NetDiligence ® Cyber Risk & Privacy Liability Forum October 8-9, 2014

The Basics of Cyber Insurance



Presented at NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.


Page 1: The Basics of Cyber Insurance

NetDiligence®

Cyber Risk & Privacy Liability Forum, October 8-9, 2014

Page 2: The Basics of Cyber Insurance

Cyber Basics

Page 3: The Basics of Cyber Insurance

Speakers

Robert Hammesfahr, HWR Consulting (moderator)

Robert Parisi, Marsh USA

Kevin Baughn, Safehold Special Risk

Michael D. Handler, Cozen O’Connor

John Wurzler, OneBeacon Technology Insurance

Page 4: The Basics of Cyber Insurance

What are Cyber Risks?

Any organization that (1) uses technology in its operations and/or (2) handles, collects or stores confidential information has Cyber Risk.

• Legal liability to others for computer security breaches

• Legal liability to others for privacy breaches of confidential information

• Regulatory actions, fines and scrutiny

• Loss or damage to data / information

• Loss of revenue due to a computer attack

• Extra expense to recover / respond to a computer attack

• Loss or damage to reputation

• Cyber-extortion

• Cyber-terrorism

Page 5: The Basics of Cyber Insurance

Cyber Coverage Overview

• Network Security Liability: liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party’s electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems

• Privacy Liability: liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.

• Regulatory Investigation Defense: coverage for legal expenses associated with representation in connection with a regulatory investigation, including indemnification of fines & penalties where insurable.

• Event Response and Crisis Management Expenses: expenses incurred in responding to a data breach event, including retaining a forensic investigator, crisis management firm and law firm. Includes expenses to comply with privacy regulations, such as communication to impacted individuals and appropriate remedial offerings like credit monitoring or identity theft insurance.

• Cyber Extortion: ransom and/or investigative expenses associated with a threat directed at you that would cause an otherwise covered event or loss

• Network Business Interruption: reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption.

• Data Asset Protection: recovery of costs and expenses you incur to restore, recreate, or recollect your data & other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

Page 6: The Basics of Cyber Insurance

The Cyber Insurance Market

Market capacity:

• Over 50 markets selling or participating in cyber insurance

• Over $600M deployable capacity; largest placements still in the $200M range

Appetite & approach: different for each insurer and varies by:

• Size: revenue, record count, transaction volume

• Industry: Healthcare, Retail, Finance, Higher Ed, etc.

• Jurisdiction: USA, Canada, Europe, Asia, etc.

Principal markets:

• For larger risks: AIG, Beazley, Zurich, Chubb, Safehold (representing certain Lloyd’s Syndicates)

• For SME, key markets: capacity is plentiful – One Beacon, Philadelphia, etc.

Market size:

• Estimates vary between $750M & $1B GWP 2013

Page 7: The Basics of Cyber Insurance

Privacy Has Emerged

Global reliance on real-time data has created a greater need for real-time, innovative solutions.

Privacy is a heightened and evolving exposure.

Page 8: The Basics of Cyber Insurance

Privacy – Today the Need has Changed

1. Failing to protect: Personally Identifiable Information (PII) of employees, customers or Service Providers; or Personal Health Information of customers, members, employees

2. Worldwide regulatory changes occurring: Federal, State, Sovereign, Local Governmental Agencies

3. Reliance on Service Providers: Hosting, Cloud, IT, HR, Archiving

4. Financial Institutions are suing for the cost to reissue credit cards

5. Business Interruption and Systems Failure

6. Global Threat Environment – hostile State-sponsored terrorism threats

7. Malware is influencing the threat environment and includes.

Page 9: The Basics of Cyber Insurance

Privacy Regulation Milestones

© 2014 OneBeacon Technology Insurance Group

500 million records disclosed since 2005 – represents a sampling (www.privacyrights.org/data-breach)

47 States plus DC have consumer data protection laws; HIPAA, HiTech; Congress to pass Fed Law? (Oct 2014)

Obama Executive Order 13636 – Improving Critical Infrastructure in Cybersecurity – February 2013; results in S. bill 1638, the Cybersecurity Public Awareness Act of 2013 (November 5)

California S.B. 1386, Personal Information, Privacy, July 1, 2003. Considered by many to be the first Data Privacy Legislation.

