Chubb Specialty Insurance – ©2011 1 CyberSecurity by Chubb ® Insurance for Privacy Breaches Presented by Chubb Insurance Company of Canada June 2011

Upload: gregory-short

Post on 25-Dec-2015



CyberSecurity by Chubb®

Insurance for Privacy Breaches

Presented by

Chubb Insurance Company of Canada

June 2011


Presenters

Matthew Davies, Canadian Manager - Professional & Media Liability, Chubb Specialty Insurance – Canadian Zone

Kate Kristie, Underwriter – Chubb Pro and Executive Protection, Chubb Specialty Insurance – Toronto Branch


DISCLAIMER

The views, information and content expressed herein are those of the author and do not necessarily represent the views of any of the insurers of The Chubb Group of Insurance Companies. Chubb did not participate in and takes no position on the nature, quality or accuracy of such content. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel…


DISCLAIMER continued

In fact, as far as Chubb is concerned, we don’t even admit to employing Matthew Davies. The fact that Matthew Davies gets a pay cheque from Chubb 26 times a year or gets his expenses paid by us for appearing before you today is purely coincidental. Nothing to do with Chubb, never heard of the dude.

As for Kate, well….


Agenda

– Exposures faced by Insureds

– Privacy Law in Canada and Abroad

– Insurance Coverage

– CyberSecurity by Chubb

– Target Classes of Business

– Underwriting Requirements


EXTRA, EXTRA – READ ALL ABOUT IT!

“Privacy czar to investigate Epsilon email breach” Australian IT 7 Apr 2011

“Largest U.S. defence contractor thwarts ‘tenacious’ cyber attack” National Post 30 May 2011

“Major [Bay St] law firms fall victim to cyber attacks” Globe & Mail 6 April 2011

“Hacked PBS reports Tupac, Biggie alive” SC Magazine 30 May 2011

“Toronto Woman Sues Rogers after her affair is exposed” Toronto Star – 17 May 2010

“Sony finds security flaw in password reset website” Globe & Mail, 18 May 2011


Privacy Breaches Incur Real Costs

A 2009 survey of more than 600 Canadian IT security professionals by TELUS and the Rotman School of Management at U of T found that on average(1):

– IT security breaches – including viruses, intellectual property theft and abuse by employees – cost reporting organizations $834,149 in 2009, almost double the amount reported in 2008

– IT security breaches soared to 11.3 per reporting organization in 2009, compared to 3 each in 2008

– In 2008, ~17% of reporting organizations had “insider breaches” compared to 36% in 2009

(1) Globe & Mail 29 Sep 2009


Privacy Breaches Incur Real Expenses

A 2009 global survey of 133 organizations in 18 industry sectors shows the following comparison (2):

| Country | Avg Cost per Record | Avg Cost of a Breach |
|---|---|---|
| Australia | USD $114 | USD $1.83 mln |
| France | USD $119 | USD $2.53 mln |
| Germany | USD $177 | USD $3.44 mln |
| UK | USD $98 | USD $2.57 mln |
| US | USD $214(+) | USD $7.20 mln(+) |
| Avg of Above | USD $142 | USD $3.43 mln |

(2) 2009 Ponemon Institute / PGP Corporation Global Study

(+) Updated – March 2011


Cyber Crime(3) and (4)

Prior to May 2011, Canada usually ranked twelfth or thirteenth in the cyber crime landscape

Now, the top five countries found to be hosting servers engaged in cyber crime are the U.S., Canada, Egypt, Germany and the U.K.

Tens of thousands of servers in Canada host “phishing” expeditions

In 2010, the United States Secret Service arrested more than 1,200 suspects for cybercrime violations. These investigations involved over $500 million in actual fraud loss and prevented approximately $7 billion in additional losses.

(3) ITWorldCanada.com as at 5 May 2011

(4) Verizon Data Breach Study Investigations Report April 2011 page 7


The Threat(4)

According to IBM:

– More than 4.7 trillion security events in 2010 (or about 150,000 every second)

– 8,000 new vulnerabilities that did not exist in 2009

– 44% of web application vulnerabilities had no corresponding patch by the end of 2010 to protect users

14% of Fortune 500 sites have many severe client-facing JavaScript issues that infect users with malware, viruses, hijacking of web sessions and spoofing of web content

“Phishing Attacks” - when a hacker masquerades as a trustworthy source, such as a bank, in order to steal sensitive user data - have been replaced by a more sophisticated version known as “Spear Phishing.”

