Hawaii Captive Insurance Council 2013 Forum
General Session
November 8, 2013, 11:15 am – 12:15 pm

What Every Captive Insurance Manager Needs to Know About Cyber-Risk & Data Security

What Every Captive Manager - Hawaii Captive Insurance Council · hawaiicaptives.com/wp-content/uploads/2013/11/Cyber-Risk... · 2013-11-13 · What Every Captive Insurance Manager Needs



Presenters

Joshua Gold, Esq.
Anderson Kill
(212) 278-1886
[email protected]
New York, NY

Alice West
Director, Insurance
Corporate Risk
Safeway Inc.
(925) 556-[email protected]
Pleasanton, CA

1020933V1 © 2013 Anderson Kill P.C. All Rights Reserved


Disclaimer

The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.


A RISK MANAGER’S APPROACH TO…

CYBER RISK!


LESSONS LEARNED AS AN EARLY BUYER

• Exposures warranted cyber purchase
• Continual enhancement and expansion of tower
• Dynamic coverage evolution
• Multi-disciplinary effort
• Enhanced risk management and insurance program


Can’t ‘traditional’ insurance help?

Property Insurance:
Malware and Denial-of-Service attacks do not constitute ‘physical perils’ and do not damage ‘tangible property’.

Errors and Omissions:
- Unauthorized access exclusions.
- Requires negligence in provision of defined business activities.

Common Hurdles:
- Intentional acts and insured vs. insured issues.
- No coverage for expensive crisis expenses required by law or to protect reputation.

General Liability Insurance:
CGL Privacy coverage limited to ‘publication or utterance’ resulting in one of traditional privacy torts.

Crime Coverage:
Crime policies require intent… theft of money, securities, or tangible property.

Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap & Ransom Policies


CURRENTLY AVAILABLE CYBER INSURANCE.

• Privacy Injury Liability
• Privacy Regulatory Proceedings and PCI Fines
• Network and Content Liability
• Crisis Management Fund
• Network Loss or Damage
• Business Interruption
• Electronic Theft
• Network Extortion: K&R? Special Risks?


RISK MANAGEMENT STRATEGIES

• Integrate Incident Response with Risk Management
• Compliance with industry-appropriate standards, e.g., PCI-DSS
• Showcase IT Risk Management – Go Phish Yourself
• Vendor Due Diligence


THE CASE FOR RISK MANAGEMENT
Ponemon 2012 Cost of a Data Breach Study

All of the below factors can either reduce or increase the cost of a data breach from its $188 per record average.

Which ones hurt and which ones help?
What’s the per record $$ impact of each factor?

• Notify customers ASAP
• Have a strong security posture
• Trust third party vendors with data, see it breached
• Have an incident response plan
• Hire an outside consultant to contain and resolve breach
• Appoint a Chief Information Security Officer
• Lose a laptop or other device (vs. other breach methods)


THE CASE FOR RISK MANAGEMENT
Ponemon 2012 Cost of a Data Breach Study

Factors that…

Decrease Breach Cost
• Have an incident response plan: -$42
• Have a strong security posture: -$34
• Appoint a Chief Information Security Officer: -$23
• Outside consultant to contain/resolve breach: -$13

Increase Breach Cost
• Trust third party vendors with data, see it breached: +$43
• Notify customers ASAP: +$37
• Lose a laptop (or other device): +$10


WHO IS VULNERABLE?

EVERYONE!


WHO IS VULNERABLE?
2012 Data Breaches. [1]

• Business – 36.9%
• Medical/Healthcare – 34.6%
• Educational – 13.6%
• Government/Military – 11.2% (Based on headlines, this looks like it’s trending in a bad direction)
• Banking/Credit/Financial – 3.8%

[1] Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr


WHAT ARE THE CAUSES?

• Negligence – 39%
• Malicious or Criminal Attack – 37%
• System Error – 24% [3]

[3] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.


WHAT IS THE COST?

• Information Loss – 44%
• Business Disruption – 30%
• Revenue Loss – 19%
• Equipment Damages – 5%
• Other Miscellaneous Costs – 2% [4]

[4] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012


WHAT’S THE REAL COST?

Average Resolution Time: 24 days

Average Cost: $5.5 Million [5]

[5] 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012


CAPTIVE INSURANCE COMPANY DATA

• What information does the captive have?
  – Workers Compensation Info
  – Employee Data
  – Proprietary Data
• What if the captive serves as insurer for Multiple un-affiliated companies
  – Exponential Risk Increase?


THIRD-PARTY DATA MANAGEMENT & RISKS.

• Captive Manager Utilized?
• Cloud is the Trend in any Event
• Cost Savings
• Data Security Risks Increase/Decrease?
• Lack of Control
• Can delegate the data management but not the responsibility
• What are the risks; Amazon/Sony Breach


BEST PRACTICES.

• SEC Guidance
• FFIEC Guidance
• Due Diligence on Vendors
• Negotiate Strong Terms in Vendor/Cloud Contracts
• Risk Transfer Indemnity/Insurance
• Security Assessment of Captive Manager or Vendor: Tricky in a Multi-Tenant Cloud Platform
• Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders


RISK MANAGEMENT STEPS

• Contracts with Captive Managers & Vendors
• Notice of Incident (even if your data is not disclosed)
• Cooperation with regulation authorities and law enforcement
• Periodic audit rights
• Notification costs responsibility
• Costs of computer forensic experts
• Use of sub-contractors
• Cloud Services Termination: How does hosted data get disposed of? / Who pays?
• Representations and Warranties about firm protecting data


SECURITY & INSURANCE.

• Encryption
  – Automatic red flag for AGs/FTC if data disclosed and not encrypted
• Contractual Indemnity/Hold Harmless
• Mandate insurance purchase by vendor
• Require additional insured status


DEALING WITH A SECURITY BREACH.

• Data Breach Team and Plan needs to be in place
• Compliance with State Notice
• Make sure your insurance provides cover where cloud used
• Notice all potentially applicable insurance


POLICIES COVERING LOSS.

• Take Inventory of Policies
  – GL, D&O, E&O, Crime, All Risk Property, Cyber Policies
• 1st Party, 3rd Party, Hybrid Coverage Issues
• What Are The Captives Covering?
  – GL?
  – Property?
  – Other?


COVERAGE UNDER CGL?

• Data Loss
• Business Interruption
• Third Party Losses
• Privacy


WHEN STANDARD INSURANCE IS NOT ENOUGH.

CYBER POLICIES!


RISK MANAGEMENT CONSIDERATIONS.

• Virus Coverage or Exclusions
  – Virus Defined in a Manner that Might Affect Hacker Coverage
• “Confidential” Information vs. Trade Secrets vs. Customer Information
• Coverage for Regulatory Matters (e.g., FTC)


RISK MANAGEMENT / INSURANCE CONSIDERATIONS

CONDITIONS/EXCLUSIONS FOR:
• Data Security Efforts and Policyholder Protective Measures
• Coverage for Network Computers Only?
• What about Laptops?
• Insured Property / Locations / Premises
• Where are Servers / Computers Housed? (Territorial Limits)


TIME SENSITIVE PROVISIONS.

• Fear of Reporting Claims?
• Timely Notice
• Proofs of Loss
• Suit Limitation Clauses


LITIGATION ISSUES.

• Not a Ton of Precedent
• What Exists is Not Uniform
• Careful What Gets Disclosed During Discovery, Including What Is Provided Pursuant To Subpoena:
  – E.g., Sensitive Data, Customer Information, Network Security Blueprints


QUESTIONS?


Thank You
