Page 1

Cyber-Attacks: Insurance Coverage for Cyber Risks and Realities

Roberta D. Anderson
[email protected]
@RobertaEsq

June 25, 2014

© Copyright 2013 by K&L Gates LLP. All rights reserved.

Page 2

Lloyd’s of London (Reuters) May 8, 2000

Page 3

Agenda

■ The Spectrum of Cyber Risk
■ Practical Risk and Exposure
■ Legal and Regulatory Framework
■ What to do Before an Incident?
■ What to do After an Incident?
■ Potential Coverage Under “Legacy” Policies
■ Limitations of “Legacy” Insurance Policies
■ Technology Errors & Omissions Coverage
■ Cutting Edge “Cyber” Products
■ How to Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
■ A Word About Vendor Contracts
■ Audience Q&A

Page 4

THE SPECTRUM OF CYBER RISK

Page 5

The Spectrum of Cyber Risk

Malicious attacks
■ Advanced Persistent Threats
■ Social engineering/employee sabotage
■ Viruses, worms, Trojans
■ DDoS attacks

■ Data breach
■ Software vulnerability (Heartbleed)
■ Unauthorized access (spyware)
■ Inadequate security and system glitches
■ Employee mobility and disgruntled employees
■ Lost or stolen mobile and other portable devices
■ Vendors/outsourcing (the function but not the risk) & the “cloud”
■ Human error

Page 6

oops!!

Page 7

Page 8

“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)

Page 9

LEGAL AND REGULATORY FRAMEWORK

Page 10

Legal and Regulatory Framework

■ State Privacy Laws (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx)
■ State Consumer Protection Laws
■ Federal Laws
  ■ Gramm-Leach-Bliley Act
  ■ HIPAA/HITECH
  ■ Federal Trade Commission Act, Section 5 (FTC v. Wyndham Worldwide Corp.)
  ■ FCRA/FACTA/Red Flags Rule
■ Foreign Laws
■ PCI Data Security Standards (PCI DSS)
■ Common law

Page 11

Legal and Regulatory Framework

SEC Guidance -- “[A]ppropriate disclosures may include”:
■ “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
■ “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
■ “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
■ “Risks related to cyber incidents that may remain undetected for an extended period”; and
■ “Description of relevant insurance coverage.”

See Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-the-next-target-02-11-2014

Page 12

Legal and Regulatory Framework

Page 13

Legal and Regulatory Framework

NIST Cybersecurity Framework -- provides a common taxonomy and mechanism for organizations to:
■ Describe their current cybersecurity posture;
■ Describe their target state for cybersecurity;
■ Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
■ Assess progress toward the target state;
■ Communicate among internal and external stakeholders about cybersecurity risk.

The Framework is voluntary (for now)

Page 14

Legal and Regulatory Framework

NIST Cybersecurity Framework

See NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

Page 15

Legal and Regulatory Framework

Page 16

PRACTICAL RISK AND EXPOSURE

Page 17

Practical Risk and Exposure

■ Breach Notification Costs/Identity Monitoring
■ Computer Forensics/PR Consulting
■ Loss of Customers/Revenue
■ Damaged Reputation/Brand
■ Regulatory Actions/Fines/Penalties/Consumer Redress
■ Lawsuits & Defense Costs
■ Loss of “Crown Jewels”
■ Business Interruption & Supply Chain Disruption
■ Drop in Stock Price/Loss of Market Share
■ Potential D&O Suits (Target)

Page 18

Practical Risk and Exposure

“[T]he average total cost of a data breach for the companies participating in this research increased 15 percent to $3.5 million”

“The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.”

“However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.”

“These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million)”

“[W]e do not include data breaches of more than approximately 100,000 compromised records in our analysis.”

Page 19

WHAT TO DO BEFORE AN INCIDENT?

Page 20

What to do Before an Incident?

■ Pro-active management of cyber risks at the C-Suite level
■ Assessment of key risks impacting the business and identifying critical information assets
■ Get a graded cybersecurity assessment
■ Regular internal training on information management and IT security
■ Have an incident response plan in place before a cybersecurity incident
■ Pay attention to vendor contracts
■ Address and mitigate risk through insurance

Page 21

WHAT TO DO AFTER AN INCIDENT?

Page 22

What to do After an Incident?

