Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson, RPS Technology &...

Date post: 20-Jun-2015
Upload: donald-grauel
Description:
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
Transcript
Page 1: Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson, RPS Technology & Cyber

Discussing Cyber Risk Coverage With Your Commercial Clients

Steve Robinson
Area President
RPS Technology & Cyber

October 17, 2014

Page 2:

Threat Landscape and Common Misperceptions

Page 3:

Facts

• When it comes to data breach, size doesn’t matter*
• It’s more than just hacking
• The “we’ve got this covered” attitude is waning
• IT is now very much on board

*Source: 2013 Data Breach Investigations Report Verizon RISK Team, et al

Page 4:

The Changing Threat Landscape

“Our 2013 findings suggest that there’s a lot of complacency among organizations about the risk of espionage attacks. The assumption is that these attacks only target government, military and high-profile organizations, but our data shows that this increasingly isn’t true. Don’t underestimate the likelihood that your organization will be a target.”

Source: 2013 Data Breach Investigations Report Verizon RISK Team, et al

Page 5:

Information Risks – What Can Go Wrong?

Page 6:

Information Risks

Hazards
• Hacker Attacks/Unauthorized Access
• Virus/Malicious Code
• Denial of Service Attacks
• Malicious Hardware
• Physical Theft of Device/Media
• Accidental Release
• Employee/Vendor Error
• Rogue Employees
• Social Engineering

Page 7:

Information Risks

Source: Open Security Foundation

Page 8:

Industry-Specific Threats

Page 9:

Industry-Specific Threats

Healthcare, Retail, Education, Hospitality, Financial, Public Entity, Nonprofit, Mfg, Technology

Breach of Personally Identifiable Info (PII)

Breach of credit card data & PCI Fines

Breach of Protected Health Information (PHI)

Breach of customers’ rights to privacy

Breach of confidential employee data

eBusiness Interruption

Technology Errors or Omissions

Personal Injury – Social Media Environment

Intellectual Property Infringement

Regulatory Liability

Electronic Theft

Cyber Extortion

Page 10:

Cost of a Data Breach

Page 11:

Data Breach Related Costs

Average cost per compromised record = $201.00*

Direct
• Coordination
• Defense
• Notification expenses
• Credit monitoring
• Regulatory fines

Indirect
• Customer churn
• Impact on shareholder value
• Loss of future opportunity

Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”

Page 12:

Related Costs

Per Capita Cost By Industry Classification*

Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”

Page 13:

Mitigating Risk in our Clients’ Businesses

Page 14:

How Can Clients Reduce Their Risk?

Data Management*

Collection
• What employee, customer, donor/volunteer (nonprofits) data are you storing?
• Do you need to store it?

Access
• Who in your organization has access to sensitive information?
• Do those with access absolutely need access to perform their job?
• What of this information is publicly available?

Use
• Are you using customer info in a manner it was originally intended (and consistent with the way you communicated to your customers?)

Storage
• Where is your data stored?
• Is the stored information protected by access controls?
• Does sensitive customer information exist in multiple formats?

Eradication
• How long do you keep customer information?
• What do you do with info (in any format) you no longer need?
• 3rd party vendor agreements for document storage, disposal, janitorial services, etc.

Source: NTEN – Nonprofit Technology Network

Page 15:

How Can Clients Reduce Their Risk?

Policies & Procedures

Privacy
• Do you have a written privacy policy in place?
• Have employees and/or volunteers been trained?

Social Media
• Inventory your social media presence - regularly
• Restrict authority for creation and content management on behalf of your organization to one or two designated employees
• Are there restrictions for social media access on systems that connect to your network containing personal information on customers, employees, etc.?

Websites, Intellectual Property & Electronic Communication
• Consistency of content and message?
• Legal review?
• Have appropriate rights been secured (music, lyrics, video, etc.)?
• Staff training in email etiquette

Network Security
• Software, patch management, spam filters, firewall protection, etc. & Credentialing
• Encryption of data - at rest and in a mobile state
• Vulnerability testing
• BYOD policies

Page 16:

How Can Clients Reduce Their Risk?

Risk Transfer

Vendor Agreements
• Appropriate transfer of liability language in vendor contracts?
• Cloud providers
• Payment processors
• Website hosting services
• Document disposal, storage and janitorial services

Insurance
• Cyber/Privacy Liability Insurance

Page 17:

Cyber Risk Insurance Coverage

Page 18:

What is Cyber Risk Insurance?

Insurance coverage designed to protect a business from:

Liability associated with:

• Unauthorized release of confidential information

• Violation of a person’s rights to privacy

• Personal injury in an electronic/social media environment

• Intellectual property infringement

• Violations of state or federal privacy laws

Out-of-pocket expenses incurred to make the above problems go away

Page 19:

Cyber Risk Insurance

Exposure Category: Description

Privacy Liability: Provides liability coverage for failure to protect electronic or non-electronic information in your care, custody and control. Can include coverage for acts of vendors as well.

