Managing Cyber Risk Through Insurance and Vendor Contracts
PowerPoint presentation transcript (41 slides, uploaded by zubeda)


Dino Tsibouris (614) 360-3133 [email protected]

Tom Srail, SVP, FINEX NA – Cyber and E&O Team [email protected]

Mehmet Munur (614) 360-3101 [email protected]


Outline

  • Cyber risks

  • Costs relating to cyber risks

  • Use of insurance for cyber risks

  • Lawsuits relating to insurance policies

  • Strategies in obtaining coverage

  • Traditional v. Cyber Insurance

  • Vendors

  • Conclusion


Cyber Risks

  • Hacking incidents

  • Data breaches

  • Privacy breaches

  • Unauthorized access

  • Social engineering

  • Vandalism or defacement

  • Cyber extortion

  • Regulatory enforcement following incidents


Cyber Risks

  • Privacy is a heightened & evolving exposure

  • Reliance on Vendors (Cloud, IT, HR)

  • Regulatory Changes

  • Underwriters are paying multi-million dollar losses

  • Business Interruption and Systems Failure

  • Credit card-related fines and lawsuits

  • “Cyber” Insurance has broadened to address these risks


“CYBER” INSURANCE TIMELINE

Timeline slide (figure); the recoverable content is listed below by track. The axis runs from 1996 to 2012 in two-year steps.

  • Insurance History: Cyber Insurance Introduced; Notice Costs Covered; Broad Privacy Ins., Vendor Coverage, Corp Confidential Info; PCI Fines & Penalties; Systems Failure; Reg. Fines & Penalties

  • Regulatory/Industry History: HIPAA, GLB, SB1386, PCI, HITECH, SEC

  • Claims/Losses History: Epsilon/Sony, CardSystems, TJX, Heartland


What is the Data?

What Data do you collect/process?

  • Personally Identifiable Information (PII): SSN, Driver's License, etc.

  • Payment Card Information (PCI): Credit Card, Debit Card Numbers

  • Protected Health Information (PHI)

  • Personal or Sensitive Personal Data (EU)


Where is the Data?

Where is it? Do you share with third parties?

  • How well is it protected?

  • How long is it kept?

What is a Breach?

  • Unauthorized disclosure

  • Unauthorized acquisition

  • Data compromised


Costs of a Data Breach

  • DIRECT COSTS

    • Notification

    • Call Center

    • Identity Monitoring (credit/non-credit)

    • Identity Restoration

    • Discovery / Data Forensics

    • Loss of Employee Productivity

  • INDIRECT COSTS

    • Restitution

    • Additional Security and Audit Requirements

    • Lawsuits

    • Regulatory Fines

    • Loss of Consumer Confidence

    • Loss of Funding

Cost per record (Source: Ponemon Institute): $214 (2010), up $10 from 2009. The chart on the slide breaks this into $73 and $141, which sum to the $214 total.


Costs of a Data Breach

  • Notification: $1/individual

  • Credit monitoring: $15-$50/individual

  • Call Centers, Fraud Alerts, Database Scanning, Restoration Services

  • Civil, regulatory and possibly criminal defense

  • Data Privacy counsel can cost $1,000+ per hour.

  • Business Interruption Costs/Data Damage?




Security Incidents and Insurance Proceeds

Chart: security incidents and insurance proceeds, in millions of dollars (Source: SEC).


Creative Hospitality Ventures v. US Liability Insurance

  • Restaurant gives customers receipts showing full account number in violation of FACTA.

  • Class action lawsuit ensues.

  • Restaurant seeks coverage under CGL policy.


Creative Hospitality Ventures v. US Liability Insurance

  • Policy limited to “personal and advertising injury.”

  • Defined as any publication that invaded the right to privacy.

  • Circuit court reversed the magistrate's holding that printing a receipt was a publication.

  • Therefore, no coverage.


Auto-Owners Insurance v. Websolv

  • Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.

  • Websolv seeks coverage under CGL policy.

  • Auto-Owners sued arguing that it had no duty to defend under:

    • Advertising Injury – publication & privacy.

    • Property Damage – fax.


Auto-Owners Insurance v. Websolv

  • Appeals court held that Iowa law, not Illinois law, applied and that policy did not cover the injury.

  • Appeals court held:

    • Privacy interest v. seclusion interest.

    • Publication v. secrecy.

    • Damages expected v. intended.

  • Concluded that there was no coverage.


Eyeblaster v. Federal Insurance

  • Computer user sues Eyeblaster alleging injuries relating to its advertising software.

  • Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.

  • Federal denies coverage and brings this lawsuit.


