Insuring Against Cyber Risks (Latham and Watkins)
TRANSCRIPT
-
7/25/2019 Insuring Against Cyber Risks (Latham and Watkins)
Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan. The Law Office of Salman M. Al-Sudairi is Latham & Watkins' associated office in the Kingdom of Saudi Arabia. In Qatar, Latham & Watkins LLP is licensed by the Qatar Financial Centre Authority. Copyright 2014 Latham & Watkins. All Rights Reserved.
Insuring Against Cyber-Risks
Evaluating Coverage Viability
Tuesday, March 25, 2014
-
Introduction: A Tale of Two Front Pages
SATURDAY, MARCH 22, 2014
-
Cyber Attacks Grow in Prevalence and Sophistication
-
Coverage Areas Can Include:
1. Data Loss
2. Business Interruption
3. Notification and Compliance Expenses
4. Crisis Management - Forensic Investigations and Public Relations
5. Content Liability
6. Regulatory Investigations
Cyber Insurance
-
The Cyber Threat
-
Any useful computer system can be made to do malicious things
No technology can identify malware with 100% accuracy
As long as there are flaws in software or the people who use it are not perfect, there will be successful cyber attacks
No Silver Bullet
Today's cyber attackers do not need to be computer experts. The know-how, tools, and services needed are all for sale on the Dark Market.
-
The Dark Market for Cyber Attacks
-
A Market for Hacking Tools and Stolen Data
-
No need to install and run hacking tools yourself.
Hacking can be purchased as a service, from hackers based in Russia and elsewhere:
Malware Pay-per-Install: $100-$150 per 1,000 downloads
Distributed Denial-of-Service: 1 hour = $10, 1 week = $150
Spam Services: $10 per 1,000,000 emails
Botnet: $200 per 2,000 bots
Rootkit software: $292 (Windows version)
Hacking email/social media: $100 - $300 per account
Source: Max Goncharov, Russian Underground 101, Trend Micro Incorporated (2012)
Cyber Attacks à la Carte
-
The Target Corporation Attack
-
11/27/2013: Target POS terminals infected
11/30/2013: New software installed to upload stolen data; Target security software sends first alerts
12/2/2013: Terminals begin uploading stolen data, ultimately ends up on servers in Russia
12/15/2013: Target identifies attack and ends it
Overview of the Target Attack
Graphic: McAfee Labs Threat Advisory: EPOS Data Theft, January 23, 2014
-
The Point-of-Sale Malware: BlackPOS
For sale for $1,800 to $2,300
Author is 23-year-old Russian
-
The Evolution of Cyber Insurance
-
1990s Early 2000s Now
The History of Cyber Insurance
-
Increasing Use
Increasing Risk
Increasing Regulation
Increasing Popularity. Why?
-
Securities and Exchange Commission (SEC)
Federal Trade Commission (FTC)
Department of Health and Human Services (DHHS)
Executive Order 13636
State Laws
Increasing Regulation
-
CGL Policy Coverage
-
Not Tangible Property
New Insurance Services Office (ISO) Standards
Exclusions
D&O and E&O?
Commercial General Liability (CGL) Coverage
-
AOL v. St. Paul, E.D. VA: damaged software not tangible property
Zurich v. Sony, NY Trial Court: policy covered confidential material published directly by Sony, not by the hackers who stole the information.
Case in Point:
-
Basic Cyber Insurance Coverages
-
Third Party Coverage
Damages Claims
from violation of a privacy tort, law, or regulation
from a violation of a law or regulation arising out of a security breach
Defense Costs
third party claims and regulatory defense
Media Liability
Data and PII Loss
Intellectual Property Losses
-
Remediation Costs
Fines/Penalties
Business Interruption
Damage to Systems
Intellectual Property
Computer Fraud
Funds Transfer
Extortion
First Party Coverage
-
Investigation/forensics to determine cause and extent of breach
Public relations
Customer notification
Credit monitoring for customers
Identity theft resolution services
Call centers
Costs to re-secure, re-create, and/or restore data
Legal services/advice
Crisis management services
Remediation costs to respond to the breach
-
Contractual Liability
Criminal Conduct
Unfair Business Practices
Content Theft
Unauthorized Collection of Customer Data
Intentional or Fraudulent Acts
Terrorism, Hostilities, and claims arising from acts of foreign enemies.
Exclusions
-
Definition of Confidential Information
Aggregate and other limits
Retroactivity
Time Limitations
business interruption
credit monitoring and other breach response
Other Considerations
-
Broker's Perspective
-
Why transfer data security/privacy risks through cyber insurance?
Vendors/Outsourcing
Interaction of people and processes with ever-changing technology
Sophistication and evolution of criminal community.
