cyber liability insurance and your security program

Cyber Liability Insurance and Your Security Program – How They Fit Together SCOTT TAKAOKA [email protected], 415.509.8071 VP BUSINESS DEVELOPMENT

Upload: scott-takaoka

Post on 25-Jan-2017


TRANSCRIPT

Page 1: Cyber liability insurance and your security program

Cyber Liability Insurance and Your Security Program – How They Fit Together

SCOTT TAKAOKA

[email protected], 415.509.8071

VP BUSINESS DEVELOPMENT

Page 2

Cyber Insurance Basics

o Sold as specialty insurance

o General liability, Errors & Omissions policies often do not cover cyber events

o Covers costs associated with breach

  o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments

  o Third party – class action suits, regulatory investigations/fines

o Brokers line up multiple carriers to bid on your policy

  o Security often participates on discovery calls

o Multiple carriers may participate in a “risk tower”

Page 3

Risk Tower Example

1st $10M – Carrier A

2nd $10M – Carrier B

3rd $10M – Carrier C

4th $10M – Carrier D

5th $10M – Carrier A

$50M in coverage

Payout for the 1st $10M in loss

Page 4

Wild, Wild West

Insurance carriers are on a steep learning curve

o GL insurance may provide coverage example - “property”

o Cyber - non admitted policies

o No standard language – caveat emptor!

o SMB gets off-the-shelf language

o Your policy will change

Page 5

What’s Behind the Curtain?

Insurance carriers are on a steep learning curve

o No actuarial models for cyber risk

o Steep learning curve for infosec

o Less rigor on application - tight scrutiny on claims

o Imperfect information – working through brokers

o Broad range in pricing

Write policies with basic underwriting → Understand claims → Write more exclusions → Adjust premiums

Page 6

Interesting Case Law

• Columbia Casualty Company (CNA) v. Cottage Health System

• Server misconfiguration: anonymous FTP

• Exposure of 32,500 records – settled class action suit for $4.1M

• Claim initially accepted by CNA

• Examined application, then reversed course and sued Cottage

• Case dismissed on procedure

Page 7

Interesting Case Law

Cottage “failed to apply minimum required security practices” … and must “continuously implement” security measures …

— CNA

An unresolved argument

Page 8

Agenda: Take Action

• Collaborate across silos - pen-testers to general counsel

• Understand context – your threats/attack scenarios and loss potential

  • PASTA (Process for Attack Simulation and Threat Analysis)

  • FAIR (Factor Analysis of Information Risk)

• Strength of security vs. business impact cyber insurance requirement

[Figure: Legal | Business | Risk | Security]

Page 9

Agenda: Take Action

• Governance – easiest deficiencies to spot when applying for cyber

• Collaborate to review and negotiate policy language – exclusions, BYOD, cloud, vendor risk …

• Be careful what you state – your answers are a “warranty”

• Be mindful of time limits on notification of breach

[Figure: Legal | Business | Risk | Security]

Page 10

Cyber Liability Insurance and Your Security Program – How They Fit

SCOTT TAKAOKA

VP BUSINESS DEVELOPMENT