CYBER RISK & CYBER INSURANCE An MAIA Member Information White Paper MAIA F.A.C.T.S.

COMMITTEE 10-14-11

1 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

Part 1 Cyber Risk

o Cyber Risk & Cyber Exposures o Cyber Laws & Law Suits o Cyber Risk Terms o Why Cyber Risk Is Not Likely Insured Elsewhere o Cyber Claims Examples

Part 2 Cyber Insurance

o Cyber Insurance Policies o 1st Party Insurance: Business Interruption, Crisis Management, Expense Coverage for Notification, Extortion, Threat & Reward

2 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

o 3rd Party Insurance: Privacy (Data Breach), Security, Intellectual Property, Media Content o Loss Control (Cyber Security) o 16. Questions You Need to Ask

Part 1 - Cyber Risk

What is Cyber Risk ?
"Financial Damages resulting from Any E-Business (electronic transmissions) o Internet o Internal Business Network o Any Electronic Data! & o We cant forget the paper exposure! (server or "cloud" storage, email attachments, faxes, mail, etc.)

1st Party Cyber Risk:

Your financial loss because of injury to your electronic data or systems resulting from acts of others Examples o Costs of fixing your problem

3 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

o Expenses to protect clients (including notification costs) o Other expenses to mitigate loss (including publicity costs) o Theft of data & intangible property o Loss of your future income o Cyber extortion

3rd Party Cyber Risk:

Your liability for financial losses or costs sustained by others [Financial damages resulting from client law suits and law suits from others for their personal/content injury, intellectual property claims, professional services, and injury from a security or privacy breach]

Cyber Risk Claim Examples

Privacy An online retailer attempted to sell its customers' personal information to pay creditors as part of the retailer's bankruptcy! But the retailer's privacy policy had stated that personally identifiable information (PII) would not be sold. Several parties threatened to sue. Privacy & Security A hacker infiltrated an online shopping website and stole 300,000 customer credit card numbers. The website faced claims from
4 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

the customers for unauthorized charges made on their credit cards. Security Businesses that unknowingly spread a worm, virus, or other corrupting files via email to 3rd parties could face liability from those 3rd parties for revenues lost as a result of the virus overloading the 3rd parties' computer network (denial of service).

Media/Content A university pathologist

posted a message on a bulletin board accusing another doctor with receiving kickbacks from a company trying to obtain a contract to provide pathology services to the university. The university doctor sued, and a jury awarded him $675,000.

Intellectual Property A business that used

a competitor's trademarked name on its website was sued by the competitor for trademark infringement and unfair competition.

Federal Cyber Laws

The protection and disclosure of confidential consumer information, both personally identifiable information (PII) and protected health information (PHI), is currently governed by a patchwork of federal and state laws that target different exposures. Some of these federal statutes include:

Family Educational Rights Privacy Act (FERPA) HIPAA Gramm Leach Bliley Act
5

MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

Fair Credit Reporting Act Sarbanes-Oxley (SOX) Federal Privacy Act.

Two of the newest additions HITECH Act

It beefed-up HIPAA by requiring notification of potential private health information (PHI) breaches. It went into effect 2/17/09, but as of 9/23/09 HITECH now includes all "business associates Business associates are persons or entities who perform services on behalf of a HIPAA-covered entity and in so doing access the PHI of the covered entity. Businesses have 60 days to report a breach once discovered. Breaches over 500 persons requires notice to the media! HITECH will be enforced by the Department of Health and Human Services (DHHS). DHHS will do annual audits and levy fines for non-compliance.

"Red Flags" Rule (FTC)

Was supposed to go into effect 11/1/2009, but was postponed for the 5th time to June 2010. is now part of 2009 Omnibus Healthcare Law and now in effect! requires any business that has any creditor relationships to have a written Identity Theft Prevention Program. broadly defines "creditor" to include essentially any business that defers payments for services, including healthcare providers.

