© Copyright 2015 by K&L Gates LLP. All rights reserved.

NAVIGATING A CYBERSECURITY

INSURANCE POLICY

August 24, 2016

Introduction

Practical Risk and Exposure

Coverage Under “Cyber” Insurance Products

What the insurance policies typically cover

Pitfalls to avoid when purchasing "cyber" insurance

How to approach a successful "cyber" insurance placement

How to negotiate to enhance the coverage provided under "cyber" insurance

policies

Potential Coverage Under “Traditional” Policies

Potential CGL coverage

Potential coverage under other "traditional" policies

Potential limitations of “traditional” policies

How to Maximize Coverage in the Event of a Claim

AGENDA

9

rdardardarrrrr

Roberta D. Anderson

Insurance Coverage /

Data Privacy & Cybersecurity

Partner

INTRODUCTION rdardardarrrrr

10

PRACTICAL RISK AND EXPOSURE

PRACTICAL RISK AND EXPOSURE

12

• Malicious Attacks

– Advanced Persistent Threats

– Social Engineering

– Viruses, Trojans, DDoS attacks

– Ransomware

• Data Breach/Unauthorized Access

• Software Vulnerability

(Heartbleed)

• System Glitches

• Employee Mobility

• Lost or Stolen Mobile and Other

Portable Devices

• Vendors/Outsourcing

(Function, Not the Liability)

• The Internet Of Things

• Human Error

klgates.com 13

14

Source: 2016 Cost of Data Breach Study:

Global Analysis

PRACTICAL RISK AND EXPOSURE

15

16

Source:

Ponemon Institute LLC

2016 Cost of Data Breach Study:

Global Analysis

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 17

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 18

LEGAL AND REGULATORY FRAMEWORK

19

• Federal Cybersecurity/Data Privacy Laws

– HIPAA/HITECH

– GLBA

– FTC Act

• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes

– 47 States, D.C., & U.S. Territories Breach Notification Laws

– State Security Standards (MA, CA, CT, RI, OR, MD, NV)

• Foreign Laws

• Cross-Border Issues

– Securing data is complicated by cross-border transfer issues and the

differences in Worldwide privacy laws

– Laws are complex and can impose conflicting obligations to a multinational

enterprise.

• NIST Cybersecurity Framework

• Industry Standards, e.g., PCI DSS

• SEC Cybersecurity Risk Factor Guidance

– FCC Act

– FCRA/FACTA

NIST Cybersecurity Framework—provides a common taxonomy and

mechanism for organizations to:

Describe their current cybersecurity posture;

Describe their target state for cybersecurity;

Identify and prioritize opportunities for improvement within the

context of a continuous and repeatable process;

Assess progress toward the target state;

Communicate among internal and external stakeholders about

cybersecurity risk.

The Framework is voluntary (for now)

NIST CYBERSECURITY FRAMEWORK

20

NIST Unveils Cybersecurity Framework,

http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

85% of security

budgets

currently go here

According to

Gartner:

By 2020, 75% of

security budgets will

go towards detection

and response

NIST CYBERSECURITY FRAMEWORK

21

“PCI DSS provides a baseline of technical and operational

requirements designed to protect cardholder data.”

PCI-DSS

22

“[A]ppropriate disclosures may include”:

“Discussion of aspects of the registrant’s business or operations that give rise to

material cybersecurity risks and the potential costs and consequences”;

“To the extent the registrant outsources functions that have material cybersecurity

risks, description of those functions and how the registrant addresses those risks”;

“Description of cyber incidents experienced by the registrant that are individually, or

in the aggregate, material, including a description of the costs and other

consequences”;

“Risks related to cyber incidents that may remain undetected for an extended

period”; and

“Description of relevant insurance coverage.”

SEC CYBERSECURITY

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,

http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

23

SEC CYBERSECURITY

“We note that your network-security insurance coverage is

subject to a $10 million deductible. Please tell us whether

this coverage has any other significant limitations. In

addition, please describe for us the ‘certain other coverage’

that may reduce your exposure to Data Breach losses”

Target Form 10-K (March 2014)

24

SEC CYBERSECURITY

“We note your disclosure that an unauthorized party was

able to gain access to your computer network ‘in a prior

fiscal year.’ So that an investor is better able to understand

the materiality of this cybersecurity incident, please revise

your disclosure to identify when the cyber incident occurred

and describe any material costs or consequences to you as

a result of the incident. Please also further describe your

cyber security insurance policy, including any material limits

on coverage.”

