Cybersecurity Risk Transfer - Pillsbury Winthrop Shaw Pittman

Cybersecurity Risk Transfer
Wednesday, October 30, 2013
Part IV in a 4 part series on Cybersecurity
Presented by:
Arthur J. Gallagher & Co.,
Huron Legal and
Pillsbury Winthrop Shaw Pittman
Pillsbury Winthrop Shaw Pittman LLP
Cybersecurity Risk Transfer
Presented by:
- Joe DePaul, Arthur J. Gallagher & Co.
- Rene Siemens & Joe Kendall, Pillsbury Winthrop Shaw Pittman
- Laurey Harris, Huron Legal
1 | Cybersecurity Risk Transfer
Today’s Agenda
Let’s Recap:
- Cybersecurity - Overview
- Cybersecurity - Claims
- Cybersecurity - Global Records Management & eDiscovery
What is Risk Transfer?
- Insurance/Non-Insurance
Alternative Methods of Risk Transfer
Risk Transfer via Contracting with IT Suppliers
Coverage
- Network Security Liability
- Privacy Liability
- Media Liability
- Crisis Management
- Cyber Extortion
- Data Asset Protection
- Business Interruption
- Technology Products/Services E&O
Questions?
Cyber Insurance Market Trends
[Chart: Total Premiums Underwritten, 2005 to 2012; vertical axis from 0 to 1 billion]
- Premiums ≈ $15,000 to $35,000 per $1,000,000 of limits, for low retentions
- Soft market: Premiums steadily declining
- Large corporations were early adopters
- Most growth is among middle market companies
Who Is Issuing Cyber Insurance Policies?
The REGULATORY LANDSCAPE is… complex, challenging and growing
- 50 State Privacy Laws (County/Local) - Laws or Regulation
- Foreign Privacy Laws – UK ICO – Information Commissioner’s Office & many others (trans-border privacy issues)
- Canada
- White House Cybersecurity Executive Order
- Federal Trade Commission
- FACTA/Red Flags Rule
- HIPAA / HITECH
- Standard for smooth, consistent, and secure electronic transmission of health care data.
- PII/PHI – personally identifiable information/health information about individuals - PII includes drivers license #’s, SS #’s, Credit Card #’s, address, account numbers & PIN’s
- PHI includes written documents, electronic files, and verbal information. (Even information from an informal conversation can be considered PHI.)
  - Examples of PHI include:
    - Completed health care claims forms
    - Detailed claim forms
    - Explanations of benefits
    - Notes documenting discussions with plan participants
- SEC/GLB
- PCI/DSS
Alternative Methods to Risk Transfer
Company Strategic Priorities
- Protect company assets and viability against loss or disruption
- Achieve the appropriate level of security commensurate with the sensitivity and amount of data collected and retained
- Protect company systems and data against threats to the network structure and network security
- Anticipate evolving threats targeting company system vulnerabilities
- Meet compliance obligations
- Reduce litigation risks
Alternative Methods to Risk Transfer
Protect Data Investment
There are two primary ways to protect your data investment to avoid a cyber incident:
1. Minimize Risks Associated with Data Breaches by safeguarding your data
2. Implement Records & Information Governance
Safeguarding Data – Security Goals
Good security is …
- A business enabler
- A process
- A privacy enabler
- Risk based
- Built in
- Continuous improvement
- Flexible and Changeable
- Ahead of the adversary
Good security is not …
- A business impediment
- A product or technology
- Privacy
- The absence of danger
- Added on
- Static
Minimize Risks Associated with Data Breaches by
safeguarding your data
1. You need a security framework that addresses
   - Protection – user authentication, encryption, firewalls, virus protection
   - Detection – intrusion detection, open source monitoring
   - Response – disaster recovery plan, incident response
2. Inventory your data by developing data maps
   - Know the Who, Where, What & Why
   - Limit access – commensurate with sensitivity of data
   - Secure your data through appropriate means – two-factor authentication, strong passwords and robust network security
   - Train all stakeholders – personal online security hygiene
   - Monitor your systems
Minimize Risks Associated with Data Breaches by
safeguarding your data
3. Create a Data Breach Response Plan
   - Cross-disciplinary team – legal, business partners, vendors and law enforcement
   - Repeatable process that is well documented
   - Conduct assessments and drills
4. Implement Information Governance Program - by developing record retention schedules and policies
   - Records and information are retained for as long as legally or operationally required
   - Systematic destruction of records and information in the ordinary course of business
   - Protection of PII, vital and confidential records and information
   - Improved customer service
“Moving to the Left” – Data Disposition
“Costs are volume driven. If we shrink volumes, we shrink costs.”