Page 10: The Basics of Cyber Insurance

What Kind of Data?

1. Paper and Electronic

2. Personally identifiable information (employee, customer, Service Provider), or;

3. Personal Health Information (customers, members, employees)

4. Credit Card Numbers

5. Confidential 3rd party information

6. Merger/Acquisition target/plans

7. Financial Account Information

Page 11: The Basics of Cyber Insurance

Privacy Risk Management

Ask Privacy/IT professionals:

− Incident Response Plan (tested?)

− Service Provider Contracts / Insurance Requirements

  − Requirements

  − Evaluation

  − Selection

  − SLA Considerations

  − Contracting Parties (when your Service Provider farms out)

  − Location…Location…Location (Where is your data?)

Privacy Risk Assessment (sources, vulnerabilities, processes, perils)

Check Existing Insurance – Gap Analysis (GL, Prop, E&O, Crime, K&R)

New coverage terms must integrate:

− With Response Plans

− With Traditional Policies

Page 12: The Basics of Cyber Insurance

Insurance Coverages – First & Third, Nobody Out?

First Party Coverage

– Damage to digital assets

– Business interruption

– Extortion

– Privacy Breach Expenses

Third Party Coverage

– Privacy liability

– Network security liability

– Internet media liability

– Regulatory liability

– Contractual liability

Page 13: The Basics of Cyber Insurance

Recent Cyber Product Innovation

• Traditional Approach:

– Fines & Penalties: drop-down coverage through Bermuda as an Excess & DIC component of standard cyber capacity

– Business Interruption: System Outage/Technology Failure trigger expands beyond a cyber attack; Dependent Business Interruption trigger; Reputational trigger

– Catastrophic Approach: broad form coverage for accounts taking a catastrophic approach to risk transfer, i.e. taking a retention above $100M

• Non-Traditional Approach:

– Industrial Risks: coverage for property damage caused by technology failure of industrial components, i.e. industrial control systems

– P&C Excess-DIC: Excess/DIC coverage over traditional coverage lines (property, casualty, etc.) that picks up covered loss/damage otherwise excluded because caused by a cyber attack

Page 14: The Basics of Cyber Insurance

Types of First Party Losses

• Hardware or software malfunction/corruption

• Denial of service

• Loss of business

– Service downtime

– Abnormal turnover of customers

– Related to reputation / PR

• Data theft

• Loss of trust (customers, employees, shareholders)

• Brand damage

• Exposure of proprietary/sensitive data

• Breach expenses

• Forensic costs

Page 15: The Basics of Cyber Insurance

Issues With First Party Policies

• Named Perils – coverage would normally not be triggered by a cyber loss because it is not a named peril

• All Risk – requires “direct physical loss” to “covered property”

• Business Interruption – loss must be caused by a fortuitous event inflicting “physical injury to tangible property”

Page 16: The Basics of Cyber Insurance

Cyber Risk Policies

• First party policies often do not apply

– “direct physical loss or damage”

• “physical” = tangible … not electronic data

• Bodily Injury often requires damage or destruction of property

• Exclusions often apply

– Fidelity and commercial crime insurance may apply

• High costs

– $188/record, average of >28k records (Ponemon Institute Survey)

– $277/record when caused by malicious attacks (Ponemon Institute Survey)

– Just a sample; not catastrophic

• It will eventually happen

Page 17: The Basics of Cyber Insurance

Cyber Risk Policies

• Each data breach is different

• Prevention consultation

– Strong security decreases downstream costs

• Assistance with incident response plans

– Incident response plans save $42/record (Ponemon)

• Response consultation

– Consultants decrease costs and increase remediation effectiveness

– Consultants can save $13/record (Ponemon)

