This document summarizes a presentation on cybersecurity risks, legal frameworks, and insurance. It discusses the spectrum of cyber risks including data breaches, malware attacks, and inadequate security. It outlines relevant state, federal and international privacy laws. It also summarizes strategies to mitigate risk including the NIST cybersecurity framework and outlines potential coverage under existing policies as well as new "cyber" insurance products.
2. About SecureDocs
• SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties.
Company Basics:
• Virtual data room used by companies from fundraising to exit
• Developed by the team that created and launched GoToMyPC and GoToMeeting
• Web-based business software for financial and legal professionals
• Distinguished through its ease-of-use, industry-leading security, and flat-fee pricing
3. About Roberta D. Anderson
Roberta is a partner in the Pittsburgh office of K&L Gates LLP. A member of the firm’s Insurance Coverage and Cybersecurity practice groups, Roberta concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues.
4. Agenda
– The Spectrum of Cyber Risk
– Practical Risk and Exposure
– Legal and Regulatory Framework
– What to do Before an Incident?
– Potential Coverage Under “Legacy” Policies
– Limitations of “Legacy” Insurance Policies
– Technology Errors & Omissions Coverage
– Cutting Edge “Cyber” Products
– How To Enhance “Off-The-Shelf” Cyber Insurance Forms Through Negotiation
– A Word About Vendor Contracts
– Audience Q&A
6. The Spectrum of Cyber Risk
– Malicious attacks (Advanced Persistent Threats, spear phishing/social engineering, viruses, worms, Trojans, DDoS attacks)
– Data breach
– Unauthorized access (hacker attacks, spyware)
– Inadequate security and system glitches
– Employee mobility and disgruntled employees
– Lost or stolen portable devices
– Inadequate security and systems: first party and third-party vendors
– Carelessness of employees and vendors
“[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
- Robert S. Mueller, III, Director, FBI
8. Legal and Regulatory Framework
– State Privacy Laws
– http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
– Federal Privacy Laws
– Gramm-Leach-Bliley Act
– HIPAA/HITECH
– Federal Trade Commission (FTC v. Wyndham Worldwide Corp.)
– FACTA/Red Flags Rule
– Foreign Privacy Laws
– PCI Data Security Standards (PCI DSS)
9. Legal and Regulatory Framework
“appropriate disclosures may include: . . . [a] [d]escription of relevant insurance coverage.”
§ SEC Guidance -- “[A]ppropriate disclosures may include”:
§ “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
§ “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
§ “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
§ “Risks related to cyber incidents that may remain undetected for an extended period”; and
§ “Description of relevant insurance coverage.”
Source: Five Tips to Consider When Any Public Company Might be The Next Target, http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-the-next-target-02-11-2014
11. Legal and Regulatory Framework
– NIST Cybersecurity Framework -- provides a common taxonomy and mechanism for organizations to:
– Describe their current cybersecurity posture;
– Describe their target state for cybersecurity;
– Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
– Assess progress toward the target state;
– Communicate among internal and external stakeholders about cybersecurity risk.
– The Framework is voluntary (for now)
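The five uses of the Framework listed above (current posture, target state, prioritized improvements, progress, communication) are what a Framework "profile" comparison gives you in practice. The following Python is an added example and is not part of the presentation or of NIST's own material: it models a current and a target profile over the five Framework Core functions, using the Implementation Tiers 1-4 from NIST CSF 1.0. The tier values and the function weights are constructed sample data for an imaginary organization, not an assessment of any real one.

```python
"""Added example: NIST Cybersecurity Framework profile gap analysis.

Functions (Identify, Protect, Detect, Respond, Recover) and Tiers 1-4
(Partial, Risk Informed, Repeatable, Adaptive) come from NIST CSF 1.0.
All tier values and weights below are constructed sample data.
"""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Profile:
    """Tier reached (current profile) or desired (target profile) per function."""
    tiers: dict  # function name -> tier in 1..4

    def __post_init__(self):
        # Reject unknown functions, out-of-range tiers and incomplete profiles
        # so a typo in an assessment sheet cannot silently skew the ranking.
        for fn, tier in self.tiers.items():
            if fn not in FUNCTIONS:
                raise ValueError(f"unknown Framework function {fn!r}")
            if tier not in TIERS:
                raise ValueError(f"tier for {fn} must be 1-4, got {tier!r}")
        missing = set(FUNCTIONS) - set(self.tiers)
        if missing:
            raise ValueError(f"profile is missing functions: {sorted(missing)}")


def gaps(current: Profile, target: Profile) -> dict:
    """Shortfall per function: target tier minus current tier, floored at 0."""
    return {fn: max(0, target.tiers[fn] - current.tiers[fn]) for fn in FUNCTIONS}


def prioritize(current: Profile, target: Profile, weights: dict) -> list:
    """Rank improvement opportunities, largest weighted gap first.

    weights: business-driven importance per function (missing entries count
    as 1.0). Ties are broken alphabetically so the output is deterministic.
    """
    g = gaps(current, target)
    ranked = sorted(FUNCTIONS, key=lambda fn: (-g[fn] * weights.get(fn, 1.0), fn))
    return [fn for fn in ranked if g[fn] > 0]


def progress(baseline: Profile, current: Profile, target: Profile) -> float:
    """Fraction (0.0..1.0) of the baseline shortfall that has been closed."""
    original = sum(gaps(baseline, target).values())
    if original == 0:
        return 1.0
    remaining = sum(gaps(current, target).values())
    return 1.0 - remaining / original


def report(current: Profile, target: Profile) -> list:
    """One plain-language line per function, for stakeholder communication."""
    lines = []
    for fn, gap in gaps(current, target).items():
        cur, tgt = current.tiers[fn], target.tiers[fn]
        lines.append(f"{fn}: Tier {cur} ({TIERS[cur]}) -> Tier {tgt} ({TIERS[tgt]}), gap {gap}")
    return lines


# Constructed sample data (hypothetical organization).
BASELINE = Profile({"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2})
TARGET = Profile({fn: 3 for fn in FUNCTIONS})
CURRENT = Profile({"Identify": 3, "Protect": 3, "Detect": 2, "Respond": 2, "Recover": 2})
WEIGHTS = {"Protect": 2.0, "Detect": 2.0, "Respond": 1.5}

if __name__ == "__main__":
    print("Priority order:", prioritize(BASELINE, TARGET, WEIGHTS))
    print(f"Progress toward target: {progress(BASELINE, CURRENT, TARGET):.0%}")
    for line in report(CURRENT, TARGET):
        print(line)
```

Weighting the gap by business importance is the step that makes the ranking "within the context of a continuous and repeatable process": rerunning the same script against a refreshed current profile each quarter gives a comparable progress figure and a re-ranked list rather than an ad hoc judgment.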
16. “[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012)
18. Potential Coverage Under “Legacy” Policies
– Directors’ and Officers’ (D&O)
– Errors and Omissions (E&O)/Professional Liability
– Employment Practices Liability (EPL)
– Fiduciary Liability
– Crime
– Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)
– Property?
– Commercial General Liability (CGL)?
19. Potential Coverage Under “Legacy” Policies
– Coverage B provides coverage for damages because of “personal and advertising injury”
– “Personal and Advertising Injury” is defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”
– What is a “Person’s Right of Privacy”?
– What is a “Publication”?
23. ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
29. Technology E&O Coverage
– Essential for a provider of e-commerce-related solutions
– Covers
• Errors & Omissions in the Provision of Technology Services
• Failure of Technology Products to Serve Their Purpose
– But there are limitations
• Triggered By a “Claim” That Alleges An Act or Omission
• May Exclude Security Breach or Unauthorized Access to Information
• May Not Include Breach Notification Costs, Which is Viewed As More of a “First-Party” Loss
31. Specialty “Cyber” Policies – Third Party
– Privacy And Network Security – Provides coverage for liability (defense and indemnity) arising out of data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other network security threats
– Regulatory Liability – Provides coverage for liability arising out of administrative or regulatory proceedings, fines and penalties
– Media Liability – Provides coverage for liability (defense and indemnity) for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content
32. Specialty “Cyber” Policies – First Party
– Information Asset Coverage – Coverage for damage to or theft of the insured’s own systems and hardware, and may cover the cost of restoring or recreating stolen or corrupted data.
– Network Interruption And Extra Expense (and CBI) – Coverage for business interruption and extra expense caused by malicious code, DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
– Extortion – Coverage for losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or implementation of a threat)
– Crisis Management
33. HOW TO ENHANCE “OFF-THE-SHELF” CYBER INSURANCE FORMS THROUGH NEGOTIATION
47. TIPS For A Successful Placement
§ Embrace a Team Approach
§ Understand the Risk Profile
§ Review Existing Coverages
§ Purchase Cyber Coverage as Needed
§ Remember the “Cyber” Misnomer
§ Spotlight the “Cloud”
§ Consider the Amount of Coverage
§ Pay attention to the Retroactive Date and ERP
§ Look at Defense and Settlement Provisions
49. “A well drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”
Roberta D. Anderson, Partner, K&L Gates LLP (June 25, 2014)