Cyber Risk and Cyber Insurance

“CYBER” RISK & “CYBER” INSURANCE

An MAIA Member Information White Paper


MAIA F.A.C.T.S. Committee Information White Paper 10-14-11
Part 1 – “Cyber” Risk

           o Cyber Risk & Cyber Exposures

           o Cyber Laws & Law Suits

           o Cyber Risk Terms

           o Why Cyber Risk Is Not Likely Insured Elsewhere

           o Cyber Claims Examples

Part 2 – “Cyber” Insurance

           o “Cyber” Insurance Policies…

           o “1st Party” Insurance: Business Interruption, Crisis
             Management, Expense Coverage for Notification,
             Extortion, Threat & Reward

           o “3rd Party” Insurance: Privacy (Data Breach),
             Security, Intellectual Property, Media Content

           o Loss Control (“Cyber” Security)

           o 16 Questions You Need to Ask…

Part 1 – “Cyber” Risk…

What is “Cyber” Risk?

     "Financial Damages resulting from Any “E-Business” (electronic…

           o Internet

           o Internal Business Network

           o Any Electronic Data!

           o We can’t forget the paper exposure!
             (server or "cloud" storage, email attachments, faxes, mail, etc.)

“1st Party” Cyber Risk:
    Your “financial loss because of injury to your electronic data or systems
    resulting from acts of others”

           o Costs of fixing your problem

           o Expenses to protect clients (including notification costs)

           o Other expenses to mitigate loss (including publicity costs)

           o Theft of data & intangible property

           o Loss of your future income

           o Cyber extortion

“3rd Party” Cyber Risk:
            Your “liability for financial losses or costs sustained by others”

           [Financial damages resulting from client law suits and law suits from
           others for their personal/content injury, intellectual property claims,
           professional services, and injury from a security or privacy breach]

“Cyber” Risk Claim Examples…
•    Privacy — An online retailer attempted to sell its customers' personal
     information to pay creditors as part of the retailer's bankruptcy! But the
     retailer's privacy policy had stated that personally identifiable
     information (PII) would not be sold. Several parties threatened to sue.

•    Privacy & Security — A hacker infiltrated an online shopping website and
     stole 300,000 customer credit card numbers. The website faced claims from
     the customers for unauthorized charges made on their credit cards.

•    Security — Businesses that unknowingly spread a worm, virus, or other
     corrupting files via email to 3rd parties could face liability from those
     3rd parties for revenues lost as a result of the virus overloading the 3rd
     parties' computer network (“denial of service”).

•    Media/Content — A university pathologist posted a message on a bulletin
     board accusing another doctor of receiving kickbacks from a company trying
     to obtain a contract to provide pathology services to the university. The
     accused doctor sued, and a jury awarded him $675,000.

•    Intellectual Property — A business that used a competitor's trademarked
     name on its website was sued by the competitor for trademark infringement
     and unfair competition.

Federal “Cyber” Laws…
    “The protection and disclosure of confidential consumer
    information”, both personally identifiable information (PII) and
    protected health information (PHI), is currently governed by a
    patchwork of federal and state laws that target different exposures.
    Some of these federal statutes include:
    • Family Educational Rights and Privacy Act (FERPA)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Fair Credit Reporting Act (FCRA)
    • Sarbanes-Oxley Act (SOX)
    • Privacy Act of 1974

    Two of the newest additions…

HITECH Act…
•    It beefed up HIPAA by requiring notification of breaches of
     protected health information (PHI).
•    It went into effect 2/17/09, and as of 9/23/09 HITECH's breach
     notification requirements also cover all "business associates”…
•    “Business associates” are persons or entities “… who perform
     services on behalf of a HIPAA-covered entity and in so doing
     access the PHI of the covered entity”.
•    Businesses have no more than 60 days after discovery to report a breach.
•    Breaches affecting more than 500 persons also require notice to the media!
•    HITECH is enforced by the Department of Health and Human
     Services (HHS).
•    HHS will conduct periodic audits and levy fines for non-compliance.

"Red Flags" Rule (FTC)…
•    Was supposed to go into effect 11/1/2009, but was postponed for
     the 5th time, to June 2010.
•    Is now in effect (the FTC began enforcement at the end of 2010).
•    Requires any business that has any creditor relationships to have
     a written Identity Theft Prevention Program.
•    Broadly defines "creditor" to include essentially any business that
     defers payments for services, including healthcare providers.
•    Requires doctors’ offices, hospitals and other providers (including
     “business associates”) to establish a written procedure to identify
     warning signs ("red flags") of identity theft.

