Managing Cyber Risk Through Insurance and Vendor Contracts Dino Tsibouris (614) 360-3133 dino@tsibouris.com Tom Srail, SVP, FINEX NA – Cyber and E&O Team tom.srail@willis.com Mehmet Munur (614) 360-3101 mehmet.munur@tsibouris.com
Outline • Cyber risks • Costs relating to cyber risks • Use of insurance for cyber risks • Lawsuits relating to insurance policies • Strategies in obtaining coverage • Traditional v. Cyber Insurance • Vendors • Conclusion
Cyber Risks • Hacking incidents • Data breaches • Privacy breaches • Unauthorized access • Social engineering • Vandalism or defacement • Cyber extortion • Regulatory enforcement following incidents
Cyber Risks • Privacy is a heightened and evolving exposure • Reliance on vendors (cloud, IT, HR) • Regulatory changes • Underwriters are paying multi-million-dollar losses • Business interruption and systems failure • Credit-card-related fines and lawsuits • “Cyber” insurance has broadened to address these risks
“Cyber” Insurance Timeline, 1996–2012 (timeline figure; the three tracks below are what survives of it, each in chronological order)
Insurance history: Cyber insurance introduced • Notification costs covered • Broad privacy insurance • Vendor coverage • Corporate confidential information • PCI fines and penalties • Systems failure • Regulatory fines and penalties
Regulatory/industry history: HIPAA • GLB • SB 1386 • PCI • HITECH • SEC
Claims/losses history: CardSystems • TJX • Heartland • Epsilon/Sony
What is the Data? What data do you collect or process? • Personally Identifiable Information (PII): SSN, driver’s license number, etc. • Payment card data: credit and debit card numbers (the data in scope for PCI DSS) • Protected Health Information (PHI) • Personal or sensitive personal data (EU)
Where is the Data? • Where is it stored? • Do you share it with third parties? • How well is it protected? • How long is it kept?
What is a Breach? • Unauthorized disclosure • Unauthorized acquisition • Data compromised
Costs of a Data Breach
• DIRECT COSTS: Notification • Call center • Identity monitoring (credit and non-credit) • Identity restoration • Discovery / data forensics • Loss of employee productivity
• INDIRECT COSTS: Restitution • Additional security and audit requirements • Lawsuits • Regulatory fines • Loss of consumer confidence • Loss of funding
• Cost per record: $214 (2010), up $10 from 2009; of that, about $73 is direct cost and $141 indirect cost. Source: Ponemon Institute
Costs of a Data Breach • Notification: $1/individual • Credit monitoring: $15-$50/individual • Call Centers, Fraud Alerts, Database Scanning, Restoration Services • Civil, regulatory and possibly criminal defense • Data Privacy counsel can cost $1,000+ per hour. • Business Interruption Costs/Data Damage?
Security Incidents and Insurance Proceeds (chart; values in millions of dollars; source: SEC filings)
Creative Hospitality Ventures v. US Liability Insurance • Restaurant gives customers receipts showing full account number in violation of FACTA. • Class action lawsuit ensues. • Restaurant seeks coverage under CGL policy.
Creative Hospitality Ventures v. US Liability Insurance • Coverage limited to “personal and advertising injury,” defined to require a “publication” that invades the right to privacy. • The circuit court reversed the lower court’s holding that handing a customer a printed receipt was a “publication.” • With no publication, there was no coverage.
Auto-Owners Insurance v. Websolv • Individual sues Websolv for sending unsolicited faxes as a violation of TCPA. • Websolv seeks coverage under CGL policy. • Auto-Owners sued arguing that it had no duty to defend under: • Advertising Injury – publication & privacy. • Property Damage – fax.
Auto-Owners Insurance v. Websolv • Appeals court held that Iowa law, not Illinois law, applied and that policy did not cover the injury. • Appeals court held: • Privacy interest v. seclusion interest. • Publication v. secrecy. • Damages expected v. intended. • Concluded that there was no coverage.
Eyeblaster v. Federal Insurance • Computer user sues Eyeblaster alleging injuries relating to its advertising software. • Eyeblaster seeks coverage under CGL and Network Technology Errors or Omissions Liability policies. • Federal denies coverage and brings this lawsuit.
