Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Transcript of Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
About SecureDocs • SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties.
Company Basics:
• Virtual data room used by companies from fundraising to exit
• Developed by the team that created and launched GoToMyPC and GoToMeeting
• Web-based business software for financial and legal professionals
• Distinguished through its ease-of-use, industry-leading security, and flat-fee pricing
About Roberta D. Anderson
Roberta is a partner in the Pittsburgh office of K&L Gates LLP. A member of the firm’s Insurance Coverage and Cybersecurity practice groups, Roberta concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues.
Agenda
– The Spectrum of Cyber Risk
– Practical Risk and Exposure
– Legal and Regulatory Framework
– What to do Before an Incident?
– Potential Coverage Under “Legacy” Policies
– Limitations of “Legacy” Insurance Policies
– Technology Errors & Omissions Coverage
– Cutting Edge “Cyber” Products
– How To Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
– A Word About Vendor Contracts
– Audience Q&A
THE SPECTRUM OF CYBER RISK
The Spectrum of Cyber Risk
– Malicious attacks (Advanced Persistent Threats, spear phishing/social engineering, viruses, worms, Trojans, DDoS attacks)
– Data breach
– Unauthorized access (hacker attacks, spyware)
– Inadequate security and system glitches
– Employee mobility and disgruntled employees
– Lost or stolen portable devices
– Inadequate security and systems: first party and third-party vendors
– Carelessness of employees and vendors
“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” – Robert S. Mueller, III, Director, FBI
LEGAL AND REGULATORY FRAMEWORK
– State Privacy Laws – http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
– Federal Privacy Laws
  – Gramm-Leach-Bliley Act
  – HIPAA/HITECH
  – Federal Trade Commission (FTC v. Wyndham Worldwide Corp.)
  – FACTA/Red Flags Rule
– Foreign Privacy Laws
– PCI Data Security Standards (PCI DSS)
Legal and Regulatory Framework
Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-the-next-target-02-11-2014
Legal and Regulatory Framework
“appropriate disclosures may include: . . . [a] [d]escription of relevant insurance coverage.”
§ SEC Guidance -- “[A]ppropriate disclosures may include”:
§ “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
§ “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
§ “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
§ “Risks related to cyber incidents that may remain undetected for an extended period”; and
§ “Description of relevant insurance coverage.”
Legal and Regulatory Framework
– NIST Cybersecurity Framework -- provides a common taxonomy and mechanism for organizations to:
  – Describe their current cybersecurity posture;
  – Describe their target state for cybersecurity;
  – Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  – Assess progress toward the target state;
  – Communicate among internal and external stakeholders about cybersecurity risk.
– The Framework is voluntary (for now)
Legal and Regulatory Framework
– NIST Cybersecurity Framework
NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/
Legal and Regulatory Framework
PRACTICAL RISK AND EXPOSURE
• Breach Notification Costs/Identity Monitoring
• Computer Forensics/PR Consulting
• Loss of Customers/Revenue
• Damaged Reputation/Brand
• Regulatory Actions/Fines/Penalties/Consumer Redress
• Lawsuits & Defense Costs
• Loss of “Crown Jewels”
• Business Interruption & Supply Chain Disruption
• Drop in Stock Price/Loss of Market Share
• Potential D&O Suits (Target)
Practical Risk and Exposure
WHAT TO DO BEFORE AN INCIDENT?
“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference San Francisco, CA (Mar. 1, 2012)
POTENTIAL COVERAGE UNDER “LEGACY” POLICIES
– Directors’ and Officers’ (D&O)
– Errors and Omissions (E&O)/Professional Liability
– Employment Practices Liability (EPL)
– Fiduciary Liability
– Crime
  – Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
– Property?
– Commercial General Liability (CGL)?
Potential Coverage Under “Legacy” Policies
– Coverage B provides coverage for damages because of “personal and advertising injury”
– “Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
– What is a “Person’s Right of Privacy”?
– What is a “Publication”?
Potential Coverage Under “Legacy” Policies
LIMITATIONS OF “LEGACY” INSURANCE POLICIES
klgates.com
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
– Zurich American Insurance Co. v. Sony Corp. of America et al.
TECHNOLOGY ERRORS & OMISSIONS COVERAGE
– Essential for a provider of e-commerce-related solutions
– Covers
  • Errors & Omissions in the Provision of Technology Services
  • Failure of Technology Products to Serve Their Purpose
– But there are limitations
  • Triggered By a “Claim” That Alleges An Act or Omission
  • May Exclude Security Breach or Unauthorized Access to Information
  • May Not Include Breach Notification Costs, Which is Viewed As More of a “First-Party” Loss
Technology E&O Coverage
CUTTING EDGE “CYBER” PRODUCTS
– Privacy And Network Security – Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
– Regulatory Liability – Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties
– Media Liability – Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content
Specialty “Cyber” Policies – Third Party
– Information Asset Coverage – Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
– Network Interruption And Extra Expense (and CBI) – Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
– Extortion – Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)
– Crisis Management
Specialty “Cyber” Policies – First Party
HOW TO ENHANCE “OFF-THE-SHELF” CYBER INSURANCE FORMS THROUGH NEGOTIATION
Data Breach Example 1
Data Breach Example 2
Data Breach Example 3
Network Security Example 1
Network Security Example 2
Network Security Example 3
TIPS For A Successful Placement
§ Embrace a Team Approach
§ Understand the Risk Profile
§ Review Existing Coverages
§ Purchase Cyber Coverage as Needed
§ Remember the “Cyber” Misnomer
§ Spotlight the “Cloud”
§ Consider the Amount of Coverage
§ Pay attention to the Retroactive Date and ERP
§ Look at Defense and Settlement Provisions
BEWARE. THE. FINE. PRINT.
“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)
A WORD ABOUT VENDOR CONTRACTS