Be the GAME CHANGER.
DISCLAIMER
Seminar materials and presentations are intended to provide you with guidance and insight with regard to the selected topics. However, your instructor is not an attorney; and the materials and comments do not constitute, and should not be regarded as, legal advice. Although every effort has been made to assure the accuracy of these materials and the comments made during the seminar, they are not intended to serve as a substitute for legal counsel. Policy forms, clauses, rules, and court decisions constantly change and vary from company to company and state to state. These materials are intended as a general guideline and may not apply to a specific situation. The author, instructor, Professional Insurance Agents of Indiana Inc., and any organization for whom this seminar is conducted shall have neither liability nor responsibility to any person or entity with respect to any loss or damage alleged to be caused directly or indirectly as a result of information contained in this book, in the presentation, or in any ensuing discussion.

Presented by Professional Insurance Agents of Indiana
50 E. 91st Street, Suite 207
Indianapolis, IN 46240
317.899.9200
www.piaindiana.com
Mark Reilly
Mark has been in the insurance industry as a company production underwriter, agent, agency owner, speaker, author and expert witness for almost 40 years. He was an agency owner for nearly 30 years. Mark currently is an owner of inbuzz Group, an Inbound Marketing and Sales company. He is also employed by USI Insurance, one of the largest independent insurance agencies in the world. His responsibilities with USI include employee education and mentoring. Mark and his wife Nancy live in Port Clinton, Ohio.
Just the Equifax, Ma'am: Cyber Liability Exposures and Solutions for Your Clients

Are Our Clients Being Hacked?
Are Our Clients Being Hacked?
67% of exposed records were from the retail sector
Small companies represented 47% of the claims
The average breach cost was $348k and the median amount was $56k
The largest regulatory claim was $6M
Cyber event recovery cost high was $475k
Ransomware / cyber extortion affected every sector, with maximum breach costs in excess of $500K
Source: 2017 NetDiligence Claims Study

Are Our Clients Being Hacked?
Wire transfer fraud and theft of money averaged $179K in breach cost
Trademark infringement and/or the loss of trade secrets averaged $865K, with a median of $182K and a maximum of $4.9M
Healthcare and professional services suffered 44% of the fraudulent W-2 claims
Breach costs were 20% higher when there was cloud involvement
PCI data was exposed in 16% of claims but accounted for 67% of records
PHI data represented 15% of claims and 17% of exposed records, while PII data accounted for 36% of claims but only 16% of exposed records
PCI, PHI and PII data accounted for 99% of all records exposed
Source: 2017 NetDiligence Claims Study

Are Our Clients Being Hacked?
Lost or stolen devices more than doubled in claims this year, and paper records claims almost tripled
Maliciously motivated insider events resulted in more expensive claims by a factor of four
Hackers were identified as the most common cause of loss, followed by malware / virus, ransomware / cyber extortion and staff mistake
Notification cost was 39% higher
Source: 2017 NetDiligence Claims Study

Are Our Clients Being Hacked?
Across the entire healthcare sector, SecurityScorecard says 75 per cent have suffered a malware infection. Medical treatment centers (96 per cent) are most targeted by ransomware and medical equipment manufacturers (90 per cent) are most frequently hit by malware.
Source: Insurance Business, November 09, 2016
Just the Facts (statistics charts on slides 4 to 12; image content not reproduced)
Cyber Insurance Today
(Chart: growth rate opportunity by industry)
One of the fastest growing lines of insurance
Claims so far have been moderate and experience good for insurers (recent losses are negatively impacting rates, up 85% since '11)
Challenges are coming:
Breaches are growing
Too many breaches will affect premiums and coverages
Common attack breaches will start to show up, especially cloud based
There is a lack of talent in underwriting and claims
Can actuaries predict and offer stable pricing?
Cyber coverages are widely different and have many gaps

Cyber Insurance Today
Gaps will include:
Reduction in business market capital
Reputational harm
Business interruption and extra expense costs
Lost time from staff and business focus
This exposure is cradle to grave
Legendary vs. evidentiary
Focus needs to be on risk avoidance, risk mitigation, risk reduction, and duplication of value added services
Risk control through advances in technology is needed: new credit cards as an example, the EMV liability shift (10/01/2015); recent denial of service from IoT and smart homes

Which Clients and Prospects Need Coverage?
Two major categories:
Users of technology: they need Data Breach or Cyber Liability coverage
Sellers of technology: they need E&O, Professional, Content and/or Media coverage
Let's ID some Exposures
What state enacted the first data security breach law?
What is FERPA? What does it protect?
What are the opt-out requirements for the CAN-SPAM Act?
What is the Red Flag Rule?
Who has to comply with HIPAA?
What is the HITECH Act?
What is COPPA and how will it affect your clients?

