advertising supplement - Events
Transcription
advertising supplement - Events
advertising supplement 3 advertising supplement Cyber Risk Identification a Cyber Liability Outlook A Risk Manager's Perspective Cyber Coverage Issues Executive Q&A: Patrick Donnelly Glossary of Cyber Risk Terms JLT Specialty USA Florence Levy Senior Vice President Cyber and E&O Practice www.jlt.com 720.501.2816 [email protected] 4 6 7 9 10 11 JLT Specialty USA Steve Bridges Senior Vice President Cyber and E&O Practice www.jlt.com 312.235.8223 [email protected] This special advertising supplement is not created, written or produced by the editors of Business Insurance and does not represent the views or opinions of the publication or its parent company, Crain Communications Inc. CYBER RISK OUTLOOK 4 advertising supplement RISK CYBER ecent headlines show that cyber risks are continuing to grow. Data breaches tend to capture the most attention, but other kinds of incidents are also worrisome. On July 8, a computer failure shut down trading on the New York Stock Exchange for four hours in the middle of the day, but the cause was a technical glitch, not a cyber attack. That same day, a technology problem forced United Airlines to temporarily halt its flights. Neither incident turned out to be malicious, but they nevertheless caused major disruptions. Managing cyber risks has become paramount for businesses worldwide. At the Business Insurance Cyber Risk Summit 2015, held Sept. 27-28 in San Francisco, attendees will discuss emerging technology risks, regulations and strategies for mitigating cyber attacks. exist inside companies and have technical knowledge and broad-level access within an organization.” There are a lot of different ways cyber risk can arise, she pointed out. “Human error, such as leaving a laptop at an airport, using unsecured Wifi networks or opening spear-phishing emails, also contributes to companies’ vulnerability to cyber incidents. Social media usage by employees could also expand their risk profile, sometimes unknowingly,” Ms. Levy explained. “Media attention to data breaches indicates how frequently these events are occurring,” said Shannon Groeber, senior vice president at JLT Specialty USA, and a colleague of Ms. Levy. “As a result, we’re educating our clients and prospects that everybody is at risk, though specific risks vary from one insured to the next,” she said. In November 2014, Sony Pictures En- Managing cyber risks has become paramount for businesses worldwide A Prevalent Risk “We’re learning that cyber risk is ubiquitous, and that risks can be unknown as the technology advances. It’s hard to keep up with cyber risks and the criminals’ methodologies and motivations,” said Florence Levy, senior vice president in the Cyber/E&O Practice at JLT Specialty USA in Denver. “Cyber risk can emanate from online and offline sources, particularly when we consider data privacy issues,” she said. Who perpetrates a cyber incident is closely tied to the perceived level of risk. “The most prevalent and feared source is the profit-motivated malicious external actor,” Ms. Levy said. “But we have to remember that malicious actors can CYBER RISK OUTLOOK tertainment Inc. became the victim of a cyber attack in which hackers used malware to access over a period of months enormous amounts of sensitive information, including internal communications between Sony executives. The hackers released the information publicly over several weeks, keeping Sony in the headlines. The Sony hack was a gamechanger in cyber risk, according to Ms. Groeber. “For a long time, cyber attacks focused on breaches of large volumes of payment cards or consumer records. The Sony breach expanded the focus of cyber risks. It brought forward the notion that cyber attacks could cause significant reputational harm. At the heart 5 advertising supplement IDENTIFICATI N of the second major breach at Sony was confidential corporate information, not consumer data,” Ms. Groeber said. The hackers were able to prey on Sony by exposing, over an extended period of time, internal information that may not have had a true economic value, but was certainly embarrassing, she noted. A challenge that risk managers face when a cyber incident occurs at their own organization is answering the inevitable string of questions: Who did it? How did it happen? How long were we vulnerable? What now? And other organizations have questions too: Could this happen here? What would we do if it did? Mitigating the Risk “Risk mitigation for technology risks is a moving target; technology constantly progresses and risk mitigation can be a game of catch-up,” Ms. Groeber said. “The underwriting process is very technical. Clients are looking for guidance on certain questions, potential costs associated with a breach and which third-party vendors may be available to help