©2015, Amy Stewart PC

Cyber Insurance: The Future is Now

Texas Lawyer In-House Counsel Summit

May 8, 2015

Cyber Risks in 2015

Two years ago – “not if, but when”

Today – those who know they’ve been hacked and those who haven’t yet discovered the breach

Risks evolving rapidly

As corporate America tries to get ahead of cyber exposures, insurance industry scurrying to provide solutions

Assessing constantly-changing risks

Underwriting challenges

Cyber Risks in 2015

Cyber security breaches rose 48% between 2013 and 2014, with 42.8 million incidents reported

Financial losses attributed to these incidents also increased 34% in 2014

Institutions hit in 2014—

Adobe = 152 million records

eBay = 145 million records

JP Morgan Chase = 76 million records

Target = 70 million records

Home Depot = 56 million records

Cyber Risks in 2015

Many businesses unaware of the magnitude of their cyber risk exposure

Others are working hard to get their arms around the risk

Less than 25% of Fortune 500 companies have adequate cyber coverage in place

More than 50 insurers provide some sort of cyber insurance, some very limited

Traditional policies = very limited (if any) coverage, especially today

Cyber Risks in 2015

Most businesses unaware of the magnitude of their cyber risk exposure

Less than 25% of Fortune 500 companies have adequate cyber coverage in place

More than 50 insurers provide some sort of cyber insurance, some very limited

Traditional policies = very limited (if any) coverage

Limitations of Conventional Coverage

Commercial General Liability (CGL)

Coverage A – “Bodily Injury or Property Damage”

ISSUE: Electronic data is NOT tangible property

Coverage B – “Advertising and Personal Injury”

ISSUE: Too narrow to protect insured as it covers specific types of injury—not including misuse or disclosure of private information

Limitations of Conventional Coverage

Case Study – Sony 2011 Playstation II Breach

Breach = publication under CGL, Coverage B

Trial court said coverage only if publication was by Sony; liability arising from hacker actions not covered

While appeal pending, Sony and Zurich settled (April 30, 2015)

Limitations of Conventional Coverage

Case Study – Sony 2014 Email Incident

Sony Pictures CEO: company was covered by cyber policy

Insurers paid most of loss, estimated at $100 million

Uninsured cost to Sony = $15 million

Limitations of Conventional Coverage

Professional Liability | Errors & Omissions (E&O)

May provide coverage depending on nature of the “professional services”

ISSUE: non-technology insureds are unlikely to have coverage for common cyber exposures

Business Interruption Insurance

ISSUE: does not cover business interruption loss caused by damage to non-tangible property, i.e., data

Cyber & Privacy Insurance

Broadly speaking, cyber insurance covers risks and liability associated with e-business, the Internet, computer networks and technology, privacy issues, computer virus transmission and other means by which compromised data is passed to a third party

Policies vary widely; not standardized (although ISO has begun promulgating forms)

Cyber Policies – Basic Concepts

First-Party Coverage

Covers the insured’s own loss and expenses

Cyber theft

Failure of insured’s systems

Network interruption coverage

Privacy event management, breach notification costs, call center expenses

Cyber extortion – pays “ransom” costs

Forensic investigation costs

Cost associated with restoration of data (often subject to a large retention)

Cyber Policies – Basic Concepts

Third-Party Coverage

Covers the insured’s exposure to others

Defense costs for litigation initiated against insured

Indemnity for cyber-related claims

Damages to third-party claimants

Fines + penalties

Breach notification costs

Crisis management

Call centers

Credit / identity monitoring

Cyber Policies – Basic Concepts

Insuring agreement – sample #1

The Company shall pay Loss on behalf of an Insured on account of any Claim first made against such Insured during the Policy Period, or, if exercised, during the Extended Reporting Period, for Injury.

Cyber Policies – Basic Concepts

Insuring agreement – sample #2

The Insurer shall pay on an Insured’s behalf all Loss in excess of the applicable Retention that such Insured is legally obligated to pay resulting from a Claim alleging a Security Failure or a Privacy Event.

Cyber Policies – Basic Concepts

Definition of Claim—

a written demand for money, services, non-monetary relief or injunctive relief;

a Suit; or

a Regulatory Action

Regulatory Action = request for information, civil investigative demand or civil proceeding brought by or on behalf of a governmental agency, including requests for information.

Cyber Policies – Basic Concepts

Claims-made coverage v. occurrence-based coverage

Claims-made = coverage triggered when a claim is made against an insured (common for third-party coverages)

Occurrence-based = coverage triggered by an injury

Some policies providing multiple coverages may combine the two types—can be confusing

Important for determining which policy is triggered

Specific Cyber Coverages

Breach Notification Expenses

Necessary due to emerging regulations on notifying those affected by a security breach

May be provided with no deductible

E-Theft

Protects insured from fraudulent transfers of funds or property as result of theft-related cyber crimes

Loss, damage or destruction of media (non-tangible property) may also be included in cyber theft coverage

Specific Cyber Coverages

Crisis Management & Reward Expenses

Likely need coverage for a team to manage publicity surrounding a privacy or security breach. This team might include:

Breach Coach Legal Counsel

Information security forensic investigator

Public Relations Consultant

Advertising or Media Relations

Also covers reward expenses incurred due to the investigation of a cyber-security event

Specific Cyber Coverages

Denial or Impairment of E-Service

Fills gap in business interruption policy by covering losses caused by damage to non-tangible property

Specifically, will cover loss incurred as the result of impairment or denial of insured’s business activities caused by a Hacker, Rogue employee, or Cyber terrorist

Specific Cyber Coverages

E-Communication

Covers a loss caused by:

transfer of funds or property, debiting of an account or establishment of credit pursuant to the direction of a fraudulent e-communication that purports to have been initiated by the insured

Might protect from risk of loss to third parties for which the insured may be liable

Specific Cyber Coverages

E-Vandalism

Loss to data and intangible property caused by cyber terrorists or hackers

E-Threat

“Kidnap and Ransom” coverage

Cyber extortion

E-Signature

Loss resulting from insured’s acceptance of and reliance upon a fraudulent e-signature

Common Exclusions

Basic exclusions—

Claims arising from violations of ERISA

Criminal, fraudulent or dishonest acts by an insured

Breach of contract

Claims brought by insureds

Patent infringement

Bodily injury

Common Exclusions

Exclusions designed to push risks back to the insured—

Data lost from unencrypted devices

Inadequate security about which the insured knows (potential D&O issue)

Failure to take steps to design, maintain and upgrade security systems (D&O)

Failures of security software (D&O)

Negotiating Points

Make sure entities are covered, not just insured persons

Pay attention to policy provisions that limit covered locations

Make sure any war exclusions have a cyberterrorism carve-back

Consider sublimits in view of risk transfer objectives

Request pre-approval of vendors, if desired

Questions?

Contact Information

Amy Elizabeth [email protected]

AMY STEWART LAW

Mockingbird Station

5307 E. Mockingbird Lane, Suite 425

Dallas, Texas 75206

214 233 7076 main