[PPT] - CYBER LIABILITY BREAK OUT SESSION Dakota Manufacturers' Day Summit PowerPoint Presentation

SLIDE 1

CYBER LIABILITY BREAK OUT SESSION

Dakota Manufacturers' Day Summit October 5, 2016

Beth M. Watkins, CRM, CIC, CISR Director of Management Liability Marsh & McLennan Agency 763-746-8220 Beth.Watkins@MarshMMA.com

SLIDE 2

MARSH & McLENNAN AGENCY LLC

1

TODAY’S DISCUSSION

What does Cyber Liability look like
Legal & Financial Consequences
Managing Your Risk

SLIDE 3

MARSH & McLENNAN AGENCY LLC

Discovery

Actual or alleged theft, loss, or unauthorized collection/disclosure of confidential information that is in the care, custody, or control of the Insured, or a 3rd for whom the Insured is legally liable. Discovery can come about in several ways:

Self discovery — usually the best case.
Customer inquiry or vendor discovery.
Call from regulator or law enforcement.

First Response

Forensic Investigation and Legal Review

Forensic tells you what happened.
Legal sets out options/obligations.

External Issues Public Relations Notification Remedial Service Offering Damage to Brand or Reputation Regulatory Fines, Penalties, and Consumer Redress Civil Litigation Income Loss Long-Term Consequences

HOW A DATA BREACH OCCURS

2

SLIDE 4

MARSH & McLENNAN AGENCY LLC

3

AN EXPOSURE SOME WANT TO IGNORE

Not easily monetized, or visualized
Many cases are kept quiet
Not tangible
Seen as an IT issue, challenging to understand

BARNES & THORNBURG, LLP

“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

– Robert S. Mueller, III Director, FBI

SLIDE 5

MARSH & McLENNAN AGENCY LLC

4

DOES YOUR BUSINESS OR ORGANIZATION HAVE EXPOSURE?

Do you store confidential information in your network (e.g., social security

numbers, birth dates, employee evaluations, customer lists, trade secrets)?

Does your business utilize, wireless networks, laptops, smartphones or
ther portable devices?
Can your customers access their information via your website?
Do you receive/transmit sensitive information from/to vendors or other

third parties? What about the cloud?

Do you process credit card transactions?
Are your employees able to communicate outside your business?

BARNES & THORNBURG, LLP

SLIDE 6

MARSH & McLENNAN AGENCY LLC

5

WHAT DATA IS EXPOSED?

Confidential client or customer information

– Customer lists – Business/acquisition plans – Employee records (past, present and applicants) – Intellectual property

PII/PHI

– Social Security and drivers license numbers – Credit card and financial account numbers – HIPAA

SLIDE 7

Cyber Statistics

6

SLIDE 8

MARSH & McLENNAN AGENCY LLC

NetDiligence 2015 Claims Study

7

SLIDE 9

MARSH & McLENNAN AGENCY LLC

NetDiligence 2015 Claims Study

8

SLIDE 10

MARSH & McLENNAN AGENCY LLC

9

DATA BREACH STATISTICS

What Commonalities Exist

75% driven by financial motives
71% targeted user devices
54% compromised servers
75% considered opportunistic attacks
78% rated as low difficulty
69% discovered by external parties
66% took months, or more to discover

Source: Verizon 2013 Data Breach Investigations Report

SLIDE 11

MARSH & McLENNAN AGENCY LLC

COMMON TYPES OF CLAIMS

Cryptolocker

– Small sums demanded and paid – Forensics & investigation

Employee error

– Inadvertent email to thousands of unintended recipients – Lost laptops with confidential files

Online Breaches

– Accessing individual records – Self reported to payment card brands – Breach vendors engaged

Phishing and Spear Phishing Attacks

– Access to confidential information and network – Social Engineering schemes

10

SLIDE 12

MARSH & McLENNAN AGENCY LLC

11

LEGAL CONSEQUENCES OF BREACH

Notification & remediation laws

– Patchwork of laws (47 states, D.C., Puerto Rico, Virgin Islands) – No Federal Law, International Laws developing

30+ countries outside the U.S. now require or strongly recommend notification

– Jurisdiction in which affected party resides governs notification requirement

Claims by clients, customers or employees, regulators

– Negligence, invasion of privacy, breach of fiduciary duty, intellectual property infringement, unfair/deceptive business practices – Class Actions – Active Attorney General

SLIDE 13

MARSH & McLENNAN AGENCY LLC

A SINGLE EXPOSURE CAN RESULT IN:

Direct Legal Liability
Vicarious liability for acts of vendors/service providers
Compliance with breach notification laws
Loss of revenue/extra expense due to a system outage
Loss or damage to brand reputation
Regulatory actions and scrutiny
Loss or damage to data/information