them.” “Because all this is so new, a lot of clients want hard rules around costs, or know whether case law is favorable or not,” in a cyber attack, Ms. Levy said. But such questions are difficult to answer, she said, because “litigation and precedentsetting case law is happening now.” Compounding that challenge is it takes time to uncover the facts surrounding a cyber event, Ms. Levy said. “It’s happening in real time. When an incident occurs, firms themselves are trying to figure out the who, what, why and when,” she said. “Buyers know their business better than anyone else,” Ms. Groeber said. “We bring our expertise in helping them identify which aspects of their business are more vulnerable than others. Blind spots happen. We have worked with clients that have very diverse exposures and risks and we’re constantly tracking trends.” When it comes to mitigating cyber risk, senior management has a vital role to play. “The strongest risk management strategy against cyber risks starts at the top of an organization, with leadership or the board focused on cyber,” Ms. Groeber said. It’s important that senior management supports decision-making when it comes to managing cyber risks, she said. Physical and virtual controls are other key components in cyber risk management, Ms. Groeber added. “Good questions for risk managers to ask include, ‘What type ofainformation does my company collect?’ and ‘How is that information collected?’” The ability to identify and mitigate cyber risk has a big influence on an organization’s insurance options. “Underwriters are looking for risk managers to demonstrate understanding and awareness of cyber risk throughout the entire organization,” she said. ● Cyber Incidents/Records Exposed YEAR DATA DATA BREACHES BREACHES RECORDS RECORDS EXP EXPOSED OSED 2010 2 010 953 9 53 96 million 2011 20 11 1,241 1,241 413 4 13 million 2012 2 012 3,220 265 million 2013 2 013 2,345 873 8 73 million 2014 2 014 3,041 3,041 11.1 .1 billion Source: Risk Based Security Inc. CYBER RISK OUTLOOK 6 advertising supplement CYBER LIAB LITY Outlook ompanies that hold data on their direct customers or on behalf of others—conditions that apply to virtually all companies—face exposure to litigation for data breaches, not only from customers but also from investors. Multiple lawsuits demonstrate that cyber liability is an area of growing interest for plaintiffs, and that is triggering action by organizations’ directors and officers. “From a board standpoint, there is growing awareness that a D&O or shareholder derivative action could arise from a cyber event,” said Florence Levy, senior vice president in the Cyber/E&O Practice at JLT Specialty USA in Denver. As a result, “we are also seeing more activity and accountability at the board level when it comes to cyber risk,” Ms. Levy said. It’s not yet clear that lawsuits against directors and officers arising from cyber events will become a trend, she said. Some insurance companies are evaluating their aggregation of risk in D&O liability, however, especially as more cyber events occur, she added. Part of the challenge for companies that suffer a breach is that courts are recognizing a broader basis for cyber litigation. For example, while consumers directly affected by a cyber incident may bring negligence claims, some investors are initiating shareholder derivative lawsuits, alleging breach of fiduciary duty, among other things. Until a ruling in the 7th U.S. Circuit Court of Appeals this year in a class-action lawsuit over a 2013 data breach at retailer Neiman Marcus Group, “consumer plaintiffs have a hard time getting standing to bring class actions after data breaches,” Ms. Levy said. In the 2013 breach, credit card data for about 350,000 Neiman Marcus customers was stolen, though only about 9,200 of the cards have been used fraudulently so far, according to court documents. Prior to the 7th Circuit’s ruling, which reinstated the class action after finding that consumers did have standing to bring the suit, most courts had dismissed such cases, Ms. Levy said. “But there still is not a lot of certainty around that issue. Case law is still being decided in the courts,” she said. Companies suffering large data breaches also have faced lawsuits from investors and, in some cases, government CYBER RISK OUTLOOK agencies. That is becoming a concern for directors and officers, industry observers note. In early 2014, a shareholder derivative lawsuit was filed in U.S. District Court in New Jersey against Wyndham Worldwide Corp.’s directors and officers, alleging breach of fiduciary duty, waste of corporate assets and unjust enrichment following three data breaches. The breaches involved the theft of credit card information of more than 600,000 Wyndham customers and fraudulent charges exceeding $10 million, according to 110 million customer records were stolen Multiple lawsuits demonstrate that cyber liability is an area of growing interest for plaintiffs the suit. The lawsuit accused the defendants at the Parsippany, N.J.