Alion Science and Technology Corp. S-1 filing (March 2014)

25

SEC CYBERSECURITY

“Given the significant cyber-attacks that are occurring with

disturbing frequency, and the mounting evidence that

companies of all shapes and sizes are increasingly under a

constant threat of potentially disastrous cyber-attacks,

ensuring the adequacy of a company’s cybersecurity

measures needs to be a critical part of a board of director’s

risk oversight responsibilities . . . .

Thus, boards that choose to ignore, or minimize, the

importance of cybersecurity oversight responsibility, do so

at their own peril.”

Luis Aguilar, SEC Commissioner, speech given at NYSE June 10, 2014

26

27

FTC CYBERSECURITY

28

FTC CYBERSECURITY

29

FTC CYBERSECURITY

• Sony - January 21, 2014 - Standing. The court held that allegations that Sony collected

data and then it was wrongfully disclosed were sufficient to confer

standing

• Galaria - Feb. 10, 2014 - No Standing. The court stated that potential identity

theft could “hardly be said to be certainly impending” where there was

“less than a 20% chance of it occurring,” and the harm depended entirely on

what, if anything, third-party criminals would do with the plaintiffs’ information

• SAIC - May 9, 2014 - No Standing. The court held that fear of identity theft was insufficient

to confer standing

• Michael’s - July 14, 2014 - Standing. The court held that an elevated risk of

identity theft was sufficient to confer standing, but dismissed the case because

the plaintiffs failed to allege any actual damages.

• Adobe - September 4, 2014 - Standing. The court held that the risk that the plaintiffs’

information would be misused was sufficient to confer standing.

• Neiman Marcus - September 16, 2014 - No Standing. “Plaintiffs have not

alleged that any of the fraudulent charges were unreimbursed. On these

pleadings, I am not persuaded that unauthorized credit card charges for

which none of the plaintiffs are financially responsible qualify as ‘concrete’ injuries.”

STANDING TREND – TARGET

30

STANDING TREND – SONY

31

STANDING TREND – MICHAELS

32

STANDING TREND – ADOBE

33

STANDING TREND – TARGET

34

COVERAGE UNDER “CYBER”

INSURANCE PRODUCTS

klgates.com back

REMEMBER THE

SNOWFLAKE

Privacy and Network Security

Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to

Protect Confidential, Protected Information, as well as Liability Arising from Security

Threats to Networks, e.g., Transmission of Malicious Code

Regulatory Liability

Generally Covers Amounts Payable in Connection with Administrative or Regulatory

Investigations

PCI-DSS Liability

Generally Covers Amounts Payable in Connection with PCI Demands for Assessments,

Including Contractual Files and Penalties, for Alleged Non-compliance with PCI Data

Security Standards

Media Liability

Generally Covers Third-Party Liability Arising From Infringement of Copyright and Other

Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising

From the Insured's Media Activities, e.g., Broadcasting and Advertising

THIRD-PARTY COVERAGE

37

Crisis Management

Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a

Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services,

Forensic Investigations, and Public Relations

Network Interruption

Generally Covers First-Party Business Income Loss Associated with the Interruption of

the Insured’s Business Caused by the Failure of Computer Systems

Digital Asset

Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and

Repairing Damaged or Destroyed Programs, Software or Electronic Data

Extortion

Generally Covers Losses Resulting From Extortion, e.g., Payment of an Extortionist’s

Demand to Prevent a Cybersecurity Incident

Reputational Harm

FIRST-PARTY COVERAGE

38

First-Party Property Damage and Business Interruption

Third-Party Bodily Injury and Property Damage

[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or

violation of the security of a Computer System that: (A) results in, facilitates or fails

to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii)

receipt, transmission or behavior of a malicious code] that would have been covered

within an Underlying Policy, as of the inception date of this policy, had one or more

of the following not applied:

