ACI’s 14th Advanced Forum on Cyber & Data Risk Insurance: Emerging Threats and New Areas of Coverage (November 30 – December 1, 2016)


Page 1: ACI’s 14th Advanced Forum on Cyber & Data Risk Insurance

#ACICyberRisk

Emerging Threats and New Areas of Coverage

November 30 – December 1, 2016

Speakers:

Sharon R. Klein
Partner
Pepper Hamilton LLP
949.567.3506

Eric Cernak
VP, Cyber Risk Practice Leader
The Hartford Steam Boiler Inspection and Insurance Co.
860.722.5229

William T. Um
Policyholder Counsel
Kilpatrick Townsend & Stockton LLP
310.777.3747

Wendi L. Boyden
Vice-President, Underwriting
OneBeacon Technology Insurance
617.725.6206

Tweeting about this conference? #ACICyberRisk

Page 2: Internet Of Things – The Risk Of The Machines

Page 3: What is the “Internet of Things”?

“Devices or sensors that connect, communicate or transmit information with or between each other through the Internet.”

Source: FTC Report on the Internet of Things, “Privacy & Security in a Connected World”, https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

Page 4: Examples of IoT Devices

• Fitness Trackers

• “Smart [INSERT ITEM]”, including thermostats, outlets, appliances, etc.

• Personal assistants

• Wearables

• Tracking devices connected to keys, luggage, personal items

• Baby monitors

Page 5: Potential Benefits

• Convenience, data gathering, tracking

• Specific benefits to insurance companies of new tech

a. Identification

b. Tracking

c. Usage

d. Monitoring structural stress and providing alerts

e. Auto-alerts or shutdowns of systems and structures to prevent failure

f. Wearable fitness devices (watches, Ralph Lauren Polotech shirt with biometric monitoring)

Page 6: Potential Risks

• Privacy concerns

• Lack of or inadequate encryption

• Lack of software updating

• Default settings ignore security and privacy concerns

• Entry

• Control

• Sabotage

• Theft

• Fraud

• Info collected and transmitted to device manufacturer

Page 7: RANGE OF ENTERPRISE RISKS

Securities/Shareholder Lawsuits

Regulators

Individual Plaintiff

Class Action

HR Issues

Audits

Investigations

Remediation

Fines

Civil Penalties

Sales/Profit Loss

Media

Loss of Trust

Customer Loss

Page 8: A narrow lens on cyberattacks can leave organizations unprepared for the broader potential costs

• Customer breach notification

• Post-breach customer protection

• Regulatory compliance costs

• Public relations costs

• Attorney fees and litigation

• Cybersecurity improvements

• Cost of lost customers

• Impact to current contracts

• Devaluation of trade name

• Loss of IP

• Impact of operational disruption and/or destruction

• Insurance premium increases

• Increased cost to raise debt

(Figure: the slide groups these costs as “Above the surface” and “Below the surface”.)

Page 9: …and unprepared for the duration of recovery efforts

Costs are incurred and impacts are felt over years, in several phases:

Incident triage: Analyze and take immediate steps to stop compromises in progress

Impact management: Minimize and address the direct consequences of the incident

Business recovery: Repair damage to the business and prevent occurrence of future incidents

(Chart axes: Magnitude of costs vs. Impact over time)

Page 10: What does it cost?

Cost Factors                           Cost (millions)   % of Total
Customer breach notification           --                --
Post-breach customer protection        --                --
Regulatory compliance                  --                --
Public relations                       $1.00             0.02%
Attorney fees and litigation           $11.30            0.24%
Cybersecurity improvements             $13.00            0.27%
Insurance premium increases            $1.00             0.02%
Increased cost to raise debt           --                --
Operational disruption                 $1,200.00         25.09%
Lost value of customer relationships   --                --
Value of lost contracts                $1,617.00         33.81%
Devaluation of trade name              $1,697.00        35.48%
Loss of intellectual property          $242.50           5.07%
Total                                  $4,782.80         100.00%

(Chart labels: Known costs / Hidden costs; Total potential impact >$4B)

• Many of the costs commonly associated with PII-type data breaches do not factor in

• Greatest impacts are intangible costs

• The value of lost IP is not the major cost, but the theft of IP has rippling impacts

Page 11: There’s a big disconnect with the business

Cybersecurity programs continue to focus on the threats, vulnerabilities and probability. Often, not enough attention is paid to the true damages a particular type of cyberattack can cause. By looking realistically at the potential costs, business leaders can right-size investments to better protect their most valuable assets.