12

SLIDE 14

MARSH & McLENNAN AGENCY LLC

13

FINANCIAL CONSEQUENCES OF BREACH

First-Party Loss
Third-Party Liability

SLIDE 15

MARSH & McLENNAN AGENCY LLC

14

FIRST PARTY LOSS

Notification and credit monitoring expenses
Crisis management expenses (including public relations)
Computer forensics/data restoration
Business income loss and extra expense including dependent

business interruption

Extortion payments
Reputational harm

SLIDE 16

MARSH & McLENNAN AGENCY LLC

15

THIRD-PARTY LIABILITY

Defense fees and expenses
Damages (Judgments/Settlements)
Plaintiff attorney’s fees and expenses
Punitive Damages
Regulatory fines and penalties

SLIDE 17

MARSH & McLENNAN AGENCY LLC

16

RISK MANAGEMENT

Identify and assess the risk
Reduce the risk
Transfer the risk

SLIDE 18

MARSH & McLENNAN AGENCY LLC

17

ASSESS THE RISK

What types of sensitive data does your company

store/send/receive?

How vulnerable is the data to a security breach?
What would be the potential severity of loss or liability in the

event of a breach?

SLIDE 19

MARSH & McLENNAN AGENCY LLC

18

REDUCE THE RISK

What reasonable measures can your company implement to

reduce the likelihood and severity of a data security breach?

Do those measures meet/exceed the standard of care for data

security in your type of business?

What can your company do to educate employees about the

risks and consequences of data security breaches, and to enforce their compliance with data security measures?

What can you do to ensure compliance by vendors and other

third parties?

Do you have a disaster recovery plan, incident response plan

and business continuity plan?

SLIDE 20

MARSH & McLENNAN AGENCY LLC

19

TRANSFER THE RISK

Contractually through Indemnity Agreements

– Limitations of Liability? – Proof of Insurance? – Availability of Insurance?

Insurance
Traditional insurance does not respond well to cyber liability

– Errors and Omissions (E&O) – tech & and sometimes mfg are excepted here; – Commercial General Liability (CGL); – Property; – Crime; – Kidnap and Ransom (K&R); – Directors and Officers (D&O)

SLIDE 21

MARSH & McLENNAN AGENCY LLC

20

CYBER / NETWORK SECURITY INSURANCE

Little standardization
Fills in gap in traditional insurance
Stand-alone policies (vs. endorsed onto existing polices such as property
r general liability) generally include 1st & 3rd party extensions
A good program can be a risk prevention, risk management and insurance

product all in one

Claims response services and suppport are a crucial piece

SLIDE 22

MARSH & McLENNAN AGENCY LLC

21

AVOID COVERAGE ISSUES BY NEGOTIATING FAVORABLE TERMS

Limited to electronic data?
Broad definition of “claim”?
Trigger on discovery or wrongful act?
Prior Acts Coverage?
Coverage for fines, penalties, punitive damages?
Coverage for Business Interruption? Data Restoration? Extortion?
Rogue Employee Coverage?
Does coverage extend to your notification of customer’s affected parties?
Exclusions

– Failure to update software? – Unecrypted portable devices?

If E&O is in place, how do these programs work (or not work) together?
Breach Response Service – pre and post loss

SLIDE 23

MARSH & McLENNAN AGENCY LLC

IN REALITY

22

 In 2014:  average claim payout was $733,109  average cost for legal defense was $698,797  average cost for legal settlement was $558,5201  Small businesses can expect forensic costs alone to run $10,000 to $100,0003

Does Insurance Really Pay?

A single call connects you to a team of experts who provide all the services you need to manage a breach and mitigate

litigation. Services Include:

 Forensics  Legal services  Breach notification services  Call center services  Credit monitoring and restoration services

When It Happens To You, Who Do You Call?

 In 2013, businesses with revenues less than $300M accounted for over 62% of cyber claims.1  1 out of 5 small businesses falls victim to cyber crime each year. Of those, about 60% go out of business within 6 months.2

It’s Not Just The Big Guys. . .

1. Net Diligence Cyber Claims Study 2014 2. “The Case for Cyber” National Underwriter, May 2015 citing National Cyber Security Alliance 1. Beazley PE Data Breach Report

SLIDE 24

MARSH & McLENNAN AGENCY LLC

Information Security is a Work in Progress not an Endpoint

23

SLIDE 25

MARSH & McLENNAN AGENCY LLC

24

RESOURCES ON DATA SECURITY BREACH

FTC – www.ftc.gov/bcp/edu/microsites/infosecurity/slides.pdf
Privacy Rights Clearinghouse – www.PrivacyRights.Org
Open Security Foundation – www.opensecurityfoundation.org or

www.datalossdb.org

Ponemon Institute, LLC. – www.ponemon.org
Darwin Professional Tech//404 Website – Data Loss Calculator www.tech-

404.com

Verizon Business Risk Team 2014 Data Breach Investigations Report
Beazley Tech Page www.beazley.com/tmb (look for Data Breach Map)

SLIDE 26

MARSH & McLENNAN AGENCY LLC

QUESTIONS?

Beth Watkins Beth.Watkins@MarshMMA.com (763) 746-8220

25

SLIDE 27

Legal/regional regulatory statement to be added here if required.

26