Aon Risk Solutions Financial Services Group. Market Update. Cyber and privacy liability. June 2017

Size: px

Start display at page:

Download "Aon Risk Solutions Financial Services Group. Market Update. Cyber and privacy liability. June 2017"

Kelley Bridges
6 years ago
Views:

1 Aon Risk Solutions Market Update Cyber and privacy liability June 2017

2 Market Update The cyber and privacy liability market continued to have ample capacity through the fi rst half of There have been no new entrants into the Canadian cyber market, however, Beazley expanded their presence in Canada through the purchase of Creechruch Underwriters, a specialty managing general agent. When determining premiums, insurers continue to look to the number and type of records held by an organization, the scale of the business, and the extent to which records are outsourced to third party service providers. However, whether a company has an incident response plan, a business continuity plan and uses encryption are also key factors that will impact cyber insurance pricing. Clients should be aware that insurance forms available in the marketplace vary signifi cantly in the breadth and scope of coverage, which can result in signifi cant rate differences from carrier to carrier. High-risk sectors such as retail, universities, health care providers, municipalities, and ancillary services will generally command a higher rate than other sectors. Market Trends There is good market capacity for privacy risks available domestically, although coverage for more complex or individually tailored risks is generally underwritten through the London markets. There were a number of large scale data breaches in the retail sector over the last two years, resulting in hardening of the cyber insurance market for retailers in The insurance price adjustment due to those losses has now been made. Now cyber insurance rates and retentions are generally remaining flat on renewal for retailers, but carriers are implementing more stringent underwriting requirements. Insureds that process electronic credit card transactions are considered a higher risk sector and insurers are more often requiring insureds to be compliant with Payment Card Industry Data Security Standards (PCI-DSS). In fact, an insured may be refused coverage by some carriers where it is not compliant with PCI-DSS or may be subject to an exclusion for PCI-DSS fines and penalties (usually otherwise covered where an insured is PCI-DSS compliant). With fewer insurers writing retail risks, insurance can sometimes be diffi cult to procure for clients that are perceived to have a large payment card risk exposure. The market remains competitive with respect to other industries and cyber risks, with premiums and retentions generally remaining flat. Insureds that do not operate within an industry seen as high-risk have seen some decrease in pricing on renewal when the account is marketed. 2 State of the Market: Cyber and privacy liability

3 Coverage It is now standard and expected for cyber insurers to provide full-limits coverage for both fi rst and third-party expenses on cyber insurance policies. Insureds that have renewed in the fi rst half of 2017 have, for the most part, had existing sublimits removed for no additional premium. Most insurers will not provide fi rst-party expense coverage for a breach that occurs prior to the purchase of cyber insurance, even if it results in a claim after the policy is in place. However, some will provide backdated coverage for an additional premium for unknown cyber breaches (i.e. malware) that took place prior to the purchase of insurance. This will result in a claim once insurance is in place as long as no member of the organization s control group was aware of the breach or a pre-existing vulnerability that could have led to a breach. Some insurers underwriting cyber liability insurance are now providing insureds with emergency response costs coverage so that the insured can use approved vendors to mitigate losses in an emergency situation. When the insured cannot contact the insurer, this coverage provides immediate crises response coverage for the first 24 hours with a sublimit and no deductible. The internet of things (IoT) continues to be a significant cyber risk for businesses concerned with a potential cyber-breach causing injury to individuals or damage to property. Until recently, insurance coverage for these risks was piecemeal under property, casualty, and other developing insurance products. However, in late 2016, Aon launched a new insurance product, the Aon Cyber Enterprise Solution, to address property and casualty losses arising out of a cyber-breach specifically. The policy is designed to protect organizations against catastrophic cyber risk with a large limit and large retention approach. It is one of the first insurance products to clearly provide coverage for exposures such as cyber terrorism and property damage, products liability, and other major losses resulting from a network security breach. Other insurers have since introduced similar products, for example, American International Group s Cyber Edge. The market is also evolving to provide cheaper and more effi cient cyber insurance solutions for small- to mid-sized organizations. In 2016, Aon collaborated with Beazley Group (Beazley) to develop an insurance program designed specifi cally for small- to mid-sized organizations that can be applied for and purchased through an online platform. The new approach to purchasing this insurance streamlines the underwriting for this category of cyber risk and facilitates an easier and less-expensive cyber insurance purchase for these clients. The online tool is now ready to bind risks with revenue less than $200 billion. Only seven non-it related questions are required to obtain fi rm terms and the product provides full retroactive coverage. There s been a new trend for brokers to partner with risk management fi rms in order to bring complete cyber risk solutions. Aon has purchased a leading cyber security fi rm, creating a comprehensive Cyber Risk Management Advisory Group with distinct client value, including standards-based cyber assessments and industry-leading risk transfer solutions. Canadian Regulatory Update Cybersecurity is a priority in for Canadian Securities Administrators (CSA) The CSA have released Staff Notice (notice) on cybersecurity, which serves as an update to Staff Notice , previously released in September The notice reports on CSA s review of the filings of the 240 constituent issuers in the S&P/TSX Composite Index concerning their disclosure of cybersecurity issues. The review found the following: Only 61 percent of issuers addressed cyber security issues in their risk factor disclosure Few issuers provided disclosure regarding their particular vulnerability to cyber security incidents Aon Risk Solutions 3

