CYBER LIABILITY INSURANCE: CLAIMS ISSUES AND TRENDS THAT AUDITORS NEED TO KNOW
INSURANCE RISK MANAGEMENT EMPLOYEE BENEFITS
Presented by: Douglas R. Jones, CPCU, ARM, Senior Vice President, Principal
www.rhsb.com
www.techassure.org

Today's Discussion
- Deeper understanding of cyber insurance coverage and claims
- Understand future trends and issues impacting cyber insurance
- Practical steps to secure favorable coverage at lower total cost of risk
2014 NetDiligence Claim Study: Business Sector
2015 NetDiligence Claim Study: Business Sector
2015 NetDiligence Claim Study: Business Sector
Breach Notification Costs, the Real Numbers: Cost per Record (Total=$201)
2014 NetDiligence Claim Study: Total Claim Costs
2015 NetDiligence Claim Study: Total Claim Costs
2014 NetDiligence Claim Study: Crisis Service Costs
2015 NetDiligence Claim Study: Crisis Service Costs

Maricopa County Community College
2.5 million records lost
Costs:
- $9.3M legal fees
- $7.5M security consulting and repair
- $7.0M notification and credit monitoring
- $2.2M records management, public relations, photocopying, etc.

2015 NetDiligence Claim Study: Total Costs, Data Type
2015 NetDiligence Claim Study: Total Costs, Cause of Loss
Spear Phishing Losses
Types of Events Over Time
Industry Composition
Industry Composition over Time

More Small Companies Targeted
According to the Identity Theft Resource Center (ITRC), nearly 800 data breaches were publicly reported in 2015, representing over 169 million records.
Many on the breach list were small or midsize, including:
- Sole-proprietor Certified Public Accountants
- Dry cleaning companies
- Car wash businesses
- Sporting and recreational goods manufacturers
- Food courts
- Gift shops

Types of Data Lost
2014 NetDiligence Claim Study: Third-Party Breaches
2015 NetDiligence Claim Study: Third-Party Breaches
Ransomware Attacks

Practical Steps To Lower Your Total Cost of Risk
- Knowledge of market and coverage
- Develop a risk profile
- Have a process

Navigating Cyber Insurance
- Understand the market
  - Coverage is still evolving
  - Terms are not consistent
  - Demand and capacity
- Understand the product
  - 1st and 3rd party coverages
  - Varying applications and sublimits
  - Interaction with other coverages: E&O, Crime, D&O, GL
- Additional resources

Cost Variation: Example of carrier benefits
- Breach of approximately 50,000 records, including social security numbers
- Two years of credit monitoring services provided to victims

| Service | Insured's Vendor Cost | Carrier Vendor Cost | Savings |
| Legal Assistance with Notification Letters | $24,190 | $10,000 | $14,190 |
| Print/Mail Letters | $63,551 | $56,341 | $7,209 |
| Call Center Services | $118,642 | $66,852 | $51,790 |
| Credit Monitoring Services * | $34,199.80 - $683,996 | $15,864.85 - $317,297 | $18,334.95 - $336,698 |
| Totals | $240,583 - $890,379 | $149,058 - $450,490 | $91,524 - $409,887 |

Breach Response Resources

Insurance Applications
- Insurance applications are awful, but provide an opportunity to demonstrate that you thought through exposures
- Don't stress about the perfect application
- Supplement with a separate risk profile

Develop a Risk Profile
- Demonstrate a commitment to risk management from senior leadership
- Incident response plan should be formalized and tested
- Security review and analysis by third party
- Manage contractual liability exposures
  - Insurance, Indemnifications, Limitations of Liability
- Third party vendor evaluation
  - Cloud providers and data holders

Develop a Risk Profile: Controls and Procedures
- Limit access to electronic information only as needed
- Encryption whenever possible, esp. mobile devices
- Review physical security procedures
- Privacy policy in place, monitored for compliance, updated
- Sharing of customer information with any 3rd parties
- International privacy rules
- Include policy on Social Media

Have a Process
- Include Senior Mgt
  - IT, Legal, Risk Mgt, Finance
- Evaluation of carriers and coverages
  - Use exposure based risk assessment
  - Prioritize coverage features and map quotes against priorities
- Limit Determination
  - Benchmarking
  - Breach Calculators
  - Review claims & trends
  - Review data and aggregation

Limit Selection: Breach Calculators
Limit Selection: Peer Benchmarking

Navigating the Claims Process
- Your information network will be compromised
- Immediate response is key, but the claims process will take time
- Many involve both 1st and 3rd party losses
- Multiple 1st party breach responses
  - Computer Forensics
  - Legal Consultation
  - Breach Notification
  - Credit Monitoring
  - Public Relations
- Class action litigation

Douglas R. Jones, CPCU, ARM
Senior Vice President & Principal
djones@rhsb.com
972-744-2743
www.rhsb.com / www.techassure.org