Cyber Liability Insurance

Table of Contents
1 Overview
2 Data Security & Cyber Liability Landscape
2.1 Nature of Cyberliability Exposures
3 Ten Reasons to Buy Cyberliability Insurance
4 Data Breach Statistics
5 Regulations for Cybersecurity in the United States
6 Cyberliability Insurance Adoption
7 Cyberliability Solutions – Insurance Coverage
8 Recent Cyberliability Cases
9 Conclusion
10 References
1 Overview
Cyber liability covers third-party liability for alleged wrongful acts arising from the performance of services as a technology professional or consultant. Typical covered services include computer hardware/software consulting, system integration, website design, online services and content, and online commerce. The definition of "wrongful act" may or may not include a personal injury component, which could include an invasion of privacy. It also may or may not include liability coverage for a breach of security caused by the named insured; there are technology insurance policies in the marketplace that specifically exclude security liability. When comparing policies, check both points: whether security liability is excluded, and what sublimit applies to breach response.

The modern definition of cyber liability policy coverage additionally includes:
• Privacy Liability (covers loss of personally identifiable employee and customer information)
• Security Liability (covers failure to prevent the entrance or spread of a virus or hacker attack)
• Website Media Liability (covers libel, slander and copyright infringement arising from your website content)
• First Party Cyber Extortion (covers expenses to respond to a threat to harm or release your data, as well as ransom payments if necessary)
• First Party Privacy Breach Response (it is common to sublimit this coverage to an amount lower than the annual aggregate limit):
  - Customer Notification Expense
  - Credit Monitoring Expense
  - Computer and Legal Forensic Expense
  - Credit and Identity Repair Expense
• First Party Business Interruption and Data Recovery Extra Expense
• Regulatory Defense and Penalty

Cybersecurity (or cyberliability) insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce Internet Policy Task Force has described cybersecurity insurance as a potentially "effective, market-driven way of increasing cybersecurity" because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures, encouraging the implementation of best practices by basing premiums on an insured's level of self-protection, and limiting the level of losses that companies face following a cyber attack.
2 Data Security & Cyber Liability Landscape

Contributing Trends – Cyberliability risks emerge from a variety of trends. Legislation to protect individuals (consumer protection, financial transactions and similar laws) creates compliance requirements. The growth of social media and Web 2.0 collaboration, mobile communications, the rapid rise in data volumes, and cloud architectures have all increased data security and cyberliability risk. According to the Federal Trade Commission, 9 million Americans become identity theft victims each year. Public awareness of data breaches and confidentiality issues is increasing as victimization becomes more prevalent.

Causes of Loss – A variety of events can cause losses: physical theft or unexplained disappearance of data sources, employee communications, skimming of credit or debit cards at the point of sale, fake social media pages, website tampering and sophisticated network intrusion. Both negligent and malicious behavior can be motivated by social or political causes, monetary gain, or employee revenge.

Areas of Exposure – Cyberliability risks include first-party costs, such as investigation and remedial action following a data breach, and third-party liability resulting from the use of Information and Communication Technologies (ICT). These risks fall into three areas: (a) strategic risks; (b) operational risks; and (c) pure risks. Operational risk is the largest component, especially data breach: the loss of personally identifiable information (PII) or other sensitive information, whether in electronic form or in physical documents. Sensitive information may include data protected under the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, criminal records, and other data such as intellectual property and trade secrets. Other operational risks include defamatory or misleading communications on social media. Pure risks, such as a hacking attack or an ICT service disruption, increase the risk of an information breach. Strategic risks arise from cloud delivery models and the use of outsourced IT providers; third parties account for 46% of data loss, and as clients demand cost efficiencies and speed of delivery through cloud models, risks such as business model obsolescence and IT vendor negligence follow.
2.1 Nature of Cyberliability Exposures
The management information systems of most organizations rely heavily on information technology (IT) infrastructure, which increases the importance of information security. For some organizations, such as online trading companies and banks, the IT infrastructure is an integral part of the company's operations. Almost every firm is exposed to data loss arising from damage to or destruction of its computers and computer networks, including any resulting loss of income, business interruption and/or increased cost of operation. Risks and potential losses associated with the use of computers arise from first-party exposures and third-party exposures.