• Crisis management and public relations to mitigate fallout

Page 18: The Basics of Cyber Insurance

Causes of Data Breaches: Advanced Persistent Threats

• Internet Malware Infections

– Drive-by downloads

– Email attachments

– File sharing

– Pirated software

• Physical Malware Infections

– Infected USB memory sticks, CDs, and DVDs

– Infected applications

– Backdoored IT equipment

• External Exploitation

• Human Error

Page 19: The Basics of Cyber Insurance

SEC CF Disclosure: Cybersecurity Risk Factors

• Consistent with Regulation S-K Item 503(c), Risk Factors should include:

– A discussion of cybersecurity and cyber incidents if such issues are among the most significant factors that make an investment in the company speculative or risky.

• In deciding on disclosures, companies consider:

– The frequency and severity of prior cyber incidents

– The probability of, and qualitative and quantitative magnitude of, risk from future attacks

– Per Disclosure Guidance: adequacy of any preventative measures taken

• Type(s) of insurance purchased may be relevant to disclosures, depending in part on standards in the industry.

Page 20: The Basics of Cyber Insurance

SEC CF Disclosure: Cybersecurity

• Event Disclosure

• Management Discussion and Analysis

• Description of Business

• Legal Proceedings

• Financial Statement Disclosures

• Disclosure Controls and Procedures

• Form 8-K

Page 21: The Basics of Cyber Insurance

Case Update: Sony PlayStation February 2014 Ruling

• 60 underlying lawsuits involved in PlayStation cyberattack

• $2 Billion in losses after hackers stole personal information from millions of PlayStation users

– One of largest recorded data security breaches at the time

– Required shutdown of server for nearly a month

• Personal information included:

– Names, addresses, birthdates, credit card numbers, bank account information

• Large breach, but since eclipsed by more recent cyberattacks (e.g. Target, Xmas 2013 & JP Morgan Chase, Summer 2014).

Page 22: The Basics of Cyber Insurance

Case Update: Sony PlayStation Ruling

• Coverage B: “oral or written publication in any manner of material that violates a person’s right of privacy”

• Issue: whether Sony was required to commit the breach-causing act, or whether third parties’ acts suffice

• Court found Sony was not involved in the “publication” – declined to expand insurer’s liability by construing “in any manner” to include criminal hackers

• Provision could only be read to require the policyholder to perpetrate or commit the “publication” – could not be expanded to third parties

• Implications: otherwise reluctant policyholders encouraged to buy data breach coverage

• No automatic coverage for these types of large-scale response costs, or responding to third party litigation

Page 23: The Basics of Cyber Insurance

Data Breach Liability Exclusion ISO Form

• CG 21 06 05 14:

– Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception

• Excludes damages arising out of:

– (1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

– (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data

• Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in (1) or (2) above

• However, unless Paragraph (1) above applies, this exclusion does not apply to damages because of “bodily injury”

Page 24: The Basics of Cyber Insurance

Data Breach Liability Exclusion ISO Form

• As used in the exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment

• The exclusion does not apply to “personal and advertising injury”

– Arising out of any access to or disclosure of any person’s or organization’s confidential or personal information

– Exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, etc.

Page 25: The Basics of Cyber Insurance

Data Breach Liability Exclusion’s Impact

• As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors

• Managing data risk requires a collaborative effort to predict foreseeable losses and potential impacts, to meet today’s digital challenges

• Exclusion should ultimately reduce litigation on whether data breaches are covered by CGL policies, while providing needed protection and certainty for insurers and policyholders alike

Page 26: The Basics of Cyber Insurance

Speakers

MODERATOR: Robert Hammesfahr, HWR Consulting, [email protected]

John Wurzler, OneBeacon Technology Insurance, [email protected]

Kevin Baughn, Safehold Special Risk, [email protected]

Robert Parisi, Marsh USA, [email protected], 345 5924

Michael D. Handler, Cozen O’Connor, [email protected], (206) 808-7839