Tamra Pawloski Jeff Miller

The views, information, and content expressed herein are those of the authors and do not necessarily represent the views of Chubb & Son.

This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided.

The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, a listener or reader should consult their own legal counsel.

Cyber Insurance: Having the Right Coverage Matters

Agenda

• What is Cyber Insurance, who needs it and why?
• What questions should you ask your broker?
• What are the Typical Breach Expenses?
• How should a Company respond to or report cyber incidents?
• How can a Company minimize its risk with its Supply Chain?

What is Cyber Insurance, who needs it and why?

• Sometimes called “Data Breach Insurance”.
• Who needs it: any company that collects, stores, and transmits some type of private information or uses computer systems.
• Not all Breaches are Hackers
  • 59% Negligence (Human Error, System Problems)
  • 41% Criminal Act
• Total average cost of a data breach is now $5.4 million, about $188 per person.
• Approx. cost $1,500 per $1M of coverage (depending on Carrier)

What is Cyber Insurance, who needs it and why?

Cyber-insurance policies will depend on a company's size and the industry in which it operates, how much data it has and what a company already does to secure it.

Coverage may include:

Data Breach/Privacy Crisis Management
• Private Information

Multimedia/Media
• Lost Laptop, Mobile Device

Extortion
• Insider Activity

Network Security
• Malware Online

What Questions should you ask about the Coverage?

What security controls can you put into place that will reduce the premium?

Will you have to undertake a security risk review of some sort?

What is expected of you to reduce or limit the risks?

The security/protection industry is changing very fast; how can the insurer ensure that your policy is current?

What Questions should you ask about the Coverage?

Do all portable media/computing devices need to be encrypted?

What about unencrypted media in the care or control of your third-party processors?

Are any and all court attendances to defend claims from others covered?

Are malicious acts by employees covered?

What Questions should you ask about the Coverage?

Will you have to provide evidence of compliance with existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?

Could you claim if you were not able to detect an intrusion until several months or years had elapsed, so that you are outside the period of the cover (as with the Red October malware, which was discovered after about five years)?

What are the Typical Breach Expenses?

Forensics
• IT Forensic Expert
• Legal Expenses
• Cost of Examination
• Cost to Remediate what is found

Notification
• Crafting, Printing, Mailing Letters ($2 per person)
• Call Centers

Public Relations
• Public Relations Firm / Press Releases
• Credit Monitoring ($30 or $40 per person)

Loss of Business
• Reputation
• Diversion of Personnel

How should a Company respond to or report cyber incidents?

• Have preventative measures
• Report the alleged crime to your law enforcement agency
• Engage an organization that specializes in cybercrime
• Contact your Insurance provider

3rd Party Data Breach Management

Sample types of breaches
• Personal Health Information
• Passwords
• Credit / debit cards, savings, checking, etc.
• Social Security Numbers

Services
• Notification Services (customers)
• Call Center Services (incident response website, enrollment services and bureau alerts)
• Credit Monitoring, account restoration, and remediation services

How can a Company minimize its risk with its Supply Chain?

• Your business – Cyber Insurance & breach management services
• Suppliers that are connected with your business network – Cyber Insurance
• Suppliers’ suppliers?

[Diagram: PII / PHI; Your Business, Your Supplier, Their Suppliers?]

How can a Company minimize its risk with its Supply Chain?

While natural disasters such as earthquakes, tsunamis and flooding have disrupted supply chains around the world, cyber attacks pose even greater risks as companies rely more on computers and the Internet to conduct their business.

How can a Company minimize its risk with its Supply Chain?

Companies should implement a supply chain risk management program to proactively address these exposures; such a program includes insurance requirements.

How can a Company minimize its risk with its Supply Chain?

Contract Language:

Insurance for Internet, e-commerce, cyber security, network risk and exposures relating thereto (“Cyber-Liability Insurance”) which includes coverage for (1) computer or network systems attacks, (2) denial or loss of service, (3) introduction, implantation, or spread of malicious software code, (4) unauthorized access and use of computer systems, and (5) privacy liability (meaning liability arising from the loss or disclosure of confidential information no matter how it occurs) with limits in an amount not less than $5,000,000 per occurrence and annual aggregate.

HOW READY ARE YOU????

Cyber-attacks typically target individual organizations or a well-defined group of organizations, but they have the potential to cripple a business sector, or even an entire country.