-based company of “knowingly, recklessly or with gross negligence” failed to implement “a system of internal controls to protect customers’ personal and financial data,” and “caused or allowed the company to conceal its data breaches from investors,” among other things. In 2012, the Federal Trade Commission sued Wyndham in U.S. District Court in Arizona alleging that the company’s security practices were unfair and deceptive and violated the FTC Act. The FTC litigation was transferred to U.S. District Court in New Jersey. In a memorandum filed earlier this year with the New Jersey court, the FTC said it had declared inadequate data security as an unfair practice under the FTC Act and that it had issued 20 similar complaints. Minneapolis-based Target Corp. faced a barrage of lawsuits from consumers and shareholders following its massive data breach in 2013, in which as many as 110 million customer records were stolen. In 2014, many of the consumer suits were consolidated into a class action. Earlier this year, Target proposed a $10 million settlement of the class-action litigation, which is awaiting a November court hearing to approve or reject the settlement. Target’s proposed settlement includes the appointment of a chief information security officer, along with more robust data security procedures. ● credit card data for about 350,000 customers were stolen 7 advertising supplement A Risk Manager’s Perspective yber risk, to our company, is the threat of unauthorized access to data, be it Rackspace’s or our customer’s,” said Anna Ziegler, risk manager of Rackspace, a San Antonio, Texas-based global cloud computing company that provides data hosting and other services. Cyber security is paramount to Rackspace and its more than 300,000 customers, she said. “Cyber risk is in the forefront of our minds every day.” For a technology company like Rackspace, cyber is a round-the-clock risk. “Rackspace is like a big apartment building. We rent apartments to our customers, and even though we provide certain levels of security, customers know they need to put a lock on their door,” Ms. Ziegler said. “In our data centers, we have very robust physical security that incorporates biometric screening, and no one is allowed on our data center floor unless authorized – and very few people are.” ANNA ZIEGLER sonable expectation that we will also take the steps necessary to protect their data. However, we’re experts at a protecting our customers’ data and work with them to deploy all available security options,” she said. As a result, Rackspace’s risk management and information security departments collaborate, Ms. Ziegler said. “We meet regularly on different issues. We have a mature incident response team that provides real-time information. I manage the insurance piece, and we work closely with all the units to make sure that our security processes are the best they can be,” she explained. “We have some cutting-edge tools and people monitoring our network around the clock, to make sure doors aren’t being opened or data accessed by the wrong people. We’ve been doing this for years, but we continue to evolve and develop our security posture,” Ms. Ziegler said. Ms. Ziegler offers some advice Cyber risk is in the forefront of our minds every day. “ Ms. Ziegler said Rackspace views its cyber risks as: first-party loss, including costs that Rackspace would incur to mitigate an incident and system damage; and third-party loss, such as unauthorized access to customer data and breach-related expenses including notifications and legal costs. “The inherent nature of our business is we’re a data aggregator. We hold a lot of data on behalf of our customers. Contractually, our customers are responsible for protecting their own data. But they have a rea- ” for her peer risk managers, especially at organizations that don’t yet comprehend their cyber exposures: “My advice to risk managers is to research cyber risk, point out incidents that occur and show how expensive they can be for companies.” “I would also encourage risk managers to talk to their IT departments and IT security departments. Group together with like-minded folks and get in front of your leadership to say, ‘These are the problems and here’s how we want to solve them,’” she said. ● CYBER RISK OUTLOOK 8 advertising supplement CYBER C VERAGE s the cost of data breaches increases and cyber events become more frequent, more insurance companies are stepping forward to offer coverage, which continues to evolve. Despite ample capacity for cyber risks, insurance buyers generally have not been eager to purchase cyber insurance. Among their concerns is a nagging uncertainty that the coverage