First-party cyber risk exposures
• Loss or damage to digital assets – loss or damage to data or software programs, resulting in costs incurred in restoring, updating, recreating or replacing these assets to the condition they were in before the loss or damage
• Business interruption from network downtime – interruption, degradation in service or failure of the network, resulting in loss of income, increased cost of operation and/or costs incurred in mitigating and investigating the loss
• Cyber extortion – an attempt to extort money by threatening to damage or restrict the network, release data obtained from the network and/or communicate with the customer base under false pretences to obtain personal information
• Reputational damage – arising from a data protection breach being reported (whether factually correct or not), resulting in loss of intellectual property, income or customers and/or increased cost of operation
• Theft of money and digital assets – direct monetary losses and associated disruption from theft of computer equipment, as well as electronic theft of funds from the organisation by hacking or other types of cyber crime

Third-party cyber liability exposures
• Security and privacy breaches – investigation, defence costs and civil damages associated with a security breach, transmission of malicious code, or breach of third-party or employee privacy rights or confidentiality, including failure by an outsourced service provider
• Business interruption from network downtime – interruption, degradation in service or failure of the network, resulting in loss of income, increased cost of operation and/or costs incurred in mitigating and investigating the loss
• Customer notification expenses – legal, postage and advertising expenses where there is a legal or regulatory requirement to notify individuals of a security or privacy breach, including associated reputational expenses
• Multi-media liability – investigation, defence costs and civil damages arising from defamation, breach of privacy, negligence in publication of any content in electronic or print media, as well as infringement of a third party's intellectual property
• Loss of third-party data – liability for damage to, corruption of or loss of third-party data or information, including payment of compensation to customers for denial of access, failure of software, data errors and system security failure
3 Ten Reasons to Buy Cyberliability Insurance
1. Data is an important asset – Comprehensive cover for data restoration and rectification in the event of a loss, no matter how it was caused.
2. Block the downtime – When a hacking attack, computer virus or malicious employee brings down the systems, a traditional business interruption policy would not respond. Cyber insurance can cover loss of profits associated with a systems interruption caused by an intangible hazard such as a computer virus.
3. Cyber crime is the fastest growing crime in the world – Phishing scams, identity theft and telephone hacking are crimes that traditional crime policies generally do not cover. Cyberliability insurance can provide comprehensive crime cover for a wide range of electronic perils that increasingly threaten the financial resources of modern businesses.
4. Liability for third-party data – Non-disclosure agreements and commercial contracts often contain warranties and indemnities relating to the security of this data that can trigger expensive damages in the event of a breach. Consumers are increasingly seeking legal remedies when a business loses their data.
5. A high penalty for retailers that lose credit card data – Globally, credit card crime is worth over $7.5 billion, and retailers who lose data bear the cost as the risk is transferred to them. Under merchant service agreements, compromised retailers can be held liable for forensic investigation costs, card reissuance costs and the actual fraud conducted on stolen cards. These losses can run into hundreds of thousands of dollars for even a small retailer. Cyberliability insurance can help protect against all of these costs.
6. Complying with breach notification laws – Cyberliability policies can cover the costs of providing the breach notices required by breach notification laws, which are slowly being introduced across many countries. These laws generally require businesses that lose sensitive personal data to provide written notification to the individuals potentially affected.
7. Safeguarding the organization's reputation – A data security breach can cost an organization customer trust and loyalty, resulting in immediate financial losses. Cyber insurance can help pay for a PR firm engaged to repair that damage, and for the loss of future sales that arises directly from customers switching to competitors.
8. Rising social media usage with a growing number of claims – Cyber insurance provides cover for claims arising from leaked information, defamatory statements or copyright infringement on social media.
9. Portable device use increases the risk of loss or theft – Portable devices are increasingly used in business. Loss of a computing or storage device, or a virus attack on such a device, can result in significant data and financial losses. Cyber insurance can help cover the losses associated with a data breach should a portable device be lost, stolen or infected.
10. Hackers target companies big and small – Big companies are not the only targets of hacking attacks; smaller companies also have much at risk, especially as they often lack the financial resources to recover after a hacking attack or other data loss. Over a third of global targeted attacks were aimed at businesses with fewer than 250 employees. Cyber attacks are quickly becoming one of the greatest challenges for smaller companies, and cyberliability insurance can help protect them against the potentially crippling financial effects of a privacy breach or data loss.
4 Data Breach Statistics
The 2012 Verizon Data Breach Investigations Report shows the following.