(4) IBM Security Solutions X-Force 2010 Trend and Risk Report, March 2010


Causes of Breach(5)

(5) Ponemon Institute “Five Countries Cost of Data Breach” April 2010


Operation PODIUM – Vancouver 2010

Wanna hear a war story? Let me tell you about Op RACCOON


The Cost of a Lost Laptop(6)

Average value of a lost laptop is $49,246, based on 7 cost factors:

1. Replacement: hardware, software & allocated corporate overhead

2. Detection & Escalation: employee time spent trying to recover the laptop and reporting the incident

3. Forensics & Investigation: Hours of IT employee time to do analysis of what data has been exposed

4. Data Breach: per Record to notify

5. Lost IP: Un-encrypted data and estimate of its value to a competitor

6. Lost Productivity: downtime for the employee

7. Legal, Regulatory and Consulting Costs

(6) Ponemon Institute, “The Cost of a Lost Laptop” Apr 2009


Large Data Security Breaches of the past Decade

Heartland(7) – Malicious breach of 130mln debit and credit card records from Dec 07 through Oct 08. Exposure at $30 a card = $4bln.

TJX Companies – Malicious breach of over 100mln cards from Dec 02 to Jan 07. Exposure estimated to be $1bln. Settled with VISA in Nov 07 for $40.9mln, with MasterCard in May 08 for $24mln and various state actions in Jun 09 and Sep 09 for over $10mln.

Google and 20 other multinationals – Announced in Jan 10 that hackers in China breached e-mail accounts

Epsilon – April 2011: If you haven’t heard about this one, just Google “Epsilon Breach” and 2mln articles later…

Four Bay Street Law Firms – April 2011

Sony – May 2011: Need I say anything else?

Etc, etc, etc – we just can’t keep up…

(7) Advisen Apr 10


Social Media

Web 2.0 - interactive, dynamic, users become creators of the message through posts, collaboration, sharing and re-use of content

– Blogs and Micro-Blogs: Twitter

– File-Sharing: YouTube

– Collaborative sites: Wikipedia, Wikileaks, Ancestry, Quirky

– Social Networking: Facebook, MySpace, LinkedIn

– Aggregation sites: Digg, Stumbleupon

– Virtual Worlds: Second Life


Social Media Exposures

Brand protection

– User Names

– User and Domain Name Squatting

– Trademarks

Virtual worlds

– Contracts, E-commerce, Consumer Protection, Privacy, Intellectual Property, Taxation, Family Law

Vicarious Liability

– Outsourcing

– Employment Practices

– Client confidentiality

– IT and Corporate Governance


Privacy Law in Canada and Abroad


Notification Laws for a Privacy Breach

US has led the way in implementing breach notification laws, mandating that organisations inform those individuals potentially affected by such a breach (notification laws now in place in 40 states and counting)

Many jurisdictions such as the European Union and Australia have tabled Bills or passed Acts legislating mandatory data breach disclosure

Other jurisdictions such as Canada and Japan have instituted voluntary guidelines. In Canada, the federal government released a proposed model in June 2008 to impose mandatory notification


Privacy Legislation in General

Depending on the jurisdiction in which a privacy breach occurs, there could be any number of requirements that should be met and/or must be met

Even if an Insured is only domiciled in Canada, they are subject to the privacy legislation, jurisprudence and remedies elsewhere if a plaintiff’s private information is breached in another jurisdiction

Every jurisdiction has its own approach to the standard of care and obligations to report when private information in your care, custody or control may have been or actually has been breached


Privacy Legislation - Canadian Perspective

FEDERAL LEGISLATION

– Personal Information Protection and Electronic Documents Act (PIPEDA)

– Privacy Act – applies to government institutions

PROVINCIAL LEGISLATION

– BC: Personal Information Protection Act (PIPA)

– Alberta: Personal Information Protection Act (PIPA)

– Quebec: An Act Respecting the Protection of Personal Information in the Private Sector (QPPIPS)

– Saskatchewan, Manitoba and Ontario: Health and Information Protection Act (HIPA), Personal Health Information Act (PHIA), Personal Health Information Protection Act (PHIPA)

– Other Provinces / Territories rely on PIPEDA


Bill 54 - Alberta

Alberta is leading the pack in obligations to notify customers of a breach of their privacy

Bill 54 amends Personal Information Protection Amendment Act (PIPA), received Royal Assent on November 26, 2009, has been proclaimed into force and effective May 1, 2010

Requirement to notify the Privacy Commissioner or individuals, as required by the Commissioner, about security breaches that place personal information at risk, and to inform individuals when services involving personal information are occurring outside of Canada.


