The Eminent Presence of Cyber Liability
Created by: Alice West, Brent Rieth, Chris Calnon
Evaluating Cyber Exposure
2014 Cyber Environment
Who was compromised:
• Target, Neiman Marcus, Michaels, Home Depot, Supervalu / Albertsons, PF Chang’s, Goodwill, & many others
How were they breached:
• Windows-based POS compromised with malware – via physical, remote, or email-based attack
• Failures to address security basics – patching, access control, segmentation, default passwords, vendor management, monitoring
Actions & impact from breach:
• Extreme system lock-down, significantly increased investment in security, multi-million-dollar impact to balance sheet, brand reputation damage, loss of sales, insurance losses
Creating a Cyber Culture
• Privacy awareness training
• Strong executive management support and involvement
• Regular table-top exercises with Computer Incident Response Team, Crisis Management Team, and third-party support
• Cross-function involvement in privacy awareness and exposure management
How are organizations responding to data breaches?
Breach response sequence:
1. Detect breach
2. Determine extent of breach: number of records lost, type of information lost
3. Review federal and state statutes, actions necessary in breach response
4. Notification, credit monitoring, credit restoration
5. Potential regulatory fines and penalties
6. Vendor fines and penalties incurred
7. Third-party litigation and damages incurred
• Important to have an incident response plan within the organization
• Collaboration between IT, Legal, Finance, and Risk can be critical
• Practice makes perfect – test your team and incident response plan
Impact upon Insurers
Claims and Industry Trends (as of 1/31/2014)
Breach triggers across claims:
• Hack – 24%
• Lost/Stolen Hardware – 22% (Laptops 15%, Hard Drives 5%, Other 2%)
• Rogue Employee – 15%
• Human Error – 14%
• Privacy Policy – 9%
• Unknown – 7%
• Paper – 6%
• Software Error – 3%
Industry breakout:
• Healthcare – 31%
• Technology – 14%
• Professional Services – 12%
• Retail – 10%
• Financial Institutions – 8%
Targeted attacks for PI:
• Lost/Stolen Devices – 2008: 41%; 2012: 17%; 2013: 17%
• Hacking and Rogue Employee – 2008: 31%; 2012: 44%; 2013: 44%
This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014
Triggers by Industry Segment (as of 1/31/2014)
[Bar charts, one per industry segment (Healthcare, Retail, Technology, Professional Services), showing the share of claims triggered by Hack, Rogue Employee, Lost/Stolen Devices, Human Error, and Privacy Policy; the individual bar values are not recoverable from the extracted text.]
Average Cost of First Party Expenses (as of 1/15/2014)
Average incurred cost per service:
• Legal Fees – $192,049
• Forensics – $272,428
• Notification & Call Center – $157,577
• Credit Monitoring – $48,091
• Crisis Management – $12,600
* ACE data reflects average incurred costs across paid claims
Every Breach Response is Unique – cost range of each service:
• Legal Fees: under $5,000 up to about $250,000
• Forensics: about $10,000 to seven figures
• Notification & Call Center: approximately $3 per record
• Credit Monitoring: payment per enrollee or restoration service
• Minimal crisis management costs
Objective: Limit Third Party Exposure
Third Party Claims
Three types of third-party claims (share of claims):
• Regulatory Proceedings (less than 2%)
• Pre-litigation Demands (8%)
• Class Action Lawsuits (10%)
Regulatory Fines
• Bad actor – lack of proper response or compliance
• Repeat offender
• Lack of internal privacy policies and procedures
Pre-Litigation Demands
• Mostly in healthcare
• Disclosure of extremely sensitive information
• Adverse employment action
Coverage Available
• Breach Event Expenses
• Security Liability
• Cyber Extortion
• Privacy Liability
• Business Interruption
• Regulatory Proceedings
• Digital Information Asset
• Media Liability
• PCI Fines and Penalties
State of the Marketplace
Market Update – Cyber Pricing
• Pricing continues to harden
- Pricing continues to rise in the wake of significant breaches, particularly in the affected industries of retail, healthcare and financial institutions
- Many insurers are looking to achieve rate increases ranging from 5–15% for insureds with no change in exposure profile
- Common justifications for increases: cyber risk evolving; investment income; development of losses specific to large retail; overall book profitability (some markets have dropped out of the primary running altogether)
- New risks are being looked at with more scrutiny, with a focus on existing security and privacy controls and procedures, the number of PII records being collected, and the third-party payment processors utilized
- Minimum excess premium near $6,000 per million; however, it is quickly increasing
- Increased renewal rates have been accompanied by coverage enhancements as insurers reach minimum pricing
Market Update – Cyber Capacity
• Capacity for Cyber coverage continues to grow both domestically and abroad
- There are approximately 35–40 unique markets that can provide Cyber capacity, with new entrants each year
- Markets exist domestically (primary and excess), in the UK (primary and excess) and in Bermuda (excess only)
- Markets that provide the most robust coverage and innovative forms include AIG, ACE, Beazley, Liberty, XL and Zurich
- Realistic capacity near $300M; Breach Expense capacity closer to $200M; Business Interruption at $150M
- Insureds’ buying trends continue to be the purchase of new programs or of additional capacity on pre-existing programs; particularly for Cyber-driven coverage there have been drastic increases in limits at renewal and midterm
- Interest in expanding Data Breach, PCI Fines, and Regulatory coverage continues to trend upward, with insureds looking to build full-limit programs for these first-party coverage items
Market Update – Cyber Underwriting Appetite
• Retentions remain varied and are increasing with regard to Cyber
- Retentions of all levels are available in the market, but vary based on industry class, revenue and unique exposures
- Adjusting retentions can lead to more coverage/sublimit flexibility
- Hesitation from insurers when offering retentions below $1M for organizations with revenues in the range of $500M–$1B
- Continued pressure from insurers to increase retentions when collection of data is present and/or growing
• Underwriting due diligence continues to fluctuate from one risk to the next
- More ‘committee’-style underwriting, which can make negotiations drawn out and challenging
- Greater focus on the insured’s breach response plan
- Intensified market need for more and varied information due to recent, very large retail breaches
- Increased scrutiny of vendor management and outsourcing: cloud computing, social networking sites, portable wireless
Market Update – Cyber Claims & Losses
• Stronger data is being gathered as breaches continue to occur
- There continue to be numerous breaches reported, with additional reports tracking the costs of the breaches
- Policies are responding, particularly to breach mitigation, allowing a better understanding of specific “claims” payments
- Increasingly punitive legal/regulatory environment, inclusive of PCI fines and penalties
- Plaintiffs’ bar continues to evolve proof-of-‘damages’ theories in the security/privacy context
- Law enforcement community has established cyber/information security crime, espionage, and terrorism as a top threat to national security
- Recent breaches including top names such as Target, Neiman Marcus, Home Depot, P.F. Chang’s, StubHub and Lowes continue to provide more factual support for limit purchasing
Questions?