CYBER INSURANCE: A DEEP DIVE
Judy Selby
February 24, 2017

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
WITH YOU TODAY
JUDY SELBY
Managing Director, BDO Consulting, Technology Advisory Services
+1 203-905-6252
jselby@bdo.com
AGENDA
Today's Threat Landscape
Understanding Your Risk
Cybersecurity Risk Management Overview
Cybersecurity Mitigation
Cyber Insurance
Conclusion
TODAY'S THREAT LANDSCAPE
CYBERSECURITY TODAY
INTERNAL THREAT: Internal actors were responsible for 43% of data loss, half of which was intentional and half accidental.
COMPUTER INTRUSIONS: This year, for companies that had data breaches involving fewer than 10,000 records, the average cost of a data breach was $4.9 million; companies with the loss or theft of more than 50,000 records had an average cost of $13.1 million.
BUSINESS E-MAIL COMPROMISE: Between January 2015 and June 2016 there was a 1,300% increase in identified exposed losses, for a combined exposed dollar loss of more than $3 billion.
RANSOMWARE: Nearly 80% of organizations [surveyed in the U.S.] have been the victim of a cyber attack during the past 12 months, and nearly 50% have been the victim of a ransomware attack.
Sources: Intel Security Report, Grand Theft Data: Data exfiltration study: Actors, tactics, and detection; 2016 Data Breach Study: United States, benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, June 2016; FBI Public Service Announcement, June 14, 2016, Alert Number I-061416-PSA; Understanding the Depth of the Global Ransomware Problem, Osterman Research Survey Report, published August 2016, sponsored by Malwarebytes.
TODAY'S LANDSCAPE: DATA BREACHES BY THE NUMBERS
$4 million: average cost of a data breach
29%: increase in the total cost of a data breach since 2013
48%: share of breaches caused by malicious or criminal attacks
$158: average cost per lost or stolen record
$355: average cost per lost or stolen record in healthcare organizations
Source: 2016 Data Breach Study: Global Analysis, benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, June 2016
CYBER INTRUSIONS INCREASING
[Figure: timeline of notable breaches by year, 2005 through 2016; one labeled entry is HackingTeam]
Rate of breaches increasing since 2005
Cross-industry impact: healthcare, retail, insurance, technology, financial services
Multiple types of breaches/threats
Hottest breaches: phishing and ransomware
ANATOMY OF A HACK
UNDERSTANDING YOUR RISK
UNDERSTANDING YOUR RISK
Threat + Vulnerability + Consequence = Risk
TARGETED DATA
PII
PCI
PHI
Defense, National Security, Critical Infrastructure
IP
Business Intelligence
MNPI
LIFE CYCLE OF DATA PRIVACY AND PROTECTION
Creation / Collection
Use
Storage
Duration
Disposition
MOTIVATIONS AND INCENTIVES
EMPLOYEE RISKS
Employees as cyber targets:
Phishing
Spear Phishing / Social Engineering
Email spoofing and hijacking
Negligent Employees
Non-compliant Employees
VULNERABILITIES
SOFTWARE PATCHING: Lack of software updates
ACCESS CONTROL: Who has access to your system, and do they really need it?
THIRD PARTY VENDORS: Are your third party vendors secure?
PEOPLE: Internal actors up to no good or being exploited
CYBERSECURITY RISK MANAGEMENT OVERVIEW
WHAT IS A CYBERSECURITY RISK MANAGEMENT PROGRAM?
An integrated set of policies, processes, technologies and controls that minimize vulnerabilities and protect against threats to support:
Confidentiality: information kept private and secure
Integrity: data not inappropriately modified, deleted or added
Availability: systems/information available to those who require them
A HOLISTIC APPROACH
CYBERSECURITY MITIGATION
BDO CYBERSECURITY FRAMEWORK
Key Policy & Process Domains:
Governance & Strategy
Organization roles and responsibilities (Board of Directors, Executive Management, etc.)
Cybersecurity risk management program
Cybersecurity risk profile management
Data privacy / protection
Identity & access management
Threat & risk intelligence
Third party / vendor management
Incident response & planning
Investment optimization
Metrics / reporting
Asset inventories
Training / awareness
Legal & compliance
Cyber insurance
Cybersecurity Lifecycle: Identify, Protect, Detect, Respond, Recover
[Figure: lifecycle wheel relating Assets, Vulnerabilities and Threats to Confidentiality, Integrity and Availability]
THREAT INTELLIGENCE
Private Sector Threat Information + Government Classified and Unclassified Evidence and Intelligence = Cyber Threat Intelligence
INFORMATION SHARING CHANNELS
CYBER INSURANCE
THE GROWING CYBER INSURANCE MARKET
Proportion of companies buying security & privacy insurance: 35% in 2011, 65% in 2016
SOURCE: https://www.zurichna.com/en/about/news/news-releases/2016/10272016_overallupward-trend-continues-zurichs-advisen-cyber-survey
THE GROWING CYBER INSURANCE MARKET
View cyber risk as a significant threat: personal data-driven industries 76%, non-data-driven industries 55%
Purchase security & privacy insurance: personal data-driven industries 78%, non-data-driven industries 59%
SOURCE: https://www.zurichna.com/en/about/news/news-releases/2016/10272016_overallupward-trend-continues-zurichs-advisen-cyber-survey
THE GROWING CYBER INSURANCE MARKET
C-suite executives who view cyber security as a significant threat: 58% in 2011, 85% in 2016
21% have no employee education program in place
SOURCE: https://www.zurichna.com/en/about/news/news-releases/2016/10272016_overallupward-trend-continues-zurichs-advisen-cyber-survey
POTENTIAL EXPOSURES
Information (own and of others)
Business Reputation / Crisis Management
Business Interruption
Regulatory Investigations
Media Liability
Cyber Extortion
Third Party Liability
Network Itself
INSURABLE CYBER RISKS
Legal liability to others for computer security breaches
Legal liability to others for breaches of confidential information
Regulatory actions, fines and investigations
Loss or damage to data and information
Loss of revenue due to a computer attack
Extra expense to recover from or respond to a computer attack
Loss or damage to reputation
Cyber-extortion
Cyber-terrorism
COVERAGE GRANTS
First Party:
Damage to digital assets
Business interruption
Extortion
Privacy breach expenses
Third Party:
Privacy liability
Network security liability
Internet media liability
Regulatory liability
Contractual liability
AVAILABLE COVERAGES
Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party's electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
AVAILABLE COVERAGES
Regulatory Investigative Defense: Coverage for legal expenses associated with representation in connection with a regulatory investigation, including indemnification of fines and penalties where insurable.
