Managing Cyber Risk Through Insurance and Vendor Contracts - PowerPoint PPT Presentation

Presentation Transcript

Managing Cyber Risk Through Insurance and Vendor Contracts

Dino Tsibouris (614) 360-3133 [email protected]

Tom Srail, SVP, FINEX NA – Cyber and E&O Team [email protected]

Mehmet Munur (614) 360-3101 [email protected]

Outline
  • Cyber risks
  • Costs relating to cyber risks
  • Use of insurance for cyber risks
  • Lawsuits relating to insurance policies
  • Strategies in obtaining coverage
  • Traditional v. Cyber Insurance
  • Vendors
  • Conclusion
Cyber Risks
  • Hacking incidents
  • Data breaches
  • Privacy breaches
  • Unauthorized access
  • Social engineering
  • Vandalism or defacement
  • Cyber extortion
  • Regulatory enforcement following incidents
Cyber Risks
  • Privacy is a heightened & evolving exposure
  • Reliance on Vendors (Cloud, IT, HR)
  • Regulatory Changes
  • Underwriters are paying multi-million dollar losses
  • Business Interruption and Systems Failure
  • Credit card related fines and lawsuits.
  • “Cyber” Insurance has broadened to address these risks
“Cyber” Insurance Timeline (1996 to 2012)

Insurance History: Cyber Insurance Introduced; Notice Costs Covered; Broad Privacy Ins.; Vendor Coverage; Corp Confidential Info; PCI Fines & Penalties; Systems Failure; Reg. Fines & Penalties

Regulatory/Industry History: HIPAA; GLB; SB1386; PCI; HITECH; SEC

Claims/Losses History: Epsilon/Sony; Card Systems; TJX; Heartland

What is the Data?

What Data do you collect/process?

  • Personally Identifiable Information (PII): SSN, Driver's License, etc.
  • Payment Card Information (PCI): Credit Card, Debit Card Numbers
  • Protected Health Information (PHI)
  • Personal or Sensitive Personal Data (EU)
Where is the Data?

Where is it? Do you share with third parties?

  • How well is it protected?
  • How long is it kept?

What is a Breach?

  • Unauthorized disclosure
  • Unauthorized acquisition
  • Data compromised
Costs of a Data Breach
  • DIRECT COSTS
    • Notification
    • Call Center
    • Identity Monitoring (credit/non-credit)
    • Identity Restoration
    • Discovery / Data Forensics
    • Loss of Employee Productivity
  • INDIRECT COSTS
    • Restitution
    • Additional Security and Audit Requirements
    • Lawsuits
    • Regulatory Fines
    • Loss of Consumer Confidence
    • Loss of Funding

Cost per record: $214 (2010) (up $10 from 2009); the chart also shows values of $73 and $141 (labels not recoverable).

Source: Ponemon Institute

Costs of a Data Breach
  • Notification: $1/individual
  • Credit monitoring: $15-$50/individual
  • Call Centers, Fraud Alerts, Database Scanning, Restoration Services
  • Civil, regulatory and possibly criminal defense
  • Data Privacy counsel can cost $1,000+ per hour.
  • Business Interruption Costs/Data Damage?
Security Incidents and Insurance Proceeds

Chart (values not recoverable), in millions of dollars. Source: SEC

Creative Hospitality Ventures v. US Liability Insurance
  • Restaurant gives customers receipts showing full account number in violation of FACTA.
  • Class action lawsuit ensues.
  • Restaurant seeks coverage under CGL policy.
Creative Hospitality Ventures v. US Liability Insurance
  • Policy limited to “personal and advertising injury.”
  • Defined as any publication that invaded the right to privacy.
  • The circuit court reversed the magistrate's holding that printing the receipt was a publication.
  • Therefore, no coverage.
Auto-Owners Insurance v. Websolv
  • Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.
  • Websolv seeks coverage under CGL policy.
  • Auto-Owners sued arguing that it had no duty to defend under:
    • Advertising Injury – publication & privacy.
    • Property Damage – fax.
Auto-Owners Insurance v. Websolv
  • Appeals court held that Iowa law, not Illinois law, applied and that policy did not cover the injury.
  • Appeals court held:
    • Privacy interest v. seclusion interest.
    • Publication v. secrecy.
    • Damages expected v. intended.
  • Concluded that there was no coverage.
Eyeblaster v. Federal Insurance
  • Computer user sues Eyeblaster alleging injuries relating to its advertising software.
  • Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.
  • Federal denies coverage and brings this lawsuit.
Eyeblaster v. Federal Insurance
  • CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”
  • District court finds that there is no physical injury; therefore, no coverage.
  • Appeals court finds that inability to use computer constitutes injury under the policy and reverses.
Zurich Insurance v. Sony
  • Sony’s online networks are attacked and passwords are compromised.
  • Sony shuts down PSN for weeks.
  • Sony offers fraud monitoring.
  • Sony offers discounted games in apology.
  • Sony is sued in tens of class action lawsuits.
  • Zurich sues Sony for declaratory judgment.
Zurich Insurance v. Sony
  • Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.
  • Zurich claims that its insurance policies cover:
    • Bodily injury,
    • Property damage, and
    • Personal and advertising injury.
  • Litigation ongoing.
Common Issues
  • Interpretation of undefined terms crucial in coverage.
  • Interpretation varies depending on trial court, appeals court, and state law.
  • Litigating an insurance policy consumes time and resources.