Responsibilities to regulators, investors, clients, and affected parties
Systemic/large loss potential: financial and brand
Traditional insurance does not address the risks
-
Data Breach Response Predictive Loss Model (Not including regulatory investigations/civil liability)
Assumptions:
Outside experts for forensics and crisis management: $13 per record; economies of scale for larger breaches
Notification Costs: $7 per record; varies if multi-state, includes mailing and tracking; economies of scale for larger breaches
Call Center Costs: $5 per call (10% expected participation)
Credit monitoring and ID theft repair offered on an opt-in basis or activated affirmatively by the affected individual
Credit Monitoring: $15 per record (5% expected participation); economies of scale for larger breaches
ID Theft Repair and ID Theft Insurance: $500 per record (5% of those monitored experience theft); economies of scale for larger breaches
Number of Records Compromised | 1,000,000 | 5,000,000 | 30,000,000 | 50,000,000
Forensics and Crisis Management Costs | $3,250,000 | $4,875,000 | $9,750,000 | $16,250,000
Privacy Notification Costs | $2,100,000 | $3,500,000 | $10,500,000 | $13,125,000
Call Center Costs | $250,000 | $625,000 | $2,250,000 | $3,750,000
Credit Monitoring Cost | $375,000 | $937,500 | $3,375,000 | $5,625,000
ID Theft Repair | $1,500,000 | $3,750,000 | $7,500,000 | $8,750,000
Total Estimated 1st Party Costs | $7,475,000 | $13,687,500 | $33,375,000 | $47,500,000
-
Network Security Liability
Claim expenses and damages emanating from network and non-network security breaches
Denial of service attack
Transmission of a virus
Theft of data
Privacy Liability
Claim expenses and damages emanating from violation of a privacy tort, law, or regulation
Claim expenses and damages emanating from a violation of a law or regulation arising out of a security breach
Extortion Payments
Reasonable and necessary expenses and any funds or property paid (varies by company)
Privacy Event Expense Reimbursement
Expense reimbursement for third-party forensics costs
Public relations and Legal
Mandatory notification costs (comply with security breach notification laws)
Voluntary notification costs
Credit monitoring
Call center
ID Theft Insurance
Privacy Regulatory Proceedings and Fines
Claim expenses in connection with a privacy regulatory inquiry, investigation, or proceeding
Damages/fines (varies by market)
Consumer Redress Fund
Privacy regulations fines
PCI DSS fines and assessments (varies by market)
Basic Data Security and Privacy Liability Coverages
-
Cyber Insurance Marketplace
Key Development - Expert Data Breach Panel Support:
Cyber Policies developed as Reimbursement policies that allowed the insured to hire vendors but many companies did/do not have an effective cross-border data breach contingency plan.
New Development - Expert Vendor Panels
Established breach panels, particularly legal, forensics, and credit protection services.
Cross-border and multiple language capability for call center support.
Data breach coach.
-
Reputational Harm
Lockton is an industry leader in intangible risks.
Customized wording around a set of reputational harm perils (including data breach or loss of service)
Adverse media trigger leading to loss of net income/extra expense
Combinable with expanded loss of computer network coverage.
Additional First Party Network Coverages
-
Basic Process
Key Market Invitations
NDA signed by all invited insurers
Project Plan with Mutual Milestones + Key Dates
Policy Design Document w/Detailed Specifications
Data breach response coordination with our client's crisis management plan and preferred vendors
Short Form Application
Assistance with PP Briefing document and Presenter Rehearsal
Underwriting briefing (one for all markets)
Debrief with client and negotiations
Finalize program and bind
Timely issuance of master and local policies (if needed)
Our Approach to Design/Marketing Cyber Programs
-
Premium Calculation Considerations
-
Placeholder
-
Contact Information
Peter K. Rosen, Moderator
Partner, Los Angeles
email: [email protected]: +1.213.891.8778
Margrethe K. Kearney
Associate, Chicago
email: [email protected]: +1.312.777.7040
Neil A. Rubin
Associate, Los Angeles
email: [email protected]: +1.213.891.8841
Bob Steinberg
Partner, Los Angeles | Silicon Valley
email: [email protected]: +1.213.891.8989
Emily Freeman
Risk Management Cyber Specialist, Lockton Companies LLP
email: [email protected]: +1.707.595.1901
-
Although this presentation may provide information concerning potential legal issues, it is not a substitute for legal advice from qualified counsel. Any opinions or conclusions provided in this presentation shall not be ascribed to Latham & Watkins or any clients of the firm.
The presentation is not created or designed to address the unique facts or circumstances that may arise in any specific instance, and you should not and are not authorized to rely on this content as a source of legal advice and this seminar material does not create any attorney-client relationship between you and Latham & Watkins.
Copyright 2014 Latham & Watkins. All Rights Reserved.