
CYBER LIABILITY BREAK OUT SESSION Dakota Manufacturers' Day Summit



  1. CYBER LIABILITY BREAK OUT SESSION
     Dakota Manufacturers' Day Summit
     October 5, 2016
     Beth M. Watkins, CRM, CIC, CISR
     Director of Management Liability
     Marsh & McLennan Agency
     763-746-8220
     Beth.Watkins@MarshMMA.com

  2. TODAY’S DISCUSSION
     • What does Cyber Liability look like
     • Legal & Financial Consequences
     • Managing Your Risk
     MARSH & McLENNAN AGENCY LLC

  3. HOW A DATA BREACH OCCURS
     Actual or alleged theft, loss, or unauthorized collection/disclosure of confidential information that is in the care, custody, or control of the Insured, or a 3rd party for whom the Insured is legally liable.
     Discovery can come about in several ways:
     Discovery
     • Self discovery — usually the best case.
     • Customer inquiry or vendor discovery.
     • Call from regulator or law enforcement.
     First Response: Forensic Investigation and Legal Review
     • Forensic tells you what happened.
     • Legal sets out options/obligations.
     External Issues
     • Notification
     • Remedial Service Offering
     • Public Relations
     Long-Term Consequences
     • Income Loss
     • Damage to Brand or Reputation
     • Regulatory Fines, Penalties, and Consumer Redress
     • Civil Litigation

  4. AN EXPOSURE SOME WANT TO IGNORE
     • Not easily monetized, or visualized
     • Many cases are kept quiet
     • Not tangible
     • Seen as an IT issue, challenging to understand
     “There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
     – Robert S. Mueller, III, Director, FBI
     BARNES & THORNBURG, LLP

  5. DOES YOUR BUSINESS OR ORGANIZATION HAVE EXPOSURE?
     • Do you store confidential information in your network (e.g., social security numbers, birth dates, employee evaluations, customer lists, trade secrets)?
     • Does your business utilize wireless networks, laptops, smartphones or other portable devices?
     • Can your customers access their information via your website?
     • Do you receive/transmit sensitive information from/to vendors or other third parties? What about the cloud?
     • Do you process credit card transactions?
     • Are your employees able to communicate outside your business?

  6. WHAT DATA IS EXPOSED?
     • Confidential client or customer information
       – Customer lists
       – Business/acquisition plans
       – Employee records (past, present and applicants)
       – Intellectual property
     • PII/PHI
       – Social Security and driver's license numbers
       – Credit card and financial account numbers
       – HIPAA

  7. Cyber Statistics

  8. NetDiligence 2015 Claims Study

  9. NetDiligence 2015 Claims Study

  10. DATA BREACH STATISTICS
     What Commonalities Exist
     • 75% driven by financial motives
     • 71% targeted user devices
     • 54% compromised servers
     • 75% considered opportunistic attacks
     • 78% rated as low difficulty
     • 69% discovered by external parties
     • 66% took months or more to discover
     Source: Verizon 2013 Data Breach Investigations Report

  11. COMMON TYPES OF CLAIMS
     • Cryptolocker
       – Small sums demanded and paid
       – Forensics & investigation
     • Employee error
       – Inadvertent email to thousands of unintended recipients
       – Lost laptops with confidential files
     • Online Breaches
       – Accessing individual records
       – Self reported to payment card brands
       – Breach vendors engaged
     • Phishing and Spear Phishing Attacks
       – Access to confidential information and network
       – Social Engineering schemes

  12. LEGAL CONSEQUENCES OF BREACH
     • Notification & remediation laws
       – Patchwork of laws (47 states, D.C., Puerto Rico, Virgin Islands)
       – No Federal Law; International Laws developing: 30+ countries outside the U.S. now require or strongly recommend notification
       – Jurisdiction in which affected party resides governs notification requirement
     • Claims by clients, customers or employees, regulators
       – Negligence, invasion of privacy, breach of fiduciary duty, intellectual property infringement, unfair/deceptive business practices
       – Class Actions
       – Active Attorney General

