Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
3. Facts
• When it comes to data breach, size doesn’t matter*
• It’s more than just hacking
• The “we’ve got this covered” attitude is waning
• IT is now very much on board
*Source: 2013 Data Breach Investigations Report, Verizon RISK Team, et al.
4. The Changing Threat Landscape
“Our 2013 findings suggest that there’s a lot of complacency among organizations about the risk of espionage attacks. The assumption is that these attacks only target government, military and high-profile organizations, but our data shows that this increasingly isn’t true. Don’t underestimate the likelihood that your organization will be a target.”
Source: 2013 Data Breach Investigations Report, Verizon RISK Team, et al.
RPS Technology & Cyber
9. Industry-Specific Threats
Industries (matrix columns): Healthcare, Retail, Education, Hospitality, Financial, Public Entity, Nonprofit, Manufacturing, Technology
Threat categories (matrix rows):
• Breach of Personally Identifiable Information (PII)
• Breach of credit card data & PCI fines
• Breach of Protected Health Information (PHI)
• Breach of customers’ rights to privacy
• Breach of confidential employee data
• eBusiness Interruption
• Technology Errors or Omissions
• Personal Injury – Social Media Environment
• Intellectual Property Infringement
• Regulatory Liability
• Electronic Theft
• Cyber Extortion
(The slide maps each threat category to the industries it affects; the matrix cells are not reproduced here.)
11. Data Breach Related Costs
Average cost per compromised record = $201.00*
Direct costs:
• Coordination
• Defense
• Notification expenses
• Credit monitoring
• Regulatory fines
Indirect costs:
• Customer churn
• Impact on shareholder value
• Loss of future opportunity
*Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”
12. Related Costs
Per Capita Cost by Industry Classification* (chart; the per-industry figures are not reproduced here)
*Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”
14. How Can Clients Reduce Their Risk?
Data Management*
Collection
• What employee, customer and donor/volunteer (nonprofits) data are you storing?
• Do you need to store it?
Access
• Who in your organization has access to sensitive information?
• Do those with access absolutely need it to perform their job?
• How much of this information is publicly available?
Use
• Are you using customer information in the manner originally intended (and consistent with what you communicated to your customers)?
Storage
• Where is your data stored?
• Is the stored information protected by access controls?
• Does sensitive customer information exist in multiple formats (e.g. electronic and paper)?
Eradication
• How long do you keep customer information?
• What do you do with information (in any format) you no longer need?
• Third-party vendor agreements for document storage, disposal, janitorial services, etc.
*Source: NTEN – Nonprofit Technology Network
15. How Can Clients Reduce Their Risk?
Policies & Procedures
Privacy
• Do you have a written privacy policy in place?
• Have employees and/or volunteers been trained on it?
Social Media
• Inventory your social media presence regularly
• Restrict authority to create accounts and manage content on behalf of your organization to one or two designated employees
• Are there restrictions on social media access from systems that connect to your network and hold personal information on customers, employees, etc.?
Websites, Intellectual Property & Electronic Communication
• Consistency of content and message?
• Legal review?
• Have appropriate rights been secured (music, lyrics, video, etc.)?
• Staff training in email etiquette
Network Security
• Software and patch management, spam filters, firewall protection, etc., and credentialing
• Encryption of data, both at rest and in motion (in transit and on mobile devices)
• Vulnerability testing
• BYOD policies
16. How Can Clients Reduce Their Risk?
Risk Transfer
Vendor Agreements
• Is appropriate transfer-of-liability language in place in your vendor contracts? For example:
• Cloud providers
• Payment processors
• Website hosting services
• Document disposal, storage and janitorial services
Insurance
• Cyber/Privacy Liability Insurance
18. What is Cyber Risk Insurance?
Insurance coverage designed to protect a business from:
Liability associated with:
• Unauthorized release of confidential information
• Violation of a person’s rights to privacy
• Personal injury in an electronic/social media environment
• Intellectual property infringement
• Violations of state or federal privacy laws
Out-of-pocket expenses incurred to respond to and remediate the above problems
19. Cyber Risk Insurance
Exposure Category: Description
Privacy Liability: Liability coverage for failure to protect electronic or non-electronic information in your care, custody and control. Can include coverage for acts of vendors as well.
Network Security Liability: Liability coverage if an Insured's computer system fails to prevent a security breach, becomes inaccessible to those who need it, or unintentionally transmits a virus to a third party.