4 Only 31 issuers identifi ed a person, group, or committee responsible for cybersecurity risk management Some issuers disclosed that a disaster recovery plan had been put in place, while few issuers disclosed holding insurance against cybersecurity incidents No issuer disclosed the occurrence of a material cybersecurity breach When preparing their disclosure, issuers should consider the reasons they may be exposed to a cyber security breach, the source and nature of the risks, the potential consequences of a cyber security breach, and the adequacy of preventative measures. Disclosure should focus on material and entity specific information and avoid boilerplate language as much as possible. It is expected that issuers tailor their disclosure of cyber security risk to their particular circumstances, without disclosing details regarding their cyber security strategy or their vulnerability to cyberattacks. The notice serves as a further indication that regulators are taking cybersecurity very seriously and market participants are expected to do the same. A cyber security roundtable took place on 27 February 2017 to discuss issues related to cyber security and opportunities for greater collaboration, communication, and coordination in the event of a cyber security incident. No information has been released on the discussions from the roundtable. The CSA is expected to continue reviewing disclosure of cyber security risks and incidents, monitor trends in disclosure, and review the extent and timing of reporting of cyber security incidents. IoT botnets present unmanageable cyber security risk Juniper Research Limited (Juniper), a UK based company, has cautioned that the scale of embedded connectivity could lead to an unmanageable cyber security risk created by botnets. Botnets are a network of private computers infected with malicious software and controlled as a group without the owners knowledge. Juniper estimates that the consumer IoT installed base will reach 15 billion-plus units by 2021, a 120 percent increase over 2016, leading to botnets in excess of one million units. Juniper s research found that using botnets to disrupt internet services will form part of the near-term threat landscape. While there have not yet been any direct regulatory adjustments to deal with the unique issues this risk presents, a review of existing Canadian laws may be desirable. In particular, Canada s current laws around consent and personally identifi able information may need to be reviewed or updated. In the meantime, IoT device manufacturers should take a proactive approach by implementing security-by-design. Canadian Litigation Update Privacy class action authorized against Target The Superior Court of Québec recently authorized a privacy class action in Zuckerman v. Target Corporation. The petitioner alleged damages as a results of a data breach involving an estimated 40 million credit and debit cards, as well as the personal information of up to 70 million customers. Target made a public acknowledgement in late 2013, stating that there had been unauthorized access to payment card data in its U.S. stores. Names, card numbers, expiration dates, and security codes were accessed. More than 80 class actions followed in the U.S., ultimately consolidating into a single proceeding. In Canada, only the Zuckerman class action was filed. On behalf of the class, the petitioner alleged damages for fear, confusion, and loss of time, costs or fees for credit monitoring services, Target s failure to notify some members of the breach, and potential fraud or identity theft. In contrast to the Home Depot s quick and proactive response to a cyber breach in 2014, the Privacy Commission found that Target did not provide timely notifi cation to its customers. While breach notifi cation is only mandatory in Alberta, organizations may still decide to notify on a voluntary basis, especially if customers are going to argue that their damages were aggravated because they did not receive timely notification. Businesses may wish to invest in prevention and ensure that they have adequate security measures in place. 4 State of the Market: Cyber and privacy liability

