Post on 28-Apr-2018
CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR
CYBER RISK AND REALITY SFOR005
Speakers: Roberta D. Anderson, Partner, K&L Gates LLP
Timothy Flaherty, Manager, Insurance Risk Management, Alcoa Inc.
CYBER 3.0
At the End of This Session, You Will: • Understand the Cutting Edge “Cyber” Products Targeted to Address Cybersecurity and Data Privacy Risks Faced by Diverse Industries • Learn Practical Tips for a Successful “Cyber” Insurance Placement, Including:
– Traps to Avoid – How Coverage Under “Off the Shelf” Insurance Forms can be Enhanced and
Broadened through Negotiation
• Obtain a Best Practices “Checklist” to Facilitate a Successful Placement • Understand Potential Coverage under “Legacy” Policies
LEARNING OBJECTIVES
• Introduction • Role and Perspective of the Risk Manager
– The Risk Manager's Role in Addressing and Mitigating Risk – Unique Challenges and Opportunities in Placing “Cyber” Insurance
• Setting the “Cyber” Stage – Practical Risk and Exposure – Latest Legal and Regulatory Developments
• Newest Cutting Edge “Cyber” Products – Third-Party, First-Party, and DIC Coverages – How to Avoid the Traps – How to Enhance “Off-The-Shelf” Forms/Best Practices “Checklist”
• Legacy Insurance Policies—Potential Coverage and Limitations
AGENDA
• rdardardarrrrr
Roberta D. Anderson Insurance Coverage/
Data Privacy & Cybersecurity Partner
Timothy Flaherty Manager
Insurance Risk Management
INTRODUCTION rdardardarrrrr
rdardardarrrrr
• The Risk Manager's Role in Addressing and Mitigating Risk • Unique Challenges
– Lack of Standardization (ISO Forms) – Lack of Claims/Legal Precedent – Capacity
• Opportunities – Tailored Coverages – Ability to Negotiate Enhancements – Increasing Market Capacity
ROLE AND PERSPECTIVE OF THE RISK MANAGER
• In Placing Coverage: – Determine the Need for Coverage – Review the Extent of Coverage under Existing Policies – Engage a Knowledgeable Broker and Outside Counsel – Execute Non-disclosure Agreements with Potential Insurers – Conduct Open Discussions and Partner with Your CFO to Complete the Application – Conduct Face-to-Face Meetings with Potential Insurers – Obtain Senior Management Concurrence or Authorization to Bind Coverage – Retro Date Logistics – Acquisitions – Aligning “Cyber” Placement with Existing Programs – Length of Time for Placement
ROLE AND PERSPECTIVE OF THE RISK MANAGER
Page 8
SETTING THE “CYBER” STAGE
PRACTICAL RISK AND EXPOSURE
• Malicious Attacks – Advanced Persistent Threats – Social Engineering – Viruses, Trojans, DDoS attacks
• Data Breach/Unauthorized Access • Software Vulnerability
(HeartBleed) • System Glitches • Employee Mobility • Lost or Stolen Mobile and Other
Portable Devices
• Vendors/Outsourcing (Function, Not the Liability)
• The Internet Of Things • Human Error
klgates.com 10
Source: Ponemon Institute 2014 Cost of Data Breach Study – Global
PRACTICAL RISK AND EXPOSURE
Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
LATEST LEGAL AND REGULATORY DEVELOPMENTS
• Federal Cybersecurity/Data Privacy Laws – HIPAA/HITECH – GLBA – FTC Act
• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes
– 47 States, D.C., & U.S. Territories Breach Notification Laws – State Security Standards (MA, CA, CT, RI, OR, MD, NV)
• NIST Cybersecurity Framework • Industry Standards, e.g., PCI DSS • SEC Cybersecurity Risk Factor Guidance
– FCC Act – FCRA/FACTA
• “[A]ppropriate disclosures may include”: – “Discussion of aspects of the registrant's business or operations that give rise to
material cybersecurity risks and the potential costs and consequences”; – “To the extent the registrant outsources functions that have material cybersecurity
risks, description of those functions and how the registrant addresses those risks”; – “Description of cyber incidents experienced by the registrant that are individually, or
in the aggregate, material, including a description of the costs and other consequences”;
– “Risks related to cyber incidents that may remain undetected for an extended period”; and
– “Description of relevant insurance coverage.”
