Cyber Insurance: Yes, Mutual Insurance Company, you need it!
Presented by: Jamie Orye, JD, RPLU
Beazley Group
Pennsylvania Association of Mutual Insurance Companies
Annual Spring Conference, March 12, 2015
Agenda
What is Cyber Insurance?
What Coverages are Typically in a Cyber Insurance Policy?
What’s Truly Important to Have (or Not Have) in YOUR policy?
First, a few notes …
The term “cyber insurance” has a variety of different meanings depending on who is using it and how they are applying it.
Cyber insurance policy forms and coverages differ significantly from carrier to carrier.
Cyber insurance and coverages are constantly evolving and changing.
Let’s Start with What It’s Not
Technology Errors and Omissions Coverage
“Cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Nevertheless, tech E&O insurance policies do contain a number of the same insuring agreements as cyber and privacy policies.”
-- International Risk Management Institute (IRMI)
Let’s Start with What It’s Not
Covered under a Commercial General Liability policy
As of May 1, 2014, the Insurance Services Office introduced “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-related Liability – with Limited Bodily Injury Exception”.
So … What is it?
Insurance “designed to [respond to and] mitigate losses from a variety of cyber incidents, including data breaches, business interruption and network damage.”
-- US Department of Homeland Security
Components of a Cyber Insurance Policy
Breach Response Services (1st party)
Information Security & Privacy Liability (3rd party)
Regulatory Defense & Penalties Coverage (3rd party)
Business Interruption Coverage (1st party)
Data Restoration Coverage (1st party)
Cyber Extortion Coverage (1st party)
Media Liability (3rd party)
Breach Response Services
Legal Analysis: costs associated with hiring specialized attorneys to determine your responsibilities and duties under applicable data breach and privacy statutes
Computer Forensics: costs associated with hiring specialized computer forensics firms to determine the existence and extent of a data breach
Notification: costs to print and mail letters to affected individuals
Breach Response Services
Credit Monitoring: costs of offering 12 or 24 months of credit monitoring with one or all three of the national credit bureaus
Call Center: costs of setting up a call center that affected individuals receiving the notice can call with questions or for additional information
Crisis Management/Public Relations: costs associated with hiring a specialized crisis management firm to assist in the mitigation of any adverse publicity resulting from the data breach
Typical Costs
Computer Forensics: $500 - $600 per hour
Pre-Claim Legal Fees: $500 - $600 per hour
Notification Costs: $1 - $2 per affected individual
Credit Monitoring: $20 - $30 per affected individual (15%-25% acceptance rate)
Call Center: $4,000 - $5,000 setup costs plus a per-minute charge for each phone call received. For dedicated support, add $50 - $60 per hour per person.
Claim / Regulatory Defense: $600 - $700 per hour
Liability: Varies
Average Cost of a Data Breach in the US
$5.4M per breach / $188 per record*
*The 2013 Cost of Data Breach: Global Analysis by the Ponemon Institute
Information Security & Privacy Liability
Liability (and defense) resulting from harm suffered by third parties due to a data breach
Examples:
◦ Costs incurred by an affected individual in dealing with identity theft and fraud resulting from the breach of their private information
◦ Costs incurred by a business for which you handle private information in dealing with their own notification requirements resulting from the breach of that private information
Liability Illustration: Nationwide
October 2012: Nationwide Mutual Insurance discovered a data breach which impacted the “name, Social Security number, driver's license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer” of approximately 1.1M Americans. The FBI and various Attorneys General, including North Carolina’s, were notified. Affected individuals were notified.*
February 2014: A federal judge in Kansas dismissed two proposed class actions due to no evidence of actual harm.**
* http://www.zdnet.com/article/nationwide-mutual-hack-affected-1-1-million-americans/
** http://www.law360.com/articles/508534/nationwide-mutual-defeats-data-breach-class-actions
Regulatory Defense & Penalties
Costs associated with defending a claim brought by a regulatory/law enforcement entity or agency pursuant to federal or state data breach regulations, and any resulting penalties assessed.
Office of Civil Rights (OCR): tasked with enforcement of HIPAA & HITECH statutes
State Attorneys General: may bring regulatory enforcement actions under state data breach laws or unfair trade practices/consumer protection laws
Business Interruption
An insured’s loss of income and extra expense costs resulting from a data breach or computer network security event.
Sony Corporation: cyber attack took down entire system for two days and left them operating on reduced systems for several weeks.
Data Restoration
Costs to recreate deleted, destroyed, corrupted or altered data resulting from a data breach.
Restoring data from backup tapes
Manually entering data from paper files if no backup tape is available
Cyber Extortion
Payment made to terminate the threat to breach your computer network security in order to:
◦ Destroy data
◦ Prevent access to computer systems
◦ Introduce a virus to your computer system or a third party’s computer system
◦ Interrupt or suspend the functioning of your computer system
Media Liability
Coverage for liability arising out of content created or used by you. May be limited to online content only.
◦ Defamation, libel, slander
◦ Plagiarism, misappropriation of ideas
◦ Copyright and trademark infringement
The “Haves”
Adequate limits
Separate limit of coverage for first party breach response coverage
Coverage for your vendors’ breaches involving your information
Coverage for a suspected incident
Modified Intentional Acts Exclusion / Rogue Employee Coverage
Illustration: Coverage for Your Vendors’ Breaches
February 2013: Mass Mutual Life Insurance Company notifies a number of its customers (more than 500 in California; 37 in Maryland) of a data breach resulting when a third-party service provider, Convey Compliance Solutions, inadvertently mailed 1099 tax forms to incorrect addresses.
Two years of credit monitoring was offered to all affected individuals.*
*Privacy Rights Clearinghouse; CA & MD Office of Attorney General Websites
The “Have Nots”
Unencrypted Data Exclusion
Safeguard exclusion
Coverage that only extends to personally identifiable information
Failure to follow your own privacy policy exclusion
Conclusion
Traditional insurance policies (commercial general liability, property, workers compensation) do not provide cyber coverage.
Policy forms and coverage differ significantly from carrier to carrier.
Carrier and breach response vendor(s) experience is an important factor to consider when purchasing a policy.