Eyeblaster v. Federal Insurance • CGL covers “physical injury to tangible property” but excludes “any software, data or other information that is in electronic form.” • District court finds no physical injury; therefore, no coverage. • Appeals court holds that the user’s loss of use of the computer itself, which is tangible property, is injury under the policy, and reverses.
Zurich Insurance v. Sony • Sony’s online networks are attacked and passwords are compromised. • Sony shuts down PSN for weeks. • Sony offers fraud monitoring. • Sony offers discounted games as an apology. • Sony is named in dozens of class action lawsuits. • Zurich sues Sony for a declaratory judgment.
Zurich Insurance v. Sony • Sony has insurance through many carriers, including Mitsui Sumitomo, National Union, ACE, AXIS, Lloyd’s, Chartis, and others. • Zurich’s position: its policies cover only bodily injury, property damage, and personal and advertising injury. • Litigation ongoing.
Common Issues • Interpretation of undefined terms crucial in coverage. • Interpretation varies depending on trial court, appeals court, and state law. • Litigating insurance policy consumes time and resources.
Common Issues • Data may not be tangible personal property. • Publication may not have occurred. • Privacy rights may not have been breached.
Common Issues • CGL policy covers specific risks. • Cyber risks may not be covered. • Coverage varies widely among policies.
Traditional Insurance Gaps • Theft or disclosure of third party information (GL) • Security and privacy – “Intentional Act” exclusions (GL) • Data is not “tangible property” (GL, Prop, Crime) • Bodily Injury & Property Damage triggers (GL) • Value of data if corrupted, destroyed, or disclosed (Prop, GL)
Traditional Insurance Gaps • Contingent risks (external hosting, outsourced processing, etc.) • Commercial crime policies require intent and cover only money, securities, and tangible property • Territorial restrictions • Any virus coverage that is available is subject to a sublimit or a long waiting period (Prop)
Preparation is Key • Policy must be part of an Enterprise Risk Management program • Utilize privacy, security, and legal: • Policies • Procedures • Controls • Understand probability and magnitude of risk • Audit products and services
Preparation is Key • Ask your privacy / IT professionals: • Incident response plan (has it been tested?) • Vendor contracts / insurance requirements • Privacy risk assessment • Check existing insurance: gap analysis • New coverage terms must integrate with response plans and traditional policies
Cyber Risk Coverage • Data breach • Governmental civil actions • Virus liability • Content liability • Extortion • Lost data
Privacy & Network Coverages Expense (Loss Mitigation) Coverage • Data Breach Expenses: • Consumer notification and credit monitoring service costs (sub-limit) • Forensics/Investigations • Public Relations/Crisis Management Expenses
Privacy & Network Coverages Liability Coverage • Privacy Liability • Network Security Liability • Media, IP and Content Liability
Privacy & Network Coverages Direct (First Party) Coverage • Revenue Loss (Interruption to income due to systems outage) • Data Reconstruction
Limits and Exclusions • Must the insured notify you right away? • Indemnification for losses or claims, too? • Who chooses the lawyer to defend a lawsuit? • Are there preferred vendors? • Limitation of liability – dollar amount?
Vendor Contracts • Breaches may occur at a vendor. • Contract clauses and limitations should harmonize with your insurance clauses. • Damage caps should take policy limits into account. • Require notice whenever a breach may have occurred. • Should the vendor tender your defense? • You remain liable to your customers and regulators, but the vendor can help bear the cost.
Vendor Contracts IT/Software Companies • Request Tech E&O, plus Privacy/Network Coverage • Some Tech E&O policies have security/privacy exclusions • Breach could occur without “wrongful act” being committed
Vendor Contracts: Business Services (payroll, auditors, counsel) • Request appropriate E&O coverage • Request privacy/network coverage
Vendor Contracts: Credit Card Processors / Acquiring Banks • Request privacy/network coverage (there are gaps in bond and professional liability coverage)
Vendor Contracts Other Vendors that transport, touch, interact with your systems or sensitive information • Request Privacy/Network coverage
Upcoming Issues • Proposed revisions to the EU Data Protection Directive that would allow fines of up to 2% of a company’s annual turnover • Federal data breach notification legislation in the U.S. • FTC Final Privacy Report and Privacy by Design • Department of Commerce multi-stakeholder process for enforceable codes of conduct
Questions