Let's ID some Exposures: data breach cost calculators
Privacy Risks Advisors data breach calculators: http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/
IBM Data Breach Calculator: http://www.ibmcostofdatabreach.com/result
eRisk Hub calculator: https://eriskhub.com/mini-dbcc
Data breaches: https://www.privacyrights.org/data-breaches
Cyber Risk Exposure Scorecard
Presented by Diversified Insurance Service

Instructions
In recent years, cyber attacks have emerged as the most significant threats facing organizations of all sizes. The Internet and other network operations have created risks that were unheard of less than a decade ago. When cyber attacks (such as data breaches and hacks) occur, they can result in devastating damages such as business disruptions, revenue loss, legal fees and forensic analysis, and customer or employee notifications. It is important to remember that no organization is immune to the impact of cyber crime. As a result, cyber liability insurance has become an essential component to any risk management program. Begin by answering the questions on the left. Each response (Yes / No / Unsure) will be assigned a numerical value depending on the answer. At the end, we will total your score to determine your organization's level of cyber risk.

Question / Response / Score
1. Does your organization have a wireless network, or do employees or customers access your internal systems from remote locations? Yes, 5
2. Does anyone in your organization take company-owned mobile devices (e.g., laptops, smartphones and USB drives) with them, either home or when travelling? Yes, 5
3. Does your organization use cloud-based software or storage? Yes, 5
4. Does your organization have a bring your own device (BYOD) policy that allows employees to use personal devices for business use or on a company network? Yes, 5
5. Are any employees allowed access to administrative privileges on your network or computers? No, 0
6. Does your organization have critical operational systems connected to a public network? No, 0
7. Does anyone in your organization use computers to access bank accounts or initiate money transfers? Yes, 5
8. Does your organization store sensitive information (e.g., financial reports, trade secrets, intellectual property and product designs) that could potentially compromise your organization if stolen? Yes, 5
9. Does your organization digitally store the personally identifiable information (PII) of employees or customers? This can include government-issued ID numbers and financial information. Yes, 5
10. Is your organization part of a supply chain, or do you have supply chain partners? Yes, 5
11. Does your organization conduct business in foreign countries, either physically or online? No, 0
12. Has your organization ever failed to enforce policies around the acceptable use of computers, email, the Internet, etc.? Unsure, 5
13. Can the general public access your organization's building without the use of an ID card? Yes, 5
14. Is network security training for employees optional at your organization? No, 0
15. Can employees use their computers or company-issued devices indefinitely without updating passwords? No, 0
16. Has your IT department ever failed to install antivirus software or perform regular vulnerability checks? No, 0
17. Can employees dispose of sensitive information in unsecured bins? No, 0
18. Would your organization lose critical information in the event of a system failure or other network disaster? Yes, 5
19. Can employees easily see what co-workers are doing on their computers? No, 0
20. Has your organization neglected to review its data security or cyber security policies and procedures within the last year? No, 0

SCORE: 55
LEVEL OF RISK: Escalated

Let's Look at Some Losses
Sony
DSW
Target and its vendor
Doctor's office and the love interest
Facebook and the non-profit
Advertising infringement claim for a plumbing supply company that stopped carrying a line
Ace Hardware and the Academy Awards
The swimming pool flier
What Are the Risks?
Rapid change in the marketplace and ISO/company reaction in policy language affecting cyber loss, both first and third party claims
Understanding the client and the exposure: knowledge of the policy and the client
Ways to avoid loss:
Know the client and their exposures
Understand your markets' treatment of these types of loss
Listening techniques and tools to determine exposure

What Are the Risks?
Net expansion outruns General Liability (GL) coverage: existing policies do not account for web-based liabilities
Data theft is commonplace
Increasing intellectual property liability claims

What Are the Risks?
Employee misuse of websites, emails and other electronic communications that involve:
- Harassment of other employees or outside individuals
- Accidental or purposeful slander or copyright infringement
- Use of pirated or unstable software
- Misuse of company data

Economic Exposures
Trademarks
Copyright implications
Intellectual property rights
Defamation
Security breaches
Systems failures
Trademarks
Risks:
Cyber-squatting - registering domain names without consent
Deep linking - linking to web pages within sites
Using unauthorized links - to web sites without consent
http://goo.gl/k5ki2

