Post on 01-Jun-2022
Valuing Cyber Risks and First Party Damages
Russ Zinn, Bob Kirchmeier
CT Valley Chapter April 4, 2017
[Opening graphic: Business Interruption! Data Breach! Regulatory! Data Assets! Reputation! Extortion/Ransom! Network! – Cyber BCP, Cyber Insurance, Cyber Legislation – Financial Exposure? – Cyber News, Cyber Planning, Cyber Coverage]
The Issue: Cyber is a “PERIL” that manifests itself across MULTIPLE coverage lines
What’s the Problem?
• Theft or loss of data
  – Motive: financial gain
• Data destruction
  – Motive: ideological, extortion, terrorism, war
• Communication disruption
  – Motive: ideological, extortion, terrorism, war
• Operational or physical disruption
  – Control system takeover halting operations, destroying machinery and facilities
Root Causes
• Intentional – malicious / criminal
  – Nation states
    • Economic espionage
    • Destructive – influence policies
  – Criminal – low risk with potential high payoff
    • Theft
    • Extortion
  – Personal hacktivists
    • Call attention to a perceived grievance
    • Enjoyment
  – Insider – bad actor
    • Most capable of damage
    • Circumvents protections against unauthorized access
• Unintentional
  – Human error – insider/vendor
  – System or software glitch
Root Causes (cont.)
Most breaches result from inadequate internal procedures and training … IT security against external threats is not enough.
Source: IBM/Ponemon “2015 Cost of Cyber Breach Study”
High Profile Targets
• Retail
• Healthcare
• Financial institutions – early adopters (late 90’s) due to network risks
• Production: energy, water, communications, manufacturing
• The rest of us: organizations and individuals rely on technology more and more
Examples
• Target: C-suite executives fired
• Stuxnet: extensive physical damage by overtaking industrial controls
• Steel mill: destructive attack on a blast furnace via spear phishing
• BTC pipeline: wireless network used to shut down alarms, over-pressurized pipeline
• Aramco: insider-deployed malware, 30,000 computers inoperable, 10-day recovery
Yahoo 2016 Update
• CEO loses bonus
• Chief legal officer resigns
• Verizon acquisition renegotiated ($350 million reduction)
• 43 consumer class action suits
• Stockholder class-action suit
(NY Times 3/2/2017)
Costs: increasing frequency, response costs, impact on business
Who is financially responsible, and what is the resulting harm?
Typical Damages
• Regulatory fines & penalties
  – Comprehensive Written Information Security Program
• Industry fines: PCI, card brand
• Privacy liability
• Network security liability
• Media / content liability – IP & personal injury (often excludes patent & trade secrets); reissue credit cards
• Technology services/products & professional E&O
• Other liability: accidental transmission of malware
Outsourcing the function does not outsource liability
First Party Damages
• Breach response (often covered)
  – Crisis management
  – Legal costs
  – Notification costs
  – Credit/ID monitoring
  – Investigation / forensics
  – Public relations
• Intellectual property (though sometimes excludes trade secrets)
  – Customer information
  – Pricing information
• Data restoration
• Cyber extortion – avoid an attack
First Party Damages (cont.)
• Loss of income, i.e. business interruption
  – Network interruption / system failure
    • Lost income from an interruption to an Insured Computer System, resulting from:
      – Security failure, attack, malware
      – System failure: broadened to include human error & system failure
    • Contingent / dependent BI
    • Corporate/shared platforms, like hospitality
  – Reputational
    • Losses beyond operational disruption
    • Coverage limits, time limits, expectations for response
    • Industries this particularly affects are health, retail and financial services
What to do
• Board level ownership
  – Enterprise-wide risk, not just an IT threat – reputational / market
  – Understand regulatory implications
  – Boards should have access to cyber security expertise and should get regular updates
  – Establish cyber risk management / security framework / culture
• Normal RM approach: identify, evaluate, control, finance, monitor
What to do (cont.)
• Balance investments
  – Protection/prevention
    • Employee awareness/training is the biggest ROI
    • IT security – identify what’s important to you/them
  – Response / detection
    • Shorten the interval for detection & containment
    • Adoption of outsourced / cloud-enabled security – more signal & less noise
    • Dedicated or assigned response?
Insurance Considerations
• Traditional lines are moving to exclude anything cyber related
• Plenty of capacity is available for SMBs / non-high-profile risks
• Insurance coverage becoming more uniform
• Pay attention to:
  – Alignment with other coverages (CGL, property, E&O, D&O)
  – Application details!
  – Prior acts: if first year, can you get it backdated?
  – Extra coverage grants
  – Vendor selection
  – Sublimits
  – Deductibles / waiting periods
  – Exclusions
• Coverage condition requiring “reasonable” protective measures
• Breach of contract exclusions
• BI / reputational coverage vague but becoming more relevant
• Early claims are setting precedent and are highly scrutinized
Other Remedies
• Contractual indemnification / hold harmless
• Additional insured status on others’ coverage
  – Underlying coverage requirements
Conclusion
• ERM framework applies
• Business continuity planning is critical
  – Mostly peril agnostic, with cyber-specific enhancements
• Benefits
  – Reduce impact, including uninsured losses
  – Gain a competitive advantage
  – Address scrutiny of creditors & investors
  – Address scrutiny of customers & suppliers
  – Better access to coverage / lower premiums
Conclusion
Thank you!
Russell Zinn, (203) 240-3889, russellzinn@rwhmyers.com
Bob Kirchmeier, (862) 251-2767, bobkirchmeier@rwhmyers.com