SEC CYBERSECURITY
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
SEC CYBERSECURITY “We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses.”
Target Form 10-K (March 2014)
SEC CYBERSECURITY “We note your disclosure that an unauthorized party was able to gain access to your computer network 'in a prior fiscal year.' So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”
Alion Science and Technology Corp. S-1 filing (March 2014)
SEC CYBERSECURITY “Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's risk oversight responsibilities . . . . Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014
22
24
FTC CYBERSECURITY
25
FTC CYBERSECURITY
STANDING TREND – SONY
STANDING TREND – MICHAELS
STANDING TREND – ADOBE
STANDING TREND – TARGET
Page 30
NEWEST CUTTING EDGE “CYBER” PRODUCTS
klgates.com back
REMEMBER THE SNOWFLAKE
• Privacy and Network Security – Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to
Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
– Questions: – Coverage for the Acts, Errors, Omissions of Third Parties, e.g., Vendors? – Coverage for Data in the Care, Custody, Control of Third Parties, e.g., Cloud Providers? – Coverage for Proliferating and Expanding Privacy Laws/Regulations? – Coverage for Data in Any Form, e.g., Paper Records? – Coverage for Confidential Corporate Data, e.g., Third-Party Trade Secrets? – Coverage for “Rogue” Employees? – Coverage for Wrongful Collection of Data? – Coverage for TCPA Violations?
THIRD-PARTY COVERAGE
• Regulatory Liability – Generally Covers Amounts Payable in Connection with Administrative or Regulatory
Investigations
– Questions: – Coverage for Fines and Penalties? – Coverage for Consumer Redress Funds? – Regulatory Exclusion Carve Backs? – Sufficient Sublimit?
• PCI-DSS Liability – Generally Covers Amounts Payable in Connection with PCI Demands for Assessments,
Including Contractual Files and Penalties, for Alleged Non-compliance with PCI Data Security Standards
THIRD-PARTY COVERAGE
• Media Liability – Generally Covers Third-Party Liability Arising from Infringement of Copyright and Other
Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising from the Insured's Media Activities, e.g., Broadcasting and Advertising
– Questions: – Coverage for “Rogue” Employees? – Coverage for Media Content in Any Form, e.g., Printed Publications, or Limited to Digital
Media Content? – Coverage Limited to Certain Locations of Media Content Display, e.g., on the Insured's
Website or Social Media Sites? – Coverage for Liability Arising out of the Insured's Own Advertising Activities? – “Occurrence”-Based or Claims Made Coverage? – Appropriate for Media Companies?
THIRD-PARTY COVERAGE
• Crisis Management – Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a
Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations
– Questions: – Triggered by Failures of Security? – Coverage for Forensic Investigation and PCI Forensic Investigator? – Coverage for Public Relations, Crisis Management, “Breach Coach” Counsel? – Coverage for Notification? How about ID Theft Education, ID Theft Restoration Services,
Call Center Services, Credit Monitoring, Reimbursement Insurance? – Insured's Reasonable Selection of Counsel/Vendors? – Outside or Inside Limits? – Sufficient Sublimits?
FIRST-PARTY COVERAGE
• Network Interruption – Generally Covers First-Party Business Income Loss Associated with the Interruption of
the Insured's Business Caused by the Failure of Computer Systems
– Questions: – Coverage for Third-Party Systems? – Coverage for Cloud Failure? – Coverage for Non-Malicious Acts, e.g., Unintentional, Unplanned Outage? – Exclusion for Power Failure, Blackout/Brownout, etc.? – Coverage Beyond the Interruption, e.g., 120 Days? – Waiting Period, e.g., 12 Hours? – Hourly Sublimits? – Sufficient Sublimit(s), e.g., Contingent and Non-Malicious Acts Coverage? – What about Loss Caused by Physical Perils, e.g., Flood?
