Lunch and Learn Series: “The Sky Is Falling!” (Maybe)—Insurance for Product Manufacturers
Wednesday, May 16, 2018 Noon–1 p.m.
1 General CLE credit
Cyber Risks
The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.
Copyright © 2018
Oregon State Bar
16037 SW Upper Boones Ferry Road
P.O. Box 231935
Tigard, OR 97281-1935
TABLE OF CONTENTS
Schedule (page v)
Faculty (page v)
Presentation Slides (page 1)
SCHEDULE
Presented by Chris Keefer, KEEFER, Portland.
11:30 Registration
Noon Cyber Risks
• Types of cyber events and exposures
• Cyber insurance coverages
• Varying coverage provisions across insurers
• Payment Card Industry Data Security Standards coverage
• Cyber terrorism
1:00 Adjourn
FACULTY
Chris Keefer, KEEFER, Portland. Mr. Keefer guides brands and product manufacturers through complex insurance and risk management scenarios. He has assisted manufacturers around the world in developing risk management strategies and has led the insurance program of a global medical device manufacturer. He has presented nationally on risk management and insurance issues. Mr. Keefer is a member of the Oregon Entrepreneur Network and is admitted to practice law in Oregon and Indiana.
“The Sky is Falling!” Insurance for Product Manufacturers
May 16, 2018
Part 3: Cybersecurity

Session 2 Recap
Business Interruption
• Covers lost income if something happens to your property
• Does not cover lost income if something happens to 3rd party property you depend on (so you’ll need Contingent BI coverage)
What are Dependent Properties?
• Contributing, manufacturing, recipient, leader properties

Session 2 Recap: Pitfalls
• Sub-limits
• Deductibles and exclusions
• Coverage territory
• Physical vs. non-physical damage
• Direct vs. indirect suppliers
• Named vs. unnamed suppliers
Retain coverage and risk counsel solely representing your interests

Cyber Attacks & Data Breaches
If your business keeps any type of electronic records of customers, clients, employees, trade secrets, or other confidential information, a cyber attack or data breach is a serious risk
Cyber attacks are on the rise:
In the first half of 2017, over 6 billion records were exposed through 2,227 publicly disclosed data breaches . . . already higher than the previous all-time high at the end of 2016.
The business sector accounted for 56.5% of the reported breaches . . . 93% of the total records exposed.
Source: SecurityIntelligence

Cyber Threats
• Ransomware/Malware
• Social Engineering
• Phishing
• Spear Phishing
• Denial of Service
• Identity Theft
• Insider Jobs

Cyber Security Laws
Companies are legally required to comply with data protection and breach notification standards, subject to penalties and fines
Corporate directors and officers have fiduciary obligations to safeguard electronic assets
• S-OX
• Gramm-Leach-Bliley Act
• PCI Data Security Standard
• HIPAA
• HITECH Act
• SEC Guidance
• FTC Act
• Fair Credit Reporting Act
• Executive Order 13636
• 48 states + DC, PR, Guam
• International (EU, Asia, South America, Middle East)

Data Breach Costs to Company
Per 2017 Ponemon Institute Study, average cost of data breach in U.S. is $7.35M
• Data breach response (avg. $1.56M)
  • Help desk activities
  • Inbound communications set-up
  • Regulatory reporting and interventions
  • Investigations
  • Remediation
  • Legal spend
  • Product discounts
  • Identity protection services
• Loss of customers (avg. $4.13M)
• Settlements of lawsuits by 3rd parties
• Direct losses (if access to financial accounts)

Cyber Attack + Business Interruption = Bottom Line

Small Business Exposure
According to Small Business Trends (smallbiztrends.com):
• 43% of cyber attacks target small businesses
• 60% of small companies go out of business within 6 months of a cyber attack
• 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective

Practice Good Cyber Hygiene . . .
• Keep inventory of hardware and software on the company network
• Develop process for software installation by end users (e.g., blocking installation w/out prior IT approval)
• Require employees to complete data security training (e.g., password management, identifying phishing efforts, which devices to connect to the network, bad websites, the company policy)
• Keep up-to-date with latest security patches and software
• Regularly backup data on system as well as the cloud
• Turn to industry-accepted secure configurations/standards like NIST and CIS Benchmark (define items like password length, encryption, port access, and multi-factor authentication)
• Limit number of users with admin privileges
• Develop and implement a Cyber Security Policy incorporating everything
• Develop and implement comprehensive incident response plan for responding to and managing effects of a security attack
• Have your process regularly audited internally, as well as by 3rd party auditors
Source: SentinelOne

