![Page 1: Data and its Perils October 2015 Presented by – Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP Vice President, Insurance Operations & Technical Affairs](https://reader036.vdocument.in/reader036/viewer/2022062301/5697bf8e1a28abf838c8cd0f/html5/thumbnails/1.jpg)
Data and its Perils
October 2015
Presented by – Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP
Vice President, Insurance Operations & Technical Affairs
Dissecting the Cyber Liability Policy
I. Introduction and Overview
II. Data Breach Exposures
III. Regulations
IV. Coverage Gaps
V. Coverage Considerations
VI. What we need to know
Breach Activity
Think you can’t be hacked…. You might want to think again after reading these headlines….
~ “Federal Reserve confirms website hacked” (2012-2013)
~ “Hackers hit US Department of Energy” (2013)
~ “Cyber 9/11 may be on the horizon”
~ “Romanian arrested on Pentagon, NASA hacking charges” (2012)
~ “Hackers launched Cyber attack on US Public Utility”
…if they can, so can you and your clients!
Hackers broke into the company's server, taking 15 million people's names, addresses, Social Security numbers, birthdays and other identification numbers.
Data Breach Trends
2015 – first 6 months: 1860 incidents exposing 228 million records
2014 – record breaking 1.1 billion (3014 incidents) personal and sensitive records compromised
2014 – 22.3% increase in number of records and a 28.5% increase in number of breaches disclosed from 2013
Resource: Risk Based Security http://seclists.org/dataloss/2015/q1/134. March 2015. 2015-MidYearDataBreachQuickView.pdf
Resource: Data Breach QuickView sponsored by Risk Based Security foundation. April 2014.
2015 Data Breach Trends
• 5 Hacking incidents alone exposed 181.3 million records (2014 – 4 incidents – 647 million incidents)
• A single act of Hacking exposed 78.8 million records (2014 – Fraud – 104 million records)
2015 Data Breach Trends
• The Business Sector accounted for 43.6% of reported incidents and 59.4% of records exposed.
• Phishing accounted for 17 incidents and the exposure of 1.4 million records
• Breaches involving US entities accounted for 37.6% of incidents and 55.3% of the exposed records (2014 – 44.5% of incidents and 47.9% of exposed records)
2015 Data Breach Trends
Number of breaches caused by Hacking: 78.4%
Hacking alone resulted in 95.5% of all exposed records
81.2% of incidents and 96.6% of the total exposed records are the result of outside activity
Resource: Risk Base Security http://seclists.org/dataloss/2015/q1/134. March 2015. RiskBasedSecurity.com 2015-MidYearDataBreachQuickView.pdf
2015 Data Breach Trends
Analysis of events showed most targeted data types:

| Data type | 2015 Mid Year | 2014 |
|---|---|---|
| Password | 55.4% | 62.6% |
| User Name | 44.6% | 50.5% |
| eMail | 48.0% | 49.2% |
| Name | 26.5% | 31.9% |

Resource: Risk Based Security http://seclists.org/dataloss/2015/q1/134. March 2015. RiskBasedSecurity.com 2015-MidYearDataBreachQuickView.pdf
2015 US State – Top 9

| 2015 Incidents | 2015 Exposed Records |
|---|---|
| California | Indiana |
| Florida | DC |
| Texas | Alaska |
| New York | California |
| Virginia | Washington |
| Illinois | Maryland |
| Pennsylvania | New York |
| Indiana | Colorado |
| Georgia | Alabama |

Top Data Breaches of 2015
• Anthem - 80 million customers – names, social security numbers, medical ID’s, employment info and income data
• Premera Blue Cross – 11 million
• International Bank Hack - $1 billion in cash dispensed from ATMs without physical presence
Reference: identityforce.com
Top Data Breaches of 2015
• Equifax – several hundred credit reports sent to an individual
• Internal Revenue Service – suspected 100,000 tax returns stolen; now believe over 600,000 Americans affected
• Ashley Madison
• CVSphoto.com
Top Data Breaches of 2014
• Target – 110 million people’s personal info
• Sony Pictures – internal data (employee passwords and medical information stored, movie scripts, salaries)
• Ebay – 145 million users (email addresses and passwords)
• JP Morgan Chase – 76 million (bank customers and credit card data)
Resource: hotforsecurity.com “Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015”. By Alexandria Gheorghe December 31, 2014
Top Data Breaches of 2014
• Home Depot – 56 million (email addresses using 3rd party vendor credentials)
• Snapchat – 4.6 million (user names and phone numbers)
• Community Health Systems – 4.5 million patients
• Michael’s – 1250 stores (point of sale devices to steal credit and debit card numbers and associated PIN numbers)
