CYBER LIABILITY BREAK OUT SESSION Dakota Manufacturers' Day Summit October 5, 2016 Beth M. Watkins, CRM, CIC, CISR Director of Management Liability Marsh & McLennan Agency 763-746-8220 Beth.Watkins@MarshMMA.com
TODAY’S DISCUSSION • What does Cyber Liability look like • Legal & Financial Consequences • Managing Your Risk 1 MARSH & McLENNAN AGENCY LLC
HOW A DATA BREACH OCCURS Actual or alleged theft, loss, or unauthorized collection/disclosure of confidential information that is in the care, custody, or control of the Insured, or a 3rd for whom the Insured is legally liable. Discovery can come about in several ways: Discovery • Self discovery — usually the best case. • Customer inquiry or vendor discovery. • Call from regulator or law enforcement. Forensic Investigation and Legal Review First Response • Forensic tells you what happened. • Legal sets out options/obligations. Remedial Public External Issues Notification Service Relations Offering Regulatory Damage to Fines, Long-Term Consequences Income Loss Brand or Penalties, and Civil Litigation Reputation Consumer Redress 2 MARSH & McLENNAN AGENCY LLC
AN EXPOSURE SOME WANT TO IGNORE • Not easily monetized, or visualized • Many cases are kept quiet “There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” • Not tangible – Robert S. Mueller, III Director, FBI • Seen as an IT issue, challenging to understand 3 BARNES & THORNBURG, LLP MARSH & McLENNAN AGENCY LLC
DOES YOUR BUSINESS OR ORGANIZATION HAVE EXPOSURE? • Do you store confidential information in your network (e.g., social security numbers, birth dates, employee evaluations, customer lists, trade secrets)? • Does your business utilize, wireless networks, laptops, smartphones or other portable devices? • Can your customers access their information via your website? • Do you receive/transmit sensitive information from/to vendors or other third parties? What about the cloud? • Do you process credit card transactions? • Are your employees able to communicate outside your business? 4 BARNES & THORNBURG, LLP MARSH & McLENNAN AGENCY LLC
WHAT DATA IS EXPOSED? • Confidential client or customer information – Customer lists – Business/acquisition plans – Employee records (past, present and applicants) – Intellectual property • PII/PHI – Social Security and drivers license numbers – Credit card and financial account numbers – HIPAA 5 MARSH & McLENNAN AGENCY LLC
Cyber Statistics 6
NetDiligence 2015 Claims Study 7 MARSH & McLENNAN AGENCY LLC
NetDiligence 2015 Claims Study 8 MARSH & McLENNAN AGENCY LLC
DATA BREACH STATISTICS What Commonalities Exist • 75% driven by financial motives • 71% targeted user devices • 54% compromised servers • 75% considered opportunistic attacks • 78% rated as low difficulty • 69% discovered by external parties • 66% took months, or more to discover Source: Verizon 2013 Data Breach Investigations Report 9 MARSH & McLENNAN AGENCY LLC
COMMON TYPES OF CLAIMS • Cryptolocker – Small sums demanded and paid – Forensics & investigation • Employee error – Inadvertent email to thousands of unintended recipients – Lost laptops with confidential files • Online Breaches – Accessing individual records – Self reported to payment card brands – Breach vendors engaged • Phishing and Spear Phishing Attacks – Access to confidential information and network – Social Engineering schemes 10 MARSH & McLENNAN AGENCY LLC
LEGAL CONSEQUENCES OF BREACH • Notification & remediation laws – Patchwork of laws (47 states, D.C., Puerto Rico, Virgin Islands) – No Federal Law, International Laws developing - 30+ countries outside the U.S. now require or strongly recommend notification – Jurisdiction in which affected party resides governs notification requirement • Claims by clients, customers or employees, regulators – Negligence, invasion of privacy, breach of fiduciary duty, intellectual property infringement, unfair/deceptive business practices – Class Actions – Active Attorney Genera l 11 MARSH & McLENNAN AGENCY LLC
A SINGLE EXPOSURE CAN RESULT IN: • Direct Legal Liability • Vicarious liability for acts of vendors/service providers • Compliance with breach notification laws • Loss of revenue/extra expense due to a system outage • Loss or damage to brand reputation • Regulatory actions and scrutiny • Loss or damage to data/information 12 MARSH & McLENNAN AGENCY LLC