will respond, said Shannon Groeber, senior vice president at JLT Specialty USA. “We’ve heard consistent feedback, going back to the first iterations of cyber-related insurance policies in the coverage if the policyholder failed to follow “minimum required practices.” A U.S. District Court in Los Angeles dismissed the insurer’s lawsuit, citing a mediation clause in the policy, but left unanswered whether the exclusion should apply. Irrespective of whether an organization has cyber insurance, data breaches are increasingly costly events. According to the Ponemon Institute, the average organizational cost of a data breach in the United States rose to $6.53 million in fiscal year 2015 from $5.85 million a year earlier. The institute’s research found that 47% of data breaches resulted from Despite ample capacity for cyber risks, insurance buyers generally have not been eager to purchase cyber insurance. late ’90s, from non-buyers that cyber policies won’t respond to their exposures,” she said. That concern may stem from media reports of claim denials, but the marketplace overall has increased its appetite to underwrite cyber risks. After some breaches, there has been media attention on some carriers denying cover, without focusing on which policies are actually involved, Ms. Groeber noted. For as many insurance denials as have recently appeared in the news, which may reference non-cyber-specific policies, there are just as many incidents that suggest standalone cyber policies are paying claims, she said. In Columbia Casualty Co. vs. Cottage Health System, a unit of CNA Financial Corp. sought declaratory judgment that it was not obligated to pay a $4.1 million settlement or defense costs following a 2013 data breach at the Santa Barbara, Calif.-based health care system. The insurer cited an exclusion in Cottage Health’s cyber policy that precluded CYBER RISK OUTLOOK malicious attacks, 29% came from system glitches, and 25% stemmed from human error. The Ponemon Institute attributes the cost of a data breach to four components: lost business, ex-post response, detection and escalation, and notification. Ex-post response items include help desk activities, inbound communications, product discounts and identity protection services. All of these cost components have increased over the past three years, except for notification, which fell slightly, the institute reported. Coverage Evolving Cyber insurance has evolved significantly in the last several years, but it has only existed for about two decades–far shorter than other types of property and casualty insurance. As new technologies —and risks—emerge, cyber insurance continues to evolve. “People talk about cyber insurance being new. The first solution was available in the late ’90s. It evolved from technology 9 advertising supplement ISSUES a errors and omissions to network liability to privacy and data breach in 2000s,” Ms. Levy said. “Cyber insurance is not completely mature, but the market is able to most comprehensively address the data breach elements of cover.” “Cyber insurance was just a liability product in the early days. It has evolved immensely for companies that may not have a professional services exposure,” she said. “You could have a cyber event that prohibits your firm from providing your services. Is that an E&O exposure or a cyber exposure? It largely depends on the specific facts along with the resulting damage.” Today, cyber and E&O are often seen blended together on the same policy, which is one reason that JLT Specialty USA's resources are dedicated to this risk area are known as the Cyber/E&O Practice, Ms. Levy and Ms. Groeber explained. Evolution of the cyber insurance market “has been significant in the last five years,” Ms. Groeber said. “Now, it’s flooded with capacity, though not all policies are created equal. Carriers often compete on terms when they can’t compete on price, which is a trend that we’ve seen over the last several years. Now with more claims activity occurring, some insurers aren’t as willing to negotiate on certain coverage terms or as aggressively on price within certain classes of business. The market has become much more diversified among the various classes of business, reflective of the perceived risk.” For most organizations that want to purchase cyber insurance, obtaining the desired coverage limits is not difficult. “While some industries have more limited capacity than others, overall there certainly is a lot of capacity for cyber exposures, when you consider domestic markets, London and Bermuda,” Ms. Groeber said. Even so, cyber insurance “is still a discretionary purchase” for many organizations, she said. “A misunderstanding among many buyers is that they’ll dedicate any available budget to security updates instead of buying insurance, which is an incomplete risk management strategy, as