Resource: hotforsecurity.com “Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015”. By Alexandria Gheorghe December 31, 2014
Top Data Breaches of 2014
• AOL – 120 million registered accounts (user info including encrypted passwords, encrypted answers to security questions, postal addresses and address book contacts)
• Neiman Marcus – 1.1 million (backdoor software to steal customer email addresses, user names, credit card data and encrypted PINs)
• Staples – 1.16 million payment cards (115 retail stores affected with malware)
Resources: Hotforsecurity.com “Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015”. By Alexandria Gheorghe December 31, 2014
SecurityWeek.com “Top Data Breaches of 2014”. By Brian Prince, December 29, 2014
Key Homeland Security official urges passage of cybersecurity bill
“A top Department of Homeland Security official on October 1, 2014 called on Congress to pass cyber security legislation, saying there is a ‘dire need’ to strengthen the department’s ability to defend against cyberattacks.”
Resource: Washington Post by Jerry Markon, October 1, 2014
Breach Activity
Resource: Carrier Management, October 21st, 2014 by Chris Strom http://www.carriermanagement.com/news/2014/10/21/130678.htm
Breach Activity
Small Business
It’s not just about the big guys!
• Cyber Extortion
• EFT Issues
And more!
“Breach Fatigue”
Are consumers becoming complacent due to the increased number of breach notifications?
Are consumers less likely to protect themselves thereby leaving companies assuming responsibility for increasing levels of fraud and identity theft?
Data at Risk
Exposures
• Hacking
• Websites
• Fraud
• Email
• Skimming
• Viruses
• Lost/stolen laptops/USBs
• Improper Disposal
• Stolen Computers
• Cyber Extortion
From Outside
Inside – Malicious
Inside – Accidental
Data at Risk
Electronic Data
• Databases
• Websites
• Electronic Security
Paper Files
• YES – PAPER Files
• Large amounts of Personal Data (PII and PHI)
• Physical Security (shredder operations)
Data at Risk
• Passwords
• Name
• Email
• User Name
• Address
• Social Security Number
• Phone Number
• Medical
• Credit Card
• Drivers License Number
Data at Risk
PII – Personal Identifiable Information
PHI – Protected Health Information*
PCI – Payment Card Industry
What you should be doing
• Encrypt devices
• Automate patch management
• Password protect
• Be alert to phishing
• Double check mailing details
• Identify risks, plan, practice and training
Resource: Beazley URMI Presentation
Regulations
Federal Laws
• Gramm-Leach-Bliley – personal financial information
• HIPAA – Health Insurance Portability & Accountability Act
• HITECH – Health Information Technology for Economic & Clinical Health
• PCI Security Standards Council – Payment Card Industry Data & Security Standards Compliance
At least 35 Federal Laws with Data Protection or Privacy Protection
Regulations
47 States, District of Columbia, Guam, Puerto Rico and the Virgin Islands have Data Breach laws
Residence of affected individuals determines applicable notice law
Traditional Policies
Traditional Property and Liability Insurance
Damage to Tangible Property
Loss of revenue or extra expenses resulting from damage to tangible property
Liability for bodily injury and tangible property damage including loss of use of that property
• Loss of use of undamaged tangible property
Cyber Reality
• Damage to intangible property
• Loss of use of intangible property
• Third party liability for negligent use of intangible property
• First party legal costs to protect intangible property
Commercial Property
Coverage Issues
• Physical loss or damage to property to trigger both property damage and time element
• Non-physical events (eCommerce)
• Denial of Service (Non-physical event)
• Indemnity Period Provisions
• Computer Viruses
• Employee Dishonesty
• Valuation
CGL Coverage Gaps
• Definition of “Property Damage”
– Physical damage to “Tangible Property”
• Limited Worldwide Territory
• No Advertising Injury if “in the business”
• No Advertising Injury if “Advertising Products/Services of Others”
• Professional Services
• No Patent coverage
• Limited Copyright/Trademark Coverage
• Fines and Penalties
Liability Coverage
Bodily Injury or Property Damage Liability
• Excludes “loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
• CG 04 37 04 13 – Electronic Data Liability Endorsement
– Modifies above exclusion to give this coverage back ONLY if a result of physical injury to tangible property
– Modifies definition of “property damage” to include “loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data resulting from physical injury to tangible property.”