6 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

requires doctors offices, hospitals and other providers (including business associates) to establish a written procedure to identify warning signs ("red flags) of identity theft .

State Cyber Laws

Consumer Notification o Is now required in 46 states, PR & DC o Is based on the location of the consumer, not the business location o Example: In New York - NY Business Law Section 899-aa requires notice of breach of security of all computerized personal information held by both public and private entities (Consumers Union 8/21/2007)

Credit monitoring & restoration is not typically required by state law, but may soon be imposed by judicial or regulatory decision, based on precedents being set by current settlements

TJX class action for damages to ID theft victims as well as credit monitoring services: $40,800,000 settlement with VISA, $24,000,000 settlement with MasterCard

(Source: Media/Professional Insurance)

Cyber Negligence
Plaintiffs are now challenging the standard of care on their Personal Identifiable Information (Pll) and Personal Health Information (PHI). Example

7 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

o One publicly-disclosed case involved San Diego-based Ligand Pharmaceuticals Inc... o A lab assistant found a box with 38 former employees' personnel records o The assistant then used the information to acquire 75 credit cards, $100,000 in merchandise, opened 20 cellular telephone accounts and rented three apartments! o The assistant was subsequently convicted and imprisoned, but then 14 of the former employees filed suit, charging Ligand with negligence. o A confidential "significant six-figure" settlement was approved by the court.

Cyber Risk Terms

Personally Identifiable Information (PII) o Any Credit Card Information o Any Personal Financial Information o All Social Security Numbers o All Drivers License Numbers o Any Banking Information o Any Employment Information o Any Insurance Information

Personal Health Information (PHI)

8 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

Any Business Information of Others (including their Trade Secrets)

Cyber Risk Includes

o Network Data o Non-Network Data o Corporate Servers o Third Party Data Storage (Cloud Computing) o Spam o Virus o Hackers o Storage Media o PCs

Servers Electronic Tape Backup Laptops USBs (flash drives) Handheld Devices (iPads) CDs/DVDs/floppy disks Paper!
9 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

 Cyber Risk Why Its Likely Not Covered Elsewhere

1. General Liability covers Bodily Injury and Property Damage, not stolen identities. Personal Injury coverage may be limited to "invasion of privacy" arising from the publication of material. 2. Property Insurance does not consider data as tangible property. 3. Media Liability policies only cover libel, slander and copyright. 4. E&O policies cover services for others for a fee. Some may cover invasion of privacy, but will only respond to actual damages But, many businesses hold PII but are not a service industry thats eligible to buy E&O (example: gas stations!) 5. Intellectual Property (Patent/Copyright). These policies are designed to protect the insured from claims brought by competitors and other third parties. This coverage responds to theft of ideas, products or content, not identities or money. 6. Crime Insurance covers theft of money, securities and property. In the absence of a cyber insurance policy, there wouldn't be coverage for notification and credit monitoring .

Part 2 - Cyber Insurance

o An Evolving Coverage
10 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

o Insurers vary widely on:

Coverage Policy wording Policy structure Terminology

o No standard policies yet Cyber

Insurance

Who sells it? 1. 2. 3. 4. 5. 6. 7. 8. 9. Chartis (AIG) (netAdvantage) CNA (netProtect) Beazley Chubb Evanston Hiscox (affirmative Contractual Liability included) Markel American Philadelphia + 9 other insurers to date

Cyber Insurance Insuring Agreements

1st Party (The Insured):

11 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

1. Business Interruption 2. Crisis Management Expense 3. Extortion/Threat Expenses 4. Privacy (Notification Expense of Data Breach) [if 3rd Party (Other-Than-The-Insured)] 5. Privacy Liability (Data Breach) 6. Security 7. Administrative & Regulatory Actions 8. Intellectual Property 9. Media/Content 3rd Party - Privacy Coverage Regulatory Defense & Expenses many new regulations exist related to the protection of confidential data. Insurance will provide defense cost coverage for regulatory proceeding and even penalties where insurable. Credit Monitoring policies may cover up to 1 year of credit monitoring services for those exposed. In some cases 2 years of monitoring may be available. Credit Repair Services policies may cover 1 year of services to repair credit of an actual identity theft. Privacy: Data Breach Example Hackers broke into a Virginia web site used by pharmacists to track prescription drug abuse The hackers made a copy of the records, deleted the original, then encrypted their copy A ransom demand was then made for $10,000,000 in exchange for the password to the encrypted records 8 million records were stolen and encrypted !

