Hawaii Captive Insurance Council 2013 Forum
General Session
November 8, 2013, 11:15 am – 12:15 pm

What Every Captive Insurance Manager Needs to Know About Cyber‐Risk & Data Security

Presenters

Joshua Gold, Esq.
Anderson Kill
(212) 278‐1886
[email protected]
New York, NY

Alice West
Director, Insurance Corporate Risk
Safeway Inc.
(925) 556‐
[email protected]
Pleasanton, CA

1020933V1 © 2013 Anderson Kill P.C. All Rights Reserved
Disclaimer
The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.
A RISK MANAGER’S APPROACH TO…
CYBER RISK!
LESSONS LEARNED AS AN EARLY BUYER
• Exposures warranted cyber purchase
• Continual enhancement and expansion of tower
• Dynamic coverage evolution
• Multi‐disciplinary effort
• Enhanced risk management and insurance program
Can’t ‘traditional’ insurance help?

Property Insurance:
Malware and Denial‐of‐Service attacks do not constitute ‘physical perils’ and do not damage ‘tangible property’.

Errors and Omissions:
‐ Unauthorized access exclusions.
‐ Requires negligence in provision of defined business activities.

General Liability Insurance:
CGL privacy coverage limited to ‘publication or utterance’ resulting in one of the traditional privacy torts.

Crime Coverage:
Crime policies require intent… theft of money, securities, or tangible property.

Common Hurdles:
‐ Intentional acts and insured vs. insured issues.
‐ No coverage for expensive crisis expenses required by law or to protect reputation.

Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap & Ransom Policies
CURRENTLY AVAILABLE CYBER INSURANCE
Privacy Injury Liability
Privacy Regulatory Proceedings and PCI Fines
Network and Content Liability
Crisis Management Fund
Network Loss or Damage
Business Interruption
Electronic Theft
Network Extortion: K&R? Special Risks?
RISK MANAGEMENT STRATEGIES
Integrate Incident Response with Risk Management
Compliance with industry‐appropriate standards, e.g. PCI‐DSS
Showcase IT Risk Management – Go Phish Yourself
Vendor Due Diligence
THE CASE FOR RISK MANAGEMENT
Ponemon 2012 Cost of a Data Breach Study

All of the below factors can either reduce or increase the cost of a data breach from its $188 per record average.
Which ones hurt and which ones help? What’s the per record $$ impact of each factor?

• Notify customers ASAP
• Have a strong security posture
• Trust third party vendors with data, see it breached
• Have an incident response plan
• Hire an outside consultant to contain and resolve breach
• Appoint a Chief Information Security Officer
• Lose a laptop or other device (vs. other breach methods)
THE CASE FOR RISK MANAGEMENT
Ponemon 2012 Cost of a Data Breach Study

Factors that decrease breach cost (per record):
Have an incident response plan: − $42
Have a strong security posture: − $34
Appoint a Chief Information Security Officer: − $23
Outside consultant to contain/resolve breach: − $13

Factors that increase breach cost (per record):
Trust third party vendors with data, see it breached: + $43
Notify customers ASAP: + $37
Lose a laptop (or other device): + $10
WHO IS VULNERABLE?
EVERYONE!
WHO IS VULNERABLE?
2012 Data Breaches¹
Business – 36.9%
Medical/Healthcare – 34.6%
Educational – 13.6%
Government/Military – 11.2% (based on headlines, this looks like it’s trending in a bad direction)
Banking/Credit/Financial – 3.8%
____________
¹ Identity Theft Resource Center, www.idtheftcenter.org/ITRC%20Breach%20Report%202012.Pdr
WHAT ARE THE CAUSES?
Negligence – 39%
Malicious or Criminal Attack – 37%
System Error – 24%³
________________
³ 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
WHAT IS THE COST?
Information Loss – 44%
Business Disruption – 30%
Revenue Loss – 19%
Equipment Damages – 5%
Other Miscellaneous Costs – 2%⁴
________________
⁴ 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
WHAT’S THE REAL COST?
Average Resolution Time: 24 days
Average Cost: $5.5 Million⁵
________________
⁵ 2011 Cost of Data Breach Study: United States, Ponemon Institute, March 2012.
CAPTIVE INSURANCE COMPANY DATA
• What information does the captive have?
  Workers Compensation Info
  Employee Data
  Proprietary Data
• What if the captive serves as insurer for multiple un‐affiliated companies?
  Exponential Risk Increase?
THIRD‐PARTY DATA MANAGEMENT & RISKS
Captive Manager Utilized?
Cloud is the Trend in any Event
Cost Savings
Data Security Risks Increase/Decrease?
Lack of Control
Can delegate the data management but not the responsibility
What are the risks? Amazon/Sony Breach
BEST PRACTICES
SEC Guidance
FFIEC Guidance
Due Diligence on Vendors
Negotiate Strong Terms in Vendor/Cloud Contracts
Risk Transfer: Indemnity/Insurance
Security Assessment of Captive Manager or Vendor: Tricky in a Multi‐Tenant Cloud Platform
Make Sure There is Adequate Notice/Disclosure of Use of Cloud to Stakeholders
RISK MANAGEMENT STEPS
Contracts with Captive Managers & Vendors
Notice of Incident (even if your data is not disclosed)
Cooperation with regulatory authorities and law enforcement
Periodic audit rights
Notification costs responsibility
Costs of computer forensic experts
Use of sub‐contractors
Cloud Services Termination: How does hosted data get disposed of? / Who pays?
Representations and Warranties about firm protecting data
SECURITY & INSURANCE
• Encryption: automatic red flag for AGs/FTC if data disclosed and not encrypted
• Contractual Indemnity/Hold Harmless
• Mandate insurance purchase by vendor
• Require additional insured status
DEALING WITH A SECURITY BREACH
Data Breach Team and Plan needs to be in place
Compliance with State Notice
Make sure your insurance provides cover where cloud used
Notice all potentially applicable insurance
POLICIES COVERING LOSS
Take Inventory of Policies: GL, D&O, E&O, Crime, All Risk Property, Cyber Policies
1st Party, 3rd Party, Hybrid Coverage Issues
What Are The Captives Covering? GL? Property? Other?
COVERAGE UNDER CGL?
Data Loss
Business Interruption
Third Party Losses
Privacy
WHEN STANDARD INSURANCE IS NOT ENOUGH:
CYBER POLICIES!
RISK MANAGEMENT CONSIDERATIONS
Virus Coverage or Exclusions
Virus Defined in a Manner that Might Affect Hacker Coverage
“Confidential” Information vs. Trade Secrets vs. Customer Information
Coverage for Regulatory Matters (e.g., FTC)
RISK MANAGEMENT / INSURANCE CONSIDERATIONS
CONDITIONS/EXCLUSIONS FOR:
Data Security Efforts and Policyholder Protective Measures
Coverage for Network Computers Only? What about Laptops?
Insured Property / Locations / Premises
Where are Servers / Computers Housed? (Territorial Limits)
TIME SENSITIVE PROVISIONS
Fear of Reporting Claims?
Timely Notice
Proofs of Loss
Suit Limitation Clauses
LITIGATION ISSUES
Not a Ton of Precedent
What Exists is Not Uniform
Careful What Gets Disclosed During Discovery, Including What Is Provided Pursuant To Subpoena:
– E.g., Sensitive Data, Customer Information, Network Security Blueprints
QUESTIONS?
Thank You

Joshua Gold, Esq.
Anderson Kill
(212) 278‐1886
[email protected]
New York, NY

Alice West
Director, Insurance Corporate Risk
Safeway Inc.
(925) 556‐
[email protected]
Pleasanton, CA