Liability Coverage
CG 00 65 Electronic Data Liability Coverage
• Claims-Made form
• Legal liability because of “loss of electronic data” from an “electronic incident”
• Exclusions
– Providing computer products or services
– Damage to your data
– Infringement of intellectual property rights, copyright or trademark
– Unauthorized use of electronic data by insureds and employees
– Criminal or Fraudulent Acts
Personal and Advertising Injury Liability
• Excludes “infringement of copyright, patent, trademark, trade secret or other intellectual property rights.”
• Excludes media and internet type business
• Excludes chat rooms or bulletin boards
ISO CGL
• May 1, 2014 – The day the Cyber Liability insurance world changed forever
• CG 21 06 – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability
• Mandatory endorsement on all CGL policies after May 1
Crime
Employee theft
• Theft committed by an employee, identified or not
Computer Fraud & Electronic Funds Transfer
• Using computers to fraudulently transfer property
• Fraudulently misdirecting transfer of funds (Money and securities)
Only covers money, security and “other property”
Key definitions: “electronic data”, “Computer programs”, “Fraudulent instruction”
Property Coverage
Direct – EDP Coverage
• Hardware
• Software
• Media
• Data Recovery
• Business interruption and extra expense
ISO E-Commerce Policy (EC 00 10)
Eight Insuring Agreements
1. Web Site Publishing Liability
2. Security Breach Liability
3. Programming Errors and Omissions Liability
4. Replacement or Restoration of Electronic Data
5. Extortion Threats
6. Business Income and Extra Expense
7. Public Relations Expense
8. Security Breach Expense
ISO E-Commerce Policy (EC 00 10)
Exclusions
• Natural causes of loss
• War
• Biological, chemical or nuclear
• Destruction of tangible property or bodily injury and property damage
• Insufficient capacity in computer systems
• Impairment of the internet
• Failure, reduction or surge of power
ISO E-Commerce Policy (EC 00 10)
Exclusions
• RICO losses
• Satellite failure
• Intentional damage by “insured”
• Publication of material with knowledge of falsity
• Contractual liability
• Patent or trade secret violations
• Pollution
ISO E-Commerce Policy (EC 00 10)
Exclusions
• Pending claims, suits or processed prior to “policy period”
• Employment practices
• “Loss” prior to retroactive date
• “Loss” reported under prior policies with the same insurer
• Criminal acts of “insured” alone or in collusion
ISO E-Commerce Policy (EC 00 10)
Exclusions
• “Loss” determination expenses
• Governmental action including seizure or destruction
• Computer upgrade expenses
• Insured v. insured
• “Electronic data” input errors
• Territory – Worldwide “wrongful acts”, US suits
ISO E-Commerce Policy (EC 00 10)
Endorsements
• Nonbinding Arbitration (EC 10 03)
• Binding Arbitration (EC 10 04)
• Supplemental Extended Reporting Period (EC 20 01)
• Include Specified Individuals as Employees (EC 20 02)
• Amend Territory Condition for Wrongful Acts or Suits (EC 20 03)
– Exclude scheduled territories
– Include scheduled territories
Professional Liability
Coverage limitations
Other Insurance Clause
Considerations
• Types of Coverage needed
• Terminology/Definitions
• Available Limits
• Coverage Provided
• Coverage Triggers
• Types of Data Covered
• Remediation Costs Covered
• Remediation Coverage Services
Coverage Comparison

| Coverage | | | |
|---|---|---|---|
| Aggregate Limit | $1,000,000 | $1,000,000 | $1,000,000 |
| Retention | $5,000 | $5,000 | $10,000 |
| Premium (Not including policy fee or taxes) | $3,157 | $3,498 | $4,402 |
| Privacy/Network Security Liability | $1m limit within the agg. | $1m limit within the agg. | $1m limit within the agg. |
