity
ROLE AND PERSPECTIVE OF THE RISK MANAGER
In Placing Coverage: Determine the Need for Coverage
Risk Assessment
Review the Extent of Coverage under Existing Policies Engage a Knowledgeable Broker and Outside Counsel Execute Non-disclosure Agreements with Potential Insurers Conduct Open Discussions and Partner with Your Chief Information Officer to
Complete an Extensive Application Conduct Face-to-Face Meetings with Potential Insurers Obtain Senior Management Concurrence or Authorization to Bind Coverage Retro Date Logistics Acquisitions Aligning “Cyber” Placement with Existing Programs Length of Time for Placement
ROLE AND PERSPECTIVE OF THE RISK MANAGER
SETTING THE “CYBER” STAGE
PRACTICAL RISK AND EXPOSURE
• Malicious attacks – Advanced Persistent Threats
– Social Engineering
– Viruses, Trojans, DDoS attacks
• Data breach / Unauthorized Access • Software Vulnerability
(HeartBleed) • System Glitches• Employee Mobility• Lost or Stolen Mobile and Other
Portable Devices
• Vendors/Outsourcing(Function, Not the Liability)
• The Internet Of Things• Human Error
klgates.com 8
Source: Ponemon Institute 2014 Cost of Data Breach Study – Global
PRACTICAL RISK AND EXPOSURE
Source: Ponemon Institute LLCCost of Data Breach Study:Global Analysis(May 2014)
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
LATEST LEGAL AND REGULATORY DEVELOPMENTS
• Federal Cybersecurity/Data Privacy Laws – HIPAA/HITECH
– GLBA
– FTC Act
• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes
– 47 states, D.C., & U.S. territories breach notification laws
– State Security Standards (MA, CA, CT, RI, OR, MD, NV)
• NIST Cybersecurity Framework• Industry Standards, e.g., PCI DSS• SEC Cybersecurity Risk Factor Guidance
– FCC Act
– FCRA/FACTA
“[A]ppropriate disclosures may include”: “Discussion of aspects of the registrant’s business or operations that give rise to
material cybersecurity risks and the potential costs and consequences”; “To the extent the registrant outsources functions that have material cybersecurity
risks, description of those functions and how the registrant addresses those risks”; “Description of cyber incidents experienced by the registrant that are individually, or
in the aggregate, material, including a description of the costs and other consequences”;
“Risks related to cyber incidents that may remain undetected for an extended period”; and
“Description of relevant insurance coverage.”
SEC CYBERSECURITY
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
SEC CYBERSECURITY“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses”
Target Form 10-K (March 2014)
SEC CYBERSECURITY“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”
Alion Science and Technology Corp. S-1 filing (March 2014)
SEC CYBERSECURITY“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities . . . .
Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014
20
22
FTC CYBERSECURITY
23
FTC CYBERSECURITY
STANDING TREND – SONY
STANDING TREND – MICHAELS
STANDING TREND – ADOBE
STANDING TREND – TARGET
NEWEST CUTTING EDGE “CYBER” PRODUCTS
klgates.comback
REMEMBER THE SNOWFLAKE
Privacy and Network Security Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to
Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
Questions: Coverage for the Acts, Errors, Omissions of Third Parties, e.g., Vendors? Coverage for Data in the Care, Custody, Control of Third Parties, e.g., Cloud Providers? Coverage for Proliferating and Expanding Privacy Laws/Regulations? Coverage for Data in Any Form, e.g., Paper Records? Coverage for Confidential Corporate Data, e.g., Third-Party Trade Secrets? Coverage for “Rogue” Employees? Coverage for Wrongful Collection of Data? Coverage for TCPA Violations?
THIRD-PARTY COVERAGE
Regulatory Liability Generally Covers Amounts Payable in Connection with Administrative or Regulatory
Investigations
Questions: Coverage for Fines and Penalties? Coverage for Consumer Redress Funds? Regulatory Exclusion Carve Backs? Sufficient Sublimit?
PCI-DSS Liability Generally Covers Amounts Payable in Connection with PCI Demands for Assessments,
Including Contractual Files and Penalties, for Alleged Non-compliance with PCI Data Security Standards
THIRD-PARTY COVERAGE
Media Liability Generally Covers Third-Party Liability Arising From Infringement of Copyright and Other
Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising From the Insured's Media Activities, e.g., Broadcasting and Advertising
Questions: Coverage for “Rogue” Employees? Coverage for Media Content in Any Form, e.g., Printed Publications, or Limited to Digital
Media Content? Coverage Limited to Certain Locations of Media Content Display, e.g., on the Insured’s
Website or Social Media sites? Coverage for Liability Arising Out Of the Insured’s Own Advertising Activities? “Occurrence”-Based or Claims Made Coverage? Appropriate for Media Companies?