breaches can occur with non-electronic information or as a result of human error. In fact, when there are concerns over funds available for insurance, a prospective buyer should also be evaluating how they’ll pay for a breach should one occur,” Ms. Groeber said. “Five years ago, the market was much softer. It was easier to have broad coverage for relatively inexpensive capacity,” Ms. Levy said. “There has also been a tightening of terms where we’ve had real losses. Some underwriting companies are willing to explore areas they haven’t in the past. In exchange, they want to conduct more due diligence on these areas,” she said. Anna Ziegler, risk manager for Rackspace, a global cloud computing company based in San Antonio, Texas, said it’s important for insurers to understand their policyholders’ businesses. “Over the years, it’s clear that the technology industry moves much faster than the insurance industry. It’s important for us to make sure carriers understand the language we’re speaking and how our business works, and our broker helps us do that,” Ms. Ziegler said. “We partnered with JLT in April. They’ve been really creative in helping us identify ways to increase our coverage and how our insurance policy would respond to an incident. It’s important that we have the right legal counsel, and that we have adequate limits on the firstparty and third-party side,” she said. “We would never have a third-party incident without incurring a lot of first-party costs.” At Rackspace, “our insurance program is influenced by the current landscape of cyber risks and by our customers, in terms of what they are asking us for, such as higher limits of liability,” Ms. Ziegler said. ● The average cost of a data breach rose to $6.53 million in 2015 from $5.85 million a year earlier CYBER RISK OUTLOOK 10 advertising supplement Q&A Patrick Donnelly, JLT Specialty USA Patrick Donnelly joined JLT Group in 2014 as president and deputy chief executive officer of its U.S. Specialty division. He shares leadership responsibility for JLT’s U.S. operation and expansion. Before joining JLT, Mr. Donnelly created and led the U.S. cyber and professional liability practice at Aon Risk Solutions, a division of Aon P.L.C. He has extensive career experience in technology architecture and consulting. Mr. Donnelly spoke recently with Business Insurance Custom Media about JLT Specialty USA’s expansion plans. Q. What role does cyber risk play in JLT Specialty’s U.S. expansion? A. Cyber risk fits ideally within our specialty focus. JLT Group saw in the U.S. market areas of growing risk with extreme complexity, which require experts to help companies manage and mitigate. Cyber is an area of exposure and insurance products that didn’t exist until the late 1990s. It’s new, complex and evolving -- just the kind of challenge that our specialty focus can help clients address. Q. How does JLT Specialty USA see cyber risk evolving? A. Cyber risk is dynamic. Insurance products that address cyber incidents are influenced by changes in law, regulations and geopolitics. Technology risks themselves are evolving, and they require experts who are supported with tools and resources. While cyber insurance has developed in the U.S. market over the last 14 years, there is a need to continue to work with clients on other elements, such as industrial espionage, bodily injury and property damage. Clients really need expert advice to help understand and manage those things. PATRICK DONNELLY Q. What are JLT Specialty USA’s short-term expansion plans? A. We’re building tremendous momentum. We now have more than 150 people in our U.S. platform, and while we are growing that number quickly, we’re more focused on the fit, experience, and quality of those people. Our primary objective in our expansion is to identify specialty risk areas and create a culture and environment to attract the right people. People like working on a winning and dynamic team. We’re seeing validation of this by both the market and clients. All across the insurance industry, people talk about efficiencies, and every insurance market looking at our model wants to meet with us and appoint us. Clients are attracted to our specialty focus and the expertise of our people. The clients know that we’re aligned with them and their needs. We pride ourselves on being agile, and we hear a lot that we have a creative, passionate and agile team, which is a reflection of the broader JLT platform. JLT is a global company that is attracting people because we’re investing in innovation and bringing enormous resources and analytical tools to help our clients. We believe very strongly in our model, and the next three to four years are about building out our capabilities and expertise in a disciplined way. We are planning to hire 50 to 60 people a year over that time. JLT Specialty USA is in 12 cities