TRANSCRIPT
Managing Cyber Risk Through Insurance and Vendor Contracts
Dino Tsibouris (614) 360-3133 [email protected]
Tom Srail, SVP, FINEX NA – Cyber and E&O Team [email protected]
Mehmet Munur (614) 360-3101 [email protected]
Outline
1. Cyber risks
2. Costs relating to cyber risks
3. Use of insurance for cyber risks
4. Lawsuits relating to insurance policies
5. Strategies in obtaining coverage
6. Traditional v. Cyber Insurance
7. Vendors
8. Conclusion
Cyber Risks
• Hacking incidents
• Data breaches
• Privacy breaches
• Unauthorized access
• Social engineering
• Vandalism or defacement
• Cyber extortion
• Regulatory enforcement following incidents
Cyber Risks
• Privacy is a heightened and evolving exposure
• Reliance on vendors (cloud, IT, HR)
• Regulatory changes
• Underwriters are paying multi-million dollar losses
• Business interruption and systems failure
• Credit card related fines and lawsuits
• “Cyber” insurance has broadened to address these risks
“CYBER” INSURANCE TIMELINE
[Timeline figure, 1996 to 2012, with three tracks. Insurance History: cyber insurance introduced, broad privacy insurance, vendor coverage, corporate confidential information, notice costs covered, PCI fines and penalties, regulatory fines and penalties, systems failure. Regulatory/Industry History: HIPAA, GLB, SB1386, PCI, HITECH, SEC. Claims/Losses History: TJX, Heartland Payment Systems, Epsilon/Sony. The year-to-event alignment is not recoverable from the extraction.]
What is the Data?
What data do you collect/process?
• Personally Identifiable Information (PII): SSN, driver's license, etc.
• Payment Card Information (PCI): credit card, debit card numbers
• Protected Health Information (PHI)
• Personal or Sensitive Personal Data (EU)
Where is the Data?
• Where is it? Do you share it with third parties?
• How well is it protected?
• How long is it kept?
What is a Breach?
• Unauthorized disclosure
• Unauthorized acquisition
• Data compromised
Causes of a Data Breach
[Chart: Causes of a Data Breach. Categories: Hacked Systems; Malicious Insider or Code; Paper Records; Electronic Backup; Lost Laptop or Device; 3rd Party or Outsourcer. Values as extracted: 79, 9, 19, 21, 35; the assignment of values to categories is not recoverable.]
Costs of a Data Breach
DIRECT COSTS ($73 per record)
• Notification
• Call center
• Identity monitoring (credit/non-credit)
• Identity restoration
• Discovery / data forensics
• Loss of employee productivity
INDIRECT COSTS ($141 per record)
• Restitution
• Additional security and audit requirements
• Lawsuits
• Regulatory fines
• Loss of consumer confidence
• Loss of funding
Cost per record: $214 (2010), up $10 from 2009 ($73 direct + $141 indirect).
Source: Ponemon Institute
Costs of a Data Breach
• Notification: $1/individual
• Credit monitoring: $15-$50/individual
• Call centers, fraud alerts, database scanning, restoration services
• Civil, regulatory and possibly criminal defense
• Data privacy counsel can cost $1,000+ per hour
• Business interruption costs/data damage?
Rating for Potential Dangers Posed by Cyber Risks
[Chart, percent of respondents: Extremely Serious 13.1; Serious 43.2; Moderate 29.7; Mild 12.4; Very Mild 1.6]
Source: Advisen Cyber Risk Special Report
Considering Buying Coverage Next Year?
[Chart, percent of respondents: Yes 24.4; No 52; Don't Know 23.6]
Source: Advisen Cyber Risk Special Report
Heartland Payment Systems Breach
[Chart, in millions of dollars: Visa & Banks 59.3; MasterCard 41.4; American Express 3.5; Legal Fees and Costs 32.4; Discover 5]
Source: SEC
Security Incidents and Insurance Proceeds
[Bar chart, in millions of dollars, Total Cost vs. Covered by Insurance, for TJX, HPS, RSA, ChoicePoint and Epsilon. Values as extracted: 171.5, 147.1, 66.3, 38.3, 18.9, 31.2, 11; the per-company split between total cost and insurance proceeds is not recoverable from the extraction.]
Source: SEC
Creative Hospitality Ventures v. US Liability Insurance
• Restaurant gives customers receipts showing the full account number, in violation of FACTA.
• Class action lawsuit ensues.
• Restaurant seeks coverage under its CGL policy.
Creative Hospitality Ventures v. US Liability Insurance
• Policy limited to “personal and advertising injury.”
• Defined as any publication that invaded the right to privacy.
• Circuit court reversed the magistrate's holding that printing the receipt was a publication.
• Therefore, no coverage.
Auto-Owners Insurance v. Websolv
• Individual sues Websolv for sending unsolicited faxes in violation of the TCPA.