| Breach Response Costs/Notification Costs | 100,000 notified individuals; cost is separate from and in addition to the aggregate limit. | 250,000 notified individuals; cost is separate from and in addition to the aggregate limit. | $250k included within the agg. ($5k retention) |
| Business Interruption Aggregate | $1m limit; $250,000 hourly | $1m limit; $250,000 hourly | $250k included within the agg. |
| Privacy Regulatory Defense and Penalties | $1m limit within the agg. | $1m limit within the agg. | $500k included within the agg. |
| PCI Fines and Costs | $500,000 limit within the agg. | $500,000 limit within the agg. | Unclear; no specific mention |
| Cyber Extortion | $1m limit within the agg. | $1m limit within the agg. | $250k included within the agg. ($5k retention) |
| Media Liability | $1m limit within the agg. Covers media on insured's website and media created by insured on a third party website. | $1m limit within the agg. Covers media on insured's website and media created by insured on a third party website. | $1m limit within the agg. |
| Credit Monitoring | Included | Included | Included |
| | $1m included within the agg. | $1m included within the agg. | $250k included within the agg. ($5k retention) |
| Crisis Management | $250k included within the agg. | $250k included within the agg. | $250k included within the agg. ($5k retention) |
| Funds Transfer Fraud | N/A | N/A | $250k included within the agg. ($5k retention) |
| Computer Forensic Costs | $250k included within the agg. | $250k included within the agg. | Included within notification costs limit |
| Loss Prevention and Risk Management Services | Yes - Policyholders are enrolled in NoDataBreach.com for pre claim risk management services; in-house claims team that assist along with selected vendors post claim. | Yes - Policyholders are enrolled in NoDataBreach.com for pre claim risk management services; in-house claims team that assist along with selected vendors post claim. | Yes - Insured has access to a third party vendor to provide guidance pre claim and post claim. |
| Minimum Earned Premium | | | |

What we need to Know
• Applications
• First party Coverage
• Third Party Coverage
• Business Income
• Risk Management
• Claims Services
• How to Handle Objections
Applications
• Application interpretations
• Application is a warranty
• Information requested:
– General information
– Revenue Information
– Management of Privacy Exposures
– Computer System Controls
– Content Controls
– Prior Insurance
– Prior Claims or complaints
Coverage Overview
• First Party Coverage (differs greatly among carriers)
• Third Party Coverage
• Risk & Crisis Management Services (not all carriers)
First Party Coverage
Direct loss to your organization. Can Include:
• Forensic analysis and remediation of breach
• Damage to computer systems and networks
• Notification Expenses (including VOLUNTARY Notification)
• Data Restoration
• Business Income (eCommerce)
• Contingent Business Income
• Regulatory Fines and Penalties
• PCI Fines and Penalties
• Cyber Extortion
• Crisis Management – Legal, Public Relations
• Credit Monitoring
• Intellectual Property – Copyright, Trademarks, other
Third Party Coverage
Liability imposed due to negligence
• Breach or Privacy Liability
• Advertising Injury/Personal Injury
• Professional Liability – “in the business of”
– Software development
– Network maintenance
– Security Services
Cyber Risk Insurance – Coverage Options
Media Liability
All media activities or just online media (including social media)
• Facebook
• Twitter
• Blogs
• YouTube
Intellectual Property liability coverage:
• Copyright infringement – can be included
• Trade or Service Mark infringement – can be included
• Patent infringement – cannot be included in most forms
Additional concerns
• Application interpretations
• Application is a warranty
• Coverage trigger – suspected or confirmed breach?