Insurance Coverage


Exposures that Brokers need to explain to their clients

Insured has a fiduciary duty to protect third party private information that they hold

– Does the Insured hold, share, host or transmit client information?

– Theft of personal identification information (including employee information)?

– Breach of records that include private facts?

– Unauthorized access of a customer’s proprietary information entrusted to the Insured?

Obligations to notify third parties of security breach and monitor their credit records to mitigate loss

Cyber Threats, Extortion or Attacks against an Insured shutting down its Systems

Content published on an Insured’s website or in e-mail

– Defamation

– Infringement of third party’s intellectual property


Uncharted Territory

Cyberspace knows no boundaries – exposures are ahead of legislation / people’s knowledge levels

Insurance industry dilemma – how do we track losses that have an internet nexus?

If we aren’t discreetly tracking how new media losses are being paid, how can we measure the exposure?

Actuarially significant loss analysis

Cyber related losses – publicly reported damages

Privacy Breaches – hard costs don’t tell the whole story

New insurance products - Months to create, weeks to be out of date

Supply of cyber products (in one form or another) is ahead of buyer demand


So many coverages, so much confusion…

– Media and Internet Liability (content)

– Professional Liability (service)

– Electronics E&O Liability (software and hardware sold or licensed to others)

– D&O Liability (management)

– Employment Practices Liability (employment)

– Fiduciary Liability (pension plan administration)

– Crime (fidelity and fraud)

– General Liability (premises, products and completed operations, personal and advertising injury torts)

– Kidnap & Ransom (extortion payments)

– Cyber (liability and first party cyber activities)


Cyber Coverage

Kate Kristie


Cyber Liability – Features to look for

A stand alone liability policy with optional multiple first party expense coverages with individual sub-limits and retentions

Intended for Insureds that do transactions over the internet and/or store confidential customer information on their Systems

Flexibility to allow tailoring for individual clients

Claims made

Pay on behalf for liability coverage

First party expenses paid as incurred


Cyber Liability Coverage

Mandatory Liability Coverage

Insuring Clause (A) Cyber Liability

– Covers the Insured’s liabilities for “Injury” via: Conduit, Content, Disclosure, Impaired Access; or Reputational Injury

Does the coverage distinguish who causes the Injury?


Cyber Liability Triggers

Conduit Injury (B2B / B2C - System)

– Customers’ systems are affected by a Cyber-attack launched against the Insured’s System

– Example: Suit arises from a System security failure that causes a virus to be transmitted from the Insured to a third party’s System

Content Injury (B2B / B2C - IP Named Peril)

– Violation of a third party’s intellectual property rights via the Insured’s System

– Example: The Insured displays a logo on its website that violates someone else’s trademark


Cyber Liability Triggers

Disclosure Injury (B2C - Privacy)

– Individuals are affected by the unauthorized access of their private information held on the Insured’s system

– Example: Individual customers’ credit card data is stolen from the Insured’s System by a hacker

– Coverage enhancements available by Endorsement

Impaired Access Injury (B2B / B2C – Transactional Named Peril)

– Customers suffer damages because they can’t access the Insured’s system to conduct a transaction

– Example: A disgruntled employee Exceeds Authorized Access and Customers can’t transact business with the Insured in a timely fashion resulting in the Customer suffering a financial loss


Cyber Liability Triggers

Reputational Injury (B2B / B2C - Disparagement Named Peril)

– Third party is disparaged or has their privacy violated due to the Insured’s Cyber Activities

– Example: An employee makes a comment in a company e-mail that libels a customer


Cyber Liability Coverage – Optional Additional Insuring Clauses

Insuring Clause (B) Privacy Notification Expense

– Triggered by a Disclosure or Reputational Injury

– Reasonable and necessary cost of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record

Changing their account numbers, identity numbers and security codes

Providing them with credit monitoring or similar services to protect them against fraudulent use of their Record for a stipulated period of time

– Sub limited up to 25% of Insuring Clause (A), Separate Retention


Cyber Liability Coverage – Optional Additional Insuring Clauses

Insuring Clause (C)(1) Crisis Management

– Expenses incurred by the Insured to obtain independent advice from outside counsel, forensic investigators, public relations consultants or cost to conduct advertising or public relations activities

– Sub limited up to 25% of Insuring Clause (A), Separate Retention

Insuring Clause (C)(2) Reward Expense

– Monies paid to an Informant that leads to the arrest and conviction of persons who caused a loss

