Valuing Cyber Risks and First Party Damages

Post on 01-Jun-2022


Russ Zinn, Bob Kirchmeier

CT Valley Chapter April 4, 2017

Business Interruption!

Data Breach!

Regulatory!

Data Assets!

Reputation!

Extortion/Ransom!

Network!

Cyber BCP

Cyber Insurance

Cyber Legislation

Financial Exposure?

Cyber News

Cyber Planning

Cyber Coverage

The Issue:

Cyber is a “PERIL” that manifests itself across MULTIPLE coverage lines

What’s the Problem?

•  Theft or loss of data
   –  Motive: financial gain
•  Data destruction
   –  Motive: ideological, extortion, terrorism, war
•  Communication disruption
   –  Motive: ideological, extortion, terrorism, war
•  Operational or physical disruption
   –  Control system takeover halting operations, destroying machinery and facilities

Root Causes

•  Intentional – malicious / criminal
   –  Nation states
      •  Economic espionage
      •  Destructive – influence policies
   –  Criminal – low risk with potential high payoff
      •  Theft
      •  Extortion
   –  Personal hacktivists
      •  Call attention to a perceived grievance
      •  Enjoyment
   –  Insider – bad actor
      •  Most capable of damage
      •  Circumvents protections against unauthorized access
•  Unintentional
   –  Human error – insider/vendor
   –  System or software glitch

Root Causes (cont.)

Most breaches result from inadequate internal procedures and training … IT security against external threats is not enough.

Source: IBM/Ponemon “2015 Cost of Cyber Breach Study”

High Profile Targets

•  Retail
•  Healthcare
•  Financial institutions – early adopters (late 90’s) due to network risks
•  Production: energy, water, communications, manufacturing
•  The rest of us, organizations and individuals, rely on technology more and more

Examples

•  Target: C-suite executives fired
•  Stuxnet: extensive physical damage by overtaking industrial controls
•  Steel mill: destructive attack via spear phishing on blast furnace
•  BTC Pipeline: wireless network used to shut down alarms, over-pressurized pipeline
•  Aramco: insider deployed malware; 30,000 computers inoperable, 10 day recovery

Yahoo 2016 Update

•  CEO loses bonus
•  Chief legal officer resigns
•  Verizon acquisition renegotiated ($350 million reduction)
•  43 consumer class action suits
•  Stockholder class-action suit

(NY Times 3/2/2017)

Costs

•  Increasing frequency, response costs, impact on business
•  Who is financially responsible, and what is the resulting harm?

Typical Damages

•  Regulatory fines & penalties
   –  Comprehensive Written Information Security Program
•  Industry fines: PCI, card brands
•  Privacy liability
•  Network security liability
•  Media / content liability – IP & personal injury (often excludes patent & trade secrets); reissue credit cards
•  Technology services/products & professional E&O
•  Other liability: accidental transmission of malware

Outsourcing the function does not outsource liability.

First Party Damages

•  Breach response (often covered)
   –  Crisis management
   –  Legal costs
   –  Notification costs
   –  Credit/ID monitoring
   –  Investigation / forensics
   –  Public relations
•  Intellectual property (though sometimes excludes trade secrets)
   –  Customer information
   –  Pricing information
•  Data restoration
•  Cyber extortion – avoid an attack

First Party Damages (cont.)

•  Loss of income, i.e. business interruption
   –  Network interruption / system failure
      •  Lost income from an interruption to an Insured Computer System, resulting from:
         –  Security failure, attack, malware
         –  System failure: broadened to include human error & system failure
•  Contingent / dependent BI
   –  Corporate/shared platforms, like hospitality
•  Reputational
   –  Losses beyond operational disruption
   –  Coverage limits, time limits, expectations for response
   –  Industries this particularly affects are health, retail and financial services

What to do

•  Board level ownership
   –  Enterprise-wide risk, not just an IT threat – reputational / market
   –  Understand regulatory implications
   –  Boards should have access to cyber security expertise and should get regular updates
   –  Establish cyber risk management / security framework / culture
•  Normal RM approach: identify, evaluate, control, finance, monitor

What to do (cont.)

•  Balance investments
   –  Protection / prevention
      •  Employee awareness/training is biggest ROI
      •  IT security – identify what’s important to you/them
   –  Response / detection
      •  Shorten the interval for detection & containment
      •  Adoption of outsourced / cloud enabled security – more signal & less noise
      •  Dedicated or assigned response?

Insurance Considerations

•  Traditional lines are moving to exclude anything cyber related
•  Plenty of capacity is available for SMBs / non-high-profile risks
•  Insurance coverage becoming more uniform
•  Pay attention to:
   –  Align with other coverages (CGL, property, E&O, D&O)
   –  Application details!
   –  Prior acts: if first year, can you get it backdated?
   –  Extra coverage grants
   –  Vendor selection
   –  Sublimits
   –  Deductibles / waiting periods
   –  Exclusions
      •  Coverage condition requiring “reasonable” protective measures
      •  Breach of contract exclusions
•  BI / reputational coverage vague but becoming more relevant
•  Early claims are setting precedent and highly scrutinized

Other Remedies

•  Contractual indemnification / hold harmless
•  Additional insured status on others’ coverage
   –  Underlying coverage requirements

Conclusion

•  ERM framework applies
•  Business continuity planning is critical
   –  Mostly peril agnostic with cyber specific enhancements
•  Benefits
   –  Reduce impact, including uninsured losses
   –  Gain a competitive advantage
   –  Address scrutiny of creditors & investors
   –  Address scrutiny of customers & suppliers
   –  Better access to coverage / lower premiums


Thank you!

Russell Zinn
(203) 240-3889
russellzinn@rwhmyers.com

Bob Kirchmeier
(862) 251-2767
bobkirchmeier@rwhmyers.com