Figure out how to get their electronic houses in order to cut the costs and risks (e-Discovery and data breach) associated with ESI, from initial creation through final disposition
Takeaways for Big Data and Cybersecurity
- Good security is a process that is necessarily risk based
- 100% security does not exist … anywhere
- Threats and attackers are real and interested in your data
- Educate employees on personal security hygiene
- Develop a plan for information governance
- Big Databases are valuable assets and therefore targets
- You need a security framework that addresses Protection, Detection, and Response to minimize the risk of a breach
- Know who is responsible for protection in 3rd Party hosting
- Prepare for incident response before the crisis
- Prepare for e-Discovery in advance of litigation
Risk Transfer via Contracting with IT Suppliers
Step 1 - Include Security Obligations
- Supplier shall maintain an information security program that ensures security of Customer Data and protects against unauthorized use or access of Customer Data
- Supplier shall comply with Customer’s Policies & Procedures
- Specific IT requirements. Supplier shall:
  - encrypt all data
  - maintain firewalls and security gateways
  - monitor usage of User IDs / Passwords to access System
- Customer has right to modify Customer policies – only question is cost
- Cloud Contracts
  - Cloud Providers will not sign up for Customer’s Policies and Procedures
  - Business model depends on standardized service offering
  - Cloud Providers require the right to change their security policies
Risk Transfer via Contracting with IT Suppliers
Step 2 – Audit and Compliance Provisions
- Customer should have robust rights to audit Supplier
- Supplier should provide Customer with audits performed for Supplier by third parties
  - SAS 70 Type 2 – previously used to evaluate Supplier’s security, but was not designed to be a security audit
  - AICPA established SSAE 16 and Service Organization Controls (“SOC”) reporting Framework in June 2011
    - SOC 1 – tests controls at a Supplier relevant to internal controls over financial reporting
    - SOC 2 – tests controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy
    - Type I versus Type II – Type I verifies the existence of the controls, and Type II audits whether the controls are being observed
  - ISO 27001 Certification
    - Add rep and warranty that Supplier will provide this Certification annually
Risk Transfer via Contracting with IT Suppliers
Step 3 - Subcontracting and other Protections
- Subcontracting
  - Approval Right or Notice at a minimum
  - Key is to understand who may access data
  - Subs obligated to comply with same security obligations as Supplier
  - Supplier responsible for actions of subcontractors
- Restrictions on Supplier’s Delivery Location
  - Supplier will not change location from which it provides Services without Customer’s consent
- Obligations to Destroy/Clean Media
  - Supplier shall remove all Customer Data from any media which is retired and destroy or securely erase such media as Customer directs
  - Instructions on wiping, shredding, destroying can be very specific
Risk Transfer via Contracting with IT Suppliers
Step 4 - What if there is a Cybersecurity Incident? Supplier shall:
- notify Customer within X Hours
- investigate the Incident and provide a report
- remediate the Incident in accordance with plan approved by Customer
- conduct forensic investigation to determine cause and what data / systems are implicated
- provide daily updates of its investigation to Customer and permit Customer reasonable access to the investigation
- cooperate with Customer’s investigation
Customer (and not Supplier) makes final decision on whether notices will be sent to affected individuals
Risk Transfer via Contracting with IT Suppliers
Step 5 – Risk Shifting Liability Provisions
- Traditionally Supplier’s Liability for data breach was unlimited
- Today, due to the increasing number of cybersecurity incidents, Suppliers seek to limit liability as much as possible by:
  - inserting a liability cap
  - limiting liability to their breach of data security obligations
  - preserving the defense that damages are consequential (not recoverable)
- Supplier should be liable for any issues caused by Supplier’s “fault or negligence” (includes an omission as well as not performing an obligation)
- Separate liability pool for these damages
- Stipulate types of costs that are recoverable to avoid claim that the damages are “consequential” and therefore not recoverable. Include: Preparation / sending of Notices, Credit monitoring services, etc.