Eyeblaster v. Federal Insurance

  • CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”

  • District court finds that there is no physical injury; therefore, no coverage.

  • Appeals court finds that inability to use computer constitutes injury under the policy and reverses.


Zurich Insurance v. Sony

  • Sony’s online networks are attacked and passwords are compromised.

  • Sony shuts down PSN for weeks.

  • Sony offers fraud monitoring.

  • Sony offers discounted games in apology.

  • Sony is sued in tens of class action lawsuits.

  • Zurich sues Sony for declaratory judgment.


Zurich Insurance v. Sony

  • Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.

  • Zurich claims that its insurance policies cover:

    • Bodily injury,

    • Property damage, and

    • Personal and advertising injury.

  • Litigation ongoing.


Common Issues

  • Interpretation of undefined terms crucial in coverage.

  • Interpretation varies depending on trial court, appeals court, and state law.

  • Litigating an insurance policy consumes time and resources.


Common Issues

  • Data may not be tangible personal property.

  • Publication may not have occurred.

  • Privacy rights may not have been breached.


Common Issues

  • CGL policy covers specific risks.

  • Cyber risks may not be covered.

  • Coverage varies widely among policies.


Traditional Insurance Gaps

  • Theft or disclosure of third party information (GL)

  • Security and privacy – “Intentional Act” exclusions (GL)

  • Data is not “tangible property” (GL, Prop, Crime)

  • Bodily Injury & Property Damage triggers (GL)

  • Value of data if corrupted, destroyed, or disclosed (Prop, GL)


Traditional Insurance Gaps

  • Contingent risks (from external hosting, etc.)

  • Commercial Crime policies require intent and cover only money, securities, and tangible property.

  • Territorial restrictions

  • Sublimit or long waiting period applicable to any virus coverage available (Prop)


Preparation is Key

  • Policy must be part of an Enterprise Risk Management program

  • Utilize privacy, security, and legal:

    • Policies

    • Procedures

    • Controls

  • Understand probability and magnitude of risk

  • Audit products and services


Preparation is Key

  • Ask Your Privacy / IT professionals:

    • Incident Response Plan (tested?)

    • Vendor Contracts / Insurance Requirements

  • Privacy Risk Assessment

  • Check Existing Insurance Gap Analysis

  • New coverage terms must integrate with

    • Response Plans

    • Traditional Policies


Cyber Risk Coverage

  • Data breach

  • Governmental civil actions

  • Virus liability

  • Content liability

  • Extortion

  • Lost data


Privacy & Network Coverages

Expense (Loss Mitigation) Coverage

  • Data Breach Expenses:

    • Consumer notification and credit monitoring service costs (sub-limit)

    • Forensics/Investigations

    • Public Relations/Crisis Management Expenses


Privacy & Network Coverages

Liability Coverage

  • Privacy Liability

  • Network Security Liability

  • Media, IP and Content Liability


Privacy & Network Coverages

Direct (First Party) Coverage

  • Revenue Loss (Interruption to income due to systems outage)

  • Data Reconstruction


Limits and Exclusions

  • Must the insured notify you right away?

  • Indemnification for losses or claims, too?

  • Who chooses the lawyer to defend a lawsuit?

  • Are there preferred vendors?

  • Limitation of liability – dollar amount?


Vendor Contracts

  • Breaches may occur at a vendor.

  • Contract clauses and limitations should harmonize with insurance clauses.

  • Damage limits should factor in policy limits.

  • Notify if a breach may have occurred.

  • Should they tender your defense?

  • You are liable, but they can help.


Vendor Contracts

IT/Software Companies

  • Request Tech E&O, plus Privacy/Network Coverage

  • Some Tech E&O policies have security/privacy exclusions

  • Breach could occur without “wrongful act” being committed


Vendor Contracts

Business Services – Payroll, Auditors, Counsel

  • Request appropriate E&O coverage

  • Request Privacy/Network coverage

Credit Card Processors/Acquiring Banks

  • Request Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)


Vendor Contracts

Other vendors that transport, touch, or interact with your systems or sensitive information

  • Request Privacy/Network coverage


Upcoming Issues

  • Revisions to the EU Data Protection Directive that propose fines of up to 2% of annual turnover of a company

  • Federal data breach notification in the U.S.

  • FTC Final Privacy Report and Privacy by Design

  • Department of Commerce multi-stakeholder enforceable codes of conduct process


Questions

Dino Tsibouris (614) 360-3133 [email protected]

Tom Srail, SVP, FINEX NA – Cyber and E&O Team [email protected]

Mehmet Munur (614) 360-3101 [email protected]
