Cyber-insurance coverage: do you have it?

Robert E. Sumner, IV, Esq. and

Tosh Siao of Willis Group

September 17, 2015

Topics to be covered:

1. What is a data breach?

2. Incidence/frequency of data breaches.

3. Data on the costs/expenses associated with breaches.

4. CGL standard policies.

5. Cyber policies and endorsements.

6. State of the cyber insurance market.

7. Evolving coverage issues.

8. Role of your insurance broker.

9. Navigating the underwriting process.

10. How much coverage?

11. Examples of cyber insurance programs.

12. What to do when the breach occurs.

WHAT IS A DATA BREACH?

Key Defined Terms

Personal Information (PI) or Personally Identifiable Information (PII) – “Generally, the definition requires both a name (first initial and last name often suffices), and some additional item of information that could be used to steal a person’s identity or access his or her financial accounts (or, in some cases, healthcare information) without authorization.”

Florida definition (Florida Information Protection Act, FIPA)

“Personal information” means either of the following:

1. An individual’s first name or first initial and last name, in combination with one of the following:

   (a) A Social Security number;

   (b) A driver license or identification card number;

   (c) A financial account number with its security code;

   (d) An individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

   (e) An individual’s health insurance policy or ID number.

2. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Key Defined Terms

Protected Health Information (PHI) – “Individually identifiable health information.”

PHI relates to:

i. An individual’s past, present or future physical or mental health or condition;

ii. The provision of health care to the individual; or

iii. Past, present or future payment for the provision of health care.

Key Defined Terms

• Data incident – an IT term (the “nerd term”): something “not normal” was observed. An incident is not automatically a breach.

• Data breach – a legal term (a matter of interpretation): unauthorized access to PII or PHI.

• A “breach” is what triggers the reporting/response obligations; an incident that never rises to a breach does not.

• Types of breaches:

i. Cyber hacking (hacktivism, cyber espionage)

ii. Unintentional loss of information

iii. Employee misconduct

iv. Bad business practices

v. Theft

DATA BREACH EMPIRICAL DATA

Empirical Data:

Verizon Data Breach Investigations Report (2015):

• 79,790 security incidents in 2014;

• 2,122 confirmed data breaches in 2014.

NetDiligence Cyber Claims Study (2014) [Mark Greisinger]:

• $698,797: average cost of defense of a data breach lawsuit;

• $733,109: average claim payout ($1.3M for healthcare);

• $558,520: average settlement of a data breach lawsuit;

• $1,041,906: average cost of defense of a regulatory matter.

Empirical Data:

Ponemon Institute Study (2015) [Symantec & Ponemon Benchmark Study]:

• $3.79 million: average total cost of a data breach;

• 23% increase in the total cost of a data breach since 2013;

• The healthcare industry has the highest cost associated with a breach;

• $6.53 million: average cost per data breach for a U.S. company;

• $417,000: average detection cost per breach (2014);

• $509,237: average notification cost per breach (2014);

• $1,599,996: average post-data-breach cost (2014);

• Lost business cost increased from $1.33 million in 2014 to $1.57 million in 2015.

CGL Standard Policies do not have Cyber Coverage

Commercial general liability (CGL) policies include three types of coverage:

Coverage A, which covers bodily injury and property damage

Coverage B, which covers personal and advertising injury

Coverage C, which covers medical payments for bodily injury.

These policies define property damage as a physical injury to or the loss of use of tangible property.

Most policies specify that electronic data is not tangible property.

Cyber Policies and Endorsements

Effective May 1, 2014 in many jurisdictions, ISO introduced several endorsements:

• CG 21 06 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Bodily Injury Exception) — excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.

• CG 21 07 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included) – which is very similar to CG 21 06 but does not include the bodily injury exception described above.

• CG 21 08 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only) — exclusion with respect to any access to or disclosure of any person’s or organization’s confidential or personal information is limited to personal and advertising injury.

ISO Electronic Data Liability Coverage

• Form CG 00 65

• Broad coverage: Actual loss of data – no requirement for “physical injury to tangible property”

• Claims made

• Covers loss caused by “electronic data incident”

ISO Business Owner Policies:

Endorsement BP 05 95 – Electronic Data Liability – limited coverage endorsement (direct damage to data of others due to insured’s negligence)

Endorsement BP 05 96 – Electronic Data Liability – broad coverage endorsement (like ISO Form CG 00 65)

Available Cyber Coverages

• Privacy Liability: Provides defense and liability coverage for claims resulting from your failure to maintain the privacy of information entrusted to you. Examples of sensitive information: Protected Health Information; Personally Identifiable Information; or a third party’s confidential corporate information that you are required to keep confidential.

• Breach Event Costs: Provides coverage for costs incurred in responding to a breach of individuals’ personally identifiable information or protected health information: public relations; notification of individuals (voluntary notification is available from some carriers); credit monitoring; call centers; obtaining legal counsel; forensic experts; and any other response expenses approved by the insurer. New: coverage may be written as a dollar limit or as a per-person limit (number of affected individuals).