5 Under the new the Personal Information Protection and Electronic Documents Act it will be a criminal offence for an organization to knowingly fail to report breaches, punishable by significant fines. This may also serve as a warning to businesses that their actions in one jurisdiction can lead to signifi cant legal exposure in another, in situations where their customer bases extend beyond provincial, state, or national borders. U.S. Regulatory Update New York cyber security regulations for financial institutions come into effect On 1 March 2017, the New York Department of Financial Services (DFS) cyber security regulations came into full effect. All financial institutions must formally assess their cyber security risks and establish and maintain a cyber security program. In addition, they must also ensure that all third-party companies in which they do business demonstrate a minimum level of cyber security and report any breaches that impacts their data. The cyber security regulations are in direct response to the increasing number of cyberattacks on insurers and fi nancial institutions, such as the 2016 cyber-attack on the central bank of Bangladesh in which stolen SWIFT credentials and malware were used to illegally transfer $81 million of funds held at the Federal Reserve Bank of New York. The cyber security regulations are the fi rst state-mandated regulations to address cyber security threats. Most of the cyber security regulations are practiced by financial institutions and subject to the Gramm-Leach-Bliley Act (GLBA). However, the regulations are broader in some key respects. The regulations have a wider defi nition of fi nancial institutions; information protected extends beyond personally identifiable financial information to include all non-public electronic information, mandatory multi-factor authentication for remote access to secure company networks, obligation to designate a qualifi ed individual to act as a chief information security offi cer (CISO), and mandatory reporting of all breaches. The last three requirements have Canadian security experts taking notice as Canada s current regulations are not as robust. The regulations demonstrate the ongoing shift in public policy towards a more watchful and regulated approach with respect to data privacy and serve as an apt reminder of the importance of continually assessing and managing risk in an environment of escalating cyber security threats. Other legislative measures addressing cyber risks are expected to be adopted both in the U.S. and Canada, including the requirement to report security breaches under the Digital Privacy Act. U.S. Litigation Update Home Depot settles data breach suit with financial institutions Home Depot Inc. (Home Depot) has reached a $25 million settlement with banks and credit unions in connection with its massive 2014 data breach. The lawsuit and settlement represent the consolidation of over 25 class actions against Home Depot by 50 financial institutions. The $25 million will be paid into a fund to be distributed to financial institutions that have not already released their claims. Home Depot will pay another $2.25 million to compensate certain entities whose claims had been released by a sponsor, adding to the $14.5 million in premiums already paid to MasterCard and Visa issuers in exchange for releases. According to the proposed settlement, Home Depot will pay the costs of notice and administration and attorney s fees and expenses separately. They have also agreed to implement security measures to reduce the risk of a future data beach. Home Depot had previously reached a $19.5 million settlement with consumers impacted by the data breach. Aon Risk Solutions 5

