TRANSCRIPT
Chubb Specialty Insurance – ©2011 1
CyberSecurity by Chubb®
Insurance for Privacy Breaches
Presented by
Chubb Insurance Company of Canada
June 2011
Presenters
Matthew Davies, Canadian Manager - Professional & Media Liability, Chubb Specialty Insurance – Canadian Zone
Kate Kristie, Underwriter – Chubb Pro and Executive Protection, Chubb Specialty Insurance – Toronto Branch
DISCLAIMER
The views, information and content expressed herein are those of the author and do not necessarily represent the views of any of the insurers of The Chubb Group of Insurance Companies. Chubb did not participate in and takes no position on the nature, quality or accuracy of such content. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel…
DISCLAIMER continued
In fact, as far as Chubb is concerned, we don’t even admit to employing Matthew Davies. The fact that Matthew Davies gets a pay cheque from Chubb 26 times a year or gets his expenses paid by us for appearing before you today is purely coincidental. Nothing to do with Chubb, never heard of the dude.
As for Kate, well….
Agenda
Exposures faced by Insureds
Privacy Law in Canada and Abroad
Insurance Coverage
CyberSecurity by Chubb
Target Classes of Business
Underwriting Requirements
EXTRA, EXTRA – READ ALL ABOUT IT!
“Privacy czar to investigate Epsilon email breach” Australian IT, 7 Apr 2011
“Largest U.S. defence contractor thwarts ‘tenacious’ cyber attack” National Post, 30 May 2011
“Major [Bay St] law firms fall victim to cyber attacks” Globe & Mail, 6 April 2011
“Hacked PBS reports Tupac, Biggie alive” SC Magazine, 30 May 2011
“Toronto Woman Sues Rogers after her affair is exposed” Toronto Star, 17 May 2010
“Sony finds security flaw in password reset website” Globe & Mail, 18 May 2011
Privacy Breaches Incur Real Costs
A 2009 survey of more than 600 Canadian IT security professionals by TELUS and the Rotman School of Management at U of T found that on average(1):
– IT security breaches – including viruses, intellectual property theft and abuse by employees – cost reporting organizations $834,149 in 2009, almost double the amount reported in 2008
– IT security breaches soared to 11.3 per reporting organization in 2009, compared to 3 each in 2008
– In 2008, ~17% of reporting organizations had “insider breaches” compared to 36% in 2009
(1) Globe & Mail 29 Sep 2009
Privacy Breaches Incur Real Expenses
A 2009 global survey of 133 organizations in 18 industry sectors shows the following comparison (2):
(2) 2009 Ponemon Institute / PGP Corporation Global Study(+) Updated – March 2011
Country        Avg Cost per Record   Avg Cost of a Breach
Australia      USD $114              USD $1.83 mln
France         USD $119              USD $2.53 mln
Germany        USD $177              USD $3.44 mln
UK             USD $98               USD $2.57 mln
US             USD $214(+)           USD $7.20 mln(+)
Avg of Above   USD $142              USD $3.43 mln
(The “Avg of Above” row is computed on the original 2009 figures and does not reflect the March 2011 (+) updates to the US numbers; with the updated US figures the averages would be about USD $144 and USD $3.51 mln.)
Cyber Crime(3) and (4)
Prior to May 2011, Canada usually ranked twelfth or thirteenth in the cyber crime landscape
Now the top five countries found to be hosting servers engaged in cyber crime are the U.S., Canada, Egypt, Germany and the U.K.
Tens of thousands of servers in Canada host “phishing” expeditions
In 2010, the United States Secret Service arrested more than 1,200 suspects for cybercrime violations. These investigations involved over $500 million in actual fraud loss and prevented approximately $7 billion in additional losses.
(3) ITWorldCanada.com as at 5 May 2011
(4) Verizon Data Breach Investigations Report, April 2011, page 7
The Threat(4)
According to IBM:
– More than 4.7 trillion security events in 2010 (or about 150,000 every second)
– 8,000 new vulnerabilities that did not exist in 2009
– 44% of web application vulnerabilities had no corresponding patch by the end of 2010 to protect users
– 14% of Fortune 500 sites have many severe client-facing JavaScript issues that infect users with malware and viruses, hijack web sessions and spoof web content
“Phishing attacks”, in which a hacker masquerades as a trustworthy source, such as a bank, in order to steal sensitive user data, have been replaced by a more sophisticated version known as “spear phishing.”
