Lunch and Learn Series: “The Sky Is Falling!” (Maybe)— Insurance for Product Manufacturers Wednesday, May 16, 2018 Noon–1 p.m. 1 General CLE credit Cyber Risks

Lunch and Learn Series: “The Sky Is Falling!” (Maybe)—Insurance for Product Manufacturers

Wednesday, May 16, 2018 Noon–1 p.m.

1 General CLE credit

Cyber Risks

CYBER RISKS

The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.

Copyright © 2018

OREGON STATE BAR

16037 SW Upper Boones Ferry Road

P.O. Box 231935

Tigard, OR 97281-1935

TABLE OF CONTENTS

Schedule

Faculty

Presentation Slides

SCHEDULE

Presented by Chris Keefer, KEEFER, Portland.

11:30 Registration

Noon Cyber Risks

• Types of cyber events and exposures

• Cyber insurance coverages

• Varying coverage provisions across insurers

• Payment Card Industry Data Security Standards coverage

• Cyber terrorism

1:00 Adjourn

FACULTY

Chris Keefer, KEEFER, Portland. Mr. Keefer guides brands and product manufacturers through complex insurance and risk management scenarios. He has assisted manufacturers around the world in developing risk management strategies and has led the insurance program of a global medical device manufacturer. He has presented nationally on risk management and insurance issues. Mr. Keefer is a member of the Oregon Entrepreneur Network and is admitted to practice law in Oregon and Indiana.

“The Sky is Falling!” Insurance for Product Manufacturers

May 16, 2018

Part 3: Cybersecurity

Session 2 Recap

Business Interruption

• Covers lost income if something happens to your property

• Does not cover lost income if something happens to 3rd party property you depend on (so you’ll need Contingent BI coverage)

What are Dependent Properties?

• Contributing, manufacturing, recipient, leader properties

Session 2 Recap

Pitfalls

• Sub-limits

• Deductibles and exclusions

• Coverage territory

• Physical vs. non-physical damage

• Direct vs. indirect suppliers

• Named vs. unnamed suppliers

Retain coverage and risk counsel solely representing your interests

Cyber Attacks & Data Breaches

If your business keeps any type of electronic records of customers, clients, employees, trade secrets, or other confidential information, a cyber attack or data breach is a serious risk.

Cyber attacks are on the rise:

In the first half of 2017, over 6 billion records were exposed through 2,227 publicly disclosed data breaches . . . already higher than the previous all-time high at the end of 2016.

The business sector accounted for 56.5% of the reported breaches . . . 93% of the total records exposed.

Source: SecurityIntelligence

Cyber Threats

Ransomware/Malware

Social Engineering

Phishing

Spear Phishing

Denial of Service

Identity Theft

Insider Jobs

Cyber Security Laws

Companies are legally required to comply with data protection and breach notification standards, subject to penalties and fines

Corporate directors and officers have fiduciary obligations to safeguard electronic assets

• S-OX

• Gramm-Leach-Bliley Act

• PCI Data Security Standard

• HIPAA

• HITECH Act

• SEC Guidance

• FTC Act

• Fair Credit Reporting Act

• Executive Order 13636

• 48 states + DC, PR, Guam

• International (EU, Asia, South America, Middle East)

Data Breach Costs to Company

Per 2017 Ponemon Institute Study, average cost of data breach in U.S. is $7.35M

• Data breach response (avg. $1.56M)

  • Help desk activities

  • Inbound communications set-up

  • Regulatory reporting and interventions

  • Investigations

  • Remediation

  • Legal spend

  • Product discounts

  • Identity protection services

• Loss of customers (avg. $4.13M)

• Settlements of lawsuits by 3rd parties

• Direct losses (if access to financial accounts)

Cyber Attack + Business Interruption = Bottom Line

Small Business Exposure

According to Small Business Trends (smallbiztrends.com):

• 43% of cyber attacks target small businesses

• 60% of small companies go out of business within 6 months of a cyber attack

• 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective

Practice Good Cyber Hygiene . . .

• Keep inventory of hardware and software on the company network

• Develop process for software installation by end users (e.g., blocking installation w/out prior IT approval)

• Require employees to complete data security training (e.g., password management, identifying phishing efforts, which devices to connect to the network, bad websites, the company policy)

• Keep up-to-date with latest security patches and software

• Regularly back up data on system as well as the cloud

• Turn to industry-accepted secure configurations/standards like NIST and CIS Benchmark (define items like password length, encryption, port access, and multi-factor authentication)

• Limit number of users with admin privileges

• Develop and implement a Cyber Security Policy incorporating everything

• Develop and implement comprehensive incident response plan for responding to and managing effects of a security attack

• Have your process regularly audited internally, as well as by 3rd party auditors

