December 2014
Cyber Risk – What Boards Need To Know
What is Cyber Liability?
NOT DEFINED
• Can be any or all of the following:
 – Loss of Personally Identifiable Information (Clients & Employees)
 – Failure to Prevent Unauthorized Access (Virus/Hacking)
 – Network or Security Failure (and Subsequent Loss of Income)
 – Misuse/Infringement of Copyright, Trademark, Patent
 – Etc.
Where do the threats come from?
OUTSIDE, INSIDE & SYSTEM FAILURES
• Hackers & Unauthorized Access
• Viruses, Trojans & Malicious Code
• Rogue Employees
• System Failure
• Vendors
• Failure to Comply With Company Policies
• Cloud
• Denial of Service
• Phishing
Cyber Facts
• Only 20% of companies believe current incident response programs to be “very effective.” – Information Security Media Group
• 2012/13 supply chain disruptions were from technology & cyber events, not weather-related events. – Guy Carpenter
• Reputation management was #1 in a 2013 survey of executives’ top risk concerns. – TechAssure Association
• 30% of customers will not be back after a data breach; 70% after a second incident. – Independent Consumer Poll
• 46% of companies surveyed in 2011 reported network intrusion attempts. – Computer Security Institute
The “C-Level” Disconnect
CEO + CFO + CIO = ?
• False Assumptions of Security
• Perceived Proactive Safeguards
• Failed Expectations of Compliance
Spencer Hoole (Moderator), President and CEO, Diversified Insurance Group
William Stern (Panelist), EVP, General Counsel, Ancestry.com
Susan Miner (Panelist), Senior Partner, Woodruff-Sawyer
Daniel Burke (Panelist), Senior Underwriter, Hiscox
Facts
• In 2013 the FBI notified 3,000 companies in the United States that they had been victims of cyber-attacks.
• Reports estimate that cybercrime cost the global economy up to $575 billion annually and approximately $100 billion in the United States alone.
• According to one 2013 survey, the average annualized cost of cyber-crime to a sample of U.S. companies was $11.6 million per year, representing a 78% increase since 2009.
• 77% of respondents to a 2014 PricewaterhouseCoopers study detected a security event in the past 12
Relevant Regulation in the US
• FTC regulates whether commerce is fair or deceptive
 – Privacy statements and use of information
 – Deceptive and/or Unfair practices
 – Section 5 (FTC Act) liability governed by a “reasonableness” test regarding security and statements made about security, in light of sensitivity, volume, size, complexity, and the cost/benefit of better security and reduced vulnerability (perfect security is neither expected nor required).
• Other regulators:
 – Health: HIPAA (HHS); Finance: GLBA (CFPB)
 – International: Safe Harbor (Commerce)
 – DOT; OMB; IRS; EEO; ADA; DHS; ETC!
Standards Imposed by Private Organizations
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27001 (requirements for an information security management system: high-level organizational rules, policies and procedures – a checklist, certifiable by outside auditors)
• ISO 27002 (code of practice: guidelines and principles for initiating, maintaining and improving security within an organization – not required and cannot be certified)
• SSAE 16 auditing standard for controls at “service” organizations (SOC 1 reports)
• Industry best practice – Cloud providers
Judicial/SEC Standards
• Caremark decision:
 – Boards are protected by the Business Judgment Rule unless they:
   - “utterly failed” to oversee a system of controls, or
   - “consciously” failed to monitor or oversee risks
 – Result is an obligation to ask for security updates/reports
• SEC:
 – 2011 Guidance regarding disclosure of cybersecurity risks and incidents
 – Must provide specific, non-boilerplate disclosure in risk factors and MD&A
 – Provide disclosure of Board risk oversight
What Your Board Needs to Know
• Cyber-risk evaluation/response.
• Require regular reports on security risks.
• Review cybersecurity as part of the budget.
 – Does cybersecurity take a backseat to other IT or physical security projects?
 – 65% of IT departments cite budget constraints as their #1 obstacle to delivering value
• Re-evaluate cyber insurance.
What You Need to Know
• Your information network will be compromised. Accept it!
• Physical security and cybersecurity are linked.
 – Target breach: attackers got onto the network using network credentials stolen from Target’s HVAC vendor
• Cyber damage goes beyond the dollars
 – Reputational damage with customers
 – Increased cost of new systems for prevention (EMV)
• Everything cannot be protected equally
 – Identify the crown jewels and really, really protect them
• Walls are probably high enough – look at detection
Recommended steps:
• cyber-risk education for directors, including periodic updates to the board on new developments;
• determine what part of the Board will oversee cybersecurity risks (could be the entire board or a committee);
• invest time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the industry;
• develop a business culture that prioritizes cybersecurity;
• review the terms of the insurance policy and its coverage of cybersecurity issues; and
• assess the need to bring in external advisors.
Keys to an Effective Cyber Program
• Led by executives defining cyber risk management priorities and risk appetite
• Involve everyone – not just an IT or finance issue
• Identify all stakeholders – internal and external (suppliers, vendors, partners)
• Program, not project – requires continuous monitoring and review
• Comprehensive and integrated
 – Understand how events impact the business
 – Integrate information security insights into the management decision-making process
Cyber Risk Strategy
• Align Cyber Risk strategy with business strategy
• Outsource? – Determine which security functions are performed in house, which are outsourced and in the cloud
• Use trusted standards to increase confidence (ISO, COSO, COBIT)
• Conduct independent third party assessments
• Identify and define KPIs to monitor success (e.g., up-time)
• Corporate culture that anticipates risks rather than reacts
• Leverage expertise of others
www.wsandco.com |
The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co.
Cyber Liability Exposure Overview
First-Party v. Third-Party Coverage
Coverage in Today’s Cyber Market
Business Interruption
Insuring for Business Interruption from the failure of your technology network is a relatively new concept.
Categorized into three types of failures, coverage varies based on the triggers and sources of the failure.
Typical Losses: Profits and extra expenses