• Regulatory Defense, Fines and Penalties: Provides coverage for proceedings brought by a government agency for an alleged violation of privacy regulations resulting from a breach of personal information. Coverage includes defense, consumer redress, and fines and penalties (where allowable by law).

• PCI Fines and Penalties: Provides coverage for a monetary assessment of a fine or penalty by a card association or acquiring bank due to the insured’s non-compliance with the PCI Data Security Standard.

• Cyber Extortion: Coverage for the costs to investigate and terminate a threat to commit an intentional attack against your computer system.

• Crisis Management: Expenses for managing public relations and media outlets.

Evolving coverage concerns and issues

• Property Damage, yes. Bodily Injury, not sure.

• “Dumpster Diving”

• Defense Costs erode policy limits

• Legacy exposures

• Maintain “top shelf” coverage

• Vendors and subcontractors

Broker’s Role in Cyber Liability

• Advise on evolving risk with non-stop change

• Understand the financial and reputational impact

• Know best access points to the insurers

• Manage detailed underwriting and claims

• Build the “moat” with vendor management

Navigating the underwriting process

• Highest-risk industries are retail, health care, and technology

• Underwriters (UWs) understand there is no perfect account

• Plenty of underwriting capacity

• Revenues and deductibles drive pricing

• Application process

What is the right amount of coverage?

How much coverage do you need?

Estimated breach cost by number of affected records (retail scenario). Indented rows are the components of the row above them; the two totals sum their group subtotals.

Affected records                                    1,000       10,000      100,000      500,000    1,000,000   10,000,000  100,000,000

PRIVACY EXPENSES
Privacy Expense (Forensics/Crisis)                $35,000     $140,000     $270,000     $530,000   $1,050,000   $1,750,000   $3,500,000
  Forensics Investigation                         $25,000     $100,000     $200,000     $400,000     $750,000   $1,000,000   $2,000,000
  Data Breach Coach                               $10,000      $20,000      $30,000      $50,000     $100,000     $250,000     $500,000
  Public Relations                                     $0      $20,000      $40,000      $80,000     $200,000     $500,000   $1,000,000
Privacy Expense (Notice/Credit Monitoring)         $8,500      $80,000     $800,000   $3,625,000   $4,800,000  $40,000,000 $325,000,000
  Customer Notification                            $2,000      $15,000     $150,000     $625,000   $1,000,000   $9,000,000  $50,000,000
  Call Center                                      $1,000      $10,000     $100,000     $500,000     $800,000   $5,000,000  $20,000,000
  Credit Monitoring                                $4,500      $45,000     $450,000   $2,250,000   $2,500,000  $25,000,000 $250,000,000
  Identity Fraud Remediation                       $1,000      $10,000     $100,000     $250,000     $500,000   $1,000,000   $5,000,000
Privacy Expense Total                             $43,500     $220,000   $1,070,000   $4,155,000   $5,850,000  $41,750,000 $328,500,000
  Privacy Expense Cost per Record                  $43.50       $22.00       $10.70        $8.31        $5.85        $4.18        $3.29

PRIVACY LIABILITY
Regulatory Defense/Fines                               $0           $0     $350,000     $750,000   $1,500,000   $6,000,000  $15,000,000
  State Regulatory (AG)                                $0           $0     $250,000     $250,000     $500,000   $1,000,000   $5,000,000
  Federal Regulatory (FTC)                             $0           $0     $100,000     $500,000   $1,000,000   $5,000,000  $10,000,000
PCI Fines/Penalties                                    $0      $10,000      $20,000     $100,000     $500,000   $1,000,000   $2,000,000
Civil Liability                                    $9,000     $180,000     $900,000   $3,900,000   $7,000,000  $45,000,000 $330,000,000
  Legal Defense/Damages/Class Actions                  $0     $100,000     $300,000     $900,000   $2,000,000   $5,000,000  $30,000,000
  Card Reissuance Liability                        $9,000      $80,000     $600,000   $3,000,000   $5,000,000  $40,000,000 $300,000,000
Privacy Liability Total                            $9,000     $190,000   $1,270,000   $4,750,000   $9,000,000  $52,000,000 $347,000,000

Total Data Breach Cost                            $52,500     $410,000   $2,340,000   $8,905,000  $14,850,000  $93,750,000 $675,500,000
  Per Record Cost (Retail)                         $52.50       $41.00       $23.40       $17.81       $14.85        $9.38        $6.76

Assumptions:

Credit Monitoring: $15 per individual (10%-15% take-up rate)

Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)

Program Example #1

Industry: Cloud Hosting
Annual Sales: $85,000,000
Policy Limit: $2,000,000
Deductible: $100,000
Premium: $56,093
Rate (per $1,000 of sales): $0.66

Program Example #2

Industry: Manufacturing
Annual Sales: $110,000,000
Policy Limit: $2,000,000
Deductible: $50,000
Premium: $16,506
Rate (per $1,000 of sales): $0.15

When the breach occurs

• Gather the details of the incident.

• Determine which insuring agreements, limits, and retentions will apply.

• What triggers a loss or claim under the policy?

• What are the notice requirements?

• Is there an upcoming policy renewal or an expiring policy period that requires expedited notice?