A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying

Policy expressly concerning, in whole or in part, the security of a Computer

System (including Electronic Data stored within that Computer System)];

and/or

B. a Negligent Act Requirement. [a requirement in an Underlying Policy that

the event, action or conduct triggering coverage under such Underlying

Policy result from a negligent act, error or omission]

$350M Capacity First-Party

$100M Capacity Third-Party

DIC COVERAGE

39

klgates.com

AVOID THE TRAPS

41

42

POLICY EXAMPLE 1

POLICY EXAMPLE 2

43

44

POLICY EXAMPLE 2

45

POLICY EXAMPLE 1

46

POLICY EXAMPLE 1

47

POLICY EXAMPLE 2

48

POLICY EXAMPLE 2

49

POLICY EXAMPLE 3

50

POLICY EXAMPLE 3

51

52

POLICY EXAMPLE 1

53

POLICY EXAMPLE 1

54

POLICY EXAMPLE 2

55

POLICY EXAMPLE 2

56

57

POLICY EXAMPLE

Any member of the “Control Group.” e.g., CEO, CFO ,RM, CRO, CIO, GC

58

POLICY EXAMPLE 1

60

POLICY EXAMPLE 2

61

POLICY EXAMPLE 3

62

Request a “Retroactive Date”

of At Least a Year

63

BEWARE THE

FINE

PRINT

64

BEST PRACTICES CHECKLIST

• Embrace a Team Approach

• Understand the Risk Profile

• Review Existing Coverages

• Purchase Appropriate Other

Coverage as Needed

• Remember the “Cyber”

Misnomer

• Spotlight the “Cloud”

• Remember the Retro Date

• Selection of Counsel and Vendors

• Engage a Knowledgeable Broker

and Outside Counsel

• Carefully Review the Application

65

“A well drafted policy will

reduce the likelihood that

an insurer will be able to

avoid or limit insurance

coverage in the event of a

claim.”

Roberta D. Anderson, Partner, K&L Gates LLP (August 24, 2016)

66

POTENTIAL COVERAGE UNDER

“TRADITIONAL” POLICIES

Coverage B Provides Coverage for Damages Because of

“Personal and Advertising Injury”

“Personal and Advertising Injury”: “[o]ral or written publication,

in any manner, of material that violates a person’s right of

privacy”

What is a “Person’s Right of Privacy”?

What is a “Publication”?

Does the Insured Have to “Do” Anything Affirmative And Intentional to Get

Coverage?

POTENTIAL COVERAGE

UNDER CGL POLICIES

68

Coverage A Provides Coverage for Damages Because of

“Property Damage”

“Property Damage”: “Loss of use of tangible property that is

not physically injured”

POTENTIAL COVERAGE

UNDER CGL POLICIES

69

Directors’ and Officers’ (D&O)

Errors and Omissions (E&O)/Professional Liability

Employment Practices Liability (EPL)

Fiduciary Liability

Crime

Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821

(6th Cir. 2012) (DSW covered for expenses for customer communications, public

relations, lawsuits, regulatory defense costs, and fines imposed by Visa and

Mastercard under the computer fraud rider of its blanket crime policy)

Property

Commercial General Liability (CGL)

COVERAGE UNDER OTHER

“TRADITIONAL” POLICIES

70

POTENTIAL LIMITATIONS

71

POTENTIAL LIMITATIONS

72

ISO states that “when this endorsement is

attached, it will result in a reduction of

coverage due to the deletion of an

exception with respect to damages

because of bodily injury arising out of loss

of, loss of use of, damage to, corruption of,

inability to access, or inability to manipulate

electronic data.”

POTENTIAL LIMITATIONS

73

POTENTIAL LIMITATIONS

74

POTENTIAL LIMITATIONS

75

cv

cv

POTENTIAL LIMITATIONS

76

Zurich American Insurance Co. v. Sony Corp. of America et al.

POTENTIAL LIMITATIONS

77

HOW TO MAXIMIZE COVERAGE IN

THE EVENT OF A CLAIM

“Cyber” Policies Impose Time Requirements Regarding Notification

Permissive Notice of Circumstances

Compliance is Important

MANAGING A CLAIM

79

“Cyber” Policies Impose “Cooperation” Requirements

MANAGING A CLAIM

80

QUESTIONS

THANK YOU