6 Yahoo faces another securities class action lawsuit due to a data breach In December 2016, Yahoo announced that an unauthorized third party stole data associated with more than one billion user accounts. The account information was believed to included names, addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and in some cases, encrypted or unencrypted security questions and answers. Yahoo believes that this attack, which took place in 2013, is distinct from the incident the company disclosed in September A securities class action lawsuit was fi led on 24 January 2017 in the Northern District of California alleging that Yahoo made false or misleading statements or failed to disclose that they did not encrypt its users personal information, among other things. The complaint also alleges that following the company s December 2016 data breach disclosure, the company s share price declined 6.11 percent. There have been few date breach-related security class action lawsuits fi led in the U.S., in part because companies share prices generally do not react to data breach disclosures. It remains to be seen if this claimant will have more success than other claimants that have tried to pursue data breach related directors and offi cers claims. Data breach-related shareholder derivative lawsuit filed against Wendy s In January 2016, Wendy s began investigating a potential data breach and by June 2016, discovered malware that affected at least 350 restaurant s point of sale systems. The data breach, which occurred from October 2015 to June 2016, is alleged to have affected over 1,000 customers personal and financial information. On 16 December 2016, a plaintiff shareholder fi led a derivate lawsuit in the Southern District of Ohio against Wendy s and 19 of its current and former directors and offi cers. The complaint sets forth causes of action for breach of fi duciary duty, waste of corporate assets, unjust enrichment, and gross mismanagement. Wendy s is now defending itself against three lawsuits. First, a class action litigation on behalf of fi nancial institutions for negligence. Second, a class action lawsuit on behalf of Wendy s customers alleging claims for breach of implied contract, negligence, violations of state consumer protection laws, and violations of state data breach statutes. Lastly, this shareholder derivative suit, which can often follow a cyber data breach incident. This is the latest in a line of U.S. derivative lawsuits related to cyber security incidents, most of which have been dismissed by the courts. Although cyber-breach-related derivative lawsuits have not fared particularly well, it is unlikely that we have seen the last of them as the outcome may change where an organization is found to have inadequate security processes or have given minimal time and attention to cybersecurity issues. We-Vibe will pay $5 million to settle privacy class action A Canadian sex toy manufacturer has reached a settlement in a class action lawsuit over allegedly unauthorized data collection linked to its We-Vibe vibrators. The lawsuit claimed the app collected data on use of the vibrator, including the date and time of each use as well as vibration, temperature and intensity settings, and how often the toys were used without the user s knowledge. The suit also alleged the data and the user s personal address were transmitted to company servers in Canada. Under the terms of the settlement, Standard Innovation Corp. will pay $5 million as well as destroy collected data and stop recording users personal information. The settlement offers compensation for persons who purchased bluetooth-enabled We-Vibe products or who downloaded and used the We- Connect app. Class members who want to object to the settlement or opt out must do so by 29 June State of the Market: Cyber and privacy liability

7 Key Contacts Brian Rosenbaum, LL.B. Senior Vice President and National Director Legal and Research Practice t brian.rosenbaum@aon.ca Desiree Money, CAIB, CRM Senior Vice President and Regional Manager t desiree.money@aon.ca Catherine Richmond, LL.B., CRM Senior Vice President and Regional Manager t m catherine.richmond@aon.ca Catherine Lanctôt, B.A. Vice President and Manager t catherine.lanctot@aon.ca Denise Hall Senior Vice President and National Broking Leader t m denise.hall@aon.ca About Aon Risk Solutions Canada Aon Reed Stenhouse For more than 160 years, in one form or another, Aon Reed Stenhouse has been a major force in the Canadian insurance industry. Aon Reed Stenhouse, operating under the brand name Aon Risk Solutions, is Canada s leading insurance brokerage and risk management services firm. We serve an extensive client base, handling more than $2 billion in annual premiums on behalf of our clients. Insurance brokerage Risk management Employee health and benefi ts Our 1,600 professionals serve clients from 23 offi ces located across Canada. We provide our clients with a wide range of innovative solutions. Each day, Aon professionals work to deliver the best solutions to our clients. Aon Risk Solutions 7

8 About Aon Aon plc (NYSE:AON) is a leading global professional services fi rm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance. Aon Reed Stenhouse 2017 Inc. All rights reserved. The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Aon Risk Solutions Financial Services Group. Market Update. Employment practices liability. June Risk. Reinsurance. Human Resources.

Aon Risk Solutions Financial Services Group. Market Update. Employment practices liability. June Risk. Reinsurance. Human Resources. Aon Risk Solutions Market Update Employment practices liability June 2017 Risk. Reinsurance. Human Resources. Market Overview The Canadian market for employment practices liability (EPL) insurance coverage