Source: SentinelOne

. . . And Then Purchase Cyber Insurance

Just because you are still practicing good hygiene doesn’t mean your risks go away

• Risks can be reduced, not eliminated

• A hacker still only needs to find one way into your system, while you are trying to block numerous entrances

Cyber insurance covers businesses in the event of a successful cyber attack or data breach

Typical Cyber Insurance Coverage

Covered items generally include:

• Forensics examination (including 3rd party security firm as well as coordination with law enforcement and FBI)

• Business losses (network downtime, business interruption, PR/crisis management)

• Notification to customers and credit monitoring

• Lawsuits against your business due to release of confidential information and IP

• Regulatory fines

• PCI DSS fines and assessments

• Costs of cyber extortion (e.g., ransomware)

Cyber Insurance is the “Wild West” of the Industry

There are 60+ cyber insurers, and the quality and scope of coverage can vary

There are numerous exclusions to coverage, and coverage may be vague and ambiguous

Some carriers are willing to negotiate provisions and exclusions to provide more customized coverage, while others are not

Legal and cyber landscape still evolving

It is extremely important for product manufacturers to know what is in their cyber policies and what options are available . . . especially if they are selling online DTC

Make Sure Limits and Sub-limits Match Exposure

Common sub-limits:

• Forensic costs

• Crisis management and PR

• Customer notification cost

• Regulatory fines

• PCI DSS fines and assessments

Sub-limits can vary among policies

Enlist your in-house or contracted IT professionals to help you understand the full extent of your cyber exposure . . .

. . . and then make sure your insurance aligns with this exposure!

Retro Date

Hackers may be on your system months (or years) before the breach is discovered

Cyber policies will exclude coverage occurring before the retroactive date set in the policy

• Hint, negotiate the earliest retro date possible

Varying Waiting Periods in Policies

Not all cyber policies provide immediate coverage

• Some require a 24-hour (and even up to 72-hour) wait before coverage kicks in

• Cyber Monday example

Understand the immediate impacts of a cyberattack or data breach to your company

• If the policy language does not match your exposure, work with the carrier to change

Varying Business Interruption Periods in Policies

Cyber policies provide different business interruption coverage periods

• Some require “reasonable” mitigation steps first be taken before coverage kicks in

Understand business interruption impacts of a cyberattack or data breach

• If the policy language does not match your exposure, work with carrier to change

Cyber contingent business interruption becoming available in some policies

PCI DSS Coverage

Payment Card Industry Data Security Standards

• Developed by Council consisting of Visa, MasterCard, American Express, Discover and JCB

If you sell products online direct-to-consumer, you may have PCI DSS exposure

Watch out for exclusions in your policy

Know Your Contracts

Indemnification provisions

• Cyber policies typically exclude 3rd party claims involving liabilities assumed under contract

• Discuss the possibility of coverage from your carrier for these contracts (hint, there will likely be additional premium)

• Otherwise consider push-back with your customer/client on this item

Also make sure you have purchased the minimum limits required in these contracts

Cyber Terrorism

Cyber policies cover cyberattacks

What if the cyberattack emanated from a foreign actor hostile to the U.S.?

• International terrorism exclusion could apply given definitions of “terrorism” and “international terrorism” in policies

• Understand your policy language and get clarification or endorsement if necessary

• WannaCry? (DPRK)

Beware Overlapping Provisions

Your cyber, property, and crime policies could potentially cover losses related to a cyberattack or data breach, especially if multiple carriers

A cyber event enlisting each of these policies could trigger the “other insurance” provisions of each policy

• “Any payment due under this policy is specifically excess of and will not contribute with any other valid and collectible insurance”

• Payment of claim will be delayed while carriers argue over who pays (and you may have to sue all)

• What if your cyber and property policies have differing business interruption waiting periods?

[Graphic labels: CYBER, PROPERTY, CRIME, OTHER?]

Cyber Contingent Business Interruption

As the cyber and legal landscapes become more developed, there are more data points for insurers to underwrite more novel risks

What if your dependent property is hit with a cyberattack?

• Typical CBI provisions will not cover (not a physical damage or loss)

• Cyber insurance policies covering business interruption typically only cover attacks or breaches of the company’s own systems

Newer policies are available which may cover cyberattacks, data breaches and system failures at your dependent properties

Key Takeaways

Understand the full extent of your cyber exposure . . . ENLIST IT PROS!

Work with IT cross-functionally to develop robust SOPs for cyber hygiene, compliance, data back-up and employee training

Retain counsel to review your cyber insurance to make sure your insurance carriers, coverage and limits align with your exposure, risk appetite and contracts

If these are not aligned, negotiate problem language in advance of renewal . . . and certainly before a cyber event occurs!

Thank You.