• Does it cover social media?
• Is defense inside or outside the limit?
• Sublimit reduction of aggregate?
• First Party – expenses included?
• Voluntary notification (not just minimum legal requirements)
Additional concerns
• Encryption requirements
• Transmission of computer viruses
• Third party – i.e.: the cloud
• Contractual Liability
• Intentional acts
• Other than electronic data (paper)
• Package or à la carte
• Pricing
• Capacity
Carrier & Coverage Trends
• Notification on number of records breached vs. dollar limit (aggregate issues)
• Notification expenses separate from limit of liability
• Sublimits part of the aggregate
• Liability for loss of personally identifiable information
– Not just electronic, but all types of data, including paper
– Corporate information, not just individuals
– All types of data, not just financial
– Some cover loss of data when in the possession of a 3rd party such as a vendor
Carrier & Coverage Trends
Risk Management Services
More carriers are entering the market, including mutual insurers and small regionals – often backed by an established cyber liability insurer
Risk & Crisis Management
Web based training and risk assessment tools
Vulnerability analysis
Cyber Coach
Claims management
Post Claim Risk & Crisis Management Services
1. Notification of affected individuals
2. Credit monitoring if required
3. Call center if needed
4. Forensic experts to determine the cause of the breach as well as help identify financial loss (Business Income, Data Loss)
5. Assistance with data and system restoration
6. Public relations to help manage reputational risk
7. Legal Assistance
Underwriting and Pricing Considerations
Underwriting Considerations
• Type of data stored
• Types of controls in place
  • Firewalls
  • Encryption
  • Detection Systems
  • Risk Management Plans
  • Vendors
• Type of exposure (retail, public entity, medical, financial, etc.)
• Type of web presence (interactive vs. informational)
• Claims History
Underwriting and Pricing Considerations
Primary Rating and Premium Factors
• Industry
• Revenue
• Number of records stored
• Limits purchased
• Retention
Main Reasons for NOT Purchasing Cyber Insurance
52% Premiums too expensive
44% Too many exclusions, restrictions & uninsurable risks
38% Property & Casualty Policies are sufficient
26% Unable to get insurance underwritten because of current risk profile
26% Coverage is inadequate based on exposure
9% Risk does not warrant insurance
6% Executive management does not see the value of this Insurance
Resource: Ponemon Institute, August 2013 (Respondents were asked to choose top two reasons)
Overcoming Objections
• Not if but when
• National Small Business Association
• Fire insurance even though you take precautions
• Claims that hit home
• Educate the business owner
• Applications
Resources
• The Betterley Report – Cyber/Privacy Insurance Market Survey – 2014: “Maybe Next Year” Turns into “I need it Now”
http://www.irmi.com/online/betterley-report-free/cyber-privacy-media-liability-summary.pdf
• IRMI – Whitepaper – What Every Insurance Professional Should Know about Network Security and Privacy Liability
http://www.irmi.com/online/privacy-liability/network-security-and-privacy-liability.pdf
• Ponemon Institute
http://www.ponemon.org/index.php
• IRMI “Analyzing Nonstandard Cyber and Privacy Insurance Policies”
http://www.irmi.com/expert/articles/2014/austin10-commercial-property-insurance.aspx?cmd=print
• Verizon 2014 Data Breach Investigations Report
www.verizonenterprise.com/DBIR/2014
• Experian Data Breach Report 2014
http://www.experian.com/data-breach/data-breach-industry-forecast.html
• Advisen Cyber Risk Network
http://www.cyberrisknetwork.com/data/
• Symantec Internet Security Threat Report 2014
http://www.techrepublic.com/resource-library/whitepapers/symantec-internet-security-threat-report-copy1/
• Insurance Information Institute – Cyberliability: The Growing Threat
http://www.iii.org/white-paper/cyber-risks-the-growing-threat
• Net Diligence
http://netdiligence.com/services.php
• Legis.sd.gov - 22-40-8 Identity Theft – Felony
• Atg.sd.gov - Identity Theft
Questions?