(4) IBM Security Solutions X-Force 2010 Trend and Risk Report, March 2010
Causes of Breach(5)
(5) Ponemon Institute “Five Countries Cost of Data Breach” April 2010
Operation PODIUM – Vancouver 2010
Wanna hear a war story? Let me tell you about Op RACCOON
The Cost of a Lost Laptop(6)
Average value of a lost laptop is $49,246, based on seven cost factors:
1. Replacement: hardware, software and allocated corporate overhead
2. Detection and escalation: employee time spent trying to recover the laptop and reporting the incident
3. Forensics and investigation: hours of IT employee time to analyse what data has been exposed
4. Data breach: per-record cost to notify
5. Lost IP: unencrypted data and an estimate of its value to a competitor
6. Lost productivity: downtime for the employee
7. Legal, regulatory and consulting costs
(6) Ponemon Institute, “The Cost of a Lost Laptop” Apr 2009
Large Data Security Breaches of the past Decade
Heartland(7) – Malicious breach of 130mln debit and credit card records from Dec 07 through Oct 08. Exposure at $30 a card ≈ $4bln.
TJX Companies – Malicious breach of over 100mln cards from Dec 02 to Jan 07. Exposure estimated to be $1bln. Settled with VISA in Nov 07 for $40.9mln, with MasterCard in May 08 for $24mln and various state actions in Jun 09 and Sep 09 for over $10mln.
Google and 20 other multinationals – Announced in Jan 10 that hackers in China breached e-mail accounts
Epsilon – April 2011 If you haven’t heard about this one, just Google “Epsilon Breach” and 2mln articles later…
Four Bay Street Law Firms – April 2011 Sony – May 2011: Need I say anything else? Etc, etc, etc – we just can’t keep up…
(7) Advisen Apr 10
Social Media
Web 2.0 - interactive, dynamic, users become creators of the message through posts, collaboration, sharing and re-use of content
– Blogs and micro-blogs: Twitter
– File-sharing: YouTube
– Collaborative sites: Wikipedia, Wikileaks, Ancestry, Quirky
– Social networking: Facebook, MySpace, LinkedIn
– Aggregation sites: Digg, StumbleUpon
– Virtual worlds: Second Life
Social Media Exposures
Brand protection
– User names
– User and domain name squatting
– Trademarks
Virtual worlds
– Contracts, e-commerce, consumer protection, privacy, intellectual property, taxation, family law
Vicarious liability
– Outsourcing
– Employment practices
– Client confidentiality
– IT and corporate governance
Privacy Law in Canada and Abroad
Notification Laws for a Privacy Breach
US has led the way in implementing breach notification laws, mandating that organisations inform those individuals potentially affected by such a breach (notification laws now in place in 40 states and counting)
Many jurisdictions such as the European Union and Australia have tabled Bills or passed Acts legislating mandatory data breach disclosure
Other jurisdictions such as Canada and Japan have instituted voluntary guidelines. In Canada, the federal government released a proposed model in June 2008 to impose mandatory notification
Privacy Legislation in General
Depending on the jurisdiction in which a privacy breach occurs, there could be any number of requirements that should be met and/or must be met
Even if an Insured is only domiciled in Canada, they are subject to the privacy legislation, jurisprudence and remedies elsewhere if a plaintiff’s private information is breached in another jurisdiction
Every jurisdiction has its own approach to the standard of care and obligations to report when private information in your care, custody or control may have been or actually has been breached
Privacy Legislation - Canadian Perspective
FEDERAL LEGISLATION
– Personal Information Protection and Electronic Documents Act (PIPEDA)
– Privacy Act – applies to government institutions
PROVINCIAL LEGISLATION
– BC: Personal Information Protection Act (PIPA)
– Alberta: Personal Information Protection Act (PIPA)
– Quebec: An Act Respecting the Protection of Personal Information in the Private Sector (QPPIPS)
– Saskatchewan: Health Information Protection Act (HIPA)
– Manitoba: Personal Health Information Act (PHIA)
– Ontario: Personal Health Information Protection Act (PHIPA)
– Other provinces / territories rely on PIPEDA
Bill 54 - Alberta
Alberta is leading the pack in obligations to notify customers of a breach of their privacy
Bill 54, the Personal Information Protection Amendment Act, 2009, amends Alberta’s Personal Information Protection Act (PIPA). It received Royal Assent on November 26, 2009 and was proclaimed into force effective May 1, 2010.
Requirement to notify the Privacy Commissioner of security breaches that place personal information at risk, and to notify the affected individuals where the Commissioner requires it; also a requirement to inform individuals when services involving their personal information are performed outside of Canada.