Source of Failure | Triggered by                                                                            | Direct BI (Your Own Network) | Contingent BI (Outsourced/Cloud Network)
Security Failure  | Hacker / 3rd-party breach / Denial of Service attack that renders a network inoperable   | Widely available             | Limited
System Failure    | Unplanned / unintentional outage of a network                                           | Few markets                  | Few markets
Physical Damage   | Failure of a network due to a physical peril such as fire, wind, flood, etc.             | N/A*                         | Rare*

* Property BI coverage may be applicable
Emerging Coverage Trends
• Contractual Liability
 – Coverage disputes over PCI “assessments” due to faulty policy language in breach-of-contract exclusions
 – Look for affirmative language – “demand from a payment card association or [bank] for a monetary assessment including a contractual fine or penalty for failing to comply with PCI-DSS”
• Choice of counsel/vendors
 – Carrot vs Stick approach (incentives for using the carrier’s vendors, or making them mandatory)
 – Pre-approval vs game-time decision
• Prior Acts Coverage
 – Key issue when first purchasing coverage, as new breaches discovered during the policy term may have begun months earlier
 – Some carriers will offer 1 year backdated for a price: PAY THIS
Cyber Risk and D&O Litigation
In October 2011, the SEC published guidance for companies that suggested issuers should consider
• the “probability of cyber incidents occurring”
• “the quantitative and qualitative magnitude of those risks”
• that appropriate disclosure may include a “description of relevant insurance coverage.”
Significant Data Breaches Can Lead to D&O Issues

Company           | Cyber Event                                                                              | D&O Matter                                                                | Status
ChoicePoint       | (2005) 500,000 PII exposed via a data warehouser.                                        | (2005) Class Action                                                       | (2008) Settled $10M
TJX               | (2006-2007) 45M+ customer credit card data and other PII hacked; cost $171M.             | (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty) | (2010) Settled, $595K plaintiffs’ fee award & therapeutics
Heartland Payment | (2009) 130M cards at payment processor; cost $140M.                                      | (2009) Class Action                                                       | (2009) Dismissed
Target            | (2013) 70M+ credit/debit cards breached at POS system; estimated cost over $1 billion.   | (Jan 2014) Derivative Suit (breach of fiduciary duty)                     | Pending
Wyndham           | (2008-2010) Three breaches; 619,000 customers impacted.                                  | (Feb 2014) Derivative Suit (breach of fiduciary duty)                     | Dismissed
Board-Level Cyber Liability Questions

State of Cyber Risk Insurance Market
• Growing industry segment within Insurance – more carriers entering the space
• Coverage grants getting more nuanced
• More industries buying cyber insurance
 – Healthcare
 – Financial Institutions
 – Retail
 – Services Companies (professional, technology, etc.)
 – Others (Construction, Manufacturing, Energy, etc.)
How Cyber Insurance is Underwritten
• Premium calculated off industry class, number of records, revenues, controls and claims.
• Statutory and regulatory liabilities drive coverage need – industry type matters.
• Personally Identifiable Information (PII) most often triggers coverage – how many and what type of records do you have?
• Do you know where all your records are stored? How are they protected?
 – Outsourcing the services does not outsource the liability
 – Encryption, encryption, encryption
 – Two-factor authentication
 – Contracts
How to Respond to a Breach
Have A Plan!
– 67% of companies suffering Data Breaches are out of business within 6 months. (Symantec Corporation. 2013 Internet Security Threat Report. Vol. 18. California: Symantec Corporation, 2013.)
– Breach Response Plan should be formalized and tested
  • Risk Management, IT, and Legal should all be involved
– Insurance Carriers offer turn-key solutions
Navigating the Claims Process
• Immediate response is key, but the claims process will take time
• Multiple 1st party elements to a breach response
– Computer Forensics
– Legal Consultation
– Breach Notification
– Credit Monitoring
– Public Relations
• Class action litigation