FIRST-PARTY COVERAGE
• Digital Asset – Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and
Repairing Damaged or Destroyed Programs, Software or Electronic Data
• Extortion – Generally Covers Losses Resulting from Extortion, e.g., Payment of an Extortionist's
Demand to Prevent a Cybersecurity Incident
• Reputational Harm – Generally Covers “Crisis Management” Type Costs in the Event of a Publication Likely
to be Seen by an Insured's Stakeholders, e.g., Customers, Investors, Vendors, or Regulators, and to Have an Adverse Impact on Public Perception of the Insured or its Brand. Can Also Cover Business Income Loss Caused by a Publication Likely to be Seen by an Insured's Stakeholders, and to Have an Adverse Impact on Public Perception of the Insured or its Brand
FIRST-PARTY COVERAGE
Source: Willis 2015 Marketplace Realities Spring Update
CYBER INSURANCE MARKET
CYBER INSURANCE MARKET Source: Willis 2015 Marketplace Realities Spring Update
CYBER INSURANCE MARKET Source: Willis 2015 Marketplace Realities Spring Update
41
CYBER INSURANCE MARKET • Market capacity:
• Over 50 Markets Selling or Participating in “Cyber” Insurance • Total Capacity Over $600M
• Premium: • Excess of $2B at the Close of 2014 • $5B Projected Growth Potential
• Source: The Cyber Liability Insurance Market 2015 - Jim Blinn, Advisen. www.cyberrisknetwork.com
DIC COVERAGE
v v
• First-Party Property Damage and Business Interruption ~$350M • Third-Party Bodily Injury and Property Damage ~$100M
[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied: A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying
Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or
B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].
DIC COVERAGE
DIC COVERAGE
klgates.com
AVOID THE TRAPS
47
POLICY EXAMPLE 1
POLICY EXAMPLE 2
49
POLICY EXAMPLE 2
POLICY EXAMPLE 1
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 2
POLICY EXAMPLE 3
POLICY EXAMPLE 3
57
POLICY EXAMPLE 1
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 2
POLICY EXAMPLE
Any member of the “Control Group.” e.g., CEO, CFO ,RM, CRO, CIO, GC
POLICY EXAMPLE 1
POLICY EXAMPLE 2
POLICY EXAMPLE 3
Request a “Retroactive Date” of at Least a Year
BEWARE THE
FINE
REMEMBER THE DEVIL IS IN THE DETAILS
REMEMBERING THE SNOWFLAKE BEST PRACTICES “CHECKLIST”
BEST PRACTICES CHECKLIST • Embrace a Team Approach
• Understand the Risk Profile
• Review Existing Coverages
• Purchase Appropriate Other Coverage as Needed
• Remember the “Cyber” Misnomer
• Spotlight the “Cloud”
• Remember the Retro Date
• Selection of Counsel and Vendors
• Engage a Knowledgeable Broker and Outside Counsel
• Carefully Review the Application
“A well-drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance
coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (April 27, 2015)
Page 74
“LEGACY” INSURANCE POLICIES
75
• Directors' and Officers' (D&O) • Errors and Omissions (E&O)/Professional Liability • Employment Practices Liability (EPL) • Fiduciary Liability • Crime
– Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Property • Commercial General Liability (CGL)
POTENTIAL COVERAGE
• Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”
• “Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person's right of privacy”
– What is a “Person’s Right of Privacy”? – What is a “Publication”? – Does the Insured Have to “Do” Anything Affirmative and Intentional to Get
Coverage?
• Coverage A Provides Coverage for Damages Because of “Property Damage”
• “Property Damage”: “Loss of use of tangible property that is not physically injured”
POTENTIAL COVERAGE
POTENTIAL LIMITATIONS
POTENTIAL LIMITATIONS
ISO states that “when this endorsement is aOached, it will result in a reducPon of coverage due to the delePon of an excepPon with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corrupPon of, inability to access, or inability to manipulate electronic data.”
POTENTIAL LIMITATIONS
POTENTIAL LIMITATIONS
POTENTIAL LIMITATIONS
cv
cv
POTENTIAL LIMITATIONS
– Zurich American Insurance Co. v. Sony Corp. of America et al.
POTENTIAL LIMITATIONS
Page 85
QUESTIONS