© Copyright 2015 by K&L Gates LLP. All rights reserved.
NAVIGATING A CYBERSECURITY INSURANCE POLICY
August 24, 2016
AGENDA
• Introduction
• Practical Risk and Exposure
• Coverage Under “Cyber” Insurance Products
– What the insurance policies typically cover
– Pitfalls to avoid when purchasing "cyber" insurance
– How to approach a successful "cyber" insurance placement
– How to negotiate to enhance the coverage provided under "cyber" insurance policies
• Potential Coverage Under “Traditional” Policies
– Potential CGL coverage
– Potential coverage under other "traditional" policies
– Potential limitations of “traditional” policies
• How to Maximize Coverage in the Event of a Claim
Roberta D. Anderson
Insurance Coverage /
Data Privacy & Cybersecurity
Partner
INTRODUCTION
PRACTICAL RISK AND EXPOSURE
• Malicious Attacks
– Advanced Persistent Threats
– Social Engineering
– Viruses, Trojans, DDoS attacks
– Ransomware
• Data Breach/Unauthorized Access
• Software Vulnerability (Heartbleed)
• System Glitches
• Employee Mobility
• Lost or Stolen Mobile and Other Portable Devices
• Vendors/Outsourcing (Function, Not the Liability)
• The Internet Of Things
• Human Error
Source: Ponemon Institute LLC, 2016 Cost of Data Breach Study: Global Analysis
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
LEGAL AND REGULATORY FRAMEWORK
• Federal Cybersecurity/Data Privacy Laws
– HIPAA/HITECH
– GLBA
– FTC Act
– FCC Act
– FCRA/FACTA
• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes
– 47 States, D.C., & U.S. Territories Breach Notification Laws
– State Security Standards (MA, CA, CT, RI, OR, MD, NV)
• Foreign Laws
• Cross-Border Issues
– Securing data is complicated by cross-border transfer issues and the differences in privacy laws worldwide
– Laws are complex and can impose conflicting obligations on a multinational enterprise
• NIST Cybersecurity Framework
• Industry Standards, e.g., PCI DSS
• SEC Cybersecurity Risk Factor Guidance
NIST CYBERSECURITY FRAMEWORK
NIST Cybersecurity Framework—provides a common taxonomy and mechanism for organizations to:
• Describe their current cybersecurity posture;
• Describe their target state for cybersecurity;
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
• Assess progress toward the target state;
• Communicate among internal and external stakeholders about cybersecurity risk.
The Framework is voluntary (for now)
NIST Unveils Cybersecurity Framework,
http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
According to Gartner: 85% of security budgets currently go here; by 2020, 75% of security budgets will go towards detection and response
PCI-DSS
“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.”
SEC CYBERSECURITY
“[A]ppropriate disclosures may include”:
• “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
• “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
• “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
• “Risks related to cyber incidents that may remain undetected for an extended period”; and
• “Description of relevant insurance coverage.”
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,
http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses”
Target Form 10-K (March 2014)
“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”
Alion Science and Technology Corp. S-1 filing (March 2014)
“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities . . . . Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014
FTC CYBERSECURITY
STANDING TREND – TARGET
• Sony - January 21, 2014 - Standing. The court held that allegations that Sony collected data and then it was wrongfully disclosed were sufficient to confer standing
• Galaria - Feb. 10, 2014 - No Standing. The court stated that potential identity theft could “hardly be said to be certainly impending” where there was “less than a 20% chance of it occurring,” and the harm depended entirely on what, if anything, third-party criminals would do with the plaintiffs’ information
• SAIC - May 9, 2014 - No Standing. The court held that fear of identity theft was insufficient to confer standing
• Michael’s - July 14, 2014 - Standing. The court held that an elevated risk of identity theft was sufficient to confer standing, but dismissed the case because the plaintiffs failed to allege any actual damages.
• Adobe - September 4, 2014 - Standing. The court held that the risk that the plaintiffs’ information would be misused was sufficient to confer standing.
• Neiman Marcus - September 16, 2014 - No Standing. “Plaintiffs have not alleged that any of the fraudulent charges were unreimbursed. On these pleadings, I am not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as ‘concrete’ injuries.”
STANDING TREND – SONY
STANDING TREND – MICHAELS
STANDING TREND – ADOBE
STANDING TREND – TARGET
COVERAGE UNDER “CYBER” INSURANCE PRODUCTS
REMEMBER THE SNOWFLAKE
THIRD-PARTY COVERAGE
Privacy and Network Security
Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code
Regulatory Liability
Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations
PCI-DSS Liability
Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Fines and Penalties, for Alleged Non-compliance with PCI Data Security Standards
Media Liability
Generally Covers Third-Party Liability Arising From Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising From the Insured's Media Activities, e.g., Broadcasting and Advertising
FIRST-PARTY COVERAGE
Crisis Management
Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations
Network Interruption
Generally Covers First-Party Business Income Loss Associated with the Interruption of the Insured’s Business Caused by the Failure of Computer Systems
Digital Asset
Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and Repairing Damaged or Destroyed Programs, Software or Electronic Data
Extortion
Generally Covers Losses Resulting From Extortion, e.g., Payment of an Extortionist’s Demand to Prevent a Cybersecurity Incident
Reputational Harm
DIC COVERAGE
First-Party Property Damage and Business Interruption
Third-Party Bodily Injury and Property Damage
[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:
A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or
B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission]
$350M Capacity First-Party
$100M Capacity Third-Party
AVOID THE TRAPS
POLICY EXAMPLE
Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC
Request a “Retroactive Date” of At Least a Year
BEWARE THE FINE
BEST PRACTICES CHECKLIST
• Embrace a Team Approach
• Understand the Risk Profile
• Review Existing Coverages
• Purchase Appropriate Other Coverage as Needed
• Remember the “Cyber” Misnomer
• Spotlight the “Cloud”
• Remember the Retro Date
• Selection of Counsel and Vendors
• Engage a Knowledgeable Broker and Outside Counsel
• Carefully Review the Application
“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (August 24, 2016)
POTENTIAL COVERAGE UNDER “TRADITIONAL” POLICIES
POTENTIAL COVERAGE UNDER CGL POLICIES
Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”
“Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
• What is a “Person’s Right of Privacy”?
• What is a “Publication”?
• Does the Insured Have to “Do” Anything Affirmative And Intentional to Get Coverage?
Coverage A Provides Coverage for Damages Because of “Property Damage”
“Property Damage”: “Loss of use of tangible property that is not physically injured”
COVERAGE UNDER OTHER “TRADITIONAL” POLICIES
• Directors’ and Officers’ (D&O)
• Errors and Omissions (E&O)/Professional Liability
• Employment Practices Liability (EPL)
• Fiduciary Liability
• Crime
– Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
• Property
• Commercial General Liability (CGL)
POTENTIAL LIMITATIONS
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
Zurich American Insurance Co. v. Sony Corp. of America et al.
HOW TO MAXIMIZE COVERAGE IN THE EVENT OF A CLAIM
MANAGING A CLAIM
• “Cyber” Policies Impose Time Requirements Regarding Notification
• Permissive Notice of Circumstances
• Compliance is Important
• “Cyber” Policies Impose “Cooperation” Requirements
QUESTIONS
THANK YOU