The Eminent Presence of Cyber Liability

Created by: Alice West, Brent Rieth, Chris Calnon


Evaluating Cyber Exposure


2014 Cyber Environment

Who was compromised:
• Target, Neiman Marcus, Michaels, Home Depot, Supervalu / Albertsons, PF Chang’s, Goodwill, & Many Others

How were they breached:
• Windows based POS compromised with malware – via physical, remote, or email based attack
• Failures to address security basics – Patching, Access Control, Segmentation, Default Passwords, Vendor Management, Monitoring

Actions & impact from breach:
• Extreme system lock down, significantly increased investment in security, multi-million dollar impact to balance sheet, brand reputation damage, loss of sales, insurance losses


Creating a Cyber Culture

• Privacy awareness training
• Strong executive management support and involvement
• Regular table top exercises with Computer Incident Response Team, Crisis Management Team, and third party support
• Cross-function involvement in privacy awareness and exposure management


How are organizations responding to data breaches?

• Detect Breach
• Determine extent of breach, number of records lost, type of information lost
• Review federal and state statutes, actions necessary in breach response
• Notification, credit monitoring, credit restoration
• Potential regulatory fines and penalties incurred
• Vendor fines and penalties incurred
• Third party litigation and damages

• Important to have an incident response plan within the organization
• Collaboration between IT, Legal, Finance, and Risk can be critical
• Practice makes perfect – test your team and incident response plan


Impact on Insurers


Claims and Industry Trends (as of 1/31/2014)

Chart:
• Hack – 24%
• Lost/Stolen Hardware – 22% (Laptops 15%, Hard Drives 5%, Other 2%)
• Rogue Employee – 15%
• Human Error – 14%
• Privacy Policy – 9%
• Unknown – 7%
• Paper – 6%
• Software Error – 3%

Industry Breakout
• Healthcare – 31%
• Technology – 14%
• Professional Services – 12%
• Retail – 10%
• Financial Institutions – 8%

Targeted Attacks for PI:
• Lost/Stolen Devices
  – 2008 – 41%
  – 2012 – 17%
  – 2013 – 17%
• Hacking and Rogue Employee
  – 2008 – 31%
  – 2012 – 44%
  – 2013 – 44%

This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of the ACE Group. ©Copyright 2014


Triggers by Industry Segment (as of 1/31/2014)

[Figure: four bar charts, one each for Healthcare, Retail, Technology, and Professional Services; categories: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy]

Average Cost of First Party Expenses (as of 1/15/2014)

[Figure: bar chart of average cost by service. Bars, in the order shown: Legal Fees, Forensics, Notification & Call Center, Credit Monitoring, Crisis Management. Data labels, in the order shown: $192,049.00, $272,428.00, $157,577.00, $48,091.00, $12,600.00]

* ACE Data Reflects Average Incurred Costs Across Paid Claims

Every Breach Response is Unique

Cost Range of Each Service
• Legal Fees: Under $5,000 up to about $250,000
• Forensics: About $10,000 to Seven Figures
• Notification & Call Center: Approximately $3 per Record
• Credit Monitoring: Payment per Enrollee or Restoration Service
• Minimal Crisis Management Costs

Objective: Limit Third Party Exposure

Third Party Claims

Three Types of Third Party Claims
• Regulatory Proceedings (Less than 2%)
• Pre-litigation Demands (8%)
• Class Action Lawsuits (10%)

Regulatory Fines
• Bad Actor – Lack of Proper Response or Compliance
• Repeat Offender
• Lack of Internal Privacy Policies and Procedures

Pre-Litigation Demands
• Mostly in Healthcare
• Disclosure of Extremely Sensitive Information
• Adverse Employment Action

Chart: Lawsuits – 10%; Non-Lawsuits – 8%; Regulatory Proceedings – 2%

Coverage Available

• Breach Event Expenses
• Cyber Extortion
• Business Interruption
• Digital Information Asset
• Security Liability
• Privacy Liability
• Regulatory Proceedings
• Media Liability
• PCI Fines and Penalties

State of The Marketplace


Market Update – Cyber Pricing

Pricing

• Pricing continues to harden
- Pricing continues to rise in the wake of significant breaches, particularly in the affected industries of retail, healthcare and financial institutions
- Many insurers are looking to achieve rate increases ranging from 5 – 15% for insureds with no change in exposure profile
- Common justification of increases:
  - Cyber risk evolving
  - Investment income
  - Development of losses specific to large retail
  - Overall book profitability (some markets have dropped out of the primary running altogether)
- New risks are being looked at with more scrutiny, with a focus on existing Security & Privacy controls and procedures, number of PII records being collected and third party payment processors utilized
- Minimum Excess Premium near $6,000 per million; however quickly increasing
- Increased renewal rates have been accompanied by coverage enhancements as insurers reach minimum pricing

Market Update – Cyber Capacity

Capacity

• Capacity for Cyber coverage continues to grow both domestically and abroad
- There are approximately 35 - 40 unique markets that can provide Cyber capacity, with new entrants each year
- Markets exist domestically (primary and excess), the UK (primary and excess) and Bermuda (excess only)
- Markets who provide most robust coverage and innovative forms include AIG, ACE, Beazley, Liberty, XL and Zurich
- Realistic capacity near $300M; Breach Expense capacity closer to $200M; Business Interruption at $150M
- The insured’s buying trends continue to be the purchasing of new programs or additional capacity on pre-existing programs; particularly for Cyber-driven coverage there have been drastic increases in limits at renewal and midterm
- The interest in expanding Data Breach, PCI Fines, and Regulatory coverage continues to trend upwards; looking to build full limit programs for these first party coverage items

Market Update – Cyber Underwriting Appetite

Retentions

• Retentions remain varied and increasing in regards to Cyber
- Retentions of all levels are available in the market, but vary based on industry class, revenue and unique exposures
- Adjusting retentions can lead to more coverage/sublimit flexibility
- Hesitation from insurers when offering retentions below $1M for organizations with revenues in the range of $500M-$1B
- Continued pressure from insurers to increase retentions when collection of data is present and/or growing

Underwriting

• Underwriting due diligence continues to fluctuate from one risk to the next
- More ‘committee’ style underwriting, which can make negotiations drawn out and challenging
- Greater focus on Insured’s Breach Response Plan
- Intensified market need for more and varied information due to recent, very large retail breaches
- Increased scrutiny of vendor management and outsourcing:
  - Cloud Computing
  - Social Networking Sites
  - Portable wireless

Market Update – Cyber Claims

Claims & Losses

• Stronger data is being gathered as breaches continue to occur
- There continue to be numerous breaches reported with additional reports tracking costs of the breaches
- Policies are responding, particularly to the breach mitigation, allowing a better understanding of specific “claims” payments
- Increasingly punitive legal/regulatory environment; inclusive of PCI fines and penalties
- Plaintiff’s bar continues to evolve proof of ‘damages’ theories in security/privacy context
- Law enforcement community has established cyber/information security crime, espionage, and terrorism as a top threat to national security
- Recent breaches including top names such as Target, Neiman Marcus, Home Depot, P.F. Chang’s, StubHub and Lowes continue to allow more factual support to limit purchasing

Questions?