– Up to a flat Sub limit of $50K with a $1K Retention


Cyber Liability Coverage – Optional Additional Insuring Clauses

Insuring Clause (D) E-Business Interruption Expense and Extra Expense

– Pays Business Income and Extra Expense loss incurred during the Period of Recovery due to actual impairment or denial of Operations resulting from Fraudulent Access or Transmission

– Limits can match Insuring Clause (A), subject to a 24 hour waiting period and Separate Retention

– Period of Recovery – until Operations are restored or 60 days after Insured’s Services are restored


Cyber Liability Coverage – Optional Additional Insuring Clauses

Insuring Clause E and F are restricted to Financial Institution Insureds only

Insuring Clause (E) E-Theft Loss

– Loss resulting from an Insured having given credence to a transaction based on false Data introduced into the Insured’s System

– Limits can match Insuring Clause (A), Separate Retention

Insuring Clause (F) E-Communication Loss

– Loss resulting from a third party having relied upon a fraudulent Communication purporting to be made by an Insured (phishing) and for which the Insured is legally liable

– Limits can match Insuring Clause (A), Separate Retention

May be covered under a Crime Policy for non-FI Insureds


Cyber Liability Coverage – Optional Additional Insuring Clauses

Insuring Clause (G) E-Threat Expenses

– Funds or property surrendered by an Insured plus reasonable fees incurred to negotiate an extortion threat and loss of any extortion payment en route

– Limits can match Insuring Clause (A), Separate Retention

Insuring Clause (H) E-Vandalism Expenses

– Cost of blank media and labour to reproduce Data or replace Media following any alteration, damage, deletion or destruction of Insured’s Data

– Sub-Limited to 5% -10% of Insuring Clause (A), Separate Retention

Could a single incident trigger all Insuring Clauses?


Target Classes of Business and Underwriting Requirements


Green Classes

– Advertising

– Agriculture

– Consulting Firms

– Construction

– Mid-Sized Entertainment

– Mid-Sized Hospitality

– Mid-Sized Financial Institutions

– Human Resources

– Manufacturing

– Media

– Professional Services Firms

– Publishing

– Mid-Sized Retail

– Transportation

– Non Technology Products


Yellow Classes

– Energy

– Large Entertainment

– Large Hospitality

– Large Financial Institutions

– Pension Plans

– Not For Profit

– Unions

Yellow Classes will tend to spend less on IT security or will have an elevated importance in the operation of critical infrastructure


Red Classes

Tough Classes

– Educational Institutions

– Hospitals

– Healthcare Providers

– Large Retailers (>$100mln)

– Municipalities

– Payroll Processing

– Utilities

No Go

– 100% Virtual Business

– Credit Card Providers

– Data Aggregators

– Gaming

– ISP’s, Portals, Social Networking websites

– Start ups

– Technology (Refer to TIS)

Red Classes will have the greatest exposure to likelihood of Cyber-attack. The records they keep and the damage caused by a privacy loss are particularly sensitive


What do Underwriters need to know?

– Insurable interest

– Content

– Risk Management and Loss Control

– Transactions / e-commerce exposures

– Peripherals

– Privacy Breaches

– Threats and Extortion

– E-business interruption

– Underwriting influencers


Underwriting Requirements

All Insureds require an Application

Risk Matrix or Supplemental Questionnaire needed for:

– Red Class – Regardless of Limits sought

– Green Class and Yellow Class – Limits >$5mln

– Healthcare Accounts


Chubb’s Appetite

Green Classes

– Minimum premium of $5,000 for the first $1mln (Insuring Clauses A, B and C only) or $6,500 for all Insuring Clauses

Minimum Deductible

– $25,000

Capacity

– $10mln Aggregate for Primary or Excess

Rated on Revenue (For Financial Institutions – AUM)

Minimum premium for Yellow and Red Class business will be determined on a case-by-case basis

Target Insureds: Both existing and new clients to Chubb.

We can quote this as a stand-alone product or as part of a bundled approach if other lines are being considered too


Trends Influencing Buying Decisions

Open the newspaper – every day there is an example of a breach of privacy or an emerging concern about privacy

Exposure and Insureds’ awareness of it are increasing – it may vary depending on where a Customer’s privacy is breached

Legislation is continually evolving - Bill 54, Amendments to PIPEDA

Operations in US or revenue stream from US Sales

The Insured’s clients are adding contractual requirements for coverage to be carried by their service providers

Overcoming the objection of “do you have any idea how much I spend a year on IT Security – why would I spend money on this insurance too?”


Questions?

CyberSecurity by Chubb®