Managing cyber risk through insurance and vendor contracts

Managing Cyber Risk Through Insurance and Vendor Contracts

Dino Tsibouris (614) 360-3133 dino@tsibouris.com

Tom Srail, SVP, FINEX NA – Cyber and E&O Team tom.srail@willis.com

Mehmet Munur (614) 360-3101 mehmet.munur@tsibouris.com


Outline

  • Cyber risks

  • Costs relating to cyber risks

  • Use of insurance for cyber risks

  • Lawsuits relating to insurance policies

  • Strategies in obtaining coverage

  • Traditional v. Cyber Insurance

  • Vendors

  • Conclusion


Cyber Risks

  • Hacking incidents

  • Data breaches

  • Privacy breaches

  • Unauthorized access

  • Social engineering

  • Vandalism or defacement

  • Cyber extortion

  • Regulatory enforcement following incidents


Cyber Risks

  • Privacy is a heightened & evolving exposure

  • Reliance on Vendors (Cloud, IT, HR)

  • Regulatory Changes

  • Underwriters are paying multi-million dollar losses

  • Business Interruption and Systems Failure

  • Credit card related fines and lawsuits.

  • “Cyber” Insurance has broadened to address these risks


“CYBER” INSURANCE TIMELINE

(Timeline graphic spanning 1996–2012 with three tracks; items are listed in the order they appear on the slide.)

Insurance History: Cyber Insurance Introduced; Notice Costs Covered; Broad Privacy Ins.; Vendor Coverage; Corp Confidential Info; PCI Fines & Penalties; Systems Failure; Reg. Fines & Penalties

Regulatory/Industry History: HIPAA; GLB; SB1386; PCI; HITECH; SEC

Claims/Losses History: Epsilon/Sony; CardSystems; TJX; Heartland


What is the Data?

What Data do you collect/process?

  • Personally Identifiable Information (PII): SSN, Drivers License, etc.

  • Payment Card Information (PCI): Credit Card, Debit Card Numbers

  • Protected Health Information (PHI)

  • Personal or Sensitive Personal Data (EU)


Where is the Data?

Where is it? Do you share with third parties?

  • How well is it protected?

  • How long is it kept?

What is a Breach?

  • Unauthorized disclosure

  • Unauthorized acquisition

  • Data compromised


Costs of a Data Breach

  • DIRECT COSTS

    • Notification

    • Call Center

    • Identity Monitoring (credit/non-credit)

    • Identity Restoration

    • Discovery / Data Forensics

    • Loss of Employee Productivity

  • INDIRECT COSTS

    • Restitution

    • Additional Security and Audit Requirements

    • Lawsuits

    • Regulatory Fines

    • Loss of Consumer Confidence

    • Loss of Funding

Cost per record (chart): $214 (2010) (up $10 from 2009); other values shown on the chart: $73, $141.

Source: Ponemon Institute


Costs of a Data Breach

  • Notification: $1/individual

  • Credit monitoring: $15-$50/individual

  • Call Centers, Fraud Alerts, Database Scanning, Restoration Services

  • Civil, regulatory and possibly criminal defense

  • Data Privacy counsel can cost $1,000+ per hour.

  • Business Interruption Costs/Data Damage?




Security Incidents and Insurance Proceeds

(Chart: security incidents and insurance proceeds, in millions of dollars. Source: SEC)


Creative Hospitality Ventures v. US Liability Insurance

  • Restaurant gives customers receipts showing full account number in violation of FACTA.

  • Class action lawsuit ensues.

  • Restaurant seeks coverage under CGL policy.


Creative Hospitality Ventures v. US Liability Insurance

  • Policy limited to “personal and advertising injury.”

  • Defined as any publication that invaded the right to privacy.

  • Circuit court reversed the magistrate's holding that printing the receipt was a publication.

  • Therefore, no coverage.


Auto-Owners Insurance v. Websolv

  • Individual sues Websolv for sending unsolicited faxes as a violation of TCPA.

  • Websolv seeks coverage under CGL policy.

  • Auto-Owners sued arguing that it had no duty to defend under:

    • Advertising Injury – publication & privacy.

    • Property Damage – fax.


Auto-Owners Insurance v. Websolv

  • Appeals court held that Iowa law, not Illinois law, applied and that policy did not cover the injury.

  • Appeals court held:

    • Privacy interest v. seclusion interest.

    • Publication v. secrecy.

    • Damages expected v. intended.

  • Concluded that there was no coverage.


Eyeblaster v. Federal Insurance

  • Computer user sues Eyeblaster alleging injuries relating to its advertising software.

  • Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies.

  • Federal denies coverage and brings this lawsuit.


Eyeblaster v. Federal Insurance

  • CGL includes coverage for “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.”

  • District court finds that there is no physical injury; therefore, no coverage.

  • Appeals court finds that inability to use computer constitutes injury under the policy and reverses.