12 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

Privacy: Claims Examples

An online business processer inadvertently provided access to a non-authorized user. Confidential customer contact information was exposed to unauthorized users. A regulatory investigation for the data privacy incident lead to a fine. Loss: Private suit for loss of/damage to data settled for $875,000. Defense expenses incurred were in excess of $275,000.

A bank employee had a laptop with sensitive client data missing. Regulatory investigation is ongoing. Multiple lawsuits are pending by individuals whose data has been compromised. Loss: Total defense costs now exceed $700,000.

A pharmacy sold to an individual a computer that still contained prescription records including the names, addresses, social security numbers and medication lists of pharmacy customers. State law required certified notification to all of the affected parties. Two lawsuits were filed: 1) Employee plaintiff alleged damages due to job loss as a result of the disclosure; 2) Client plaintiff alleged her identity was stolen and sued to recover the costs of correction and emotional distress. A HIPAA investigation was triggered. Loss in excess of $410,000

Security Coverage
Covers:

Third party economic loss resulting from a network and information security failure (security breach) Unauthorized access & unauthorized use

13 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

Denial of service (eg: WikiLeaks jamming)

Security: Statistics for 2008 o At least 43% of businesses have experienced some kind of cyber security incident. o Annual reported losses from cyber security in 2008 were $288,618 per business. incidents

o Financial fraud was the most expensive type of incident with an average reported cost of $463,100. [Source: Computer Security Institute, CSI Computer Crime and Security Survey 2008. ] Security: Losses Breakdown The percentage of incidents for each category has remained consistent from 2007 to 2008. Insider abuse, laptop & virus incidents are still the more common occurrence.

Cyber Loss Control

All businesses need to establish

Corporate Cyber Policies/Plans:

Privacy Policy Information Security Policy Computer Usage Policy Incident Response Plan

Employee Cyber Risk Awareness Training

14

MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

Cyber Software Security Controls

Firewalls, passwords, encryption, antivirus

Physical (Hardware) Security Controls Locks, portable equipment restrictions, theft controls

16 Questions You Need to Ask

1. Do you hold any private data of clients, vendors, employees or others? 2. Are you aware of the notice requirements in each state if you lose control of that data? 3. What steps would you take/who would you call if you lost those private records? 4. Do you have a corporate-wide privacy policy? 5. Do you have a disaster plan specific to data breaches? 6. Are your records stored electronically? Paper? Are the records secure? Do you shred? 7. Do any employees have access to private client records? 8. Do you allow use of USB drives on computers that can access private data? 9. .Are your records ever handled by a 3rd party? 10. Are all of your laptops and wireless connections encrypted? Email encrypted? 11. Are you confident your antivirus and firewall systems are 100% effective?
15 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11

12. Have any of your systems been programmed by nonemployees? 13.How would your clients respond if you lost their private records? 14.If your network was damaged or disabled by a virus or hacker attack, would it affect your income? 15.Do you have a backup system? 16.How long would it take you to recover?

Summary Basically
Every business has an exposure to Cyber Risk! Every business needs Cyber Insurance!

Credits o June Wysocki, AmWins, Grand Rapids, MI o Jim Whetstone, Hiscox US, Chicago, IL o Dark Reading (IWKBTnewsletters@techweb.com) o National Underwriter o Rough Notes o American Agent & Broker o IRMI o Business Insurance

16 MAIA F.A.C.T.S. Committee Information White Paper 10-14-11