State “Cyber” Laws…
•    Consumer Notification…

    o Is now required in 46 states, PR & DC

    o Is based on the location of the consumer, not the business

    o Example: In New York, General Business Law § 899-aa
      requires notice of a breach of the security of computerized
      personal information held by both public and private entities
      (Consumers Union 8/21/2007)

•    Credit monitoring & restoration is not typically required by state
     law, but may soon be imposed by judicial or regulatory decision,
     based on precedents being set by current settlements…
       –    TJX – class action for damages to ID theft victims as well as
            credit monitoring services: $40,800,000 settlement with VISA,
            $24,000,000 settlement with MasterCard

       (Source: Media/Professional Insurance)

“Cyber” Negligence…

Plaintiffs are now challenging the “standard of care” applied to their
Personally Identifiable Information (PII) and Protected Health Information (PHI).


           o One publicly-disclosed case involved San Diego-based
             Ligand Pharmaceuticals Inc...

           o A lab assistant found a box with 38 former employees'
             personnel records…

           o The assistant then used the information to obtain 75
             credit cards, buy $100,000 in merchandise, open 20 cellular
             telephone accounts and rent three apartments!

           o The assistant was subsequently convicted and imprisoned,
             but then 14 of the former employees filed suit, charging
             Ligand with negligence.

           o A confidential "significant six-figure" settlement was
             approved by the court.

“Cyber” Risk Terms…
•    Personally Identifiable Information (PII)…

           o Any Credit Card Information

           o Any Personal Financial Information

           o All Social Security Numbers

           o All Drivers License Numbers

           o Any Banking Information

           o Any Employment Information

           o Any Insurance Information

•    Protected Health Information (PHI)…

•    Any Business Information of Others (including their
     “Trade Secrets”)…

“Cyber” Risk Includes …
           o Network Data

           o Non-Network Data

           o Corporate Servers

           o Third Party Data Storage (“Cloud Computing”)

           o Spam

           o Virus

           o Hackers

           o Storage Media
               – PCs
               – Servers
               – Electronic Tape Backup
               – Laptops
               – USBs (“flash drives”)
               – Handheld Devices (iPads)
               – CDs/DVDs/floppy disks
               – Paper!
 “Cyber” Risk – Why It’s Likely Not
  Covered Elsewhere…
       1. General Liability covers Bodily Injury and Property Damage,
          not stolen identities. Personal Injury coverage may be limited
          to "invasion of privacy" arising from the publication of…

       2. Property Insurance does not consider data as tangible…

       3. Media Liability policies only cover libel, slander and…

       4. E&O policies cover “services for others for a fee”. Some may
          cover “invasion of privacy”, but will only respond to actual
          damages… But many businesses hold PII yet are not in a
          service industry that’s eligible to buy E&O (example: gas…

       5. Intellectual Property (Patent/Copyright). These policies are
          designed to protect the insured from claims brought by
          competitors and other third parties. This coverage responds
          to theft of ideas, products or content, not identities or money.

       6. Crime Insurance covers theft of money, securities and
          property. In the absence of a cyber insurance policy, there
          wouldn't be coverage for notification and credit monitoring.

Part 2 - “Cyber” Insurance…
           o An Evolving Coverage…

           o Insurers vary widely on:

                   – Coverage
                   – Policy wording
                   – Policy structure
                   – Terminology
           o No standard policies yet…

“Cyber” Insurance…
 Who sells it?

   1.   Chartis (AIG) (“netAdvantage”)
   2.   CNA (“netProtect”)
   3.   Beazley
   4.   Chubb
   5.   Evanston
   6.   Hiscox (affirmative Contractual Liability included)
   7.   Markel American
   8.   Philadelphia
   9.   + 9 other insurers to date…

“Cyber Insurance” Insuring Agreements…
1st Party (The Insured):

        1. Business Interruption
        2. Crisis Management Expense
        3. Extortion/Threat Expenses
        4. Privacy (Notification Expense of Data Breach)

3rd Party (Other-Than-The-Insured):

        5. Privacy Liability (Data Breach)
        6. Security
        7. Administrative & Regulatory Actions
        8. Intellectual Property
        9. Media/Content

3rd Party - Privacy Coverage

•  Regulatory Defense & Expenses – many new regulations exist
   related to the protection of confidential data. Insurance will
   provide defense cost coverage for regulatory proceedings and even
   penalties where insurable.

