Cyber Insurance Presented by: Paul J. Miola, CPCU, ARM Executive Director October, 2013


What Is Cyber Insurance?

Goes by various names – “Information Security Insurance”, “Network Security Insurance”, “Privacy Insurance”, “Data Breach Insurance”, “Network Breach Insurance”, “Technology Solutions”, “Cyber Liability”, “Breach Response Insurance”…

Why Cyber Insurance?

General Liability Insurance doesn’t respond to cyber claims

• Typical CGL policy defines “property damage” as “physical injury to tangible property, including all resulting loss of use of that property.”

• Some CGL policy forms specifically exclude electronic data from their definition of “property damage.” In such policies, “electronic data” is generally defined as the “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software.”

• Data, web pages and computer systems do not constitute tangible property because they are not capable of being touched, held or sensed by the human mind.

You Have Added Responsibilities

In the event of a data breach:

Notify Employees
Notify members of public
Notify regulators
• State/Multi State
• Federal
• Additional efforts

Who has to do this?


Responsibility lies with the offending entity

You Do!

Cyber Insurance

Specialized Coverage

Not just insurance coverage
• Claims for damages by third parties

A variety of services
• Designed to prevent claims
• Respond on your behalf
• Deal with regulators
• Make sure you comply
• Handle Public Relations

Takes the burden off of you

Cyber Risks Are Real

• Cyber claims are infrequent but they do occur
• Big name companies are targets but you represent low hanging fruit
• Lack of formal security and “Privacy Policies”
• What if it happens to you?
• Will you know what to do?

What Could Go Wrong?

• If you pass along a virus or other type of malware, even unknowingly, especially if another entity's customer information is then compromised.

• If an employee gains unauthorized access to another entity's information or if confidential information is disclosed or misused.

• If an employee knowingly or unwittingly slanders another entity in a blog, e-mail, or in a social media or forum post, or infringes on copyrighted material.

• If you do not follow federal or state regulations controlling notification of members of the public/employees whose personal data has been compromised.

What Is A Data Breach?

Breach occurs when an unauthorized 3rd party accesses your network or the network becomes infected with a virus or a denial of service attack.

What Can Happen?

• Data can be stolen that can help criminals access PII*.

• PII is a legal concept, not a technical concept.

• PII can be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts.

• PII has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII.

*Personally Identifiable Information


What’s It Going to Cost?

And who pays for it?


Who You Gonna Call?

Ghost Busters?

In The Event of A Breach (Or a suspected Breach)

Immediately dial the XL Data Breach Hotline

1-855-566-4724

This is EXTREMELY IMPORTANT! Keep the number handy!

XL Data Breach Hotline

Immediate Triage Assistance

Nelson, Levine, deLuca, & Hamilton

They will guide you.

Report The Claim

Time is of The Essence!

[email protected] contact Qual-Lynx.

What’s Covered…

Data Recovery
◦ Expenses required to replace, recreate, restore or repair the Insured’s network or information residing on the network to substantially the form in which it existed immediately prior to a breach.

Cyber Extortion
◦ Coverage provided to reimburse an Insured the amounts paid to avert a credible threat to commit or continue a network attack against the insured or to disclose personally identifiable information

Crisis Management Coverage

Data Breach Response Costs

Reimburse the Insured for the costs incurred following a breach of private information. Typically costs are provided on a sub-limited basis.

• Forensics costs
• Public relations costs
• Legal
• Mandatory notification costs
• Voluntary notification costs
• Credit monitoring
• Call center
• Breach coach costs

PCI-DSS Response

Reimburse the Insured for the costs it incurs to respond to a PCI-DSS incident.

• Independent forensic investigation conducted by a Payment Card Industry Forensic Investigator (PFI);
• Attorney fees
• fines and penalties owed by the Insured under the terms of a Merchant Services Agreement Fees.


Third Party Liability Coverage

Network Security Liability

Failure by the Insured to prevent a network breach which results in:

1. the inability of an authorized user to gain access to the network;
2. the alteration, addition to, copying, destruction, deletion, disclosure, damage or removal of any data residing on the network;
3. a denial of service attack against Internet sites or computers;
4. the transmission of a computer virus from the network to third-party networks or Internet sites;

Privacy Liability

Coverage for claims arising from third parties for allegations of:

1. violation of privacy torts, law and regulations (GLB, HIPAA, COPPA)
2. theft, loss, unauthorized disclosure of personally identifiable information private information
3. alterations, corruption, destruction, deletion or damage to private information

• Includes both online and off-line data


Regulatory Coverage

Defense

• Provides defense costs resulting from a regulatory investigation or proceeding.

• Typical enforcement comes from the FTC or AGs.

• FTC can charge defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.

• As of May 1, 2011, the FTC has brought 32 legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information.

Media Coverage

Covers the content the Insured disseminates through various means including social media for a defined list of covered perils.

• Intellectual property infringement
• Defamation
• Other personal injury torts

Summary of ACM JIF Cyber Risk Coverage

Limits:

Third Party Coverage: Media Liability, Network Security and Privacy Liability

• $1,000,000 per claim
• $3,000,000 annual aggregate
• $10,000 deductible each claim
• Regulatory Fines and Penalties sub limit of $500,000
• Retroactive date January 1, 2013

First Party Coverage: Notification Costs, Extortion Threat, Crisis Management and Business Interruption

• $500,000 per claim limit
• $3,000,000 annual aggregate
• $10,000 deductible each claim

Value Added Services

Data Breach Hotline
◦ 1-888-566-4724
◦ Service Provided by Nelson, Levin, deLuca & Horst

eRisk Hub
◦ Go to https://www.eriskhub.com/xl.php
◦ Complete Registration Form
◦ Access Code – 10448
◦ Once Registered you have immediate access to the portal with User ID & password created during registration


What Else?

Much

Much

More

Jim Prendergast

Partner

Nelson Levine de Luca & [email protected]

www.nldhlaw.com

After The Break… Cyber Liability Risk Management