Where are the Gaps with Traditional Insurance?

Exposure                   General Liability  Property  E&O/D&O   Crime     Cyber
Network security           POSSIBLE           POSSIBLE  POSSIBLE  POSSIBLE  COVERAGE
Privacy breach             POSSIBLE           POSSIBLE  POSSIBLE  POSSIBLE  COVERAGE
Media liability            POSSIBLE           NONE      POSSIBLE  NONE      COVERAGE
Professional services      POSSIBLE           NONE      POSSIBLE  POSSIBLE  COVERAGE
Virus transmission         POSSIBLE           POSSIBLE  POSSIBLE  POSSIBLE  COVERAGE
Damage to data             POSSIBLE           POSSIBLE  POSSIBLE  POSSIBLE  COVERAGE
Breach notification        POSSIBLE           NONE      POSSIBLE  POSSIBLE  COVERAGE
Regulatory investigation   POSSIBLE           NONE      POSSIBLE  POSSIBLE  COVERAGE
Extortion                  POSSIBLE           NONE      POSSIBLE  POSSIBLE  COVERAGE
Virus/hacker attack        POSSIBLE           POSSIBLE  POSSIBLE  POSSIBLE  COVERAGE
Denial of service attack   POSSIBLE           POSSIBLE  POSSIBLE  POSSIBLE  COVERAGE
Business interruption loss NONE               POSSIBLE  POSSIBLE  NONE      COVERAGE
Available Insurance Coverage
Exposure Category – Description
Network Security Liability – Provides liability coverage if an Insured's Computer System fails to prevent a Security Breach or a Privacy Breach
Privacy Liability – Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care, custody and control
Media Liability – Covers the Insured for Intellectual Property and Personal Injury perils that result from an error or omission in content (coverage for Patent and Trade Secrets is generally not provided)
Regulatory Liability – Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
Crisis Management:
  Notification Expense – 1st Party expenses to comply with Privacy Law notification requirements
  Credit Monitoring Expense – 1st Party expenses to provide up to 12 months credit monitoring
  Forensic Investigations – 1st Party expenses to investigate a system intrusion into an Insured Computer System
  Public Relations & Call Center – 1st Party expenses to hire a Public Relations firm & manage a Call Center
Data Recovery – 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security
Business Interruption – 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security
Cyber Extortion – Payments made to a party threatening to attack an Insured's Computer System in order to avert a cyber attack
Technology Services/Products & Professional Errors & Omission Liability – Technology Products & Services and Miscellaneous E&O can be added to a policy when applicable
3rd Party Coverage
- Network and Privacy Liability
  - Coverage for:
    - Claims arising from the unauthorized access to data containing identity information,
    - Failure to protect non-public information (PII/PHI/Corporate Confidential Information) in your care, custody and control,
    - Transmission of a computer virus, and
    - Liability associated with the failure to provide authorized users with access to the company’s website
3rd Party Coverage
- Technology Products/Services Errors & Omissions
  - Coverage for:
    - Claims arising from the failure of a technology product or service to perform as indicated.