Zurich Insurance v. Sony

  • Sony’s online networks are attacked and passwords are compromised.

  • Sony shuts down PSN for weeks.

  • Sony offers fraud monitoring.

  • Sony offers discounted games in apology.

  • Sony is sued in tens of class action lawsuits.

  • Zurich sues Sony for declaratory judgment.


Zurich Insurance v. Sony

  • Sony has insurance through many providers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others.

  • Zurich claims that its insurance policies cover:

    • Bodily injury,

    • Property damage, and

    • Personal and advertising injury.

  • Litigation ongoing.


Common Issues

  • Interpretation of undefined terms crucial in coverage.

  • Interpretation varies depending on trial court, appeals court, and state law.

  • Litigating an insurance policy consumes time and resources.


Common Issues

  • Data may not be tangible personal property.

  • Publication may not have occurred.

  • Privacy rights may not have been breached.


Common Issues

  • CGL policy covers specific risks.

  • Cyber risks may not be covered.

  • Coverage varies widely among policies.


Traditional Insurance Gaps

  • Theft or disclosure of third party information (GL)

  • Security and privacy – “Intentional Act” exclusions (GL)

  • Data is not “tangible property” (GL, Prop, Crime)

  • Bodily Injury & Property Damage triggers (GL)

  • Value of data if corrupted, destroyed, or disclosed (Prop, GL)


Traditional Insurance Gaps

  • Contingent risks (from external hosting, etc.)

  • Commercial Crime policies require intent, only cover money, securities and tangible property.

  • Territorial restrictions

  • Sublimit or long waiting period applicable to any virus coverage available (Prop)


Preparation is Key

  • Policy must be part of an Enterprise Risk Management program

  • Utilize privacy, security, and legal:

    • Policies

    • Procedures

    • Controls

  • Understand probability and magnitude of risk

  • Audit products and services


Preparation is Key

  • Ask Your Privacy / IT professionals:

    • Incident Response Plan (tested?)

    • Vendor Contracts / Insurance Requirements

  • Privacy Risk Assessment

  • Check Existing Insurance Gap Analysis

  • New coverage terms must integrate with

    • Response Plans

    • Traditional Policies


Cyber Risk Coverage

  • Data breach

  • Governmental civil actions

  • Virus liability

  • Content liability

  • Extortion

  • Lost data


Privacy & Network Coverages

Expense (Loss Mitigation) Coverage

  • Data Breach Expenses:

    • Consumer notification and credit monitoring service costs (sub-limit)

    • Forensics/Investigations

    • Public Relations/Crisis Management Expenses


Privacy & Network Coverages

Liability Coverage

  • Privacy Liability

  • Network Security Liability

  • Media, IP and Content Liability


Privacy & Network Coverages

Direct (First Party) Coverage

  • Revenue Loss (Interruption to income due to systems outage)

  • Data Reconstruction


Limits and Exclusions

  • Must the insured notify you right away?

  • Indemnification for losses or claims, too?

  • Who chooses the lawyer to defend a lawsuit?

  • Are there preferred vendors?

  • Limitation of liability – dollar amount?


Vendor Contracts

  • Breaches may occur at a vendor.

  • Contract clauses and limitations should harmonize with insurance clauses.

  • Damage limits should factor in policy limits.

  • Notify if a breach may have occurred.

  • Should they tender your defense?

  • You are liable, but they can help.


Vendor Contracts

IT/Software Companies

  • Request Tech E&O, plus Privacy/Network Coverage

  • Some Tech E&O policies have security/privacy exclusions

  • Breach could occur without “wrongful act” being committed


Vendor Contracts

Business Services – Payroll, Auditors, Counsel

  • Request appropriate E&O coverage

  • Request Privacy/Network coverage

Credit Card Processors/Acquiring Banks

  • Request Privacy/Network Coverage (Gaps in Bond or Professional Liability coverage)


Vendor Contracts

Other Vendors that transport, touch, interact with your systems or sensitive information

  • Request Privacy/Network coverage


Upcoming Issues

  • Revisions to the EU Data Protection Directive that propose fines of up to 2% of annual turnover of a company

  • Federal data breach notification in the U.S.

  • FTC Final Privacy Report and Privacy by Design

  • Department of Commerce multi-stakeholder enforceable codes of conduct process


Outline

  • Cyber risks

  • Costs relating to cyber risks

  • Use of insurance for cyber risks

  • Lawsuits relating to insurance policies

  • Strategies in obtaining coverage

  • Traditional v. Cyber Insurance

  • Vendors

  • Conclusion


Questions

Dino Tsibouris (614) 360-3133 dino@tsibouris.com

Tom Srail, SVP, FINEX NA – Cyber and E&O Team tom.srail@willis.com

Mehmet Munur (614) 360-3101 mehmet.munur@tsibouris.com