■ Look (hopefully) to the incident response plan
■ Notification of a security breach must be given to all or some of:
  ■ Potentially impacted individuals
  ■ State AGs / Regulators
■ “Breach coach” counsel should:
  ■ Advise on who, when, and how to notify
  ■ Engage pre-vetted forensics professionals and other crisis management responders (e.g., credit monitoring, public relations)

Page 23

POTENTIAL COVERAGE UNDER “LEGACY” POLICIES

Page 24

Potential Coverage Under “Legacy” Policies

■ Directors’ and Officers’ (D&O)
■ Errors and Omissions (E&O)/Professional Liability
■ Employment Practices Liability (EPL)
■ Fiduciary Liability
■ Crime
  Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
■ Property?
■ Commercial General Liability (CGL)?

Page 25

Potential Coverage Under “Legacy” Policies

Coverage B provides coverage for damages because of “personal and advertising injury”

“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”

What is a “Person’s Right of Privacy”? What is a “Publication”?

Page 26

LIMITATIONS OF “LEGACY” INSURANCE POLICIES

Page 27

Limitations of “Legacy” Insurance Policies

Page 28

Limitations of “Legacy” Insurance Policies

Page 29

Limitations of “Legacy” Insurance Policies

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

Page 30

Limitations of “Legacy” Insurance Policies

Page 31

Limitations of “Legacy” Insurance Policies

Page 32

Limitations of “Legacy” Insurance Policies

Page 33

Limitations of “Legacy” Insurance Policies

Zurich American Insurance Co. v. Sony Corp. of America et al.

Page 34

TECHNOLOGY ERRORS & OMISSIONS COVERAGE

Page 35

Technology E&O Coverage

Essential for a provider of e-commerce-related solutions

Covers
■ Errors & Omissions in the Provision of Technology Services
■ Failure of Technology Products to Serve Their Purpose

But there are limitations
■ Triggered By a “Claim” That Alleges An Act or Omission
■ May Exclude Security Breach or Unauthorized Access to Information
■ May Not Include Breach Notification Costs, Which Are Viewed As More of a “First-Party” Loss

Page 36

CUTTING EDGE “CYBER” PRODUCTS

Page 37

Specialty “Cyber” Policies – Third Party

Privacy And Network Security
Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats

Regulatory Liability
Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties

Media Liability
Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content

Page 38

Specialty “Cyber” Policies – First Party

Information Asset Coverage
Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.

Network Interruption And Extra Expense (and CBI)
Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.

Extortion
Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)

Crisis Management

Page 39

HOW TO ENHANCE “OFF-THE-SHELF” CYBER INSURANCE FORMS THROUGH NEGOTIATION

Page 40

Page 41

Data Breach Example 1

Page 42

Data Breach Example 1

Page 43

Data Breach Example 2

Page 44

Data Breach Example 2

Page 45

Data Breach Example 2

Page 46

Data Breach Example 2

Page 47

Network Security Example 1

Page 48

Network Security Example 1

Page 49

Network Security Example 2

Page 50

Network Security Example 2

Page 51

Network Security Example 3

Page 52

Network Security Example 3

Page 53

TIPS For A Successful Placement

■ Privacy And Network Security
■ Regulatory Liability
■ Media Liability
■ Information Asset Coverage
■ Network Interruption And Extra Expense (and CBI)
■ Extortion
■ Crisis Management

Remember Dave?

Page 54

TIPS For A Successful Placement

■ Embrace a Team Approach
■ Understand the Risk Profile
■ Review Existing Coverages
■ Purchase Cyber Coverage as Needed
■ Remember the “Cyber” Misnomer
■ Spotlight the “Cloud”
■ Consider the Amount of Coverage
■ Pay attention to the Retroactive Date and ERP
■ Look at Defense and Settlement Provisions
■ Engage Coverage Counsel

Page 55

BEWARE THE FINE PRINT

Page 56

Page 57

“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”

Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)

Page 58

A WORD ABOUT VENDOR CONTRACTS

Page 59

A Word About Vendor Contracts

■ Be specific
■ Who is responsible for securing stored data? Data in motion?
■ Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls, http://www.sans.org/critical-security-controls
■ Who has access, and to which parts of the organization’s network?
■ What are the required cybersecurity standards?
■ Dovetail Vendor Contracts With Insurance Contracts

Page 60

AUDIENCE Q&A

Page 61

Linkedin: robertaandersonesq
Twitter: @RobertaEsq
Insurance Thought Leadership