Network Security Liability: Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach, becomes inaccessible to those who need it or unintentionally transmits a virus to a 3rd party.

Media Content Liability: Provides liability coverage for Intellectual Property and Personal Injury lawsuits stemming from your website or social media content under your direct control.

Regulatory Liability: Defense coverage for legal proceedings or investigations by Federal, State, or Foreign regulators relating to Privacy Laws.

Crisis Management

Legal Assistance Expense: Expenses incurred to hire an attorney to help navigate the breach response process in accordance with the multitude of State and Federal laws.

Forensic Expense: Expenses incurred to hire a firm to conduct IT forensics investigations following a data breach.

Notification Expense: Expenses incurred to notify members of a breach in accordance with State and Federal laws.

Credit Monitoring Expense: Expenses incurred to provide donors with access to identity protection services.

Public Relations Expense: Expenses incurred to hire a public relations consultancy, media expenses, etc. in the wake of a data breach.

Data Recovery/Restoration: Expenses incurred to re-create data that is damaged as a result of a cyber incident.

Business Interruption: The reduction of business income as a result of an interruption or use of a computer system as a result of a network breach to their system.

Cyber Extortion: Expenses incurred resulting from threats to introduce a system hack, virus, etc. or from threats to disseminate or use information contained in your computer systems to destroy or alter your computer systems.

Fines and Penalties: Where permissible by law, expenses incurred as a result of a State, Federal or other (PCI DSS) fine or penalty resulting from a data breach.

Page 20:

Doesn’t My Insurance Already Cover This?

Page 21:

ISO General Liability Form

Coverage exclusion for claims of copyright, trademark infringement.

Page 22:

ISO Property Form

Protects physical computers but not the data that is stored on them.

Page 23:

CGL Data Breach Exclusions

Current ISO CGL form coverage is provided:

“For personal and advertising injury as the offense of an oral or written publication in any manner, or material that violates a person’s right of privacy.”

New ISO GL Exclusion (effective May 2014):

“Exclusion – Access or Disclosure of confidential or personal information and data-related liability – with limited bodily injury exception.”

Page 24:

Doesn’t My Insurance Cover This?

General Liability, Property, Crime, Professional, K&R, Cyber

3rd Party Privacy/Network Security/Personal Injury/IP
• Theft/Unauthorized Disclosure PII
• Breach of Confidential Corporate Info
• Technology E&O
• Media Liability/Social Networking
• Regulatory Defense/Penalties
• Virus/Malicious Code Transmission

1st Party Privacy / Network Risks
• Legal Assistance/Breach Coach
• IT Forensics
• Physical Damage to Data
• Denial of Service Attack
• Business Income from Security Event
• Extortion or Threat
• Rogue Employee - Data Related
• Public Relations/Crisis Management

Coverage Provided?
Coverage Possible?
No Coverage?

* For reference and discussion only; policy language and facts of claim will require further analysis. This is not a guarantee of coverage.

Page 25:

Cyber Risk Coverage: Key Differentiators

Page 26:

Cyber Risk Coverage

Samples of Key Differentiators:
• Look carefully at the definitions
• Unauthorized acts of employees
• Coverage for electronic and non-electronic information
• Vicarious liability - 3rd parties/vendors/cloud providers
• Defense of privacy regulatory actions (at full privacy limits)
• Regulatory fines & penalties
• Sublimits for 1st party vs full limits
• Breadth of media coverage

Page 27:

Cyber Risk Coverage Common Exclusions

• Intentional Acts – look closely here
• Infrastructure failure
• Software Responsibility/Inadequate Software
• Unencrypted portable media
• Wrongful Collection
• Employment Practices

Page 28:

Not All Policies Are Created Equal

Page 29:

Cyber Endorsement “Fail”

Page 30:

Application Process & Rating Factors

Page 31:

Application Process & Rating Factors

Pricing
• Class of business
    • High/Medium/Low
    • Number of patients and records held – medical
• Annual revenue
• Number of employees
• Network defense parameters in place and update procedures
• Information security policies
• Loss history

Application
• New streamlined options available

Page 32:

Coverage Trends

Page 33:

Coverage Trends

• The tale of two worlds
    • Large retail – appetite, capacity, underwriting
    • Small business
• Business Interruption triggers
• Aggregation
• Reputational Harm
• Electronic Theft – monetary & otherwise
• Retro date

Page 34:

Summary

Why Your Client Needs Cyber Risk Coverage
• Specific exclusions exist in traditional policies for:
    • Privacy breach
    • Network related incidents
    • eBusiness Interruption
    • Personal Injury in Social Media, websites, blogs, etc.
    • Regulatory defense, fines
• Buying coverage aligns pre and post-breach resources not afforded under other policies
• Claims are on the rise
• Laws are driving demand:
    • GLB, HIPAA, HITECH Act, FTC’s Red Flag Rule, etc.
    • 47 of 50 States require notification
• Coverage is more accessible and affordable than ever

Page 35:

Thank You

Steven R. Robinson
Area President

[email protected]
direct
800-336-5659 toll free