. . . And Then Purchase Cyber Insurance
Just because you are practicing good hygiene doesn’t mean your risks go away
• Risks can be reduced, not eliminated
• A hacker still only needs to find one way into your system, while you are trying to block numerous entrances
Cyber insurance covers businesses in the event of a successful cyber attack or data breach

Typical Cyber Insurance Coverage
Covered items generally include:
• Forensics examination (including 3rd party security firm as well as coordination with law enforcement and FBI)
• Business losses (network downtime, business interruption, PR/crisis management)
• Notification to customers and credit monitoring
• Lawsuits against your business due to release of confidential information and IP
• Regulatory fines
• PCI DSS fines and assessments
• Costs of cyber extortion (e.g., ransomware)

Cyber Insurance is the “Wild West” of the Industry
There are 60+ cyber insurers, and the quality and scope of coverage can vary
There are numerous exclusions to coverage, and coverage may be vague and ambiguous
Some carriers are willing to negotiate provisions and exclusions to provide more customized coverage, while others are not
Legal and cyber landscape still evolving
It is extremely important for product manufacturers to know what is in their cyber policies and what options are available . . . especially if they are selling online DTC

Make Sure Limits and Sub-limits Match Exposure
Common sub-limits:
• Forensic costs
• Crisis management and PR
• Customer notification cost
• Regulatory fines
• PCI DSS fines and assessments
Sub-limits can vary among policies
Enlist your in-house or contracted IT professionals to help you understand the full extent of your cyber exposure . . .
. . . and then make sure your insurance aligns with this exposure!

Retro Date
Hackers may be on your system months (or years) before the breach is discovered
Cyber policies will exclude coverage occurring before the retroactive date set in the policy
• Hint: negotiate the earliest retro date possible

Varying Waiting Periods in Policies
Not all cyber policies provide immediate coverage
• Some require a 24-hour (and even up to 72-hour) wait before coverage kicks in
• Cyber Monday example
Understand the immediate impacts of a cyberattack or data breach to your company
• If the policy language does not match your exposure, work with the carrier to change

Varying Business Interruption Periods in Policies
Cyber policies provide different business interruption coverage periods
• Some require “reasonable” mitigation steps first be taken before coverage kicks in
Understand business interruption impacts of a cyberattack or data breach
• If the policy language does not match your exposure, work with carrier to change
Cyber contingent business interruption becoming available in some policies

PCI DSS Coverage
Payment Card Industry Data Security Standards
• Developed by Council consisting of Visa, MasterCard, American Express, Discover and JCB
If you sell products online direct-to-consumer, you may have PCI DSS exposure
Watch out for exclusions in your policy

Know Your Contracts
Indemnification provisions
• Cyber policies typically exclude 3rd party claims involving liabilities assumed under contract
• Discuss the possibility of coverage from your carrier for these contracts (hint, there will likely be additional premium)
• Otherwise consider push-back with your customer/client on this item
Also make sure you have purchased the minimum limits required in these contracts

Cyber Terrorism
Cyber policies cover cyberattacks
What if the cyberattack emanated from a foreign actor hostile to the U.S.?
• International terrorism exclusion could apply given definitions of “terrorism” and “international terrorism” in policies
• Understand your policy language and get clarification or endorsement if necessary
• WannaCry? (DPRK)

Beware Overlapping Provisions
Your cyber, property, and crime policies could potentially cover losses related to a cyberattack or data breach, especially if multiple carriers
A cyber event enlisting each of these policies could trigger the “other insurance” provisions of each policy
• “Any payment due under this policy is specifically excess of and will not contribute with any other valid and collectible insurance”
• Payment of claim will be delayed while carriers argue over who pays (and you may have to sue all)
• What if your cyber and property policies have differing business interruption waiting periods?
(Diagram: overlapping Cyber, Property, Crime and Other? policies)

Cyber Contingent Business Interruption
As the cyber and legal landscapes become more developed, there are more data points for insurers to underwrite more novel risks
What if your dependent property is hit with a cyberattack?
• Typical CBI provisions will not cover (not a physical damage or loss)
• Cyber insurance policies covering business interruption typically only cover attacks or breaches of the company’s own systems
Newer policies are available which may cover cyberattacks, data breaches and system failures at your dependent properties

Key Takeaways
Understand the full extent of your cyber exposure . . . ENLIST IT PROS!
Work with IT cross-functionally to develop robust SOPs for cyber hygiene, compliance, data back-up and employee training
Retain counsel to review your cyber insurance to make sure your insurance carriers, coverage and limits align with your exposure, risk appetite and contracts
If these are not aligned, negotiate problem language in advance of renewal . . . and certainly before a cyber event occurs!

Thank You.