- Media Liability
  - Coverage for:
    - Claims arising from Personal Injury perils – on/off line
    - Defamation/Infringement/libel/slander
*Not Patent/Trade secret
1st Party Coverage
- Crisis Management/Security Breach Remediation and Notification Expenses
  - Coverage for:
    - Crisis Management Expenses
      - Covers expenses to obtain legal assistance to navigate the event, determine which regulatory bodies need to be notified and which laws would apply
      - Public relations services to mitigate negative publicity as a result of cyber liability
      - Forensic costs incurred to determine the scope of a failure of Network Security and determine whose information was accessed
      - Notification to those individuals of the security breach
      - Credit monitoring
      - Call center to handle inquiries
      - Identity fraud expense reimbursement for those individuals affected by the breach
1st Party Coverage
- Computer Program and Electronic Data Restoration Expenses
  - Coverage for:
    - Expenses incurred to restore data lost from damage to computer systems due to computer virus or unauthorized access
- Cyber Extortion
  - Coverage for:
    - Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on computer system, or disclose electronic data/information
- Business Interruption and Additional Expense
  - Coverage for:
    - Loss of income, and the extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack
Ten Tips For Buying Cyber Insurance
#1 – Make sure your limits and sub-limits are adequate
- Average remediation cost is $7.2 million per data breach event
- Average remediation cost is $214 per record
- Source: Symantec Corp. and Ponemon Institute: Global Cost of a Data Breach (2010)
WARNING! Many policies impose inadequate limits for “crisis management expenses” and “regulatory action” expenses
Ten Tips For Buying Cyber Insurance
#2 – Ask for retroactive coverage
- What if a breach happens before you buy insurance, but you were unaware of it?
- Retroactive coverage insures prior unknown events that result in claims or expenses during the policy period
- Commonly available for 1, 2, 5 or 10 year periods and sometimes is unlimited
- Insurers may not offer it, so ask!
Ten Tips For Buying Cyber Insurance
#3 – Watch out for “panel” and “consent” provisions
- Policies often provide that you must use the insurance company’s pre-approved forensic consultants, defense counsel, etc.
  - Make sure that your advisers and attorneys are pre-approved
  - Or reject panel provisions and insist on control
- Policies often say that forensic, notification and defense costs are covered only if you obtain the insurer’s “prior consent”
  - Ask for policy language specifying that the insurer’s consent “shall not be unreasonably withheld”
  - Or insist that such provisions be deleted
Ten Tips For Buying Cyber Insurance
#4 – Make sure you are covered for your vendors’ errors and omissions
Example:
- Bad
  - “The Insurer shall pay all Loss that an Insured incurs as a result of your actual or alleged breach of duty to maintain security of confidentiality Confidential Information”
- Good
  - “The Insurer shall pay all Loss that an Insured incurs as a result of any alleged failure to protect Confidential Information in the care, custody and control of the Insured or a third party to which an Insured has provided Confidential Information”
Ten Tips For Buying Cyber Insurance
#4, cont’d – Conversely, if you handle data for others, make sure your liability to them is covered too
Example:
- Bad
  - “The Insurer will not make any payment for any claim alleging or arising from … your performance of services under a contract with your client”
- Better
  - “The Insurer will not pay for Claims arising out of breach of contract; provided, however, that this exclusion shall not apply to liabilities that the Insured would have in the absence of contract, or arising out of breach of a confidentiality agreement or a professional services agreement for the handling of confidential information”
- Best
  - “The Insurer will pay on behalf of the Insured all Damages and Claim Expense which the Insured becomes legally obligated to pay because of liability imposed by law or Assumed Under Contract”
Ten Tips For Buying Cyber Insurance
#5 – Make sure you are covered for loss of data, not just theft or
unauthorized access
Example:
- Bad
  - “A covered breach shall include the unauthorized acquisition, access, use, or disclosure of confidential information”
- Good
  - “A covered breach shall include the unauthorized acquisition, access, use, disclosure or loss of confidential information”
Ten Tips For Buying Cyber Insurance
#6 – Avoid “one size fits all” crisis management coverage
Example:
- Bank suffers loss of thousands of customer credit card numbers
- Insurance policy covers cost of providing notice and credit monitoring
- Bank would rather just cancel and re-issue the cards, but that cost isn’t covered
Lesson: When procuring insurance, negotiate for the coverage you will actually need
Ten Tips For Buying Cyber Insurance
#7 – Beware of hidden traps
Example:
- Bad
  - “The Insurer shall pay Crisis Management Expenses incurred by an Insured arising out of a Claim”
- Good
  - “The Insurer shall pay Crisis Management Expenses incurred by an Insured in response to an actual or alleged security breach”
Ten Tips For Buying Cyber Insurance
#8 – Harmonize cyber insurance with your indemnity agreements
- Bad
  - “The Insurer’s liability applies only to amounts in excess of the policy’s Self-Insured Retention. Such Retention Amount shall be borne by the Insured’s uninsured and at their own risk”
- Good
  - “The Insurer’s liability applies only to amounts in excess of the policy’s Self-Insured Retention. Such Retention Amount may be paid either by the Insured, or by the Insured’s other insurance or indemnified by third parties”
Emerging Issues:
- If you contractually waive or cap your indemnity rights against vendors, will your insurer use that as an excuse to deny coverage?
