Valuing Cyber Risks and First Party Damages

Russ Zinn, Bob Kirchmeier

CT Valley Chapter, April 4, 2017

Page 1: Title slide

Page 2: Cyber News, Cyber Planning, Cyber Coverage

[Slide graphic: headline terms "Business Interruption!", "Data Breach!", "Regulatory!", "Data Assets!", "Reputation!", "Extortion/Ransom!" and "Network!" feeding into Cyber BCP, Cyber Insurance and Cyber Legislation, with the open question "? Financial Exposure"]

Page 3: The Issue

Cyber is a “PERIL” that manifests itself across MULTIPLE coverage lines.

Page 4: What’s the Problem?

• Theft or loss of data
  – Motive: financial gain
• Data destruction
  – Motive: ideological, extortion, terrorism, war
• Communication disruption
  – Motive: ideological, extortion, terrorism, war
• Operational or physical disruption
  – Control system takeover halting operations, destroying machinery and facilities

Page 5: Root Causes

• Intentional – malicious / criminal
  – Nation states
    • Economic espionage
    • Destructive – influence policies
  – Criminal – low risk with potential high payoff
    • Theft
    • Extortion
  – Personal / hacktivists
    • Call attention to a perceived grievance
    • Enjoyment
  – Insider – bad actor
    • Most capable of damage
    • Circumvents protections against unauthorized access
• Unintentional
  – Human error – insider / vendor
  – System or software glitch

Page 6: Root Causes (cont.)

Most breaches result from inadequate internal procedures and training; IT security against external threats alone is not enough.

Source: IBM/Ponemon “2015 Cost of Data Breach Study”

Page 7: High Profile Targets

• Retail
• Healthcare
• Financial institutions – early adopters (late 90’s) due to network risks
• Production: energy, water, communications, manufacturing
• The rest of us: organizations and individuals rely on technology more and more

Page 8: Examples

• Target: C-suite executives fired
• Stuxnet: extensive physical damage by overtaking industrial controls
• Steel mill: destructive attack on a blast furnace, delivered via spear phishing
• BTC pipeline: wireless network used to shut down alarms; pipeline over-pressurized
• Aramco: insider deployed malware; 30,000 computers inoperable; 10-day recovery

Page 9: Yahoo 2016 Update

• CEO loses bonus
• Chief legal officer resigns
• Verizon acquisition renegotiated ($350 million reduction)
• 43 consumer class action suits
• Stockholder class-action suit

(NY Times, 3/2/2017)

Page 10: Costs

Increasing frequency, response costs and impact on business.

Who is financially responsible, and what is the resulting harm?

Page 11: Typical Damages

• Regulatory fines and penalties
  – Comprehensive Written Information Security Program
• Industry fines: PCI, card brands
• Privacy liability
• Network security liability
• Media / content liability – IP and personal injury (often excludes patent and trade secrets); reissuing credit cards
• Technology services / products and professional E&O
• Other liability: accidental transmission of malware

Outsourcing the function does not outsource the liability.

Page 12: First Party Damages

• Breach response (often covered)
  – Crisis management
  – Legal costs
  – Notification costs
  – Credit / ID monitoring
  – Investigation / forensics
  – Public relations
• Intellectual property (though coverage sometimes excludes trade secrets)
  – Customer information
  – Pricing information
• Data restoration
• Cyber extortion – payment made to avoid a threatened attack

Page 13: First Party Damages (cont.)

• Loss of income, i.e. business interruption
  – Network interruption / system failure
    • Lost income from an interruption to an insured computer system, resulting from:
      – Security failure, attack, malware
      – System failure: broadened to include human error and system failure
  – Contingent / dependent BI
    • Corporate / shared platforms, e.g. hospitality
• Reputational
  – Losses beyond operational disruption
  – Coverage limits, time limits, expectations for response
  – Industries this particularly affects: health, retail and financial services

Page 14: What to do

• Board level ownership
  – Enterprise-wide risk, not just an IT threat – reputational / market
  – Understand regulatory implications
  – Boards should have access to cyber security expertise and should get regular updates
  – Establish a cyber risk management / security framework and culture
• Normal RM approach: identify, evaluate, control, finance, monitor

Page 15: What to do (cont.)

• Balance investments
  – Protection / prevention
    • Employee awareness / training is the biggest ROI
    • IT security – identify what’s important to you and to them
  – Response / detection
    • Shorten the interval for detection and containment
    • Adoption of outsourced / cloud-enabled security – more signal and less noise
    • Dedicated or assigned response?

Page 16: Insurance Considerations

• Traditional lines are moving to exclude anything cyber related
• Plenty of capacity is available for SMBs / non-high-profile risks
• Insurance coverage is becoming more uniform
• Pay attention to:
  – Alignment with other coverages (CGL, property, E&O, D&O)
  – Application details!
  – Prior acts: if it is the first year, can you get it backdated?
  – Extra coverage grants
  – Vendor selection
  – Sublimits
  – Deductibles / waiting periods
  – Exclusions
    • Coverage conditions requiring “reasonable” protective measures
    • Breach of contract exclusions
• BI / reputational coverage is vague but becoming more relevant
• Early claims are setting precedent and are highly scrutinized

Page 17: Other Remedies

• Contractual indemnification / hold harmless
• Additional insured status on others’ coverage
  – Underlying coverage requirements

Page 18: Conclusion

• ERM framework applies
• Business continuity planning is critical
  – Mostly peril agnostic, with cyber-specific enhancements
• Benefits
  – Reduce impact, including uninsured losses
  – Gain a competitive advantage
  – Address scrutiny of creditors and investors
  – Address scrutiny of customers and suppliers
  – Better access to coverage / lower premiums

Page 19: Cyber News, Cyber Planning, Cyber Coverage (closing repeat of the Page 2 graphic)

Page 20: Conclusion

Thank you!

Russell Zinn
(203) [email protected]

Bob Kirchmeier
(862) 251-2767
[email protected]