© Copyright 2015 by K&L Gates LLP. All rights reserved.

Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage

Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
Andras P. Teleki, Investment Management Partner, K&L Gates LLP
Jason Warmbir, Vice President, Head of the Midwest Cyber Placement Team, Willis Group Holdings Limited
Gregory S. Wright, Insurance Coverage Partner, K&L Gates LLP

Thursday, June 11, 2015


Investment Management Cybersecurity Seminar Series Overview

Session 1 (February 27, 2015): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program
Session 2 (March 23, 2015): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
Session 3 (April 29, 2015): Testing Your Cybersecurity Infrastructure and Enforcement-Related Developments
Session 4 (Today): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage
Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments


Session 4 Topics

Development of a Breach Response Plan

Testing the Breach Response Plan

State Breach Notification Requirements

Types of Cyber Insurance and Legal Considerations

What Does a Cyber Policy Cover

Obtaining Coverage and Examples of Coverage Prerequisites

Filing a Claim


THE BREACH RESPONSE PLAN


The phone rings in the middle of the night about discovery of a data security breach . . . what are you going to do?


Importance of Having a Breach Response Plan

Firm typically will need to take immediate action to protect client and firm data, processes and systems from further harm, including coordinating the internal and external constituencies and resources that respond to the incident (information technology, legal counsel, compliance, risk management and communications)

Firm may be required to provide notice of a breach to affected individuals and/or state law enforcement authorities/regulators

Firm may need to prepare for possible regulatory actions, investigations or lawsuits that may follow notice of the breach

Firm may need to disclose incidents or actions in SEC filings

Firm may need to notify cyber insurance carriers about breach to comply with coverage requirements

Firm may need to take additional steps to address reputational and other considerations


Developing a Breach Response Plan

Legal background

Breach response plan is not required under the federal securities laws, but the SEC and other regulators strongly suggest having one

IM Guidance Update (April 2015) -- Advisers and funds should “[c]reate a strategy that is designed to … respond to cybersecurity threats. Such a strategy could include … development of an incident response plan.” (Emphasis added.)

Common elements of a breach response plan:
• Breach response team and command structure (IT, CISO, Legal, Compliance, Senior Management, Outside Counsel, and Other Third Party Resources)
• Initial actions (the “Roadmap/Plan of Battle”)
• Strategies to diagnose the breach
• Containment and mitigation strategies for multiple incident types
• Continuing actions and resolution, including investigation, eradication, recovery and damage assessment
• Client and other notifications and regulatory reporting obligations
• Post-mortem analysis
• Activity Logs
• Role of Legal
• Media Relations


Testing the Breach Response Plan

Importance of regular testing

IM Guidance Update -- “Routine testing of strategies could also enhance the effectiveness of any strategy” designed to prevent, detect and respond to cybersecurity threats

Testing a breach response plan is similar to testing a business continuity plan

Common testing scenarios:
• Table read
• Tabletop simulation
• Incorporation into business continuity plan testing
• Third party reviews
• Review of cybersecurity testing (penetration testing)


Incident Response Guidance from NIST

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf


DEALING WITH A DATA BREACH


The First 24 Hours – Do Not Panic, Follow the Plan

1. Record the date and time of discovery and time when response efforts begin
2. Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan
3. Investigate, while preserving evidence
4. Stem additional data loss
5. Document everything known about the breach
6. Interview those involved in discovering the breach and anyone else who may know about it
7. Consider notifying law enforcement after consulting with legal counsel
8. Revisit applicable legal requirements governing the type of data lost
9. Determine all persons/entities that need to be notified (e.g., clients, employees and others)
10. Ensure all notifications occur within any mandated timeframes
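The activity log that the plan elements call for, and that steps 1, 3, 5 and 6 above feed, is most useful in the post-mortem and in any later regulatory inquiry if it can be shown not to have been edited after the fact. The Python below is an added illustration, not material from the seminar or from K&L Gates: every entry carries a UTC timestamp, the actor, the action and the SHA-256 digest of any artifact preserved with it, and commits to the hash of the preceding entry, so rewording or dropping an earlier entry is detectable on review. The incident identifier, actors, times and the placeholder evidence bytes are constructed for the example.

```python
"""Hash-chained incident activity log (constructed example; names and events are invented)."""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str                  # ISO-8601 UTC, written when the entry is recorded
    actor: str                      # who did or observed it
    action: str                     # what happened (discovery, containment, interview, ...)
    evidence_sha256: Optional[str]  # digest of any artifact preserved with this entry
    prev_hash: str                  # hash of the preceding entry; chains the log together
    entry_hash: str                 # hash over all fields above


def _digest(seq, timestamp, actor, action, evidence_sha256, prev_hash) -> str:
    payload = json.dumps([seq, timestamp, actor, action, evidence_sha256, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    """Append-only log: each entry commits to its predecessor, so a later edit or
    deletion is caught when verify() is run during the post-mortem."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[Entry] = []

    def record(self, actor: str, action: str, evidence: Optional[bytes] = None,
               when: Optional[datetime] = None) -> Entry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        ev = hashlib.sha256(evidence).hexdigest() if evidence is not None else None
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, ts, actor, action, ev, prev,
                      _digest(seq, ts, actor, action, ev, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact and the chain has no gaps."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.timestamp, e.actor, e.action,
                       e.evidence_sha256, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def minutes_between(self, first_prefix: str, second_prefix: str) -> float:
        """Elapsed minutes between the first entries whose action starts with each
        prefix, e.g. from discovery to activation of the response team (step 1)."""
        def find(prefix):
            return next(datetime.fromisoformat(e.timestamp)
                        for e in self.entries if e.action.startswith(prefix))
        return (find(second_prefix) - find(first_prefix)).total_seconds() / 60


def build_sample_log() -> IncidentLog:
    """Constructed timeline following steps 1 to 6 above; all times are invented."""
    t0 = datetime(2015, 6, 11, 2, 14, tzinfo=timezone.utc)
    log = IncidentLog("INC-EXAMPLE-001")  # placeholder identifier
    log.record("on-call engineer", "discovery: alert on unusual outbound transfer from file server", when=t0)
    log.record("on-call engineer", "response team activated per breach response plan",
               when=t0.replace(minute=41))
    log.record("forensics lead", "evidence preserved: disk image of file server",
               evidence=b"<constructed placeholder for image bytes>",
               when=t0.replace(hour=3, minute=5))
    log.record("forensics lead", "containment: server isolated from network",
               when=t0.replace(hour=3, minute=12))
    log.record("legal counsel", "interview: on-call engineer account of discovery",
               when=t0.replace(hour=4, minute=0))
    return log


def tampered_copy(log: IncidentLog) -> IncidentLog:
    """Copy of the log with one past action silently reworded, to show detection."""
    copy = IncidentLog(log.incident_id)
    copy.entries = list(log.entries)
    copy.entries[3] = replace(copy.entries[3], action="containment: server isolated immediately")
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("minutes from discovery to activation:",
          sample.minutes_between("discovery", "response team activated"))
    print("tampered copy intact:", tampered_copy(sample).verify())
```

Entries are hashed rather than signed so the block needs no key material; in practice the latest entry hash would be copied out of band (e-mailed to outside counsel, printed) at intervals so the whole chain cannot be silently regenerated.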


Ask the Right Questions


When, Where and How

When did the breach occur? Recently? Longstanding breach?

Where did the breach occur? At the adviser? At the fund? At a service provider?

How did the breach occur? Computer intrusion? Employee error?


What Data Was or May Have Been Compromised?


Examples of 3rd Party Forensic Analysis Tools

• Data collection and preservation: Identification, isolation and preservation of electronic data using forensically sound methodologies

• Data recovery and forensic analysis: Forensic analysis of the clues left behind to uncover critical information regarding the breach and systems impacted

• Malware and advanced persistent threat analysis: Forensic analysis of malware to determine how it works and identify the scope of impact on systems


How Many Records are Impacted and Was the Data Encrypted?

Under state law, the number of people impacted by the data breach often dictates whether consumer and state regulator notice is required

Whether the data was encrypted may also impact whether notice of the breach is required under state law


Where Are You Doing Business and What is the Residency of the People Whose Data was Impacted?


BREACH NOTICE REQUIREMENTS


Notice Requirements

Different types of notice:
• State law notice requirements to affected individuals
• Business partners notice requirements (e.g., New Jersey)
• Industry-specific notice requirements
• Others (e.g., state law notice requirements to regulators, AGs or law enforcement)
• SEC filings for public companies and other disclosure considerations


State Data Security Breach Laws

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information

While there are many commonalities, there are also many differences

A significant breach that is national in scope can result in the need to apply 47 different state breach notification laws to the event


Definition of Sensitive Information Varies State by State

Most laws apply to sensitive personal information

What constitutes “sensitive personal information” varies by jurisdiction. For example:

California -- An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (A) social security number; (B) driver’s license number or California identification card number; (C) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and (D) medical information.

Nebraska -- Similarly to California, but also includes an individual’s first name or first initial and last name in combination with: (a) a unique electronic identification number or routing code, in combination with any required security code, access code or password; or (b) unique biometric data, such as fingerprint, voice print, or retina or iris image, or other unique physical representation.


Notification Requirements Also Vary State by State

Notification requirements also vary by state. For example, in New York, the company must not only notify affected consumers, but also state law enforcement agencies

See http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx for the list of state data security breach laws published by the National Conference of State Legislatures as of January 12, 2015


Assessing Whether Notice is Required

Firm may need to assess whether notification requirement has been triggered:
• Some states’ statutes apply only if the data was unencrypted, while others (including the federal banking interagency guidance) have no similar limitation
• Some states require notification whenever data is accessed by an unauthorized person, while others only require notification if the company determines that the data is reasonably likely to be misused (immaterial breaches)


Assessing Whether Notice is Required (cont.)

• Some states require loss or injury
• Some states permit the institution to work with law enforcement agencies before notifying the consumer, while others impose set time limits
• May be civil or criminal penalties
• A number of states have no private right of action


Every Notice Breach Law is Different, So Determine Which Applies


Anatomy of a Breach Notice (California Example)

The security breach notification shall be written in plain language. The security breach notification shall include, at a minimum, the following information:
• The name and contact information of the reporting company
• A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
• If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice
• Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided
• A general description of the breach incident, if that information is possible to determine at the time the notice is provided
• The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver's license or California identification card number

At the discretion of the company, the security breach notification may also include any of the following:
• Information about what the company has done to protect individuals whose information has been breached
• Advice on steps that the person whose information has been breached may take to protect himself or herself
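The “sensitive personal information” definitions on the earlier slide (California, and Nebraska’s additions) and the California notice contents above can be written down as rules that the response team runs over its inventory of exposed fields, which is what steps 8 and 9 of the first 24 hours ask for. The Python below is an added example, not code from the seminar or its presenters; it encodes only what the slides summarize. The element labels, the CompromisedRecord type and the treatment of the account-number-plus-credential pair are this example’s own assumptions.

```python
"""Constructed example: apply the California and Nebraska definitions of sensitive
personal information as summarized on the slides, then derive the California notice
contents that the exposed elements trigger. Element labels are this example's own."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

# Labels used by this example, not statutory terms.
NAME = "name"                                   # first name or first initial plus last name
SSN = "ssn"
DRIVERS_LICENSE = "drivers_license_or_state_id_number"
FINANCIAL_ACCOUNT = "account_or_card_number"
ACCESS_CREDENTIAL = "security_code_access_code_or_password"
MEDICAL = "medical_information"
ELECTRONIC_ID = "unique_electronic_id_or_routing_code"
BIOMETRIC = "unique_biometric_data"

# California, as summarized on the slide: name plus any one of these ...
CA_STANDALONE = {SSN, DRIVERS_LICENSE, MEDICAL}
CA_PAIRED = {FINANCIAL_ACCOUNT}        # ... or this, only together with a usable credential
# Nebraska: California's list plus these.
NE_STANDALONE = CA_STANDALONE | {BIOMETRIC}
NE_PAIRED = CA_PAIRED | {ELECTRONIC_ID}


@dataclass
class CompromisedRecord:
    """Fields exposed for one individual, and which of them were encrypted."""
    fields_present: Set[str]
    encrypted: Set[str] = field(default_factory=set)

    def clear(self, item: str) -> bool:
        """Present and not protected by encryption."""
        return item in self.fields_present and item not in self.encrypted


def _sensitive(record: CompromisedRecord, standalone: Set[str], paired: Set[str]) -> FrozenSet[str]:
    """Element categories that make the record sensitive under a name-plus-element
    definition. The text quoted on the slide applies when either the name or the data
    elements are not encrypted, so an element counts if the name is in clear text or
    the element itself is."""
    if NAME not in record.fields_present:
        return frozenset()
    name_clear = record.clear(NAME)
    hits = set()
    for element in standalone:
        if element in record.fields_present and (name_clear or record.clear(element)):
            hits.add(element)
    for element in paired:
        pair_present = (element in record.fields_present
                        and ACCESS_CREDENTIAL in record.fields_present)
        # Assumption for this example: the pair counts as unencrypted only when both the
        # number and the credential that unlocks it are in clear text.
        pair_clear = record.clear(element) and record.clear(ACCESS_CREDENTIAL)
        if pair_present and (name_clear or pair_clear):
            hits.add(element)
    return frozenset(hits)


def california_sensitive(record: CompromisedRecord) -> FrozenSet[str]:
    return _sensitive(record, CA_STANDALONE, CA_PAIRED)


def nebraska_sensitive(record: CompromisedRecord) -> FrozenSet[str]:
    return _sensitive(record, NE_STANDALONE, NE_PAIRED)


def california_notice_checklist(exposed: Set[str]) -> List[str]:
    """Minimum contents of a California breach notice as listed on the slide; the
    credit-reporting-agency item is added only when SSN or licence/ID data was exposed."""
    items = [
        "written in plain language",
        "name and contact information of the reporting company",
        "types of personal information subject to the breach: " + ", ".join(sorted(exposed)),
        "date, estimated date or date range of the breach (if determinable) and date of the notice",
        "whether notification was delayed by a law enforcement investigation (if determinable)",
        "general description of the incident (if determinable)",
    ]
    if exposed & {SSN, DRIVERS_LICENSE}:
        items.append("toll-free numbers and addresses of the major credit reporting agencies")
    return items


if __name__ == "__main__":
    # Constructed inventory: name in clear text, SSN and medical information exposed.
    rec = CompromisedRecord({NAME, SSN, MEDICAL})
    exposed = california_sensitive(rec)
    print("California-sensitive elements:", sorted(exposed))
    for line in california_notice_checklist(set(exposed)):
        print(" -", line)
```

A record with an encrypted name but a clear-text account number and password still qualifies, because the definition as quoted applies when either the name or the data elements are unencrypted; a record holding only a name and an account number, with no security code or password, does not qualify under either state’s list. Biometric data qualifies under Nebraska’s definition but not California’s.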


The Media


Social Media


AFTERMATH


Postmortem

What was learned and what needs to be fixed, then fix it

Revise breach response plan based on what worked and what did not

Review and update policies and procedures based on experience

Review and update service contracts

Enhance training based on the incident


An International Issue


CYBER INSURANCE


Insurance Coverage for Cybersecurity Risks

• Why Should Investment Advisers Care About Cyber Insurance?
• What Policies Potentially Cover “Cyber” Risks (potentially both traditional policies and specialized cyber policies)?
• What Do Specialized Cyber Policies Cover?
• What Terms May Be of Particular Interest to Investment Advisers?
• What Terms May Be of Interest to all Policyholders?
• What is the Process of Purchasing a Cyber Policy?
• What is the Process of Filing a Claim?


Why Should You Care about Cybersecurity Insurance?

Transfer of risk: In the event of a cybersecurity event, insurance may provide valuable protection for:
• Claims by third parties seeking damages;
• Notification costs and/or costs for call centers, credit monitoring services, and ID theft monitoring services;
• Cost to investigate and repair computer systems;
• Certain regulatory actions (potentially related to privacy violations, including fines and penalties);
• Certain business interruption costs (lost profits); and
• Certain extortion threats.

Regulators care about cyber insurance


Regulators Care about Cyber Insurance

April 15, 2014 Office of Compliance Inspections and Examinations (“OCIE”) Cybersecurity Initiative:

Discussed OCIE’s planned examinations of more than 50 registered broker-dealers and registered investment advisers

Examination included question on insurance: “Does the Firm maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents? If so, please briefly describe the nature of the coverage and indicate whether the Firm has filed any claims, as well as the nature of the resolution of those claims”

February 2015: SEC reports on results of examination sweeps, including that more than half of broker-dealers and 21% of advisers have cybersecurity insurance


Regulators Care About Cyber Insurance

April 2015: SEC issued IM Update on Cybersecurity Guidance, which:
• Identifies “cybersecurity of registered investment companies … and registered investment advisers … as an important issue”
• Identifies “measures that funds and advisers may wish to consider when addressing cybersecurity risks”
• States that “[f]unds and advisers may also wish to consider assessing whether any insurance coverage related to cybersecurity risk is necessary or appropriate”
• Focuses on whether funds and advisers should take into account issues related to “compliance obligations under the federal securities laws” when assessing their cyber programs (e.g., identity theft and data protection, fraud, business continuity, disruptions in service that could impact a fund’s ability to process shareholder transactions)
• States that, because funds and advisers rely on service providers, funds and advisers “may also wish to consider assessing” the cyber programs of such service providers


Regulators Care About Cyber Insurance

The SEC has identified certain risks that are unique to or heightened for advisers and funds:

Risk of “hackers gaining unauthorized access … to steal information about funds’ investment strategies and pending transactions” and using such information to “front-run large, market moving trades”1

Risk that “third-party service providers—such as transfer agents, custodians, and administrators—will be the subject of cyber-attacks, which … could … cause harm to the fund and its investors.”2

1 Luis Aguilar, Commissioner, U.S. Sec. and Exchange Comm’n, Taking an Informed Approach to Issues Facing the Mutual Fund Industry (Apr. 2, 2014).
2 Id.


TYPES OF POLICIES


What Policies Potentially Cover Cyber Risks?

Policyholders should consider the unique risks they are facing and carefully review all of their policies to determine the scope of their existing policies and/or the need to purchase additional cyber coverage

Potential policies at issue: (1) traditional policies (general liability, D&O, E&O, property, bonds); and (2) specialized cyber policies (which may blend various types of policies and/or expand coverage)

A single cyber event potentially could trigger claims under multiple policies (one event might trigger notification costs and repair costs (cyber); claims for wrongful acts in providing professional services (E&O); regulatory investigations (E&O/D&O); breach of duty claims (D&O); etc.)


Coverage under Traditional Policies

There is extensive case law addressing whether traditional policies respond to cyber-related claims (beyond the scope of this presentation)

As insurers have focused on selling cyber policies, insurers have added exclusions to traditional policies that restrict coverage for cyber-related issues


Traditional First-Party Policies

First-party property policies potentially cover:
• “Physical damage” to the insured’s own property and/or “Loss of use” of “tangible property”;
• Business interruption losses and Extra Expenses arising from covered property damage; and
• Some policies exclude damage to “electronic data” or “loss of use of [or] damage to electronic data.” Some cover “electronic data.”

Reported cases address various arcane issues:
• Is “data” stored on a computer “tangible property”?
• Does damage to electronic data constitute “physical damage”?
• Whether bits and bytes are “physical” or “tangible” and/or whether the re-arrangement of atoms or molecules on a disc or tape constitutes “direct physical loss”?


Traditional General Liability Policies

Third-party policies may cover “personal or advertising injury,” which may include “oral, written, or electronic publication of material that violates a person’s right of privacy”

Frequent issues:

Does the disclosure of confidential information in a public manner constitute a “publication” of material?

Who must “publish the material” (Does it cover “publication” by a hacker as opposed to the policyholder itself? Does the policyholder have to intend to “publish”?)?

When is there a “publication” (as soon as material is potentially available to the public or stolen, or only if a third party actually reads it)?


Traditional General Liability Policies

Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (GBL), 2014 WL 3887797 (E.D. Va. Aug. 7, 2014) (alleged that policyholder posted confidential medical records on Internet; rejecting insurer arguments that “publication” required intent by policyholder to disclose and proof that someone viewed the data; holding that “publication occurs when information is placed before the public not when a member of the public reads the information placed before it”).

Zurich Am. Ins. Co. v. Sony Corp. of Am., et al., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014) (claim arising from hackers theft of personal information of PlayStation users; holding in favor of insurer on grounds that “publication” required intentional publication by Sony itself, not by third parties). Sony appealed, but the case then settled.

Hartford Cas. Ins. Co. v. Corcino & Assocs, et al., No. CV 13–3728 GAF, 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013) (policyholder sought coverage for class actions alleging violation of statutes protecting patients’ privacy rights due to posting of medical records on a public website; insurer denied coverage based on exclusion for claims “[a]rising out of the violation of a person’s right to privacy created by any state or federal act”; the court held that the exclusion was inapplicable because the statutes at issue did not “create” privacy rights, but rather codified existing rights).


D&O Policies

Consider D&O policies, which may cover potential claims against directors and officers arising from cyber-events, including claims for breach of fiduciary duty

Outside of the adviser space, there have been a few shareholder lawsuits against directors and/or officers. Allegations have included failure to take reasonable steps to protect customer data; failure to maintain industry-standard security protocols; etc.

Open question: To what extent will claims for breach of privacy be followed by claims for breach of duties?

Open question: What impact will the April 2015 SEC IM Guidance Update’s focus on the relationship between cyber programs and duties under the federal securities laws have on potential D&O claims?


What Do Specialized Cyber Policies Cover?

There is a strong existing market for cyber policies

The trend is for insurers to develop more specialized forms, but insurers typically are still using policy forms designed for financial institutions generally, rather than specific adviser or fund forms (which are common for D&O and E&O)

Terms vary widely, and insurers are often willing to negotiate to clarify or enhance

Policyholders should focus on attempting to tailor policies to focus on their specific risks and industries

Policies often blend numerous first-party components and third-party components (policyholder may be able to select among various components)


OVERVIEW OF CYBER POLICIES


Overview of Cyber Policy Coverage Parts/First Party

Remediation expenses (may include cost to investigate and repair damage to Computer Systems, including use of forensic experts)

Notification or crisis management expenses (may include costs incurred under notification laws, credit monitoring, call centers, ID theft monitoring, etc.)

PR expenses


Overview of Cyber Policy Coverage Parts/First Party

Extortion (may be based on threat to introduce malicious code or shut down system; may cover legal expenses, amounts paid, rewards paid; may require cooperation with FBI or law enforcement)

Funds transfer fraud (terms vary widely and may include restrictions)

Business interruption (lost profits following disruption of service) and extra expense (extra costs incurred to get business running again)


Overview of Cyber Policy Coverage Parts/Third Party

Privacy and network security (may cover damages and defense costs arising from claims alleging unauthorized access to or dissemination of information, data breaches, transmission of malicious code, denial of service)

Impaired access (may cover claims arising from insured’s systems being unavailable to customers)

Media liability (claims for libel, slander, invasion of the right of privacy, copyright, trademark, etc.)

Certain regulatory investigations (may be limited to privacy-related issues, but may expressly cover certain regulatory fines and penalties)


KEY ISSUES FOR ADVISERS


Key Issues for Advisers

There are heightened risks for advisers/funds given reliance on third-party service providers who may possess the “data” and computer systems

Coverage varies widely:
• Some policies may limit coverage to wrongful acts of the insured and/or attacks on the insured’s system
• Some policies afford coverage with respect to qualified service providers or third party contractors (which may be defined to include third parties that the insured hires via a written contract to perform services for the insured)
• Some policies afford coverage with respect to third parties for whom the insured is “legally responsible”


Key Issues for Advisers

Denial of service

In addition to “theft” or “unauthorized use” of data, does the policy include denial of service? DoS generally means an attack that restricts or prevents access to a computer system

Some liability policies afford coverage for a claim against the insured alleging a wrongful act by the insured or a qualified service provider resulting in a failure of network security. Coverage may turn on the activities of the insured to protect against unauthorized use, DoS attacks by a third party, transmission of harmful code, etc. Coverage may be limited to “Loss” or “Damages” (may not include fines/penalties)

Some first-party policies may cover business interruption or extra expense resulting from a DoS attack


Key Issues for Advisers

Coverage for fraudulent wire transfers varies widely:

Some policies bar coverage for loss arising from the transfer of, or the failure to transfer, funds, money or securities

Some policies may cover loss resulting from the insured making payments due to fraudulent input of data into the insured’s system or due to fraudulent “instructions.” But coverage may be limited to e-mails or faxes, not phone calls or other written advice

Coverage may turn on whether insured followed specific procedures (encryption/callback verifications)

Some policies may afford coverage for hacks by unauthorized users, but not by authorized users


Key Issues for Advisers

Definition of “Data”

Typically includes “Personally Identifiable Information” (definitions vary widely)

Does it include other types of data, such as proprietary corporate information or trading strategies?


Other Terms of Interest

Exclusions based on ongoing compliance with standards:

Failure to ensure that computer system remained protected by security practices that were disclosed in application for coverage

Use of laptops or back-up tapes that do not meet certain encryption standards

Use of Wi-Fi networks that do not meet security protocols

Use of software that is no longer supported by the vendor


Other Terms of Interest

Prior acts exclusions (some policies include broad exclusions based on acts or errors known as of the inception that reasonably could be expected to give rise to a claim)

Fraud or intentional acts exclusions

Is coverage barred only if there is a “final adjudication” in an underlying proceeding?

Do you have favorable severability provisions?

Defense

Who controls the defense and/or selects defense counsel?

Do you have to choose your attorneys and vendors (PR firms, call centers, monitoring firms) from a list?

“Other insurance” clause (address how multiple policies that might apply to the same risk fit together)


What is the Process of Purchasing a Cyber Policy?

State of market

Application process

Information considered by insurers


What is the Process of Purchasing a Cyber Policy?

Certain insurers ask for the following in their application:

Loss experience

Computer attack history

Computer virus protection, password controls, and user rights and privileges

Intruder detection systems

Computer back-up procedures

Auditing practices

Disaster planning and recovery


What is the Process of Purchasing a Cyber Policy?

Certain insurers consider whether so-called “best practices” are followed, such as:

Screening program for new hires and vendors

Pre-arranged breach service providers and counsel

Provide “certification” through e-Learning to employee base on safeguarding data

Existence of incident response plan

Encryption programs

Programs to audit user accounts

Policies surrounding Bring-Your-Own-Device (BYOD) programs


What is the Process of Filing a Claim?

Consider all potentially relevant policies

Policies typically contain specific notice provisions

Defense counsel – even if the policy says that the insurer gets to select defense counsel, you may have the right under case law to demand independent counsel if the insurer reserves rights on certain issues

Some policies include lists of approved forensic firms, PR firms, crisis management firms, etc.

Duty to cooperate

Duty to seek consent to settlement


What is the Process of Filing a Claim?

Insurers typically issue detailed reservation of rights letters and/or deny coverage

These are new policies and will raise many issues that courts may need to resolve. Insurers may pick and choose when to litigate where they think that they can develop pro-insurer case law

Confer with coverage counsel and protect your rights


Summary

Consider specific risks facing your business

Review traditional policies to identify potential coverage for cyber risks and potential exclusions/limitations

Consider obtaining cyber policies based on your evaluation

In the event of a cyberattack, consider coverage issues under all insurers and/or give notice to your insurer(s)

Be prepared to push back on insurer defenses


Speaker Contact Information


Mark C. Amorosi, Investment Management Partner, K&L Gates LLP, [email protected]

Laura L. Grossman, Assistant General Counsel, Investment Adviser Association, [email protected]

Andras P. Teleki, Investment Management Partner, K&L Gates LLP, [email protected]

Jason Warmbir, Vice President, Head of the Midwest Cyber Placement Team, Willis Group Holdings Limited, [email protected]

Gregory S. Wright, Insurance Coverage Partner, K&L Gates LLP, [email protected]


Additional Cybersecurity Resources

To access our firm’s additional cybersecurity related recorded webinars, presentations, articles and checklists, please visit www.klgateshub.com.


THANK YOU
