Cyber Program Information - Legal Executive Institute


Cyber Exposure Landscape
LAW FIRM PERSPECTIVE
“The single biggest threat still is people inadvertently bringing down a virus from outside or through a phishing scheme ... That's where the training gets critical ... You can never tell your workforce enough ‘don't do this’ or ‘don't do that’.”
Gary Becker, Chief Information Officer, Reed Smith
“law firms ... are vulnerable to a data breach from three main areas:
• an employee who downloads a virus or mistakenly leaves an unencrypted laptop in a taxi, for example;
• the law firm's vendors who have access to client information getting breached;
• or foreign hackers looking to get information from firms working on major business deals or IP matters.”
John F. Mullen, chair of Lewis Brisbois Bisgaard & Smith's data privacy and network security practice
Law Firm LLP | Cyber Insurance |
July 16th, 2014
Page 1
Cyber Insurance
Cyber Insurance policies respond to a broad range of evolving risk:
1. Insure both First Party and Third Party risks
2. Respond to “bad actors” both inside and outside the insured corporation
3. Provide cover for fines & penalties (where allowed by law)
4. Cover intangible risks - loss and damage to non-physical “property”
5. The primary coverage is for the costs of investigation to establish whether loss or damage has occurred
6. Insurers also provide access to risk control, governance, compliance and technical services as part of the offering
These policies are modular and can be tailored in both limits and elements of coverage to respond to the particular needs of the client.
The following slides outline the services, the primary coverage elements of cyber policies and an overview of available coverage under typical conventional insurance policies.
Added Value Risk Management Services
Service: Key Components
Training: Online training courses in information security. Includes compliance monitoring & reporting.
Procedures & Protocols: Templates for compliance protocols and manuals.
Breach Response / Breach Coach: Access to expert resources to respond to an event, legal / regulatory and forensic / security experts.
Crisis Communications: Public Relations experts with experience handling internal and external fallout from breaches of client information.
Other Services: May include provision of hardware devices, 24-hour emergency help-line, penetration testing, discounts for advanced services.
Claims Handling: Insurers’ own in-house experts on managing and handling claims are also available for advice and training, selection of counsel etc.
First Party Insurance
Module: Key Coverage Components
Breach Response
- Breach coach
- Forensic investigation
- Regulatory / legal advice
Remediation
- Security consulting
- Reconstruction of data
- Reinstallation of software
Network Interruption
- Loss of revenue from network failure / degradation
- Loss of revenue from denial of network access
- “Contingent” interruption
Extortion
- Threat of Distributed Denial of Service (DDoS) attack
- Threat of release of information
- Threat of destruction of data
Crisis Response
- Public relations
- Client / Internal communications
- Crisis fund
Gap Analysis: What is available under a typical first party program?
1. Loss or damage to digital assets – Generally, very limited coverage is provided in Property insurance policies for “Computer Virus and Denial of Access”. A typical limit of insurance is $25,000. Chubb policies typically provide some cover for “Malicious Programming”; limits of up to $100,000 for “insider” and $10,000 for external parties are standard.
2. Business interruption from network downtime – Property policies provide little coverage, as stated above. The KR&E (Kidnap, Ransom & Extortion) policy may provide some network interruption coverage for the risk of “computer violation”.
3. Cyber extortion – Kidnap, Ransom & Extortion policies typically do not have a Cyber exclusion and some (e.g. the Chubb Forefront) provide specific coverage. However, acts of an employee or with the collusion of an employee are specifically excluded.
4. Reputational damage – Property programs typically do not provide cover for Public Relations / remediation activity following a breach. KR&E policies sometimes provide limited cover specific to an extortion event.
5. Theft of money and digital assets – Your Crime policy does provide specific insurance for certain Cyber events, specifically “direct loss of Money, Securities or Property sustained by an Insured resulting from Computer Fraud committed by a Third Party”. There is also no exclusion for Cyber in respect of theft of money by employees. Crime policies will not provide cover for theft of anything other than financial instruments (e.g. if an employee “steals” and sells personal information of the firm’s employees, the Crime policy will not respond).
Third Party Insurance
Module: Key Coverage Components
Security & Privacy
- Forensic investigation
- Regulatory / legal advice
- Defense costs & damages
Regulatory Action
- Investigation
- Defense costs
- Awards, fines & penalties
Loss of Data
- Damage to or corruption of third party data
- Compensation for denial of access
- Data errors
Media Liability
- Defamation, libel & slander
- Breach of copyright, trademark or trade dress
- Electronic and print media
Notification Expenses
- Legal, posting and advertising expenses for compliance
- Credit monitoring & identity theft monitoring / insurance
- Call center
Gap Analysis: What is available under a typical third party program?
1. Security and privacy breaches – General Liability insurance policies provide no coverage for costs, expenses or penalties incurred in connection with a security or privacy breach. However, depending on circumstances your LPL policy may respond. For a breach of employee information there may be some coverage available under the EPL policy (if an affected employee can prove “injury” or that the breach constitutes an “employment related tort”).
2. Investigation of privacy breach – Again, there is typically no coverage provided for investigations or regulatory action, and fines and penalties will be specifically excluded.
3. Customer notification expenses – The issue of whether these costs can be covered under the GL Personal Injury coverage has been explored in the courts and to date the courts have found in favor of the insurers. GL insurance is not designed or intended to respond to cyber breaches.
4. Multi-media liability – GL insurance does sometimes provide coverage under the Advertising and Personal Injury extension, but this will exclude professional services (which would in principle be covered under the LPL). The extent of cover may be limited depending on the circumstances of the loss and the interpretation of the activity that gave rise to the loss; the wording and exclusions should be reviewed.
5. Loss of third party data – GL insurance provides cover for Bodily Injury or Property Damage: data is generally not considered to be physical property and therefore, generally speaking, GL policies will not cover loss of third party data.
Why do Law Firms Buy Cyber Insurance?
Aon is seeing a dramatic increase in the number of firms enquiring about and purchasing Cyber insurance. We currently have more than 55 law firm clients who purchase stand-alone Cyber insurance policies.
The main factors driving decisions to purchase the coverage are as follows:
1. Reducing uncertainty – affirmative and cost effective coverage in areas where there is none available from other policies or where the response of other policies is limited or uncertain.
2. Risk Management Services – firms that do not employ a full time CIO or CISO value the services that are provided alongside the insurance, particularly:
• Training (provision of online courses including monitoring and compliance reports)
• Breach response (specialists with expertise and experience to respond quickly and professionally to all aspects of a breach, including legal advice on managing regulatory implications)
• Security services (consulting, ethical hacking, security protocols, hardware etc.)
3. Contractual requirement – Financial Institutions in particular are requiring very high standards of data protection, and some are now mandating that their outside counsel buy cyber insurance.
4. Network Interruption – awareness that traditional insurance programs provide little or no coverage for this risk.
5. Remediation – reconstructing data, repairing systems & reinstalling software & security is time-consuming & expensive.
6. Employee Information – Law firms are no different from any other employer in that they hold Personally Identifiable Information (PII) and Protected Health Information (PHI) relating to employees.