Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance


Slides from our June 12, 2014 webinar focusing Cybersecurity. These slides contain information on risk, legal information, and how to choose an insurance policy covering cybersecurity breaches.

Transcript of Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Page 1: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Page 2: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

About SecureDocs

• SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties.

Company Basics:

• Virtual data room used by companies from fundraising to exit
• Developed by the team that created and launched GoToMyPC and GoToMeeting
• Web-based business software for financial and legal professionals
• Distinguished through its ease-of-use, industry-leading security, and flat-fee pricing

Page 3: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

About Roberta D. Anderson

Roberta is a partner in the Pittsburgh office of K&L Gates LLP. A member of the firm's Insurance Coverage and Cybersecurity practice groups, Roberta concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues.

Page 4: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Agenda

– The Spectrum of Cyber Risk
– Practical Risk and Exposure
– Legal and Regulatory Framework
– What to do Before an Incident?
– Potential Coverage Under "Legacy" Policies
– Limitations of "Legacy" Insurance Policies
– Technology Errors & Omissions Coverage
– Cutting Edge "Cyber" Products
– How To Enhance "Off-The-Shelf" Cyber Insurance Forms Through Negotiation
– A Word About Vendor Contracts
– Audience Q&A

Page 5: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

THE SPECTRUM OF CYBER RISK

Page 6: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

The Spectrum of Cyber Risk

– Malicious attacks (Advanced Persistent Threats, spear phishing/social engineering, viruses, worms, Trojans, DDoS attacks)
– Data breach
– Unauthorized access (hacker attacks, spyware)
– Inadequate security and system glitches
– Employee mobility and disgruntled employees
– Lost or stolen portable devices
– Inadequate security and systems: first-party and third-party vendors
– Carelessness of employees and vendors

"[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." – Robert S. Mueller, III, Director, FBI

Page 7: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

LEGAL AND REGULATORY FRAMEWORK

Page 8: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Legal and Regulatory Framework

– State Privacy Laws
  – http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
– Federal Privacy Laws
  – Gramm-Leach-Bliley Act
  – HIPAA/HITECH
  – Federal Trade Commission (FTC v. Wyndham Worldwide Corp.)
  – FACTA/Red Flags Rule
– Foreign Privacy Laws
– PCI Data Security Standards (PCI DSS)

Page 9: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-the-next-target-02-11-2014

Legal and Regulatory Framework

"appropriate disclosures may include: . . . [a] [d]escription of relevant insurance coverage."

§ SEC Guidance -- "[A]ppropriate disclosures may include":
§ "Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences";
§ "To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks";
§ "Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences";
§ "Risks related to cyber incidents that may remain undetected for an extended period"; and
§ "Description of relevant insurance coverage."

Page 10: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Legal and Regulatory Framework

Page 11: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Legal and Regulatory Framework

– NIST Cybersecurity Framework -- provides a common taxonomy and mechanism for organizations to:
  – Describe their current cybersecurity posture;
  – Describe their target state for cybersecurity;
  – Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  – Assess progress toward the target state;
  – Communicate among internal and external stakeholders about cybersecurity risk.
– The Framework is voluntary (for now)

Page 12: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

–  NIST Cybersecurity Framework

NIST Unveils Cybersecurity Framework, http://www.klgates.com/nist-unveils-cybersecurity-framework-02-17-2014/

Legal and Regulatory Framework

Page 13: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

PRACTICAL RISK AND EXPOSURE

Page 14: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Practical Risk and Exposure

• Breach Notification Costs/Identity Monitoring
• Computer Forensics/PR Consulting
• Loss of Customers/Revenue
• Damaged Reputation/Brand
• Regulatory Actions/Fines/Penalties/Consumer Redress
• Lawsuits & Defense Costs
• Loss of "Crown Jewels"
• Business Interruption & Supply Chain Disruption
• Drop in Stock Price/Loss of Market Share
• Potential D&O Suits (Target)

Page 15: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

WHAT TO DO BEFORE AN INCIDENT?

Page 16: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance


"[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."

Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)

Page 17: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

POTENTIAL COVERAGE UNDER "LEGACY" POLICIES

Page 18: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Potential Coverage Under "Legacy" Policies

– Directors' and Officers' (D&O)
– Errors and Omissions (E&O)/Professional Liability
– Employment Practices Liability (EPL)
– Fiduciary Liability
– Crime
  – Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
– Property?
– Commercial General Liability (CGL)?

Page 19: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

–  Coverage B provides coverage for damages because of “personal and advertising injury”

–  “Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”

– What is a "Person's Right of Privacy"?
– What is a "Publication"?

Potential Coverage Under "Legacy" Policies

Page 20: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

LIMITATIONS OF "LEGACY" INSURANCE POLICIES

Page 21: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 22: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance


Page 23: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

Page 24: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 25: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 26: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 27: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

–  Zurich American Insurance Co. v. Sony Corp. of America et al.

Page 28: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

TECHNOLOGY ERRORS & OMISSIONS COVERAGE

Page 29: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Technology E&O Coverage

– Essential for a provider of e-commerce-related solutions
– Covers
  • Errors & Omissions in the Provision of Technology Services
  • Failure of Technology Products to Serve Their Purpose
– But there are limitations
  • Triggered By a "Claim" That Alleges An Act or Omission
  • May Exclude Security Breach or Unauthorized Access to Information
  • May Not Include Breach Notification Costs, Which is Viewed As More of a "First-Party" Loss

Page 30: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

CUTTING EDGE "CYBER" PRODUCTS

Page 31: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Specialty "Cyber" Policies – Third Party

– Privacy And Network Security – Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured's network, and other network security threats
– Regulatory Liability – Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties
– Media Liability – Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content

Page 32: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Specialty "Cyber" Policies – First Party

– Information Asset Coverage – Coverage for damage to or theft of the insured's own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
– Network Interruption And Extra Expense (and CBI) – Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
– Extortion – Coverage for losses resulting from extortion (payments of an extortionist's demand to prevent network loss or implementation of a threat)
– Crisis Management

Page 33: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

HOW TO ENHANCE "OFF-THE-SHELF" CYBER INSURANCE FORMS THROUGH NEGOTIATION

Page 34: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance


Page 35: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Data Breach Example 1

Page 36: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 37: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Data Breach Example 2

Page 38: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 39: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Data Breach Example 3

Page 40: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 41: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Network Security Example 1

Page 42: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 43: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Network Security Example 2

Page 44: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 45: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

Network Security Example 3

Page 46: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Page 47: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

TIPS For A Successful Placement

§ Embrace a Team Approach
§ Understand the Risk Profile
§ Review Existing Coverages
§ Purchase Cyber Coverage as Needed
§ Remember the "Cyber" Misnomer
§ Spotlight the "Cloud"
§ Consider the Amount of Coverage
§ Pay attention to the Retroactive Date and ERP
§ Look at Defense and Settlement Provisions

Page 48: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

BEWARE. THE. FINE. PRINT.

Page 49: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance


“A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”

Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)

Page 50: Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance

A WORD ABOUT VENDOR CONTRACTS