- “Cloud” vendors often refuse to indemnify
- Ask for a subrogation waiver but you might not get it
Ten Tips For Buying Cyber Insurance
#9 – Harmonize cyber insurance with your other insurance & vendors’ insurance
- Review your agreements with vendors
- Make sure your vendors are required to have adequate insurance
- Ask to be added as an additional insured on their policies
- Make sure your policy’s “other insurance” clause specifies that their policy will apply first
Example:
- “This Policy shall be primary, unless the Insured is also covered for the loss under the insurance of a third party, in which case this insurance shall apply excess of amounts actually paid by that other insurance”
Ten Tips For Buying Cyber Insurance
#10 – Negotiate favorable defense provisions
- “Pay defense costs on behalf of” vs. “duty to defend”
- Will you control your own defense?
- At least negotiate the right to choose your own counsel if the policy has a “panel” provision
- Negotiate specific deadlines for payment by the insurer (e.g., within 30 days of invoicing)
- If rates are an issue, negotiate them up front!
What If You Don’t Have Cyber Insurance?
- Insurance industry often asserts that there is no coverage under most conventional insurance for privacy and network security breaches, but many courts disagree.
- The most recent example: DSW, Inc. v. National Union (6th Cir. July 17, 2012) holds that costs of customer communications, public relations, lawsuits, attorneys’ fees, and fines imposed by Visa and Mastercard resulting from a hacking incident in which 1.4M customers’ information was stolen were covered losses under a crime policy
- Therefore, even if you have a cyber insurance policy, tender to your other insurers! You have little to lose and much to gain.
“Many company networks are compromised… without them even knowing it.”
Cybersecurity Webinar Series
- 9/18: Cybersecurity Overview
  - Catherine Meyer and David Stanton – Pillsbury Winthrop Shaw Pittman
  - Joe DePaul – Arthur J. Gallagher & Co.
- 10/2: Cybersecurity Claims
  - Joe DePaul – Arthur J. Gallagher & Co.
  - Rene Siemens – Pillsbury Winthrop Shaw Pittman
  - Chris Adams – Huron Legal
- 10/16: Cybersecurity Issues Related to Global Records Management and E-Discovery
  - Catherine Meyer and David Stanton – Pillsbury Winthrop Shaw Pittman
  - Carolyn Southerland – Huron Legal
- 10/30: Cybersecurity Risk Transfer
  - Joe DePaul – Arthur J. Gallagher & Co.
  - Laurey Harris – Huron Legal
  - Rene Siemens, Joe Kendall – Pillsbury Winthrop Shaw Pittman

Please complete our Cybersecurity survey:
http://pillsburylaw.draft-cybersecurity-survey.sgizmo.com/s3/
Contact Details

Joe DePaul
Managing Director, CyberRisk Services
Arthur J. Gallagher & Co.
[email protected]
35 Waterview Blvd. - 3rd Floor
Parsippany, NJ 07054
Ph +1.973.939.3646

Laurey Harris
Huron Legal
[email protected]
9101 Kings Parade Blvd., Ste. 300
Charlotte, NC 28273
Ph +1.704.697.1424

Rene Siemens
Pillsbury Winthrop Shaw Pittman LLP
[email protected]
725 South Figueroa Street, Suite 2800
Los Angeles, CA 90017-5406
Ph +1.213.488.7277

Joseph E. Kendall
Pillsbury Winthrop Shaw Pittman LLP
[email protected]
2300 N Street, NW
Washington, DC 20037
Ph +1.202.663.8350