FINANCIAL CONSEQUENCES OF BREACH • First-Party Loss • Third-Party Liability 13 MARSH & McLENNAN AGENCY LLC
FIRST PARTY LOSS • Notification and credit monitoring expenses • Crisis management expenses (including public relations) • Computer forensics/data restoration • Business income loss and extra expense including dependent business interruption • Extortion payments • Reputational harm 14 MARSH & McLENNAN AGENCY LLC
THIRD-PARTY LIABILITY • Defense fees and expenses • Damages (Judgments/Settlements) • Plaintiff attorney’s fees and expenses • Punitive Damages • Regulatory fines and penalties 15 MARSH & McLENNAN AGENCY LLC
RISK MANAGEMENT • Identify and assess the risk • Reduce the risk • Transfer the risk 16 MARSH & McLENNAN AGENCY LLC
ASSESS THE RISK • What types of sensitive data does your company store/send/receive? • How vulnerable is the data to a security breach? • What would be the potential severity of loss or liability in the event of a breach? 17 MARSH & McLENNAN AGENCY LLC
REDUCE THE RISK • What reasonable measures can your company implement to reduce the likelihood and severity of a data security breach? • Do those measures meet/exceed the standard of care for data security in your type of business? • What can your company do to educate employees about the risks and consequences of data security breaches, and to enforce their compliance with data security measures? • What can you do to ensure compliance by vendors and other third parties? • Do you have a disaster recovery plan, incident response plan and business continuity plan? 18 MARSH & McLENNAN AGENCY LLC
TRANSFER THE RISK • Contractually through Indemnity Agreements – Limitations of Liability? – Proof of Insurance? – Availability of Insurance? • Insurance • Traditional insurance does not respond well to cyber liability – Errors and Omissions (E&O) – tech & and sometimes mfg are excepted here; – Commercial General Liability (CGL); – Property; – Crime; – Kidnap and Ransom (K&R); – Directors and Officers (D&O) 19 MARSH & McLENNAN AGENCY LLC
CYBER / NETWORK SECURITY INSURANCE • Little standardization • Fills in gap in traditional insurance • Stand-alone policies (vs. endorsed onto existing polices such as property or general liability) generally include 1st & 3rd party extensions • A good program can be a risk prevention, risk management and insurance product all in one • Claims response services and suppport are a crucial piece 20 MARSH & McLENNAN AGENCY LLC
AVOID COVERAGE ISSUES BY NEGOTIATING FAVORABLE TERMS • Limited to electronic data? • Broad definition of “claim”? • Trigger on discovery or wrongful act? • Prior Acts Coverage? • Coverage for fines, penalties, punitive damages? • Coverage for Business Interruption? Data Restoration? Extortion? • Rogue Employee Coverage? • Does coverage extend to your notification of customer’s affected parties? • Exclusions – Failure to update software? – Unecrypted portable devices ? • If E&O is in place, how do these programs work (or not work) together? • Breach Response Service – pre and post loss 21 MARSH & McLENNAN AGENCY LLC
It’s Not Just The Big Guys. . . IN REALITY In 2013, businesses with revenues less than $300M accounted for over 62% of cyber claims .1 1 out of 5 small businesses falls victim to cyber crime each year. Of those, about 60% go out of business within 6 months. 2 Does Insurance Really Pay? In 2014: average claim payout was $733,109 average cost for legal defense was $698,797 average cost for legal settlement was $558,520 1 Small businesses can expect forensic costs alone to run $10,000 to $100,000 3 When It Happens To You, Who Do You Call? A single call connects you to a team of experts who provide all the services you need to manage a breach and mitigate 1. Net Diligence Cyber Claims Study 2014 litigation. Services Include: 2. “The Case for Cyber” National Underwriter, May 2015 citing National Cyber Security Alliance Forensics 1. Beazley PE Data Breach Report Legal services Breach notification services Call center services Credit monitoring and restoration services 22 MARSH & McLENNAN AGENCY LLC
Information Security is a Work in Progress not an Endpoint 23 MARSH & McLENNAN AGENCY LLC
Recommend
More recommend