(Figure: the questions a program asks: What are the threats? Where are our vulnerabilities? How likely is this type of attack? What is the business impact?)

Page 12: What Are Some Of The Technologies That Are Already Present In Our Society That Pose New Risks?

Page 13: Emerging Technologies

• Mobile Medical Applications

• Augmented/Virtual Reality

• Driverless or Connected Automobiles

Page 14: What Are Mobile Medical Applications (MMA)?

Applications Transmitting Medical Data on Individuals, including:

• wellness tracking information created and shared by individual consumers

• medical data sent to a person directly from his or her medical device

• information sharing that is not with a health care provider, health plan or other covered entity

• mobile medical application used by consumers

• exchange of health care information in the cloud.

Page 15: MMA Understanding Risk

(Figure: applications placed on a scale from Low Risk to High Risk)

Examples on the scale, lower-risk end: BMI calculator; Trending algorithm for determining next clinical action; Medication reminder

Examples on the scale, higher-risk end: Radiation dose calculator; Medical image analyzer for disease/anomaly detection; Cancer treatment recommendation; Complex analyzer for untrained user; Drug-drug interaction/allergy verification

Influenced by:

• General acceptance

• Pervasiveness

• Complexity

• Extent of reliance

Page 16: MMA Benefits

• Provides more complete patient data to Doctor for diagnosis and treatment

• Improves disease prevention and healthcare quality

• Engages patient in treatment plans

• Drives healthcare costs down

• Revolutionizes medical research and population health

Page 17: MMA Risks

• Heightening security risks through cloud and network connections

• Increasing unauthorized access to and misuse of personal information

• Facilitating attacks as a gateway to other computers/systems

• Creating risks to personal safety

• Failing to warn in labels/privacy policies

• Jeopardizing intellectual property rights

Page 18: MMA Underwriting Challenges

• Evaluating scope of privacy concerns

• What are the costs/risks associated with potential HIPAA violations?

• How would traditional GL policies fit in? Would bodily injury claims continue to be covered?

• Insufficient loss history to evaluate scope of risk

Page 19: Augmented/Virtual Reality

Virtual Reality

• Creation of a virtual world that users can interact with

• Mainly used through a VR helmet/goggles, either alone or in combination with games

• Examples: Facebook’s Oculus Rift; Sony PlayStation VR; HTC’s Vive

Page 20: Augmented/Virtual Reality

Augmented Reality

• Software that overlays the real world with the digital one

• Examples are:

  • Pokemon Go

  • Wearable AR glasses that can be paired with smartphones, such as Google Glass, Epson Moverio or Vuzix’s M100 Smart Glasses, or head-mounted displays like Microsoft HoloLens

  • Auto rear cameras with virtual lines that show where the steering wheel is pointing, and displays that project speed, song and GPS info on the front glass

  • Applications that project a captured image onto a specific area – Ex. VeinViewer (captures an image of the veins with an infrared camera and projects it onto the skin)

  • Google, Samsung and Sony investing in smart contact lens technology

Page 21: Augmented/Virtual Reality - Benefits

Healthcare

• used to treat human cognitive and behavioral conditions and provide training to medical students.

Real estate and automotive

• used to show properties and cars to potential buyers.

Sports industry

• provide zero-impact training to athletes.

Education

• incorporating the technology into learning tools designed to engage children.

