Cyber Risks, Coverage, and the Board of Directors.

Transcription

1 Cyber Risks, Coverage, and the Board of Directors PCI Northeastern General Counsel Seminar September 19-20, 2016 Vincent J. Vitkowsky Seiger Gfeller Laurie LLP

2 CYBER RISKS and COVERAGE IF YOU HAVE A CYBER INCIDENT, HOW WILL YOUR INSURER RESPOND?

3 Data Breaches under Traditional Insurance CGL Coverage B Cases finding no coverage: Zurich v. Sony (NY 2014); Recall Total v. Federal (Conn. 2015). Cases finding coverage: Hartford v. Corcino (C.D. Cal. 2013); Travelers v. Portal (4 th Cir. 2016).

4 Crime Policies Case finding coverage: Retail Ventures v. National Union (6th Cir. 2012).;

5 Fraudulent Electronic Funds Transfers under Traditional Insurance

6 There are at least seven different potential scenarios for deceptive funds transfers: 1) The transfer can be effected entirely by a hacker remotely penetrating a computer system, and making the transfer; 2) The hack and transfer can be enabled by employee negligence; 3) The fraudster convinces an employee to reveal his credentials, enters the network by using them, and then transfers funds; 4) The fraudster gets an employee to open an attachment or click on a link, thereby allowing the network to be penetrated, and allowing the transfer of funds;

7 5) The fraudster, through s or telephone calls or both, posing as a company s executives, vendors or customers, convinces an employee to transfer funds; 6) An employee enters data believed to be accurate, but which in fact is fraudulent; and 7) a rogue employee makes an improper transfer or enters fraudulent data.

8 Crime Policies Cases finding coverage: Apache Corp. v. Great American (S.D.Tex. 2015); State Bank of Bellingham v. BancInsure (8 th Cir. 2016); Principle Solutions Group LLC v. Ironshore Indemnity Inc. (N.D.Ga. Aug. 30, 2016). Case finding no coverage: Universal American v. National Union (NY 2015); Aqua Star v. Travelers (W.D.Wa. 2016).

9 Overview of Cyber Insurance Coverage Data Breaches Network Disruption Cyber Extortion Media Liability Possibly Fraudulent Electronic Funds Transfers Very few coverage issues have been raised under the data breach coverage portion of cyber policies

10 CYBERSECURITY AND THE BOARD OF DIRECTORS

11 Source of Regulation and Governance Requirements NAIC Cybersecurity Task Force Principles for Effective Cybersecurity: Insurance Regulatory Guidance Roadmap for Cybersecurity Consumer Protections (f/k/a/cybersecurity Bill of Rights) Draft of Proposed Model Law Annual Statement Supplement for Cybersecurity

12 New York Department of Financial Services Report on Cybersecurity in the Insurance Sector (recommends participation in the Financial Services Information Sharing and Analysis Center) Request to NY Insurers for Comprehensive Risk Assessments of their Cybersecurity

13 State Pre-Breach Security Measure Laws Not Specific to Insurers Some states have laws requiring pre-beach security measures, generally requiring that they be reasonable. The California Attorney General has taken it to a greater level of specificity. Its February 2016 Data Breach Report states that failure to implement the Center for Internet Security s Critical Security Controls constitutes a lack of reasonable security.

14 Department of Homeland Security National Infrastructure Protection Plan Financial Services Sector-Specific Plan

15 National Institute of Standards and Technology ( NIST ) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity

16 Federal Trade Commission Enforcement authority Under Section 5 Has issued Guidance and commenced over 60 enforcement actions

17 Securities and Exchange Commission

18 Considerations for the Board of Directors Recognize that Cyber Risk Management is a joint enterprise of the Board, the C-Suite, and frontline top management, which include but cannot be limited to the CIO or CISO. Consider requiring quarterly cyber reports and updates. Consider appointing a Director with cybersecurity expertise. Consider establishing a Cybersecurity Subcommittee to the Board s Audit Committee, which could include at least one technical expert, to make recommendations to the Board on its cyber responsibilities. Oversee compliance with all of the regulatory sources identified above. Approve the comprehensive enterprise Cybersecurity Policies and Procedures, which need to be continually updated.

19 Considerations for the Board of Directors Oversee specific security programs, with established metrics and benchmarks. Establish and oversee procedures for reviewing the cybersecurity of third parties with which the company interacts. Pre-approve cybersecurity software, hardware, and consultants. Retain and oversee any security firm engaged by the company. Retain independent security experts to assist the Audit Committee and the Cybersecurity Subcommittee. Oversee the identification and pre-breach retention of digital forensics experts and data breach response professionals, including attorneys. Consider buying cyber insurance.