today, where there are a lot of companies with complex risks. We’ll add locations as we grow, but our expansion is less about our geographic footprint and more about specialist expertise. Right now, we have specialties in aerospace, construction, energy, entertainment and hospitality, private equity, real estate and technology, and our teams provide support across these areas with expertise in D&O, cyber, E&O, environmental, transactional liability, and credit, political and security risks. And we’re still building. Q. What kinds of organizations is JLT Specialty USA looking to serve? A. As a specialist risk adviser and brokerage firm, we work with companies that have complex needs, regardless of size. We look to help organizations that need and value specialist expertise, rather than target a specific client size. Many smaller entities are very sophisticated. Where their risk is global in nature, that’s a strength for us. We’re able to leverage one of the strongest global networks in the industry, and that’s a sweet spot. Agility, rigor and collaboration are hallmarks of JLT, and our culture fosters collaboration to help clients no matter where their needs are. CYBER RISK OUTLOOK 11 advertising supplement GLOSSARY of cyber risk terms BOTNET: A network of bots (short for “robot”) computers infected with malicious software, usually for a criminal purpose such as sending spam email, spreading viruses, attacking computers or servers or to commit other crimes or fraud. CRACKER: A person who breaks into a network or computer’s programs without authorization. DOS: Denial of service. A common type of cyber attack that prevents legitimate users from accessing online services or information by flooding a network with information. A distributed denial-of-service, or DDoS, may use one or more computers to launch an attack. FIREWALL: A method of shielding computers from outside attacks utilizing hardware or software to block malicious or unnecessary Internet traffic. Firewalls can be configured to block data from certain locations and allow data from specific sources. HACKER: A person who creates and modifies computer software or hardware, including programming and security-related items. Criminal hackers create malware to commit crimes and may operate in gangs of cybercriminals. “White hat” hackers are computer experts who probe security weaknesses for ethical purposes. LOGIC BOMB: A type of Trojan horse that executes when specific conditions are met, such as a change in a file, or a series of keystrokes. When the program is triggered by a specific time or date, it is called a “time bomb.” MALWARE: Unwanted, often malicious, software installed without a device owner’s consent. Viruses, worms and Trojan horses are examples of malware. PHISHING: A type of online identity theft. Phishing uses email or fraudulent websites to capture personal information such as passwords, credit card numbers, account data and other information. SOCIAL ENGINEERING: A non-technical form of intrusion that relies on human interaction. Social engineering is a a component of many kinds of cyber attacks and aims to trick people into providing passwords and other information. Phishing relies on social engineering to obtain sensitive information. SPAM: Undesired or unsolicited bulk electronic messages. Spam can come in the form of email, instant messaging, mobile phone messaging and other channels, and may contain phishing messages. SPEAR PHISHING: A form of phishing that uses the appearance of familiarity to obtain access to personal or corporate information. Perpetrators of spear-phishing attacks usually have obtained basic information about their target, enabling them to personalize the communication or reference a recent purchase, for example. Opening an attachment or link in the email may enable the attacker to install malware. SPY WARE: A range of unwanted programs that can launch unsolicited pop-up advertisements, monitor browsing activity, steal personal information or direct Internet requests to alternate sites. TROJAN HORSE: A malicious computer program that masquerades as a benign application. Distinct from viruses, Trojan horses do not replicate. VIRUS: A malicious computer program that installs and replicates itself, typically without the user’s knowledge or permission. Viruses often damage or modify files on the host computer. WORM: A malicious computer program that replicates itself to spread to other computers. Worms may harm networks by consuming bandwidth. ZOMBIE: A bot-infected computer controlled by malware. RANSOMWARE: Malicious software that encrypts the hard drive of an infected computer. A hacker using ransomware may extort money from the computer’s owner in exchange for decryption software. Sources: McAfee Inc., Microsoft Inc., Symantec Corp., U.S. Computer Emergency Readiness Team CYBER RISK OUTLOOK