[Figure: Threat agents over time, by percent of breaches]

Breaches by external sources are the most common, and the trend has been rising over the years. (The study covers data from 2004 to 2011 and includes about 855 incidents across the globe.)

A Risk Based Security study of data breach trends in 2012 shows the following.

[Figure: Incidents by breach type]

[Figure: Exposed records by breach type]

Hacking is the largest breach type by number of incidents, and Fraud SE (Risk Based Security's category for fraud by social engineering) is the largest breach type by number of exposed records.

[Figure: 2012 incidents by data type exposed]

Email address, password and name are the data types most commonly exposed in breaches.
5 Regulations for Cybersecurity in the United States
Cyber Intelligence Sharing and Protection Act
On April 18, 2013, the House of Representatives passed a cybersecurity bill (H.R. 624) that would allow real-time, voluntary and bi-directional information sharing between private companies and the government in the event of a cyber attack. The Cyber Intelligence Sharing and Protection Act ("CISPA") is intended to break down legal barriers to sharing cybersecurity threat information between private industry and the U.S. government, under procedures established by the Director of National Intelligence. In the wake of growing cyber attacks on U.S. businesses by foreign entities seeking intellectual property and trade secrets, the intent of CISPA is to promote cooperation between companies and the government by making it easier to share information on these events.

Various federal laws regulate data protection in particular industries, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which regulate the use of health information. Forty-six states, the District of Columbia and Puerto Rico all have legislation requiring notification when confidential personal information is breached (an individual's name plus one or more other data elements, such as a social security number, driver's license number or bank account details). Notification deadlines vary by state, from 45 days down to five days for healthcare institutions in California.

Other regulators want to go further than mandatory notification. In 2011 the Securities and Exchange Commission (SEC), which regulates the U.S. capital markets, issued guidance calling on companies to include statements about their management of cyber risk in their annual reports. The SEC has since written directly to a number of companies, such as Amazon and Google, to insist that their future filings disclose any data breaches the companies have experienced.

Under most federal and state laws, data breaches require notification to affected individuals, government agencies and state attorneys general, and, where the breach exceeds a certain number of individuals, to law enforcement, credit reporting agencies and local media outlets. Federal and state laws also prescribe their own requirements for the format, timing, content and delivery of the notifications. Failure to notify in accordance with a particular notification law may give rise to fines and penalties and may increase exposure in any third-party action brought by consumers or patients. The cost to businesses can be enormous, including investigative and corrective costs, exposure to governmental action and private lawsuits, where some settlements have reached tens of millions of dollars. Insurers doing business in the U.S. have begun to respond to these complex liabilities by offering specialized data breach insurance products, some of which provide notification and credit-monitoring services as well as forensic and specialist legal assistance.
6 Cyberliability Insurance Adoption
Cyberliability coverage is a relatively new insurance product that has emerged from the expansion of liabilities against companies for breach of private information and from the need to insure digital assets. Most insurers recognize that the best opportunities to sell cyberliability coverage are mainstream companies with significant cyber risk exposure. Many of these prospects are already customers of the insurer and are looking for coverage not included in traditional policies. This may be only the tip of the iceberg: coverage for hospitals, educational institutions and public entities will become much more important.

The cyberliability market is expanding, especially in health care and in the small to mid-sized segment. Health care systems and their vendors in particular are buying cyberliability insurance (and, in the case of vendors, often Technology E&O) at a fast pace, and insurers are offering specialized products to these policyholders. Beyond health care, much of the growth comes from small to mid-sized firms that have recently become aware of the liability, and more so of the breach response costs, that arise from holding private data. This growth, however, adds many policies while adding relatively little new premium. According to the 2012 survey report by Betterley Risk Consultants (a risk and insurance management consultancy), annual gross written premium is in the $1 billion range, up from $800 million in 2011. Growth has been dampened by rate competition as new carriers try to gain market share, and much of the growth has come from smaller policyholders. Rates for cyber risk insurance are still showing signs of softness: some markets writing relatively low premium volumes plan to reduce rates by around 5%, while the larger insurers indicate that rates will stay flat or drop slightly (about 5%).