• Websolv seeks coverage under its CGL policy.
• Auto-Owners sued, arguing that it had no duty to defend under:
– Advertising Injury: publication and privacy.
– Property Damage: fax.
Auto-Owners Insurance v. Websolv
• Appeals court held that Iowa law, not Illinois law, applied and that the policy did not cover the injury.
• Appeals court held:
– Privacy interest v. seclusion interest.
– Publication v. secrecy.
– Damages expected v. intended.
• Concluded that there was no coverage.
Eyeblaster v. Federal Insurance
• Computer user sues Eyeblaster alleging injuries relating to its advertising software.
• Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.
• Federal denies coverage and brings this lawsuit.
Eyeblaster v. Federal Insurance
• CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”
• District court finds that there is no physical injury; therefore, no coverage.
• Appeals court finds that inability to use computer constitutes injury under the policy and reverses.
Zurich Insurance v. Sony
• Sony's online networks are attacked and passwords are compromised.
• Sony shuts down PSN for weeks.
• Sony offers fraud monitoring.
• Sony offers discounted games in apology.
• Sony is sued in tens of class action lawsuits.
• Zurich sues Sony for declaratory judgment.
Zurich Insurance v. Sony
• Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd's, Chartis, and others.
• Zurich's position is that its policies cover only:
– Bodily injury,
– Property damage, and
– Personal and advertising injury.
• Litigation ongoing.
Common Issues
• Interpretation of undefined terms is crucial to coverage.
• Interpretation varies depending on trial court, appeals court, and state law.
• Litigating an insurance policy consumes time and resources.
Common Issues
• Data may not be tangible personal property.
• Publication may not have occurred.
• Privacy rights may not have been breached.
Common Issues
• A CGL policy covers specific risks.
• Cyber risks may not be covered.
• Coverage varies widely among policies.
Traditional Insurance Gaps
• Theft or disclosure of third party information (GL)
• Security and privacy: “Intentional Act” exclusions (GL)
• Data is not “tangible property” (GL, Prop, Crime)
• Bodily Injury and Property Damage triggers (GL)
• Value of data if corrupted, destroyed, or disclosed (Prop, GL)
Traditional Insurance Gaps
• Contingent risks (from external hosting, etc.)
• Commercial Crime policies require intent and only cover money, securities and tangible property.
• Territorial restrictions
• Sublimit or long waiting period applicable to any virus coverage available (Prop)
Preparation is Key
• Policy must be part of an Enterprise Risk Management program
• Utilize privacy, security, and legal:
– Policies
– Procedures
– Controls
• Understand probability and magnitude of risk
• Audit products and services
Preparation is Key
• Ask your privacy / IT professionals:
– Incident Response Plan (tested?)
– Vendor contracts / insurance requirements
• Privacy risk assessment
• Check existing insurance gap analysis
• New coverage terms must integrate with:
– Response plans
– Traditional policies
Cyber Risk Coverage
• Data breach
• Governmental civil actions
• Virus liability
• Content liability
• Extortion
• Lost data
Privacy & Network Coverages
Expense (Loss Mitigation) Coverage
• Data breach expenses:
– Consumer notification and credit monitoring service costs (sub-limit)
– Forensics/investigations
– Public relations/crisis management expenses
Privacy & Network Coverages
Liability Coverage
• Privacy liability
• Network security liability
• Media, IP and content liability
Privacy & Network Coverages
Direct (First Party) Coverage
• Revenue loss (interruption to income due to systems outage)
• Data reconstruction
Limits and Exclusions
• Must the insured notify you right away?
• Indemnification for losses or claims, too?
• Who chooses the lawyer to defend a lawsuit?
• Are there preferred vendors?
• Limitation of liability: dollar amount?
Vendor Contracts
• Breaches may occur at a vendor.
• Contract clauses and limitations should harmonize with insurance clauses.
• Damage limits should factor in policy limits.
• Notify if a breach may have occurred.
• Should they tender your defense?
• You are liable, but they can help.
Vendor Contracts
IT/Software Companies
• Request Tech E&O, plus Privacy/Network coverage
• Some Tech E&O policies have security/privacy exclusions
• A breach could occur without a “wrongful act” being committed
Vendor Contracts
Business Services: Payroll, Auditors, Counsel
• Request appropriate E&O coverage
• Request Privacy/Network coverage
Credit Card Processors/Acquiring Banks
• Request Privacy/Network coverage (gaps in Bond or Professional Liability coverage)
Vendor Contracts
Other vendors that transport, touch, or interact with your systems or sensitive information
• Request Privacy/Network coverage
Upcoming Issues
• Revisions to the EU Data Protection Directive that propose fines of up to 2% of a company's annual turnover
• Federal data breach notification in the U.S.
• FTC Final Privacy Report and Privacy by Design
• Department of Commerce multi-stakeholder enforceable codes of conduct process
Questions