Common Issues
  • Data may not be tangible personal property.
  • Publication may not have occurred.
  • Privacy rights may not have been breached.
Common Issues
  • CGL policy covers specific risks.
  • Cyber risks may not be covered.
  • Coverage varies widely among policies.
Traditional Insurance Gaps
  • Theft or disclosure of third party information (GL)
  • Security and privacy – “Intentional Act” exclusions (GL)
  • Data is not “tangible property” (GL, Prop, Crime)
  • Bodily Injury & Property Damage triggers (GL)
  • Value of data if corrupted, destroyed, or disclosed (Prop, GL)
Traditional Insurance Gaps
  • Contingent risks (from external hosting, etc.)
  • Commercial Crime policies require intent, only cover money, securities and tangible property.
  • Territorial restrictions
  • Sublimit or long waiting period applicable to any virus coverage available (Prop)
Preparation is Key
  • Policy must be part of an Enterprise Risk Management program
  • Utilize privacy, security, and legal:
    • Policies
    • Procedures
    • Controls
  • Understand probability and magnitude of risk
  • Audit products and services
Preparation is Key
  • Ask Your Privacy / IT professionals:
    • Incident Response Plan (tested?)
    • Vendor Contracts / Insurance Requirements
  • Privacy Risk Assessment
  • Check Existing Insurance Gap Analysis
  • New coverage terms must integrate with
    • Response Plans
    • Traditional Policies
Cyber Risk Coverage
  • Data breach
  • Governmental civil actions
  • Virus liability
  • Content liability
  • Extortion
  • Lost data
Privacy & Network Coverages

Expense (Loss Mitigation) Coverage

  • Data Breach Expenses:
    • Consumer notification and credit monitoring service costs (sub-limit)
    • Forensics/Investigations
    • Public Relations/Crisis Management Expenses
Privacy & Network Coverages

Liability Coverage

  • Privacy Liability
  • Network Security Liability
  • Media, IP and Content Liability
Privacy & Network Coverages

Direct (First Party) Coverage

  • Revenue Loss (Interruption to income due to systems outage)
  • Data Reconstruction
Limits and Exclusions
  • Must the insured notify you right away?
  • Indemnification for losses or claims, too?
  • Who chooses the lawyer to defend a lawsuit?
  • Are there preferred vendors?
  • Limitation of liability – dollar amount?
Vendor Contracts
  • Breaches may occur at a vendor.
  • Contract clauses and limitations should harmonize with insurance clauses.
  • Damage limits should factor in policy limits.
  • Notify if a breach may have occurred.
  • Should they tender your defense?
  • You are liable, but they can help.
Vendor Contracts

IT/Software Companies

  • Request Tech E&O, plus Privacy/Network Coverage
  • Some Tech E&O policies have security/privacy exclusions
  • Breach could occur without “wrongful act” being committed
Vendor Contracts

Business Services – Payroll, Auditors, Counsel

  • Request appropriate E&O coverage
  • Request Privacy/Network coverage

Credit Card Processors/Acquiring Banks

  • Request Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)
Vendor Contracts

Other Vendors that transport, touch, interact with your systems or sensitive information

  • Request Privacy/Network coverage
Upcoming Issues
  • Revisions to the EU Data Protection Directive that propose fines of up to 2% of annual turnover of a company
  • Federal data breach notification in the U.S.
  • FTC Final Privacy Report and Privacy by Design
  • Department of Commerce multi-stakeholder enforceable codes of conduct process

Questions

Dino Tsibouris (614) 360-3133 [email protected]

Tom Srail, SVP, FINEX NA – Cyber and E&O Team [email protected]

Mehmet Munur (614) 360-3101 [email protected]