According to a Marsh study, 2012 saw a significant increase in cyberliability insurance purchases, driven by increased awareness of cyber and privacy risks and by underwriters' clarification of the scope of cyber and related policies. The number of clients purchasing cyber insurance increased 33% from 2011 to 2012. Cyber insurance limits purchased in 2012 averaged $16.8 million across all industries, an increase of nearly 20% over 2011. Rates for cyber insurance were essentially flat in the fourth quarter of 2012, but market conditions varied significantly by company size.
[Figure: Percent increase of 2012 US clients – cyber liability. Source: Marsh Global Analytics]

Services (75.5%) and Education (72.2%) led all industries in the percentage increase in cyberliability insurance clients.

[Figure: Total limits purchased, by industry – cyber liability, all revenue sizes. Source: Marsh Global Analytics]

Communications, media and technology led all industries, both by average limits purchased ($33.4 million) and by rate of increase over 2011 (nearly 36%).

A survey of perceptions about cyber risk sponsored by American International Group, Inc. (AIG) reports that more than 85% of the 258 decision-makers surveyed were very or somewhat concerned about cyber risks to their organizations, a higher share than for the six other areas of risk covered, including income loss (82% very or somewhat concerned), property damage (80%), and securities and investment risk (76%).

Other findings give further insight into how pervasive cyber risk concern is among executives and brokers:
• More than two out of three (69%) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.
• More than seven in ten (75%) executives and brokers say legal compliance issues are making companies think more about cyber risks.
• The vast majority of brokers and executives (82%) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71%) also perceive human error as a significant component of cyber risk.
(The survey covered a mix of AIG customers and other companies: 60 companies, and 323 risk managers, IT decision makers, C-suite executives and brokers in the United States and Canada.)
7 Cyberliability Solutions – Insurance Coverage
Many cyberliability insurance products are available in the market. Each differs from the others, and some are more comprehensive than others. Some examples:
8 Recent Cyberliability Cases
1. In 2012, employees of Dun & Bradstreet's marketing unit, Shanghai Roadway D&B Marketing Services Co. Ltd., stole and sold 150 million customer records. Categorized as malicious-insider fraud, this incident resulted in the closure of the business unit, fines for Dun & Bradstreet, and fines and jail terms for four employees.
2. In June 2012, LinkedIn was hacked and approximately 6.4 million password hashes were stolen from the website. Within hours of the incident the passwords were posted on the internet and were used to direct traffic to fraudulent websites. The breach also resulted in a class action lawsuit against LinkedIn in the Northern District of California, in which the plaintiff class alleged that LinkedIn failed to adequately and properly secure the personal information stored on its website. This is the classic example of cyber-liability exposure.
3. Atlanta-based Global Payments Inc. revealed a data breach affecting 1.5 million payment cards in April 2012. The breach has cost the firm about $94 million. In reporting its breach-related costs, Global Payments gave this breakdown of specific expenses and recoveries:
• $60 million for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners, and costs associated with credit monitoring and identity protection insurance
• $35.9 million for the total of estimated fraud losses, fines and other charges imposed by the card networks
• $2 million received in insurance recoveries, based on claims submitted to date (January 2013)
4. In 2011, Sony Corporation discovered that the user names, email addresses, phone numbers and, reportedly, credit card details of 77 million PlayStation Network and Qriocity users had been maliciously breached. The first breach was followed shortly after by a second breach of the personal details of its 24.6 million Sony Online Entertainment customers. The breaches resulted in a 23-day closure of the PlayStation online network, and Sony suffered an estimated financial loss of $171 million. This estimate does not include any lawsuits that Sony will have to defend as a result of class actions filed by affected customers. It does include the cost of notifying and assisting customers, IT forensic costs, system overhaul and reputation management. The Sony brand and share price took a significant battering, dropping 55% in four months as a result of the breach and the resulting negative publicity.
• Estimated financial loss: $171 million
• 55% drop in share value in the four months after the breach
• 23-day shutdown of the PlayStation online network
9 Conclusion
Cyberliability insurance cannot stop or prevent incidents from happening; it can respond to incidents when they do occur. In the event of a data breach, most cyberliability policies have a team of experts already in place to help determine how the incident occurred, whether any sensitive Personally Identifiable Information (PII) or Protected Health Information (PHI) has been exposed, and whether the security breach needs to be reported. Cyberliability insurance gives policyholders the ability to reduce risk, losses and associated costs in the event of a data breach. Small and mid-sized enterprises are at greater risk because they lack the financial resources to absorb the costs of a cyberliability event. Reputational risk is considered more important than financial risk, especially by larger firms. Legal compliance is acting as a driver of cyberliability insurance adoption.

