Certificate of Insurance
Network Security Privacy Liability and Insurance
August 20, 2015
CERTIFICATE OF INSURANCE
IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).
Date: 07/21/2015
THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.
PRODUCER: Faulkner, Williams, & Wilson, 6721 Baum Drive, Knoxville, TN 37919
CONTACT NAME: Eric D. Faulkner, ARM, CIC   PHONE: 865-450-9170   FAX: 865-450-9174   EMAIL ADDRESS: (blank)
INSURED: East Tennessee Foundation, 520 W. Summit Hill Dr., Suite 1101, Knoxville, TN 37902
INSURER(S) AFFORDING COVERAGE (NAIC#):
INSURER A: WESTFIELD INSURANCE CO. (17558)
INSURER B: (blank)
INSURER C: (blank)
INSURER D: (blank)
INSURER E: (blank)
INSURER F: (blank)
INSR LTR | TYPE OF INSURANCE | ADDL INSD | SUBR WVD | POLICY NUMBER | POL EFF | POLICY EXP | LIMITS

A | COMMERCIAL GENERAL LIABILITY [X] (CLAIMS-MADE [ ]  OCCUR [X]) | ADDL INSD: X | CWP 4050419 | 08/15/2014 | 08/15/2015
  EACH OCCURRENCE: $1,000,000
  DAMAGE TO RENTED PREMISES (Ea occurrence): $500,000
  MED EXP (Any one person): $5,000
  PERSONAL & ADV INJURY: $1,000,000
  GENERAL AGGREGATE: $2,000,000
  PRODUCTS-COMP/OP AGG: $2,000,000
  OTHER: RENTED PR: $500,000
  GEN'L AGGREGATE LIMIT APPLIES PER: POLICY [X]  PROJECT [ ]  LOC [ ]

AUTOMOBILE LIABILITY | CWP 4050419 | 08/15/2014 | 08/15/2015
  ANY AUTO [ ]  ALL OWNED AUTOS [ ]  SCHEDULED AUTOS [ ]  HIRED AUTOS [X]  NON-OWNED AUTOS [X]
  COMBINED SINGLE LIMIT (Ea accident): $1,000,000
  BODILY INJURY (Per person): (blank)
  BODILY INJURY (Per accident): (blank)
  PROPERTY DAMAGE (Per accident): (blank)

UMBRELLA LIAB [X]  OCCUR [X] / EXCESS LIAB [ ]  CLAIMS-MADE [ ] | CWP 4050419 | 08/15/2014 | 08/15/2015
  EACH OCCURRENCE: $5,000,000
  AGGREGATE: $5,000,000
  DEDUCTIBLE [ ]  RETENTION [X]: $0

WORKERS COMPENSATION AND EMPLOYERS' LIABILITY | PER STATUTE [ ]  OTHER [ ] | (no policy shown)
  ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Mandatory in NH): N/A
  If yes, describe under DESCRIPTION OF OPERATIONS below
  E.L. EACH ACCIDENT: (blank)
  E.L. DISEASE – EA EMPLOYEE: (blank)
  E.L. DISEASE – POLICY LIMIT: (blank)
DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, additional remarks schedule, may be attached if more space is required)
The City of Knoxville, its officials, officers, directors, employees and volunteers, as well as Total Race Solutions, POB 30667, Knoxville, TN 37930, are included as Additional Insured as respects General Liability, and Waiver of Subrogation applies as respects the event: 5K Road Race to Benefit the Butterfly Fund of East Tennessee Foundation, to be held August 15, 2015.
ENDORSEMENT

Network Security Privacy Liability and Insurance
GLOBAL PRIVACY BREACHES*
* Source: RiskBased Security -- Open Security Foundation – Data as of 12/31/2014.

What is Different Today?
Familiar mediums: SQL injections; spear phishing; malware, spyware & ransomware ("CryptoLocker"); denial of service attacks; web site defacing
New culprits: loosely formed groups of people who are very good at hacking and work together to do so (e.g., Anonymous, LulzSec, Lizard Squad); state actors (China, Iran, [illegible], Israel, Russia, North Korea, APTs)
New information targeted: corporate data and trade secrets; inside information; embarrassing information; corporate weaknesses
New targets: automobiles; the Internet of Everything; smartphones; medical devices; the cloud
Network Security / Privacy Data Risk

What type of sensitive data do you collect?
● Personally Identifiable Information (PII): name, SS#, address, financial
● Protected Health Information (PHI): medical information
● Employee data
● Corporate Confidential Information

Where is sensitive data stored?
How well is sensitive data protected?
How long do you store sensitive data?

What is a Data Breach Incident?
● Wrongful disclosure
● Unauthorized acquisition
● Security failure or data compromised
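The three questions above (what sensitive data you hold, where it is stored, how well it is protected) are in practice answered by scanning exports, file shares and mailboxes for the PII elements the slide lists. What follows is an added example written for this page, not code from the presentation or from Willis: a small discovery scan that finds candidate SSNs, payment card numbers and e-mail addresses, validates them (SSA structural rules for SSNs, the Luhn check for card numbers) to cut false positives, and reports masked values so the report is not itself a disclosure. The regular expressions, the validation rules as coded, the Finding record and the sample export text are constructed assumptions for illustration.

```python
"""PII discovery scan: find and validate candidate SSNs, payment card
numbers and e-mail addresses in text, and report them masked.

Added example, not part of the original presentation. The patterns,
validation rules and sample text are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Candidate patterns. SSN and card patterns are deliberately loose; the
# validators below reject structurally invalid hits such as 000-xx-xxxx.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    kind: str     # "SSN", "CARD" or "EMAIL"
    line_no: int  # 1-based line number in the scanned text
    masked: str   # value with all but the trailing characters hidden


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Hide all but the last `keep` characters so the report is not itself a leak."""
    tail = value[-keep:] if keep else ""
    return "*" * (len(value) - len(tail)) + tail


def scan_text(text: str) -> List[Finding]:
    """Return validated PII findings, one per hit, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                findings.append(Finding("SSN", line_no, mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("CARD", line_no, mask(digits)))
        for m in EMAIL_RE.finditer(line):
            local, _, domain = m.group(0).partition("@")
            findings.append(Finding("EMAIL", line_no, mask(local, 1) + "@" + domain))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by kind; the record counts a breach-cost estimate starts from."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample export; the SSN and card numbers are test values.
SAMPLE = """Applicant: Jane Doe, SSN 123-45-6789, e-mail jane.doe@example.org
Card on file: 4111 1111 1111 1111 (test number)
Rejected hits: SSN 000-12-3456 and non-Luhn number 4111 1111 1111 1112
Ticket 2015-08-20 is a date, not PII
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(summarize(scan_text(SAMPLE)))
```

Run against a real export in place of SAMPLE and keep the masked report, not the raw hits; the per-kind counts from summarize are the input the breach calculator later in this deck expects (number of affected individuals), and the validators are what keep dates, ticket numbers and test data out of that count.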
Source of Potential Data Breach
Exposures that lead to a potential data breach, by source: Malicious Insider, Negligent Insider, Criminal Hackers, Hacktivists, Cloud or 3rd-party compromise.
● Theft of intellectual property
● Unwary insiders susceptible to attacks that exploit traditional security controls (e.g., spear phishing)
● Intent is to disrupt and/or embarrass a target
● Motivations are fickle and unpredictable
● Massive DDoS attack
● Patience is a virtue. Tactics have evolved from "hit and run" to "infiltrate and stay."
● Industrialization: black markets exist for all types of personal information
● Proliferation of mobile platforms and BYOD policies creates new vectors
● Security compromise: loss of sensitive client data
● Infrastructure downtime may lead to a Dependent Business Interruption claim
● Users who fail to embrace a "culture of security" will find ways to circumvent "inconvenient" security controls
● Access controls and behavior monitoring insufficient to detect insider threats
● Growing incentive for insiders to abuse access to sensitive data for financial gain
● Disgruntled current and former employees exploit back-doors
Complex Regulatory Landscape
● State laws/regulation
o Notification: 47 states and counting
o PII (Personally Identifiable Information): SS#, account numbers & PINs, name, address, DL#s, CC#s
● Federal
o HIPAA/HITECH
o PHI (Protected Health Information): insurance claim forms, health care information, explanation of benefits, notes, conversations
o FTC
o SEC/GLB
● EU Data Privacy Directive
● Canada
● PCI-DSS compliance with merchant agreement developed
Data Breach Consequences
Third and First Party Claims
● Notification and call center costs
● Legal: "Breach Coach"
● Computer forensic investigation
● Credit monitoring & ID theft costs
● Public relations/crisis management
● Civil penalties and fines
● Class action suits
● Legal defense costs:
o Civil, regulatory and possibly criminal defense
o Data privacy counsel can cost $500 per hour; a major data breach will cost millions in legal costs
● Business interruption costs/data damage
Stakeholders are Important – Why?
● Board/Leadership Team
● Employees
● Residents/Customers/Clients
● CIO/IT/CISO
● Attorney General/General Counsel
● Chief Financial Officer
● Risk Management

What about the Board?
Five Principles that the Board should consider:
1. Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.
2. Cyber risks have important legal ramifications, which directors need to understand.
3. Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.
4. Directors should ensure management implements an effective cyber-risk framework for the company.
5. The board and management should assess cyber-risk just like other enterprise-level risks; ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.
NACD Report 2014
Privacy/Network Liability Coverage

Liability Coverage
● Privacy Liability
● Network Security Liability
● Media and Content Liability
● Regulatory Liability
● Technology E&O

Direct (Loss Mitigation – First Party) Coverage
● Data breach expenses: notification, forensic, credit monitoring/ID theft monitoring, public relations expenses, legal "Breach Coach"

Direct (First Party) Coverage
● Business income loss (network security)
● System failure
● Data reconstruction
● Extortion costs
Cyber Risk Gaps in Traditional Insurance
Matrix comparing traditional policies (Property; General Liability; Crime/Bond; K&R; E&O) with Cyber/Privacy for each risk below. Each cell is rated Coverage Provided, Limited Coverage or No Coverage; the individual ratings are not reproduced in the transcript.

1st Party Privacy/Network Risks
● Physical damage to data
● Virus/hacker damage to data
● Denial of service attack
● B.I. loss from security event
● Extortion or threat
● Employee sabotage

3rd Party Privacy/Network Risks
● Theft/disclosure of private info
● Confidential corporate info breach
● Technology E&O
● Media liability (electronic content)
● Privacy breach expense/notification
● Damage to 3rd party's data
● Regulatory privacy defense/fines
● Virus/malicious code transmission

Legend: Coverage Provided / Limited Coverage / No Coverage

What about D&O?

Type of Coverage
3rd Party Coverage
• Network and Privacy Liability – coverage for:
o Claims arising from the unauthorized access to data containing identity information
o Failure to protect non-public information (PII/PHI/corporate confidential information) in your care, custody and control
o Transmission of a computer virus, and liability associated with the failure to provide authorized users with access to the company's website
• Media Liability (including online and offline media) – coverage for claims arising from online/offline content:
o Libel
o Slander
o Defamation
o Emotional distress
o Infringement of copyright/trademark/etc.
o Invasion of privacy
3rd Party Coverage
• Technology Products/Services Errors & Omissions – coverage for:
o Claims arising from the failure of a technology product or service to perform as indicated
• Regulatory Liability – coverage for:
o State/Federal/International fines & penalties
1st Party Coverage
• Crisis Management/Security Breach Remediation and Notification Expenses – coverage for:
o Crisis management expenses: expenses to obtain legal assistance to navigate the event, determine which regulatory bodies need to be notified and which laws would apply
o Public relations services to mitigate negative publicity as a result of cyber liability
o Forensic costs incurred to determine the scope of a failure of network security and determine whose information was accessed
o Notification to those individuals of the security breach
o Credit monitoring
o Call center to handle inquiries
o Identity fraud expense reimbursement for those individuals affected by the breach
1st Party Coverage
• Computer Program and Electronic Data Restoration Expenses – coverage for: expenses incurred to restore data lost from damage to computer systems due to computer virus or unauthorized access
• Cyber Extortion – coverage for: money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on a computer system, or disclose electronic data/information
• Business Interruption and Additional Expense – coverage for: loss of income, and the extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack
Cyber Insurance Markets
A Maturing Market:
• Underwriting expertise and creativity
• Sample markets: ACE, Travelers, Navigators, AXIS, Chubb, One Beacon, Beazley, AEGIS, RLI, AIG, HCC, Swiss Re, Zurich, Torus, Hiscox, C.N.A., Ironshore, XL, AWAC, Liberty, London Markets
• Over 60 insurers writing coverage – a very robust market
• Substantial claims paid without insurers withdrawing from market
• Recognized underwriting standards
• Estimated $1B premium volume moving to $5B
• VALUE – EXPERTS, PROFESSIONALS, RE-ACTIVE & PRO-ACTIVE
Cost per Affected Record – Breach Calculator
Willis Estimated Data Breach Costs (based on number of affected individuals compromised)

Affected individuals (PII records) | 1,000 | 10,000 | 100,000 | 500,000 | 1,000,000 | 10,000,000 | 100,000,000
Breach Expenses (Forensics/Crisis) | $40,000 | $160,000 | $300,000 | $580,000 | $1,070,000 | $2,000,000 | $3,800,000
  Forensics Investigation | $30,000 | $100,000 | $200,000 | $400,000 | $750,000 | $1,000,000 | $2,000,000
  Data Breach Coach | $10,000 | $40,000 | $60,000 | $100,000 | $120,000 | $200,000 | $300,000
  Public Relations | $0 | $20,000 | $40,000 | $80,000 | $200,000 | $800,000 | $1,500,000
Breach Expenses (Notice/Credit Monitoring) | $8,500 | $85,000 | $800,000 | $3,625,000 | $4,800,000 | $40,000,000 | $325,000,000
  Customer Notification | $2,000 | $15,000 | $150,000 | $625,000 | $1,000,000 | $9,000,000 | $50,000,000
  Call Center | $1,000 | $15,000 | $100,000 | $500,000 | $800,000 | $5,000,000 | $20,000,000
  Credit Monitoring | $4,500 | $45,000 | $450,000 | $2,250,000 | $2,500,000 | $25,000,000 | $250,000,000
  Identity Fraud Remediation | $1,000 | $10,000 | $100,000 | $250,000 | $500,000 | $1,000,000 | $5,000,000
Breach Expense Total | $48,500 | $245,000 | $1,100,000 | $4,205,000 | $5,870,000 | $42,000,000 | $328,800,000
(Breach expense cost per record) | $48.50 | $24.50 | $11.00 | $8.41 | $5.87 | $4.20 | $3.29
Regulatory Defense/Fines | $0 | $10,000 | $400,000 | $1,750,000 | $2,000,000 | $6,000,000 | $15,000,000
  State Regulatory (AG) | $0 | $0 | $250,000 | $250,000 | $500,000 | $1,000,000 | $5,000,000
  Federal Regulatory (FTC, HHS) | $0 | $10,000 | $150,000 | $1,500,000 | $1,500,000 | $5,000,000 | $10,000,000
  PCI Fines | $0 | $10,000 | $20,000 | $100,000 | $432,800 | $432,800 | $432,800
Civil Liability | $34,000 | $180,000 | $1,100,000 | $5,000,000 | $7,164,000 | $14,664,000 | $54,664,000
  Legal Defense/Damages | $25,000 | $100,000 | $500,000 | $2,000,000 | $2,500,000 | $10,000,000 | $50,000,000
  Card Reissuance Liability | $9,000 | $80,000 | $600,000 | $3,000,000 | $4,664,000 | $4,664,000 | $4,664,000
Privacy Liability Total | $34,000 | $200,000 | $1,520,000 | $6,850,000 | $9,596,800 | $21,096,800 | $70,096,800
Total Data Breach Cost | $82,500 | $445,000 | $2,620,000 | $11,055,000 | $15,466,800 | $63,096,800 | $398,896,800
Per Record Cost | $82.50 | $44.50 | $26.20 | $22.11 | $15.47 | $6.31 | $3.99

Assumptions:
Credit Monitoring: $15 per individual (5-15% take-up rate)
Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)
PRIVACY LIABILITY
PRISM – Privacy Risk Insurance Strategy Model – Sample
Benchmark Sample

Benchmark Report
Industry: Retail
Product: E&O
Parameters: $1B – $45B

                 Total Limits     SIR/Deductible
Average          $31,153,846      $1,003,846
First Quartile   $10,000,000      $312,500
Median           $20,000,000      $1,000,000
Third Quartile   $40,000,000      $1,000,000
Maximum          $150,000,000     $5,000,000
Minimum          $5,000,000       $100,000
Count            26               26

First Quartile – one quarter of the observations are at or below this value
Median – half the observations are less than or equal to this value, half are greater
Third Quartile – three quarters of the observations are at or below this value
(Chart of total limits and SIR/deductible distributions; values as in the table above.)
Case Studies

Data Breach Case Study #1
Company: Target*
Date: Nov. 27 – Dec. 15, 2013
Number of credit and debit cards stolen: 40 million
Number of records stolen with personally identifiable information (PII): 70 million
Drop in profit in 4th quarter: 46%
Cost to financial institutions to reissue stolen cards: $200 million
Amount earmarked for new POS terminals with chip-and-PIN technology: $100 million
Total losses, including expenses, net of insurance recoveries: $88 million
* Source: "The Target Breach, by the Numbers," Krebs on Security, published May 6, 2014

Data Breach Case Study #2
Company: Home Depot
Date: April – Sept. 2014
Number of credit and debit cards stolen: 56 million, as well as 53 million email addresses
Drop in profit: TBD; this is NOT expected to be significant
Cost to community banks to reissue stolen cards: $90 million
Spent to mitigate the event, as disclosed: $43 million
Estimated expenses, net of insurance recoveries: $100 million
Best Practices
• Maintain a risk transfer instrument
• Have a proper background screening program for new hires and vendors
• Pre-arrange breach service providers, outside counsel and a reputational risk advisor, all specializing in privacy law and breach crisis management
• Provide "certification" through e-learning to the employee base on safeguarding data
• Develop an incident response plan
• Encryption
• Conduct annual risk assessments and tabletop exercises
• Hold an internal "Privacy Summit" to identify vulnerabilities (Risk Management, Compliance and Privacy, HR, Legal, IT, Administration, CFO)

Best Practices, Cont.
• Keep General Counsel's office current on state disclosure laws, federal regulations, foreign requirements and updates
• Maintain an effective vendor security management program
• Utilize data encryption in appropriate sensitive data settings
• Ensure that user access controls are current, effective, and audited regularly
• Utilize effective vulnerability scanning and penetration testing capabilities to detect potential exploit/compromise possibilities ahead of actual attempts
• Employ layered and/or multi-vendor solutions where feasible
• If original application development exists, ensure that it occurs in compliance with secure coding practices (OWASP)
• If Bring-Your-Own-Device (BYOD) is in place, ensure effective use of a contemporary mobile device management (MDM) solution
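The "audited regularly" item above means, in practice, a periodic access review over the identity store's account list. The script below is an added example for this page, not code from the presentation or from Willis: it runs such a review over a constructed roster and flags the conditions that also feed the insider-threat exposures listed earlier in the deck (terminated users still enabled, dormant accounts, privileged roles without MFA, and a separation-of-duties conflict). The Account record layout, the role names, the 90-day dormancy threshold and the conflicting role pair are assumptions chosen for illustration.

```python
"""User access review: flag accounts a periodic audit of access controls
should catch (terminated users still enabled, dormant accounts, privileged
roles without MFA, conflicting duties).

Added example, not from the presentation. The roster format, role names,
thresholds and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

PRIVILEGED_ROLES = {"admin", "dba", "finance_approver"}
# Role pairs one person should never hold together (assumed policy).
SOD_CONFLICTS = [frozenset({"dba", "finance_approver"})]
DORMANT_DAYS = 90  # assumed inactivity threshold


@dataclass(frozen=True)
class Account:
    user: str
    roles: FrozenSet[str]
    last_login: Optional[date]     # None = never logged in
    terminated_on: Optional[date]  # None while still employed
    mfa_enrolled: bool


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user, finding code) pairs in roster order."""
    findings = []
    for a in accounts:
        # An enabled account whose owner has left is the classic back-door.
        if a.terminated_on is not None and a.terminated_on <= today:
            findings.append((a.user, "TERMINATED_ACTIVE"))
        # Dormant accounts are rarely missed by their owner, so abuse goes unnoticed.
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user, "DORMANT"))
        # Privileged access without a second factor is one phished password from compromise.
        if a.roles & PRIVILEGED_ROLES and not a.mfa_enrolled:
            findings.append((a.user, "PRIV_NO_MFA"))
        # Separation of duties: one person must not hold both halves of a control.
        if any(conflict <= a.roles for conflict in SOD_CONFLICTS):
            findings.append((a.user, "SOD_CONFLICT"))
    return findings


def sample_roster(today: date) -> List[Account]:
    """Constructed roster; only the dates relative to `today` matter."""
    def ago(days: int) -> date:
        return today - timedelta(days=days)
    return [
        Account("alice", frozenset({"admin"}), ago(3), None, True),
        Account("bob", frozenset({"user"}), ago(200), None, False),
        Account("carol", frozenset({"dba"}), ago(12), ago(10), True),
        Account("dave", frozenset({"dba", "finance_approver"}), ago(1), None, False),
        Account("erin", frozenset({"user"}), None, None, True),
    ]


def run_review(today: date) -> List[Tuple[str, str]]:
    """Review the constructed roster as of `today`."""
    return review_accounts(sample_roster(today), today)


if __name__ == "__main__":
    for user, code in run_review(date.today()):
        print(f"{user}: {code}")
```

Feed a real directory export in place of sample_roster and keep the output with the review sign-off; the thresholds and conflict pairs belong in written policy, with the code only enforcing them, so that the audit trail shows what standard each quarter's review applied.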
Our Differentiators
• INSURANCE PROGRAM GAP ANALYSIS: assess and outline the gaps or deficiencies in your traditional insurance policy, highlighting those areas potentially addressed in a cyber policy
• ANALYTICS TRIFECTA
o DATA BREACH CALCULATION: using the Willis Data Breach Calculator, we assess your potential breach costs
o PEER GROUP BENCHMARK: utilizing basic placement details we are able to provide you with a comparison of basic program features against relative peer companies
o PRISM ANALYSIS (PRIVACY RISK INSURANCE STRATEGY MODEL USING CCOR): conduct analytics based on Monte Carlo simulation to model loss probability and program comparisons; this helps clients decide how much cyber insurance would provide value for the premium spent

Willis is focused on being the broker authority in the cyber space
• Team of 20 professionals within the U.S. focused on cyber
• Developed proprietary models to assess privacy risk & limit adequacy
• Dedicated cyber claim professionals who work with you to ensure your event is being handled properly
• Proactive assistance in evaluating your individual needs, risks and exposures
• Collaborate with your team on manuscript language to ensure your specific operations, risks and exposures are covered properly
• Provide contractual advice and guidance related to cyber issues with customers, partners and vendors
• Assist with executive and board presentations
Our Differentiators – We HAVE handled Cyber Claims

Number of claims
• We have handled 360 cyber claims
• Responses varied from full limits loss coverage to outright denials
• Number of covered claims has far outweighed those where coverage was denied either wholly or substantially
• In short, the coverage works

Claim success involving various types of cyber exposure/loss
• Legal liability to others for computer security breaches
• Legal liability to others for privacy breaches
• Legal liability from systems errors
• Notification, monitoring costs in response to a systems breach
• Privacy regulatory actions and scrutiny
• Loss or damage to data/information
• Loss of revenue due to a computer attack
• Loss of revenue due to programming or systems errors
• Extra expense to recover/respond to a computer attack
• Loss or damage to reputation
• Cyber-terrorism

Continued: grounds on which coverage was denied or limited
• Known claims or prior acts before policy inception
• Items intended to be covered by other traditional policies
• Circumstances that fall outside the definitions of "Privacy Event" and "Confidential Information"
• Patent/trade secret violations
• Insured v. Insured exclusion
• Claims process related defense (late notice, lack of cooperation, failure to use panel counsel, etc.)
• Narrow scope of coverage for PCI fines and penalties
• Breach involved a third party system

What we have learned:
• Policy wording is critical
• Forms vary on key coverage terms
• Early involvement of the insurer is critical
• Insurers usually must consent to any privacy or breach notification counsel and to the retention of a forensic IT vendor to investigate the facts of the breach/loss
• Insurers frequently have panels or lists of pre-approved breach counsel and IT vendors who can provide a prompt response, usually at preferred rates
• All avenues of coverage must be explored, as an incident frequently will involve first party loss, actual or potential third-party loss, crisis loss and regulatory investigations
• Insurer notifications must be tailored accordingly
• If there is an incident that is highly confidential and non-public, there are certain steps we can take when providing notice to narrow the circle of knowledge

Our Differentiators – Adding Value Pre/Post Claim
What is the Application Process?
Completing applications will require gathering information from many parts of your organization, in addition to Risk Management:
• IT and Network Security teams
o Information about the types of technology your organization uses
o Outside vendors and cloud providers that touch your networks
o Details on your monitoring capabilities and third-party audits
• Finance
o Revenues
o Customers, demographics
o Other organizational issues
o Input into your desired program structure as you evaluate the different levels of risk transfer (premium, limits, deductibles and scope of coverage)
• Legal
o Information on contractual protections
o What your customers are demanding from you, and what you are demanding of your vendors in your contracts
o Underwriters are very focused on how successful companies are in limiting their liability, and how aggressively they are seeking indemnity from vendors
o Information on your privacy policies, relationships with privacy counsel, and any breach response planning that has happened to this point
The Willis Advantage – We Are the Industry Leader Globally
E&O and Information Risk Product Team of 20 specialists in the US and 25 outside the US focused on Privacy, Network Security, Media, Technology, E&O and Intellectual Property risk and insurance
• Multidisciplinary experience including broking, underwriting, law, IT, claims, alternative risk transfer and finance
• 20 years average experience
Restaurants – Darden
Hotels – Radisson
Retail – TJX, Staples, Best Buy, Polo
Pharmacies – Rite Aid
Exchanges – NYSE
Financial Services– American Express, Discover
Card Processing – Global Payments
Securities Dealers – Schwab
Airlines – US Airways
Investment Banks – Morgan Stanley
Banks – Citizens Financial
Law Firms – Baker & McKenzie
Insurance – ACE, Hartford, Tokio Marine
Software – BMC
Hardware - TruePosition, Amkor
Manufacturing – 3M
Media – Hachette
Advertising – Publicis
Higher Education – Emory University
Title Insurance – Fidelity National Financial (FNF)
Consumer Goods – Kimberly Clark
Managed Care – Humana
Hospitals – Kaiser Permanente
Casinos – Wynn Resorts
ISP – Time Warner Cable
Consulting – Boston Consulting
For More Information
Contacts:
Dee Anderson, Client Advocate, (865) 583 3740
Steven McGhee, Client Advocate, (865) 583 3752