Media Content Liability: Liability coverage for intellectual property and personal injury lawsuits stemming from your website or social media content under your direct control.
Regulatory Liability: Defense coverage for legal proceedings or investigations by federal, state or foreign regulators relating to privacy laws.
Crisis Management:
Legal Assistance Expense: Expenses incurred to hire an attorney to help navigate the breach response process in accordance with the multitude of state and federal laws.
Forensic Expense: Expenses incurred to hire a firm to conduct an IT forensic investigation following a data breach.
Notification Expense: Expenses incurred to notify affected individuals (members, customers) of a breach in accordance with state and federal laws.
Credit Monitoring Expense: Expenses incurred to provide affected individuals (e.g. donors) with access to identity protection services.
Public Relations Expense: Expenses incurred to hire a public relations consultancy, media expenses, etc., in the wake of a data breach.
Data Recovery/Restoration: Expenses incurred to re-create data damaged as a result of a cyber incident.
Business Interruption: Reduction of business income resulting from interruption or impaired use of a computer system caused by a network breach.
Cyber Extortion: Expenses incurred as a result of threats to hack the system, introduce a virus, etc., or threats to disseminate or misuse information held in your computer systems, or to destroy or alter your computer systems.
Fines and Penalties: Where permissible by law, expenses incurred as a result of a state, federal or other (e.g. PCI DSS) fine or penalty resulting from a data breach.
21. ISO General Liability Form
Coverage exclusion for claims of copyright and trademark infringement.
22. ISO Property Form
Protects physical computers but not the data stored on them.
23. CGL Data Breach Exclusions
Current ISO CGL form, coverage is provided: “For personal and advertising injury as the offense of an oral or written publication, in any manner, of material that violates a person’s right of privacy.”
New ISO GL Exclusion (effective May 2014): “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception.”
24. Doesn’t My Insurance Cover This?
Policy types compared (matrix columns): General Liability, Property, Crime, Professional, K&R (Kidnap & Ransom), Cyber
3rd Party Privacy/Network Security/Personal Injury/IP:
• Theft/Unauthorized Disclosure of PII
• Breach of Confidential Corporate Info
• Technology E&O
• Media Liability/Social Networking
• Regulatory Defense/Penalties
• Virus/Malicious Code Transmission
1st Party Privacy/Network Risks:
• Legal Assistance/Breach Coach
• IT Forensics
• Physical Damage to Data
• Denial of Service Attack
• Business Income Loss from Security Event
• Extortion or Threat
• Rogue Employee – Data Related
• Public Relations/Crisis Management
Legend: Coverage Provided / Coverage Possible / No Coverage (the slide’s per-policy ratings are not reproduced here)
* For reference and discussion only; policy language and facts of claim will require further analysis. This is not a guarantee of coverage.
26. Cyber Risk Coverage
Samples of Key Differentiators:
Look carefully at the definitions
Unauthorized acts of employees
Coverage for electronic and non-electronic information
Vicarious liability - 3rd parties/vendors/cloud providers
Defense of privacy regulatory actions (at full privacy limits)
Regulatory fines & penalties
Sublimits for 1st party vs full limits
Breadth of media coverage
31. Application Process & Rating Factors
Pricing
Class of business
• High/Medium/Low
• Number of patients and records held – medical
Annual revenue
Number of employees
Network defense parameters in place and update procedures
Information security policies
Loss history
Application
New streamlined options available
33. Coverage Trends
The tale of two worlds
Large retail – appetite, capacity, underwriting
Small business
Business Interruption triggers
Aggregation
Reputational Harm
Electronic Theft – monetary & otherwise
Retro date
34. Summary
Why Your Client Needs Cyber Risk Coverage
Specific exclusions exist in traditional policies for:
• Privacy breach
• Network-related incidents
• eBusiness Interruption
• Personal Injury in social media, websites, blogs, etc.
• Regulatory defense, fines
Buying coverage provides access to pre- and post-breach resources not afforded under other policies
Claims are on the rise
Laws are driving demand:
• GLBA, HIPAA, HITECH Act, FTC’s Red Flags Rule, etc.
• 47 of 50 states require breach notification
Coverage is more accessible and affordable than ever
35. Thank You
Steven R. Robinson
Area President
Steven_Robinson@RPSins.com
www.RPSins.com
410-901-0704 direct
800-336-5659 toll free