  13. A SINGLE EXPOSURE CAN RESULT IN:
     • Direct Legal Liability
     • Vicarious liability for acts of vendors/service providers
     • Compliance with breach notification laws
     • Loss of revenue/extra expense due to a system outage
     • Loss or damage to brand reputation
     • Regulatory actions and scrutiny
     • Loss or damage to data/information

  14. FINANCIAL CONSEQUENCES OF BREACH
     • First-Party Loss
     • Third-Party Liability

  15. FIRST PARTY LOSS
     • Notification and credit monitoring expenses
     • Crisis management expenses (including public relations)
     • Computer forensics/data restoration
     • Business income loss and extra expense including dependent business interruption
     • Extortion payments
     • Reputational harm

  16. THIRD-PARTY LIABILITY
     • Defense fees and expenses
     • Damages (Judgments/Settlements)
     • Plaintiff attorney’s fees and expenses
     • Punitive Damages
     • Regulatory fines and penalties

  17. RISK MANAGEMENT
     • Identify and assess the risk
     • Reduce the risk
     • Transfer the risk

  18. ASSESS THE RISK
     • What types of sensitive data does your company store/send/receive?
     • How vulnerable is the data to a security breach?
     • What would be the potential severity of loss or liability in the event of a breach?

  19. REDUCE THE RISK
     • What reasonable measures can your company implement to reduce the likelihood and severity of a data security breach?
     • Do those measures meet/exceed the standard of care for data security in your type of business?
     • What can your company do to educate employees about the risks and consequences of data security breaches, and to enforce their compliance with data security measures?
     • What can you do to ensure compliance by vendors and other third parties?
     • Do you have a disaster recovery plan, incident response plan and business continuity plan?

  20. TRANSFER THE RISK
     • Contractually through Indemnity Agreements
       – Limitations of Liability?
       – Proof of Insurance?
       – Availability of Insurance?
     • Insurance
     • Traditional insurance does not respond well to cyber liability
       – Errors and Omissions (E&O) – tech and sometimes mfg are excepted here;
       – Commercial General Liability (CGL);
       – Property;
       – Crime;
       – Kidnap and Ransom (K&R);
       – Directors and Officers (D&O)

  21. CYBER / NETWORK SECURITY INSURANCE
     • Little standardization
     • Fills in gap in traditional insurance
     • Stand-alone policies (vs. endorsed onto existing policies such as property or general liability) generally include 1st & 3rd party extensions
     • A good program can be a risk prevention, risk management and insurance product all in one
     • Claims response services and support are a crucial piece

  22. AVOID COVERAGE ISSUES BY NEGOTIATING FAVORABLE TERMS
     • Limited to electronic data?
     • Broad definition of “claim”?
     • Trigger on discovery or wrongful act?
     • Prior Acts Coverage?
     • Coverage for fines, penalties, punitive damages?
     • Coverage for Business Interruption? Data Restoration? Extortion?
     • Rogue Employee Coverage?
     • Does coverage extend to your notification of customer’s affected parties?
     • Exclusions
       – Failure to update software?
       – Unencrypted portable devices?
     • If E&O is in place, how do these programs work (or not work) together?
     • Breach Response Service – pre and post loss

  23. It’s Not Just The Big Guys. . .
     IN REALITY
     • In 2013, businesses with revenues less than $300M accounted for over 62% of cyber claims. [1]
     • 1 out of 5 small businesses falls victim to cyber crime each year. Of those, about 60% go out of business within 6 months. [2]
     Does Insurance Really Pay?
     • In 2014:
       – average claim payout was $733,109
       – average cost for legal defense was $698,797
       – average cost for legal settlement was $558,520 [1]
     • Small businesses can expect forensic costs alone to run $10,000 to $100,000 [3]
     When It Happens To You, Who Do You Call?
     A single call connects you to a team of experts who provide all the services you need to manage a breach and mitigate litigation. Services Include:
     • Forensics
     • Legal services
     • Breach notification services
     • Call center services
     • Credit monitoring and restoration services
     Sources:
     1. Net Diligence Cyber Claims Study 2014
     2. “The Case for Cyber” National Underwriter, May 2015 citing National Cyber Security Alliance
     3. Beazley PE Data Breach Report

  24. Information Security is a Work in Progress not an Endpoint