Event Response and Crisis Management Expense: Expenses incurred in response to a data breach event, including retaining a forensic investigator and crisis management.
Cyber Extortion: Ransom and/or investigative expenses associated with a threat directed at you that would cause an otherwise covered event or loss.
AVAILABLE COVERAGES
Network Business Interruption: Reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption.
Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed by a computer attack.
UNDERWRITING FACTORS
Industry
Size of company
Type and volume of data
Risk management
Technology
Incident response
Claims
People
Process
COVERAGE DANGER ZONES
Notice to the Insurer
Retention of Counsel or Forensics Firm Before Notice
Panel Firms?
Pre-Notice Costs
Effect of Breach Start Date
Issues with Business Interruption Coverage
Valuing a Cyber Claim
Are the Limits Sufficient?
PCI ISSUES
Fines, Penalties, Assessments
PFIs
PCI Compliance Certifications
PCI Recertification
Affirmative Claims Against Processor, Card Brands, and QSAs
Coverage for costs of responding to subpoenas or civil investigative demands
NON-PII CYBER EVENTS
Intellectual Property
Proprietary and Confidential Business Information
Bodily Injury
Property Damage
EFFECTIVE INDEMNITY AGREEMENTS
Privacy Liability policy language: "With respect to all Insuring Clauses, [Federal] shall not be liable for any Loss on account of any Claim, or for any Expense... based upon, arising from or in consequence of any... liability assumed by any Insured under any contract or agreement."
BUSINESS INTERRUPTION CONCERNS
Policy language: "With respect to the NETWORK INTERRUPTION INSURING AGREEMENT of this Clause 1., solely with respect to a Security Failure first occurring during the Policy Period and reported to the Insurer pursuant to the terms of this policy, this Network Interruption Coverage Section affords the following coverage:
NETWORK INTERRUPTION INSURING AGREEMENT: The Insurer shall pay all Loss in excess of the Remaining Retention that an Insured incurs after the Waiting Hours Period and solely as a result of a Security Failure.
(l) Waiting Hours Period means the number of hours set forth in Item 6 of the Declarations that must elapse once a Material Interruption has begun."
HOW DO YOU SUBMIT A CLAIM?
Documentation requirements
Application of waiting periods/sub-limits (e.g., business interruption versus network interruption)
Common items of dispute in the adjustment process
CONCLUSION
OUR CYBERSECURITY SERVICES
Cyber Risk Management Strategy & Program Design
Cyber Risk Assessment & Security Testing
Data Privacy & Protection
Security Architecture & Transformation
Incident Response Planning
Business Continuity Planning & Disaster Recovery
Digital Forensics & Cyber Investigations
Cyber Insurance Claim Preparation & Coverage Adequacy Evaluation
SPEAKER BIO
Judy Selby is a Managing Director in BDO Consulting's Technology Advisory Services practice, with more than 20 years of experience in insurance and technology. Recognized by Legaltech News as one of the premier voices in legal technology, she consults with clients on cyber insurance, cybersecurity, information governance, data privacy and complex insurance matters. She advises clients on best practices for handling information throughout its life cycle, from creation or collection through disposition. In addition, Judy works with organizations and their counsel to advise on data privacy and cyber insurance issues, having deep experience in coverage adequacy evaluation, international arbitration and all phases of insurance coverage litigation. Prior to joining BDO, Judy was a partner at Baker Hostetler, where she was co-chair of the Information Governance team and founder of the e-Discovery and Technology team. She is the co-chair of the Claims and Litigation Management (CLM) Alliance Cyber Liability Committee and serves on the Law360 Insurance and Legaltech News editorial boards. Judy has completed courses on the internet of things (IoT), big data, crisis management / business continuity and cybersecurity at the Massachusetts Institute of Technology.
About BDO Consulting
BDO Consulting, a division of BDO USA, LLP, provides clients with Financial Advisory, Business Advisory and Technology Services in the U.S. and around the world, leveraging BDO's global network of more than 64,000 professionals. Having a depth of industry expertise, we provide rapid, strategic guidance in the most challenging of environments to achieve exceptional client service.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, advisory and consulting services to a wide range of publicly traded and privately held companies. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.
Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm's individual needs. © 2016 BDO USA, LLP. All rights reserved.