This presentation discusses the current status of cyber liability insurance and how carriers are managing to understand and cover cyber risk. If one views "cyber risk" from an operational risk perspective versus IT risk, then cyber liability insurance can be one of the most effective countermeasures available to you.
However, buyer beware: this is a nascent market where underwriters, actuaries, and others involved in providing cyber insurance are on a steep learning curve. Aligning insurance policy language with your security program is paramount, so that when the time comes and you need it most, you'll have a smooth claims process, without litigation with your carrier.
Effectively implementing a cyber insurance policy as another arrow in your quiver requires collaboration across your organizations.
Cyber liability insurance and your security program
1. Cyber Liability Insurance and Your Security Program – How They Fit Together
SCOTT TAKAOKA
SCOTT@VERSPRITE.COM, 415.509.8071
VP BUSINESS DEVELOPMENT
2. Cyber Insurance Basics
o Sold as specialty insurance
o General liability, Errors & Omissions policies often do not cover cyber events
o Covers costs associated with breach
o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
o Third party – class action suits, regulatory investigations/fines
o Brokers line up multiple carriers to bid on your policy
o Security often participates on discovery calls
o Multiple carriers may participate in a “risk tower”
3. Risk Tower Example
1st $10M – Carrier A
2nd $10M – Carrier B
3rd $10M – Carrier C
4th $10M – Carrier D
5th $10M – Carrier A
$50M in coverage
Payout for 1st $10M in loss
4. Wild, Wild West
INSURANCE CARRIERS ARE ON A STEEP LEARNING CURVE
o GL insurance may provide coverage example - “property”
o Cyber - non admitted policies
o No standard language – caveat emptor!
o SMB gets off-the-shelf language
o Your policy will change
5. What’s Behind the Curtain?
INSURANCE CARRIERS ARE ON A STEEP LEARNING CURVE
o No actuarial models for cyber risk
o Steep learning curve for infosec
o Less rigor on application - tight scrutiny on claims
o Imperfect information – working through brokers
o Broad range in pricing
Write policies with basic underwriting
Understand claims
Write more exclusions
Adjust premiums
6. Interesting Case Law
• Columbia Casualty Company (CNA) v. Cottage Health System
• Server mis-configuration: anonymous FTP
• Exposure of 32,500 records – settled class action suit of $4.1M
• Claim initially accepted by CNA
• Examined application, then reversed course and sued Cottage
• Case dismissed on procedure
7. Interesting Case Law – An unresolved argument
Cottage “failed to apply minimum required security practices”…and must “continuously implement” security measures…
— CNA
8. Take Action
• Collaborate across silos - pen-testers to general counsel
• Understand context – your threats/attack scenarios and loss potential
• PASTA (process for attack simulation and threat analysis)
• FAIR (factor analysis for information risk)
• Strength of security vs. business impact cyber insurance requirement
Legal Business Risk Security
9. Take Action
• Governance – easiest deficiencies to spot when applying for cyber
• Collaborate to review and negotiate policy language - exclusions, BYOD, cloud, vendors risk…
• Be careful what you state – your answers are a “warranty”
• Be mindful of time limits on notification of breach
Legal Business Risk Security
10. Cyber Liability Insurance and Your Security Program – How They Fit
SCOTT TAKAOKA
VP BUSINESS DEVELOPMENT