THIRD-PARTY COVERAGE
Crisis Management Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a
Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations
Questions: Triggered by Failures of Security? Coverage for Forensic Investigation and PCI Forensic Investigator? Coverage for Public Relations, Crisis Management, “Breach Coach” Counsel? Coverage for Notification? How about ID Theft Education, ID Theft Restoration Services,
Call Center Services, Credit Monitoring, Reimbursement Insurance? Insured’s Reasonable Selection of Counsel/Vendors? Outside or Inside Limits? Sufficient Sublimits?
FIRST-PARTY COVERAGE
Network Interruption Generally Covers First-Party Business Income Loss Associated with the Interruption of
the Insured’s Business Caused by the Failure of Computer Systems
Questions: Coverage for Third Party Systems? Coverage for Cloud Failure? Coverage for Non-Malicious Acts, e.g., Unintentional, Unplanned Outage? Exclusion for Power Failure, Blackout/Brownout, Etc.? Coverage Beyond the Interruption, e.g., 120 Days? Waiting Period, e.g., 12 Hours? Hourly Sublimits? Sufficient Sublimit(s), e.g., Contingent and Non-Malicious Acts Coverage? What About Loss Caused By Physical Perils, e.g., Flood?
FIRST-PARTY COVERAGE
Digital Asset Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and
Repairing Damaged or Destroyed Programs, Software or Electronic Data
Extortion Generally Covers Losses Resulting From Extortion, e.g., Payment of an Extortionist’s
Demand to Prevent a Cybersecurity Incident
Reputational Harm Generally Covers “Crisis Management” Type Costs in the Event of a Publication Likely
to be Seen by an Insured’s Stakeholders, e.g., Customers, Investors, Vendors, or Regulators, and to Have an Adverse Impact on Public Perception of the Insured or its Brand. Can Also Cover Business Income Loss Caused By A Publication Likely to be Seen by an Insured’s Stakeholders, and to Have an Adverse Impact on Public Perception of the Insured or its Brand
FIRST-PARTY COVERAGE
DIC COVERAGE
vv
First-Party Property Damage and Business Interruption Third-Party Bodily Injury and Property Damage
[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:
A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or
B. a Negligent Act Requirement. [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission]
DIC COVERAGE
DIC COVERAGE
klgates.com
AVOID THE TRAPS
41
POLICY EXAMPLE 1
POLICY EXAMPLE 2
43
POLICY EXAMPLE 2
POLICY EXAMPLE 1
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 2
POLICY EXAMPLE 3
POLICY EXAMPLE 3
51
POLICY EXAMPLE 1
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 2
POLICY EXAMPLE
Any member of the “Control Group.” e.g., CEO, CFO ,RM, CRO, CIO, GC
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 3
Request a “Retroactive Date” of At Least a Year
BEWARETHE
FINE
REMEMBER THE DEVIL IS IN THE DETAILS
REMEMBERING THE SNOWFLAKEBEST-PRACTICES “CHECKLIST”
BEST PRACTICES CHECKLIST• Embrace a Team Approach
• Understand the Risk Profile
• Review Existing Coverages
• Purchase Appropriate Other Coverage as Needed
• Remember the “Cyber” Misnomer
• Spotlight the “Cloud”
• Remember the Retro Date
• Selection of Counsel and Vendors
• Engage a Knowledgeable Broker and Outside Counsel
• Carefully Review the Application
“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance
coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (April 14, 2015)
“LEGACY” INSURANCE POLICIES
69
Directors’ and Officers’ (D&O) Errors and Omissions (E&O)/Professional Liability Employment Practices Liability (EPL) Fiduciary Liability Crime
Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
Property Commercial General Liability (CGL)
POTENTIAL COVERAGE
Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”
“Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” What is a “Person’s Right of Privacy”? What is a “Publication”? Does the Insured Have to “Do” Anything Affirmative And Intentional to Get
Coverage?
Coverage A Provides Coverage for Damages Because of “Property Damage”
“Property Damage”: “Loss of use of tangible property that is not physically injured”
POTENTIAL COVERAGE
POTENTIAL LIMITATIONS
POTENTIAL LIMITATIONS
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
POTENTIAL LIMITATIONS
POTENTIAL LIMITATIONS
POTENTIAL LIMITATIONS
cv
cv
POTENTIAL LIMITATIONS
Zurich American Insurance Co. v. Sony Corp. of America et al.
POTENTIAL LIMITATIONS
QUESTIONS
THANK YOU
