TRANSCRIPT
Cyber Liability Insurance and Your Security Program – How They Fit Together
SCOTT TAKAOKA
[email protected], 415.509.8071
VP BUSINESS DEVELOPMENT
Cyber Insurance Basics
o Sold as specialty insurance
o General liability and Errors & Omissions policies often do not cover cyber events
o Covers costs associated with a breach
o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
o Third party – class action suits, regulatory investigations/fines
o Brokers line up multiple carriers to bid on your policy
o Security often participates on discovery calls
o Multiple carriers may participate in a “risk tower”
Risk Tower Example
1st $10M – Carrier A
2nd $10M – Carrier B
3rd $10M – Carrier C
4th $10M – Carrier D
5th $10M – Carrier A
$50M in coverage
(The 1st $10M layer pays out for the first $10M in loss)
Wild, Wild West
INSURANCE CARRIERS ARE ON A STEEP LEARNING CURVE
o GL insurance may provide coverage in some cases, e.g. “property”
o Cyber – non-admitted policies
o No standard language – caveat emptor!
o SMB gets off-the-shelf language
o Your policy will change
What’s Behind the Curtain?
o No actuarial models for cyber risk
o Steep learning curve for infosec
o Less rigor on application – tight scrutiny on claims
o Imperfect information – working through brokers
o Broad range in pricing
(Carrier learning cycle) Write policies with basic underwriting → Understand claims → Write more exclusions → Adjust premiums
Interesting Case Law
• Columbia Casualty Company (CNA) v. Cottage Health System
• Server misconfiguration: anonymous FTP
• Exposure of 32,500 records – settled class action suit for $4.1M
• Claim initially accepted by CNA
• Examined application, then reversed course and sued Cottage
• Case dismissed on procedure
Cottage “failed to apply minimum required security practices”…and must “continuously implement” security measures…
— CNA
Interesting Case Law
An unresolved argument
Take Action
• Collaborate across silos – pen-testers to general counsel
• Understand context – your threats/attack scenarios and loss potential
• PASTA (process for attack simulation and threat analysis)
• FAIR (factor analysis for information risk)
• Strength of security vs. business impact – the cyber insurance requirement
(Silos: Legal, Business, Risk, Security)
Take Action
• Governance – the easiest deficiencies to spot when applying for cyber insurance
• Collaborate to review and negotiate policy language – exclusions, BYOD, cloud, vendor risk…
• Be careful what you state – your answers are a “warranty”
• Be mindful of time limits on notification of breach
(Silos: Legal, Business, Risk, Security)