Copyright Implications
Risks:
Unlicensed duplication of copyrighted material - Pinterest agreement
Licensing violations
Theft or unauthorized distribution of trade secrets
http://goo.gl/k5ki2

Licensing Agreement Violation

Intellectual Property Rights
Risks:
Website content - ownership issues - who owns what content? - http://goo.gl/6cjkm
What is the scope of the licenses?
Patent infringement
How to manage:
Decrease legal liability with a terms-of-use agreement
Security and encryption concerns
Review methods of authenticating information

Defamation
Risks:
Defamatory statements - opinions versus facts
Postings - via websites, chat rooms, LinkedIn, publications, blogs, online bulletin boards

Data Security
Risks:
Collection, storage and use of information
Privacy issues
Security breaches
Risk management:
Data security policy
Data encryption
Employee training
Transfer liability to third-party vendor

Systems Failure
Risks:
Virus attacks - transmission of malicious code or virus
Physical damage or interruption to servers - income / extra expense
Natural disasters
Hacking / cracking
Computer extortion

Employee Related
Employment liabilities
Privacy violations
Discrimination and harassment

Privacy Violations
Employees claim their privacy rights were violated after the employer reviewed e-mails or personal files
Employees claim privacy violations for website tracking or blocking of Internet sites
Fight between employee/employer on social media: passwords, free speech issues

Discrimination and Harassment
Employees receive unwelcome verbal, visual or physical conduct that is sexual or discriminatory in nature
- Conduct interferes with the employee's work
- Employee feels violated and uncomfortable on the job
- Conduct occurs via e-mail, bulletin board postings on the Internet or by physically showing another employee explicit websites
Social Media
Misuse of social media can open a company up to a variety of risks
Keep track of what's being said about your company online, through social networks and blogs

Risk Finance Solutions for Clients
Self insurance options:
A formal plan requires planning for payment and budgeting for the organization's losses in any given category (not just for large risks)
Limit the impact of loss by partially self funding (SIR) with a fixed amount per claim or occurrence
Still may need cyber coverage: you need to replace services often provided by the insurer
Usually self funded internally, but may establish captive or collective funding
Transfer plans: insurance or non-insurance

Risk Finance Solutions for Clients
Usually a firm will use a combination of both insurance and non-insurance
Non-insurance (often contractual risk transfer):
Cyber contracts - shrink wrap, licensing agreements, etc.
Not really a transfer of the exposure but of the obligation to pay, either on behalf of or as indemnification
The most prevalent forms of non-insurance transfer are the use of hold harmless agreements and risk transfer to the transferee's insurer

Risk Finance Solutions for Clients
Insurance transfer: monoline vs. package
Transfer plans / coverage forms:
Monoline - 1st party cyber property or 3rd party cyber liability only
Package - 1st and 3rd party
Executive Liability - Chubb, Chartis, Travelers, CNA; incorporated in the D&O
Combination with other forms - EDP coverage, like the Selective Electronic Information Systems Policy, which gives $50,000 per occurrence and $150,000 aggregate from virus and harmful code, and also has a cyber business income limit
Cyber Coverage: ISO Property Forms
Tangible vs. intangible property
Impaired vs. damaged
Scope: any company with a web presence or performing e-commerce activities; storage of any information of a private nature
Coverage (first party):
Intangible economic losses
Destruction of home pages
Network and server failure
Unauthorized obstruction of customer information
Restoration costs
Fake orders
Viruses
Industrial espionage

Cyber Coverage: CGL Limitations
CGL is not intended to cover electronic data and other cyber related losses
The definition of Property Damage in the ISO CGL coverage form clearly states that electronic data is not tangible property
The coverage exclusion is further reinforced with the Electronic Data Exclusion found in Coverage A
There may be some coverage under the CGL for some offenses, such as the use of internet, email or certain website notices, under Coverage B Personal/Advertising Injury, but this is subject to significant exclusions

Cyber Coverage
Cyber liability is not usually an ISO coverage form
Many policies are non standard in language
Many policies have the words Cyber, Internet or Security, but without careful review the policy may not address the client's exposure
Coverage analysis is critical
Common characteristics of cyber liability policies typically include: insuring agreement, definitions, exclusions, limits of liability / declarations, defense and settlement

Cyber Coverage: Multiple Insuring Agreements
Like other specialty policies (D&O, E&O, EPLI), many include numerous insuring agreements
Examples of insuring agreements associated with cyber:
Privacy injury
Security breach expense
Network security liability
Content injury liability

