CYBER LIABILITY INSURANCE OVERVIEW FOR
Prepared by: Evan Taylor, NFP
Targeted Industries (source: NetDiligence 2016 Claims Study)

Business Sector:
- Financial Services: 10%
- Non-Profit: 11%
- Retail: 10%
- Professional Services: 13%
- Healthcare: 19%
- Other: 37%

Type of Data:
- PII: 40%
- PHI: 15%
- PCI: 27%
- Other: 18%
Targeted Industries
[Figure: screen capture from Mandiant M-Trends 2014, via Google Images]
Common Attack Types
- Ransomware
- Business Email Compromise (BEC)
- Distributed Denial of Service (DDoS)
How Bad is It?
- Average breach cost: $665K
- Average claim payout: $495K
- Average ransomware ransom payment: $32K
- Time of compromise to discovery:
  - 2015: 146 days
  - 2014: 205 days
  - 2013: 229 days
  - 2012: 243 days
  - 2,982 days
- 2 million records lost on average

Sources: Mandiant M-Trends reporting; NetDiligence 2016 Claims Study
Cyber Liability Insurance
- Forensic Services: get the bad guys out
- Victim Notification: letters to victims
- Credit/ID Monitoring: LifeLock, etc.
- Legal Services: outside counsel
- Public Relations: stay out of the news
- Total (average): $357,000
Questions To Ask Your Broker
- What specifically is covered?
- What is excluded?
- How long after a breach occurs does the company have to report it without losing coverage?
- After reporting a breach, how quickly does the carrier respond?
- Is the provider, including the carrier and the experts they employ, knowledgeable about your industry (e.g. HIPAA, PCI-DSS, etc.)?
- How much will this cost?
- How will a breach impact your premium moving forward?
Tips
- Have a Plan: Incident Response Plan (for hire / for free*)
- Know the Cyber Landscape:
  - What data do you have? PCI, HIPAA, PII, etc.
  - How is that data protected?
  - Who would want to steal it, and how?
- Do you have a team of advisors with breach experience, such as legal counsel, an incident response firm, insurance broker, accountant?
- Vendors
- Insurance Limits: SMBs $1MM-5MM initially, scaling to $5MM-20MM, sometimes layered across a number of carriers
State of the Market
- Estimated gross written revenue in excess of $3.25 billion
- In excess of $200M US and international capacity available
- In excess of 70 markets writing business
Evolving Legal Landscape
- Personal Data Privacy & Security Act of 2007
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Gramm-Leach-Bliley Act of 1999 (GLBA)
- Fair Credit Reporting Act
- Fair & Accurate Credit Transactions Act of 2003
- Electronic Communications Privacy Act of 1986
- Family Educational Rights & Privacy Act (FERPA)
- State-specific security breach notification laws*
- HITECH Act (enacted with the Jan 2009 Federal Stimulus Package)
- MA General Laws, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts
Evolving Legal Landscape
48 states now have breach notification requirements. Alabama and South Dakota are the remaining states that do not have any specific legislation pertaining to security breach notification.
Why Buy a Cyber Liability Policy?
Cyber liability coverage was created to close coverage gaps in other insurance lines, such as:
- Commercial General Liability: most cyber claims would not be covered under this policy because the resulting loss is not considered property damage or bodily injury.
- Crime Policy: while there may be some limited coverage under some policy forms, many traditional crime policies are adding exclusions for costs associated with the theft of personally identifiable information (PII) and trade secrets.
- D&O Policy: this may potentially cover the Directors' and Officers' actions leading up to a breach, but would not cover the bulk of the associated expenses, including but not limited to notification, crisis management, credit monitoring, and business interruption.
What is Covered?
- Privacy Liability: covers loss arising out of the organization's failure to protect sensitive personal or corporate information in any format.
- Regulatory Proceeding Sublimit / Fines and Penalties: provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation.
- Data Breach Expenses: covers expenses to retain a computer forensics firm to determine the scope of a breach, to comply with privacy regulations, to notify and provide credit monitoring services to affected individuals, and to obtain legal, public relations, or crisis management services to restore the company's reputation.
- Network Security Liability: covers liability of the organization arising out of the failure of network security, including unauthorized access to or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code.
What is Covered? (continued)
- Network Extortion Threat: covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network.
- Digital Asset Coverage: covers reasonable and necessary costs incurred to replace, restore, or recollect Digital Assets in the event of a Network Security Failure.
- Business Interruption Coverage: covers the Income Loss and Extra Expense incurred during the Period of Restoration, resulting directly from a Claim.
- Media Liability Coverage: covers copyright or trademark infringement, libel, slander, defamation, plagiarism, invasion of privacy, or liability with respect to media content of any nature released by or on behalf of the Insured. For example, it covers electronic content such as websites and email, and media in any format including social media (Facebook, Twitter, Tumblr, etc.).
- Payment Card Industry Fines or Penalties (PCI): covers fines or penalties assessed due to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The Market and the Coverage Response
Cyber liability insurance is evolving rapidly in response to high demand, a high level of claims, and increased awareness. The types of coverage offered by cyber-risk insurers vary dramatically. Based on the available capacity in the market (as compared to 1998), cyber liability is a maturing market, and the coverage continues to evolve. More and more clients are buying the coverage because they are required to if they want to do business with other parties. In some instances clients are unknowingly responsible by contract for unlimited losses.
Coverage 101

First Party Loss:
- Breach Response Expenses:
  - Breach Coach / Legal Services
  - Incident Response / Digital Forensics
  - Victim Notifications
  - Credit Monitoring Services
  - Call Center Services
  - Reputational Risk: PR / Crisis Management
- Business Income and Extra Expense
- Data Restoration Expense
- Dependent Business Interruption
- Extortion / Ransomware Payments

Third Party Loss:
- Failure to Implement and Maintain Reasonable Security Measures
- Negligence
- Unfair, Deceptive and Unlawful Business Practices
- Violation of Privacy
- Invasion of the Customer's Right to Privacy
- Breach of Contract and Violation of Consumer Fraud Act
- Defense and Damages
- Media / Intellectual Property
- Regulatory Actions, including Fines and Penalties (e.g. PCI, HIPAA, etc.)
Thank You.

Evan Taylor, Risk Consultant
Evan.Taylor@NFP.com
704.641.9941
linkedin.com/in/evan-taylor-22488866
@HackInsurance

Copyright 2017 NFP Corp. All rights reserved.