Cyberliability insurance remains a specialized product. Firms need to work with their insurers to develop tailored products that add value to the firm; recruiting HIPAA/HITECH-certified consultants would be of immense value in ensuring the right things are done at the right cost. Cyberliability insurance products currently tend to be underpriced because this market segment is still developing and insurers are looking to gain market share in a growing market; prices should stabilize in the medium to long term as more historical claims data becomes available. Outsourcing continues to be a key area of focus for cyberliability coverage, and cloud computing and mobile technology are emerging as major cyber risk concerns. Communications, media and technology companies, healthcare companies, financial institutions and retailers are more interested in coverage than other sectors. Cyberliability insurance is becoming easier to sell in the U.S., which continues to lead the global cyberliability market and where it is one of the fastest growing insurance segments, as mandatory data breach notification laws are introduced across nearly all states and high-profile data breach events such as Sony, LinkedIn and Global Payments increase in number.
10 References
1. Cyber Liability Insurance Explained – http://www.insurenewmedia.com/pages/cyberliability.asp
2. 10 Reasons – http://www.mspalliance.com/wp/wp-content/uploads/2008/11/Cyber10Reasons.pdf
3. Marsh: Amid High-Profile Attacks, Interest in Cyber-Liability Insurance on the Rise – https://www.propertycasualty360.com/2013/03/15/marsh-amid-high-profile-attacks-interest-in-cyber-?t=cyber-liability-insurance
4. Top Cybersecurity Trends and Risks For 2013 Identified – https://www.propertycasualty360.com/2012/12/20/top-cybersecurity-trends-and-risks-for-2013-identi?t=cyber-liability-insurance
5. A Study of Actual Payouts for Covered Data Breaches – http://www.netdiligence.com/files/CyberClaimsStudy-2012sh.pdf
6. Cyber Liability: Where to Find Cyber Coverage – http://www.insurancejournal.com/magazines/coverstory/2013/01/28/278213.htm
7. Cybersecurity Insurance Workshop Readout Report – http://www.dhs.gov/sites/default/files/publications/cybersecurity-insurance-read-out-report.pdf
8. Data Security & Cyber Liability, MidSouth Assurance – http://www.midsouthassurance.com/files/53958/MidSouth%20Assurance%20-%20Data%20Security%20%26%20Cyber%20Liability.pdf
9. Cyber-Privacy Insurance Market Survey 2012, Betterley Report – http://betterley.com/samples/cpims12_nt.pdf
10. AmWINS Group, Inc. – What is Cyberliability?
11. AIG Survey Finds More Insurance Decision Makers Concerned about Cyber Threat than Other Major Risks – http://www.businesswire.com/news/home/20130206006044/en/AIG-Survey-Finds-Insurance-Decision-Makers-Concerned
12. Let's not sacrifice our privacy on the altar of cyber security – http://www.loganbanner.com/view/full_story/22680214/article-Let%E2%80%99s-not-sacrifice-our-privacy-on-the-altar-of-cyber-security?instance=popular
13. Cyber liability from a U.S. and Canadian view – http://www.clydeco.com/insight/articles/cyber-liability-from-a-us-and-canadian-view
14. Cyber Intelligence Sharing and Protection Act Passes House – http://www.govtech.com/security/Cyber-Intelligence-Sharing-and-Protection-Act-Passes-House.html
15. LinkedIn Escapes Cyber-Liability Exposure – http://professionalliabilitymatters.com/2013/04/11/linkedin-dodges-a-cyber-liability-claim/
16. Global Payments Breach Tab: $94 Million – http://www.bankinfosecurity.com/global-payments-breach-tab-94-million-a-5415/op-1
17. Risk Frontiers: Cyber Risk 2012 Seminar Report – http://www.aigassurance.fr/aigeurope/internet/fr/files/cre-cyberrisk2012_tcm759-463376.pdf
18. Cyber Risks Decoded – Lockton, February 2012