Insurance Coverage
Exposures that Brokers need to explain to their clients
Insured has a fiduciary duty to protect third party private information that they hold
– Does the Insured hold, share, host or transmit client information?
– Theft of personal identification information (including employee information)?
– Breach of records that include private facts?
– Unauthorized access of a customer’s proprietary information entrusted to the Insured?
Obligations to notify third parties of a security breach and monitor their credit records to mitigate loss
Cyber threats, extortion or attacks against an Insured shutting down its Systems
Content published on an Insured’s website or in e-mail
– Defamation
– Infringement of a third party’s intellectual property
Uncharted Territory
Cyberspace knows no boundaries – exposures are ahead of legislation / people’s knowledge levels
Insurance industry dilemma – how do we track losses that have an internet nexus?
If we aren’t discreetly tracking how new media losses are being paid, how can we measure the exposure?
– Actuarially significant loss analysis
– Cyber related losses – publicly reported damages
– Privacy breaches – hard costs don’t tell the whole story
New insurance products - months to create, weeks to be out of date
Supply of cyber products (in one form or another) is ahead of buyer demand
So many coverages, so much confusion…
Media and Internet Liability (content)
Professional Liability (service)
Electronics E&O Liability (software and hardware sold or licensed to others)
D&O Liability (management)
Employment Practices Liability (employment)
Fiduciary Liability (pension plan administration)
Crime (fidelity and fraud)
General Liability (premises, products and completed operations, personal and advertising injury torts)
Kidnap & Ransom (extortion payments)
Cyber (liability and first party cyber activities)
Cyber Coverage
Kate Kristie
Cyber Liability – Features to look for
A stand-alone liability policy with optional multiple first-party expense coverages, each with individual sub-limits and retentions
Intended for Insureds that do transactions over the internet and/or store confidential customer information on their Systems
Flexibility to allow tailoring for individual clients
Claims made; pay on behalf for liability coverage; first-party expenses paid as incurred
Cyber Liability Coverage
Mandatory Liability Coverage: Insuring Clause (A) Cyber Liability
– Covers the Insured’s liabilities for “Injury” via: Conduit, Content, Disclosure, Impaired Access or Reputational Injury
Does the coverage distinguish who causes the Injury?
Cyber Liability Triggers
Conduit Injury (B2B / B2C - System)
– Customers’ systems are affected by a cyber-attack launched against the Insured’s System
– Example: Suit arises from a System security failure that causes a virus to be transmitted from the Insured to a third party’s System
Content Injury (B2B / B2C - IP Named Peril)
– Violation of a third party’s intellectual property rights via the Insured’s System
– Example: The Insured displays a logo on its website that violates someone else’s trademark
Cyber Liability Triggers
Disclosure Injury (B2C - Privacy)
– Individuals are affected by the unauthorized access of their private information held on the Insured’s System
– Example: Individual customers’ credit card data is stolen from the Insured’s System by a hacker
– Coverage enhancements available by Endorsement
Impaired Access Injury (B2B / B2C – Transactional Named Peril)
– Customers suffer damages because they can’t access the Insured’s System to conduct a transaction
– Example: A disgruntled employee exceeds authorized access and customers can’t transact business with the Insured in a timely fashion, resulting in the customers suffering a financial loss
Cyber Liability Triggers
Reputational Injury (B2B / B2C - Disparagement Named Peril)
– Third party is disparaged or has their privacy violated due to the Insured’s Cyber Activities
– Example: An employee makes a comment in a company e-mail that libels a customer
Cyber Liability Coverage – Optional Additional Insuring Clauses
Insuring Clause (B) Privacy Notification Expense
– Triggered by a Disclosure or Reputational Injury
– Reasonable and necessary cost of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, including:
  Changing their account numbers, identity numbers and security codes
  Providing them with credit monitoring or similar services to protect them against fraudulent use of their Record for a stipulated period of time
– Sub-limited up to 25% of Insuring Clause (A), separate Retention
Cyber Liability Coverage – Optional Additional Insuring Clauses
Insuring Clause (C)(1) Crisis Management
– Expenses incurred by the Insured to obtain independent advice from outside counsel, forensic investigators or public relations consultants, or the cost to conduct advertising or public relations activities
