GSBA RMS Webinar Topic: GSBA Coverage Solution for Member’s Cyber Risk Exposures July 23, 2013.


Transcript of GSBA RMS Webinar Topic: GSBA Coverage Solution for Member’s Cyber Risk Exposures July 23, 2013.

Page 1

Page 2

Cyber-Risk Protection: Introduction

Today’s speakers:

1. Tom Flynn, Managing Director, Marsh USA

2. Max Perkins, Specialty Lines Underwriter, Beazley Group

Today’s Webinar: Definitions, Exposures/Threats, Legal, Case Examples, Estimated Costs, GSBA Solution, Conclusion

Page 3

Cyber-Risk Protection: Privacy & Computer Security Protection

Privacy & Data Breach

Coverage has many names in the industry but the basic risk is the same:

1. School district “mishandles” personal data, resulting in regulatory requirements to notify, and to monitor for some period of time the impact on, those individuals affected by the “breach”; or

2. School district is hacked and the information is stolen, resulting in regulatory requirements to notify, and to monitor for some period of time the impact on, those individuals affected by the “breach”, plus any potential liability resulting from the hackers stealing the data

Page 4

Threats to a School District

Internal Threats:

o Rogue employee who was fired and wants to “hurt” the School District
o “Idealist” who wants to “change” School District policies by disrupting normal operations
o Accidental or careless staff who lose the data, either in paper format or electronically via a lost laptop

External Threats:

o Outside vendor or business associate with access to School District data who steals personal data sources
o Organized crime – both foreign and domestic
o Hackers or “Hacktivists” who do it “to change the world”

Page 5

Threats to a School District

Technology:

o Viruses, SQL injections, etc.
o Structural vulnerability of your network
o Employee use of social media / networking “opening the door” for hackers to enter your network
o Remote teaching putting strain on the security of your internal network firewalls
o Phishing

“Old School”:

o Dumpster diving for discarded papers that are not shredded
o Loss or theft of a laptop with personal data on it

Page 6

Threats to a School District

Regulatory/Legal:

o 47 states now have breach notification laws
o Georgia is one of the 47 states; its law applies to any entity, government or private, that has a breach, and requires that they notify the people affected by the breach – Georgia Personal Identity Protection Act of 2007
o Many breaches do not develop into identity theft, but the notification and tracking requirement is very expensive for the School District
o School nurses especially have to be careful with HIPAA information
o At the present time, it is unclear how immunity would apply if the District were sued by a third party injured by a breach

Page 7

Case Example One Scenario:

Your employee is mad about furlough days and lack of raises, so they deliberately post private resident information and employee salary data on your website for everyone to see and use inappropriately

Are you covered and for what?

o Not under traditional policies nor under the GSBA manuscript form
o The Personal Injury coverage section covers mental anguish but it excludes “willful violation of penal statute or ordinance committed by or with the consent of the Member including the unsolicited transmission of printed, electronic, oral, (including “robotic” phone messages), facsimiles and or e-mails”
o School Leaders Liability excludes “any dishonest, fraudulent or criminal act or intentional act performed with intent to do malice” and also excludes “an utterance or publication from which a claim of libel, slander, …………, or an utterance or publication in violation of an individual’s right of privacy …”

Page 8

Case Example Two Scenario:

A hacker gains unauthorized access to your network and steals the social security numbers, full names and addresses of all employees of your School District so that he can sell them to organized crime for identity theft purposes

Are you covered and for what?

o Not under traditional policies nor under the GSBA manuscript form
o No bodily injury or property damage, and the same personal injury exclusions would apply
o Crime coverage would cover “other property” under the Computer Theft portion of coverage, but that only applies to tangible property with intrinsic value
o The same School Leaders Liability exclusion would apply
o The biggest cost item, however, is the notification requirement to the families and the monitoring expense for the credit files

Page 9

Case Example Three Scenario:

A school guidance counselor is working with seniors to make sure all the college applications are filed in a timely manner. Due to the deadlines, he takes home a large quantity of data on his laptop to work on it over the weekend, but the laptop is either lost or stolen over the weekend

Are you covered and for what?

o Not under traditional policies nor under the GSBA manuscript form
o Same basic exclusions as under Scenario Two. There would be coverage for the laptop itself and for the cost to re-create the data on the laptop, but there would not be any coverage for the liability resulting from the data being released into the cyber-world (if stolen for criminal purposes), nor for the cost of notification or credit monitoring as would be required under Georgia law

Page 10

The Cost of a Breach

Three breach sizes, estimated from the assumptions listed below the cost table (the First Party and Third Party subtotals are the sums of the rows listed beneath each of them):

Cost item                                        1,000,000 records   500,000 records   100,000 records
Number of Records Compromised                            1,000,000           500,000           100,000
Number of Credit Card Numbers Compromised                1,000,000           500,000           100,000
Forensics, Legal & Advisory Costs                         $250,000          $100,000          $100,000
Notification Costs                                      $1,000,000        $1,000,000          $200,000
Call Center Costs                                       $1,000,000          $500,000          $100,000
Credit Monitoring Costs                                 $2,250,000        $1,500,000          $300,000
Identity Theft Repair Costs                             $3,750,000        $1,875,000          $375,000
Estimated First Party Costs                             $8,250,000        $4,975,000        $1,075,000
Credit Card Reissuance Costs                            $6,000,000        $3,000,000          $600,000
Consumer Redress Fund & Fines                           $6,000,000        $3,000,000          $600,000
Other Liability                                         $5,000,000        $2,500,000          $500,000
Defense Costs                                           $1,000,000          $500,000          $100,000
Estimated Third Party Liability (Inc. defense)         $18,000,000        $9,000,000        $1,800,000
Estimated Privacy Event Insurable Cost                 $26,250,000       $13,975,000        $2,875,000

Assumptions                                      1,000,000 records   500,000 records   100,000 records
Per record notification cost                                 $1.00             $2.00             $2.00
Call center participation rate                                 20%               20%               20%
Per call cost                                                $5.00             $5.00             $5.00
Credit monitoring participation rate                           15%               15%               15%
Credit monitoring per record cost                           $15.00            $20.00            $20.00
Identity theft rate of occurrence                            0.75%             0.75%             0.75%
Identity theft per record cost                             $500.00           $500.00           $500.00
Credit card reissuance cost per card                         $6.00             $6.00             $6.00
Consumer Redress & Fines per record                          $6.00             $6.00             $6.00
Other liability experience rate                                 1%                1%                1%
Other liability cost per record                            $500.00           $500.00           $500.00

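The slide's cost model as an added Python example (my code, not from the GSBA or Beazley deck): it rebuilds the three columns from the per-record assumptions above so a district can plug in its own record count, for instance a few thousand student records rather than a million. The Assumptions field names and the LARGE/SMALL constants are my naming; the values are the slide's.

```python
# Added example (not from the GSBA/Beazley deck): the "Cost of a Breach"
# model rebuilt from the slide's per-record assumptions, so a district can
# plug in its own record count instead of reading one of the three columns.
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    notification_per_record: float     # $ per notification letter
    call_center_rate: float            # share of notified people who call
    call_cost: float                   # $ per call
    monitoring_rate: float             # share who enrol in credit monitoring
    monitoring_per_record: float       # $ per enrolled person
    id_theft_rate: float               # share who suffer identity theft
    id_theft_per_record: float         # $ repair cost per victim
    card_reissue_per_card: float       # $ per compromised card
    redress_per_record: float          # consumer redress & fines, $ per record
    other_liability_rate: float        # share of records producing other claims
    other_liability_per_record: float  # $ per such claim


# Slide column for 1,000,000 records ($1 notification, $15 monitoring).
LARGE = Assumptions(1.00, 0.20, 5.00, 0.15, 15.00, 0.0075, 500.00,
                    6.00, 6.00, 0.01, 500.00)
# Slide columns for 500,000 and 100,000 records ($2 notification, $20 monitoring).
SMALL = Assumptions(2.00, 0.20, 5.00, 0.15, 20.00, 0.0075, 500.00,
                    6.00, 6.00, 0.01, 500.00)


def breach_cost(records, cards, a, defense, forensics):
    """Return (first_party, third_party, total) in dollars; defense and
    forensics are flat slide inputs rather than per-record formulas."""
    first_party = (
        records * a.id_theft_rate * a.id_theft_per_record        # identity theft repair
        + records * a.monitoring_rate * a.monitoring_per_record  # credit monitoring
        + records * a.call_center_rate * a.call_cost             # call center
        + records * a.notification_per_record                    # notification
        + forensics                                              # forensics, legal, advisory
    )
    third_party = (
        defense
        + records * a.other_liability_rate * a.other_liability_per_record
        + records * a.redress_per_record                         # redress & fines
        + cards * a.card_reissue_per_card                        # card reissuance
    )
    return first_party, third_party, first_party + third_party
```

Note that the flat forensics and defense inputs make the smallest slide column the most expensive per record ($28.75 versus $26.25), so a district-sized breach of a few thousand records is not proportionally cheaper than the slide suggests.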

Page 11

The GSBA Solution

o Conservative approach, but one based on making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure
o RMF has worked with Beazley, a prominent carrier in the Cyber Insurance space, to initially offer a group-purchased option for each School District in RMF
o Over the next couple of years, RMF will assume some of the risk via the pool to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts
o Beazley will issue policies and has the infrastructure to guide a Member through any type of breach and how to reduce the exposure from a breach

Page 12

The GSBA Solution

o The goal is to adapt the Beazley form into the RMF coverage document as of July 1st, 2014 so that there is an affirmative grant of coverage in the coverage document
o For July 1st, 2013, coverage purchased will be on a stand-alone basis with a policy issued by Beazley
o Even once the form is adapted into the RMF coverage document, and RMF assumes a layer of risk as it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members

Page 13

The GSBA Solution

o There are five coverage parts in the policy that has been negotiated with Beazley
o In keeping with the pool approach, there is some sharing of limits amongst all the Members in exchange for more competitive pricing for each Member
o A full proposal with individual pricing will be sent by the GSBA RMS to each Member next week
o Coverage is not mandatory, although the program is built with some minimum levels of participation due to the pricing agreed upon with Beazley

Page 14

The GSBA Solution – Overview of Program Structure:

o Coverage Part 1.A. – Information Security and Privacy Liability
  Liability to a third party as a result of a failure of your network security to protect against identified threats
  Liability to a third party as a result of the disclosure of confidential information
o Coverage Part 1.B. – Privacy Breach Response Services
  Crisis Management and Identity Theft response services and expense coverage to comply with regulatory requirements
  This also includes the expense of retaining a crisis management firm to perform a forensic investigation to protect or restore the School District’s reputation as a result of a privacy breach event
o Coverage Part 1.C. – Regulatory Defense and Penalties
  Fines and penalties associated with the School District’s violation of a Privacy Law related to an insured breach

Page 15

The GSBA Solution – Overview of Program Structure:

o Coverage Part 1.D. – Website Media Content Liability
  Expansion for Cyber exposures of the coverage provided under the Personal Injury and School Leaders Liability coverage, but without some of the electronic-means limitations
o Coverage Part 1.E. – Crisis Management and Public Relations
  To pay for the Public Relations and Crisis Management expenses associated with managing a breach that gets into the public eye via newspaper, radio or television, in order to re-build the School District’s reputation or to avoid undue damage in the reporting of the breach event
o Coverage Part 1.F. – PCI Fines and Costs
  Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement, where the alleged breach was the result of non-compliance with the published PCI Data Security Standards

Page 16

The GSBA Solution – Limits of Liability to Members:

o Any one claim limit, combined from all sections except Privacy Breach Response Services, is $1,000,000, subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs
o For Privacy Breach Response Services there is no dollar limit of liability, as the coverage is based on the number of Notified Individuals. The RMF fund has an aggregate of 500,000 Notified Individuals, subject to sub-limits for the legal and forensic expense coverage part, which is limited to 250,000, and the foreign Notified Individuals extension, which is limited to 50,000
o The overall RMF fund aggregate limit for all Members from all coverage lines except Privacy Breach Response Services is $10,000,000, subject to no more than $5,000,000 from Regulatory Defense & Penalties and $500,000 each from Crisis Management and PCI Fines and Costs
o Under the Privacy Breach Response Services coverage, the RMF fund has an aggregate of 5,000,000 Notified Individuals, subject to sub-limits for the legal and forensic expense coverage part, which is limited to 2,500,000, and the foreign Notified Individuals extension, which is limited to 500,000

Page 17

The GSBA Solution – Retention / Deductibles for Members:

o Any one claim retention, combined from all sections except Privacy Breach Response Services, is $25,000
o For Privacy Breach Response Services, the retention is broken into two parts:
  All costs and services under the legal and forensic services, combined with the notification costs, would be $10,000 combined, subject to a sub-retention of no more than $5,000 in legal expenses exposed
  Under the Call Center Services and Credit Monitoring Program, the retention of any expenses is limited based on the size of the district:
    Small Members, which have fewer than 1,000 FTEs, would be responsible for any breaches involving fewer than 25 individuals
    Medium Members, which have more than 1,000 FTEs but fewer than 10,000 FTEs, would be responsible for any breaches involving fewer than 50 individuals
    Large Members, which are those Members with more than 10,000 FTEs, would be responsible for any breaches involving fewer than 100 individuals

Page 18

The GSBA Solution – Premium Brackets

o Premium is based on FTE (current student and staff combined)
o Includes coverage for alumni records even though the alumni count is not included in the FTE for premium determination
o Here are the proposed pricing ranges based on Student Enrollment:

Student Enrollment    Proposed Premium Range
30,000 plus           $29,638 to $31,453
20,000 to 29,999      $24,432 to $28,227
10,000 to 19,999      $13,903 to $21,683
5,000 to 9,999        $7,111 to $11,504
2,500 to 4,999        $4,392 to $6,658
1,000 to 2,499        $1,942 to $4,005
999 or less           $500 to $1,628

Page 19

Conclusion

o The exposure is here to stay
o Computers and mobile devices that store personal information about your employees and your students are an integral part of your District
o Accidental loss of, or criminal appropriation of, that personal information will continue to happen
o Attacks are getting more frequent and more sophisticated
o GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary