© Copyright 2013 by K&L Gates LLP. All rights reserved.
Roberta D. Anderson [email protected]@RobertaEsq
June 25, 2014
Cyber-Attacks: Insurance Coverage for Cyber Risks and Realities
1
Lloyd’s of London (Reuters) May 8, 2000
Agenda
The Spectrum of Cyber Risk
Practical Risk and Exposure
Legal and Regulatory Framework
What to do Before an Incident?
What to do After an Incident?
Potential Coverage Under “Legacy” Policies
Limitations of “Legacy” Insurance Policies
Technology Errors & Omissions Coverage
Cutting Edge “Cyber” Products
How to Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
A Word About Vendor Contracts
Audience Q&A
THE SPECTRUM OF CYBER RISK
The Spectrum of Cyber Risk
Malicious attacks
Advanced Persistent Threats
Social engineering/employee sabotage
Viruses, worms, Trojans
DDoS attacks
Data breach
Software vulnerability (Heartbleed)
Unauthorized access (spyware)
Inadequate security and system glitches
Employee mobility and disgruntled employees
Lost or stolen mobile and other portable devices
Vendors/outsourcing (the function but not the risk) & the “cloud”
Human error
“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)
LEGAL AND REGULATORY FRAMEWORK
State Privacy Laws (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx)
State Consumer Protection Laws
Federal Laws
Gramm-Leach-Bliley Act
HIPAA/HITECH
Federal Trade Commission Act, Section 5 (FTC v. Wyndham Worldwide Corp.)
FCRA/FACTA/Red Flags Rule
Foreign Laws
PCI Data Security Standards (PCI DSS)
Common law
Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-the-next-target-02-11-2014
SEC Guidance -- “[A]ppropriate disclosures may include”:
“Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
“To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
“Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
“Risks related to cyber incidents that may remain undetected for an extended period”; and
“Description of relevant insurance coverage.”
NIST Cybersecurity Framework -- provides a common taxonomy and mechanism for organizations to:
Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
Assess progress toward the target state;
Communicate among internal and external stakeholders about cybersecurity risk.
The Framework is voluntary (for now)
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
PRACTICAL RISK AND EXPOSURE
Breach Notification Costs/Identity Monitoring
Computer Forensics/PR Consulting
Loss of Customers/Revenue
Damaged Reputation/Brand
Regulatory Actions/Fines/Penalties/Consumer Redress
Lawsuits & Defense Costs
Loss of “Crown Jewels”
Business Interruption & Supply Chain Disruption
Drop in Stock Price/Loss of Market Share
Potential D&O Suits (Target)
“[T]he average total cost of a data breach for the companies participating in this research increased 15 percent to $3.5 million”
“The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.”
“However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.”
“These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million)”
“[W]e do not include data breaches of more than approximately 100,000 compromised records in our analysis.”
WHAT TO DO BEFORE AN INCIDENT?
Pro-active management of cyber risks at the C-Suite level
Assessment of key risks impacting the business and identifying critical information assets
Get a graded cybersecurity assessment
Regular internal training on information management and IT security
Have an incident response plan in place before a cybersecurity incident
Pay attention to vendor contracts
Address and mitigate risk through insurance
WHAT TO DO AFTER AN INCIDENT?
Look (hopefully) to the incident response plan
Notification of a security breach must be given to all or some of:
Potentially impacted individuals
State AGs / Regulators
“Breach coach” counsel should:
Advise on who, when, and how to notify
Engage pre-vetted forensics professionals and other crisis management responders (e.g., credit monitoring, public relations)
POTENTIAL COVERAGE UNDER “LEGACY” POLICIES
Directors’ and Officers’ (D&O)
Errors and Omissions (E&O)/Professional Liability
Employment Practices Liability (EPL)
Fiduciary Liability
Crime
Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
Property?
Commercial General Liability (CGL)?
Coverage B provides coverage for damages because of “personal and advertising injury”
“Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
What is a “Person’s Right of Privacy”?
What is a “Publication”?
LIMITATIONS OF “LEGACY” INSURANCE POLICIES
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
Zurich American Insurance Co. v. Sony Corp. of America et al.
TECHNOLOGY ERRORS & OMISSIONS COVERAGE
Essential for a provider of e-commerce-related solutions
Covers:
Errors & Omissions in the Provision of Technology Services
Failure of Technology Products to Serve Their Purpose
But there are limitations:
Triggered By a “Claim” That Alleges An Act or Omission
May Exclude Security Breach or Unauthorized Access to Information
May Not Include Breach Notification Costs, Which is Viewed As More of a “First-Party” Loss
CUTTING EDGE “CYBER” PRODUCTS
Specialty “Cyber” Policies – Third Party
Privacy And Network Security
Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
Regulatory Liability
Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties
Media Liability
Specialty “Cyber” Policies – First Party
Information Asset Coverage
Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
Network Interruption And Extra Expense (and CBI)
Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
Extortion
Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)
Crisis Management
HOW TO ENHANCE “OFF-THE-SHELF” CYBER INSURANCE FORMS THROUGH NEGOTIATION
Data Breach Example 1
Data Breach Example 2
Network Security Example 1
Network Security Example 2
Network Security Example 3
TIPS For A Successful Placement
■ Privacy And Network Security
■ Regulatory Liability
■ Media Liability
■ Information Asset Coverage
■ Network Interruption And Extra Expense (and CBI)
■ Extortion
■ Crisis Management
Remember Dave?
TIPS For A Successful Placement
■ Embrace a Team Approach
■ Understand the Risk Profile
■ Review Existing Coverages
■ Purchase Cyber Coverage as Needed
■ Remember the “Cyber” Misnomer
■ Spotlight the “Cloud”
■ Consider the Amount of Coverage
■ Pay attention to the Retroactive Date and ERP
■ Look at Defense and Settlement Provisions
■ Engage Coverage Counsel
BEWARE THE FINE
“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)
A WORD ABOUT VENDOR CONTRACTS
A Word About Vendor Contracts
■ Be specific
■ Who is responsible for securing stored data? Data in motion?
■ Reference objective standards, e.g., Version 5 of the SANS Institute Critical Security Controls http://www.sans.org/critical-security-controls
■ Who has access – and to which parts – of the organization’s network?
■ What are the required cybersecurity standards?
■ Dovetail Vendor Contracts With Insurance Contracts
AUDIENCE Q&A
Linkedin: robertaandersonesq
Twitter: @RobertaEsq
Insurance Thought Leadership