– Sub-limited up to 25% of Insuring Clause (A), separate Retention
Insuring Clause (C)(2) Reward Expense
– Monies paid to an Informant that leads to the arrest and conviction of persons who caused a loss
– Up to a flat sub-limit of $50K with a $1K Retention
Cyber Liability Coverage – Optional Additional Insuring Clauses
Insuring Clause (D) E-Business Interruption Expense and Extra Expense
– Pays Business Income and Extra Expense loss incurred during the Period of Recovery due to actual impairment or denial of Operations resulting from Fraudulent Access or Transmission
– Limits can match Insuring Clause (A), subject to a 24 hour waiting period and Separate Retention
– Period of Recovery – until Operations are restored or 60 days after Insured’s Services are restored
Cyber Liability Coverage – Optional Additional Insuring Clauses
Insuring Clauses E and F are restricted to Financial Institution Insureds only
Insuring Clause (E) E-Theft Loss
– Loss resulting from an Insured having given credence to a transaction based on false Data introduced into the Insured’s System
– Limits can match Insuring Clause (A), separate Retention
Insuring Clause (F) E-Communication Loss
– Loss resulting from a third party having relied upon a fraudulent Communication purporting to be made by an Insured (phishing) and for which the Insured is legally liable
– Limits can match Insuring Clause (A), separate Retention
May be covered under a Crime Policy for non-FI Insureds
Cyber Liability Coverage – Optional Additional Insuring Clauses
Insuring Clause (G) E-Threat Expenses
– Funds or property surrendered by an Insured plus reasonable fees incurred to negotiate an extortion threat, and loss of any extortion payment en route
– Limits can match Insuring Clause (A), separate Retention
Insuring Clause (H) E-Vandalism Expenses
– Cost of blank media and labour to reproduce Data or replace Media following any alteration, damage, deletion or destruction of the Insured’s Data
– Sub-limited to 5%-10% of Insuring Clause (A), separate Retention
Could a single incident trigger all Insuring Clauses?
Target Classes of Business and Underwriting Requirements
Green Classes
Advertising
Agriculture
Consulting Firms
Construction
Mid-Sized Entertainment
Mid-Sized Hospitality
Mid-Sized Financial Institutions
Human Resources
Manufacturing
Media
Professional Services Firms
Publishing
Mid-Sized Retail
Transportation
Non-Technology Products
Yellow Classes
Energy
Large Entertainment
Large Hospitality
Large Financial Institutions
Pension Plans
Not For Profit
Unions
Yellow Classes will tend to spend less on IT security or will have an elevated importance in the operation of critical infrastructure
Red Classes
Tough Classes: Educational Institutions, Hospitals, Healthcare Providers, Large Retailers (>$100mln), Municipalities, Payroll Processing, Utilities
No Go: 100% Virtual Business, Credit Card Providers, Data Aggregators, Gaming, ISPs, Portals, Social Networking websites, Start-ups, Technology (refer to TIS)
Red Classes have the greatest exposure to the likelihood of cyber-attack. The records they keep and the damage caused by a privacy loss are particularly sensitive
What do Underwriters need to know?
Insurable interest
Content
Risk Management and Loss Control
Transactions / e-commerce exposures
Peripherals
Privacy Breaches
Threats and Extortion
E-business interruption
Underwriting influencers
Underwriting Requirements
All Insureds require an Application
Risk Matrix or Supplemental Questionnaire needed for:
– Red Class – regardless of Limits sought
– Green Class and Yellow Class – Limits >$5mln
– Healthcare Accounts
Chubb’s Appetite
Green Classes
– Minimum premium of $5,000 for the first $1mln (Insuring Clauses A, B and C only) or $6,500 for all Insuring Clauses
Minimum Deductible
– $25,000
Capacity
– $10mln Aggregate for Primary or Excess
Rated on Revenue (for Financial Institutions – AUM)
Minimum premium for Yellow and Red Class business will be determined on a case-by-case basis
Target Insureds: both existing and new clients to Chubb. We can quote this as a stand-alone product or as part of a bundled approach if other lines are being considered too
Trends Influencing Buying Decisions
Open the newspaper – every day there is an example of a breach of privacy or an emerging concern about privacy
Exposure and Insureds’ awareness of it are increasing – it may vary depending on where a Customer’s privacy is breached
Legislation is continually evolving - Bill 54, amendments to PIPEDA
Operations in the US or revenue stream from US sales
The Insured’s clients are adding contractual requirements for coverage to be carried by their service providers
Overcoming the objection of “do you have any idea how much I spend a year on IT security – why would I spend money on this insurance too?”
Questions?
CyberSecurity by Chubb®