• Also being used for advertising, space exploration, tourism, military and law enforcement purposes, and, naturally, entertainment

Page 22: Augmented/Virtual Reality - Risks

Consumer Safety

1. Arising out of consumer use

2. Malware infection which:

   a. Deceives the user into falsely believing that certain objects are or are not present in the real world

   b. Causes a sensory overload to users that could physically harm them by flashing bright lights in the display, playing loud sounds, or delivering intense haptic (touch) feedback (e.g., attackers have been known to target epilepsy forums, posting messages containing flashing animated GIFs to trigger headaches or seizures)

Can be difficult to avoid if contained in wearables or implanted technology (contact lenses, windshields that display augmented content over the user’s view of the road)

Page 23: Augmented/Virtual Reality - Risks

User Privacy

• Can collect a multitude of information in order for the device to function as intended, such as physical movement (head, hand, eye, whether the user is sitting or standing, etc.) and user location

• Location, shopping history, financial details, etc. – depends on the type of “reality” experience that each user is looking for

• Continuous collection of information even when the device is not in use

Ex: the software used for Oculus Rift continuously collects this information and sends it to Facebook, even when the device is not in use. Thus Facebook, through Oculus, knows what content users are viewing on the Rift, where they are viewing it and the positional tracking of the device.

AR/VR apps are still at a young stage and may not have privacy built in as a fundamental feature (Ex. Pokemon Go in its initial version).

Page 24: Augmented/Virtual Reality - Risks

Information Security

1) Regulatory Action – Federal Trade Commission

2) Theft of information by cyber criminals

Page 25: Augmented/Virtual Reality - Underwriting Considerations and Challenges

• There are no universally approved security standards for IoT and Augmented Reality, and chances are that not many such risks have made privacy and security fundamental; they therefore merit a higher level of scrutiny

• Examine the company’s experience in the marketplace with AR/VR and its experience with building security and privacy features into other products

• Analyze what the product does and what types of information need to be collected in order to optimize use

• Ensure the privacy policy sets forth all sensitive information collected or to which the user is allowing access, clearly spells out what the company does with the information collected, and provides appropriate opt-out choices to the consumer

• Additional guidance to the user on how to achieve the most secure use of the product is a plus

• Examine network security controls to weigh exposure to cyber theft:

  • Access controls in place – where multiple applications are being run on a single platform, are there appropriate access control measures in place to ensure that the AR application is not making its data accessible to other applications running on the platform, which may be malicious?

  • Encryption – is data that is being appropriately “shared” with other applications being shared in a secure manner, such as with encryption?

Page 26: Connected Autos

• Semi-Autonomous Vehicle – One having driver assistance features, e.g. adaptive cruise control

• Connected Vehicle – One having a connection to the Internet

• Autonomous Vehicle – Capable of driving without human input

Page 27: Connected Auto Benefits

• Less congestion and pollution – shared vehicles

• Increased mobility for aging population

• Potentially safer – less driver fatigue

• Improved fleet management

• Improved crash response

• Car problem diagnosis

Page 28: Connected Auto - Risks

Consumer Safety

• Vehicle-to-vehicle (V2V) communication issues

• Moral & ethical decisions – programming for an unavoidable accident

Page 29: Connected Auto - Risks

User Privacy

• Geo tracking (GPS)

• Driving habits

• Personal schedule

• Theft of user credentials – infotainment services

Page 30: Connected Auto - Risks

Information Security

• Lack of Security by Design

  • Patching

  • Long development cycles

• Extortion/ransomware/disablement

• Hacking/loss of control

• Remote car theft

Page 31: Underwriting Considerations and Challenges

• Who’s being “underwritten”?

  • Who is the “Driver”?

  • OEM

  • Tier 1, Tier 2, etc.

  • Retrofitter

  • Gearhead/tech head

• Claims adjudication – mechanical breakdown, system corruption, wear & tear

• Mixed ‘ecosystem’ – traditional, semi-autonomous, autonomous vehicles

• Interplay with products liability claims

Page 32: FTC Guidance

What Should Companies Be Doing to Address These Risks?

• Make privacy a fundamental feature if sensitive personal information is collected

• Let prospective customers know what you’re doing to secure customer information

• Advise the consumer to change the factory default setting and ensure that process is a simple one for the consumer

• Take advantage of readily available security tools, and test security measures before launching your product

• Design your product with authentication in mind

• Protect the interfaces between your product and other devices or services

• Establish an effective approach for updating your security procedures