•  Credit Monitoring – policies may cover up to 1 year of credit
   monitoring services for those exposed. In some cases 2 years of
   monitoring may be available.

•  Credit Repair Services – policies may cover 1 year of services to
   repair credit after an actual identity theft.

Privacy: Data Breach Example…

•   Hackers broke into a Virginia web site used by pharmacists to
    track prescription drug abuse…
•   The hackers made a copy of the records, deleted the original,
    then encrypted their copy…
•   A ransom demand was then made for $10,000,000 in
    exchange for the password to the encrypted records.
•   8 million records were stolen and encrypted!

Privacy: Claims Examples…

An online business processor inadvertently provided access to a
non-authorized user. Confidential customer contact information was
exposed to unauthorized users. A regulatory investigation of the data
privacy incident led to a fine.
   –Loss: Private suit for loss of/damage to data settled for $875,000.
    Defense expenses incurred were in excess of $275,000.

A bank employee's laptop containing sensitive client data went missing.
Regulatory investigation is ongoing. Multiple lawsuits are pending by
individuals whose data has been compromised.
   –Loss: Total defense costs now exceed $700,000.

A pharmacy sold to an individual a computer that still contained
prescription records, including the names, addresses, social security
numbers and medication lists of pharmacy customers. State law
required certified notification to all of the affected parties. Two
lawsuits were filed: 1) an employee plaintiff alleged damages due to job
loss as a result of the disclosure; 2) a client plaintiff alleged her identity
was stolen and sued to recover the costs of correction and emotional
distress. A HIPAA investigation was triggered.
   –Loss in excess of $410,000

Security Coverage…

•    Third party economic loss resulting from a network and
     information security failure (“security breach”)

•    Unauthorized access & unauthorized use

•    “Denial of service” (e.g., the “jamming” of WikiLeaks)

Security: Statistics for 2008…

             o At least 43% of businesses surveyed had experienced some kind
                of cyber security incident.

             o Average annual reported losses from cyber security incidents
                in 2008 were $288,618 per business.

             o Financial fraud was the most expensive type of incident,
                with an average reported cost of $463,100.

[Source: Computer Security Institute, CSI Computer Crime and Security
    Survey 2008.]

Security: Losses Breakdown …

[Chart: percentage of incidents by category, 2007 vs. 2008]

The percentage of incidents in each category has remained
consistent from 2007 to 2008.

Insider abuse, laptop theft & virus incidents are still the most common.

“Cyber” Loss Control…
All businesses need to establish…
•    Corporate Cyber Policies/Plans:
       –    Privacy Policy
       –    Information Security Policy
       –    Computer Usage Policy
       –    Incident Response Plan

•    Employee Cyber Risk Awareness Training
•    Cyber Software Security Controls
       –    Firewalls, passwords, encryption, antivirus
•    Physical (Hardware) Security Controls
       –    Locks, portable equipment restrictions, theft controls

16 Questions You Need to Ask …
      1. Do you hold any private data of clients, vendors,
         employees or others?

      2. Are you aware of the notice requirements in each state if you
         lose control of that data?

      3. What steps would you take/who would you call if you lost those
         private records?

      4. Do you have a corporate-wide privacy policy?

      5. Do you have a disaster plan specific to data breaches?

      6. Are your records stored electronically? Paper? Are the
         records secure? Do you shred?

      7. Do any employees have access to private client records?

      8. Do you allow use of USB drives on computers that can
         access private data?

      9. Are your records ever handled by a 3rd party?

      10. Are all of your laptops and wireless connections
          encrypted? Email encrypted?

      11. Are you confident your antivirus and firewall systems
          are 100% effective?

      12. Have any of your systems been programmed by non-…

      13. How would your clients respond if you lost their
          private records?

      14. If your network was damaged or disabled by a virus or
          hacker attack, would it affect your income?

      15. Do you have a backup system?

      16. How long would it take you to recover?


Basically …
Every business has an exposure to “Cyber” Risk!

Every business needs “Cyber” Insurance!

Sources…
       o June Wysocki, AmWins, Grand Rapids, MI
       o Jim Whetstone, Hiscox US, Chicago, IL
       o Dark Reading
       o National Underwriter
       o Rough Notes
       o American Agent & Broker
       o IRMI
       o Business Insurance