Cyber Coverages (slides 30 to 35; coverage headings only, image content not reproduced)
Cyber liability
Privacy liability
System damage
Business interruption
Consequential reputational harm
Regulatory actions and investigation
3rd party notification costs
Computer crime
Identity theft
Defamation
Intellectual property
Cyber threats and extortion
Invasion of rights to privacy
Selling Cyber Coverage
You must sell this product; it is not often bought
Deal with the decision maker, but involve IT to determine need and buy in
Stress that website breaches erode vital company resources (financial, personal, reputation, confidence and long term value to the company)
Firewalls are not foolproof: about 65% of organizations with firewalls have been penetrated
Virus protection is reactive
Help the client assess, or encourage them to assess, their exposure
Attacks are growing in frequency and severity

5 Top Objections from Small Business
My business is not attractive to hackers
I have all my stuff in the cloud
Cyber attacks are just like any other computer problem (data breach, transmission of malware or virus)
A cyber policy does not cover my risk (I just need some crime and BOP)
I will fix it myself (or I will just ignore and bury it)
Real Live Claims: Ransomware / Cyber Extortion
A company provides customers with hosting and connectivity solutions, including Internet access, hosted environments for internal and external facing websites, hosted application services, etc. Access is restricted to authorized users through assigned user identification with user-controlled passwords.
Situation: The company receives a threat from an unknown third party that will cause an interruption of the company's network and unauthorized access to the data stored on the company's servers. After investigating the threat, it's determined that the threat is credible and the company makes an extortion payment to the person or group making the threat.
Challenge: The cyber extortion threat results in the following expenses for the company: $25,000 cyber extortion expenses.
Resolution: The total expenses incurred by the insurer were $25,000.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Medical Records Hacked
When an insured hospital was notified by the United States Secret Service of a potential HIPAA breach that may have compromised data for 40,000 patients, our experienced team of dedicated cyber claims specialists quickly engaged a breach coach and a forensic investigator. As a result, the insured had knowledgeable partners to provide advice, handle notifications, create a call center, offer patients access to identity-monitoring products, and ensure the incident was properly reported to the state regulatory agencies.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Malware Data Breach
A regional retail computer system was compromised when a third party sent a malware program via email to a number of employees. The invasive software allowed the third party to access the system and capture the names, addresses and credit card numbers for more than 500,000 customers.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Stolen Laptop
An employee's company laptop containing private customer information is stolen from his home. As a result, customers sue the company for damages resulting from alleged failure to protect their private financial information.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Network Interruption
When an insured with hundreds of outlets experienced a 48-hour systems failure at the start of a busy holiday weekend due to a hack, the insured could not process sales and payments quickly and its operations were disrupted. The response team added expertise, assisted the retailer in retaining a forensic accountant, and verified the lost sales calculation for the holiday weekend. The insured was also reimbursed for approximately $200,000 of lost sales incurred after the waiting period applicable to the network interruption caused by a malicious attack.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Rogue Employee
An employee stole a donor's credit card information from a non profit, which resulted in a forensics investigation, a lawsuit and a PCI fine. The per record insured cost for that incident was $50,000.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Data Theft From Server
When a server and hard drive maintained by a company acquired by an insured were stolen, sensitive data for nearly 45,000 individuals was compromised. The insured was provided $1 million to cover notification, public relations, and other incident-related services.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Payment Card Industry (PCI) Related Fines and Penalties
A large movie theater operation had its transaction processing systems at a specific movie theater location hacked. Thieves collected card data from one machine over the course of one year before the Secret Service notified the movie theater owners. A forensic investigation ensued. Mastercard issued PCI related contractual fines and penalties in excess of $250,000 to the payment processor, who in turn contractually passed the obligation to the movie theater owners. The insurance aggregate limit was reached at $100,000.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Pharmacy Procedural Error
A woman purchased a used computer from a pharmacy. The computer still contained the prescription records, including names, addresses, social security numbers, and medication lists of pharmacy customers. The cost of notifying affected parties per state law totaled nearly $110,000. Two lawsuits were filed: one alleged damages in excess of $200,000 from a party who claimed she lost her job as a result of the disclosure; the second alleged the plaintiff's identity was stolen, and the costs of correction and emotional distress exceeded $100,000.
Claims examples from Bizlock / Arlington & Roe

Real Live Claims: Media Liability Exposure
Two employees at a pizza chain posted derogatory comments and a video online. The video captured their employee uniforms and work location.
Claims examples from Bizlock / Arlington & Roe
Thank you