Insuring Against Cyber Risks (Latham and Watkins)

Upload: irene-lye

Post on 28-Feb-2018


  • 7/25/2019 Insuring Against Cyber Risks (Latham and Watkins)

    1/36

    Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan. The Law Office of Salman M. Al-Sudairi is Latham & Watkins associated office in the Kingdom of Saudi Arabia. In Qatar, Latham & Watkins LLP is licensed by the Qatar Financial Centre Authority. Copyright 2014 Latham & Watkins. All Rights Reserved.

    Insuring Against Cyber-Risks

    Evaluating Coverage Viability

    Tuesday, March 25, 2014

  • 2/36

    Introduction: A Tale of Two Front Pages

    SATURDAY, MARCH 22, 2014

  • 3/36

    Cyber Attacks Grow in Prevalence and Sophistication

  • 4/36

    Coverage Areas Can Include:

    1. Data Loss

    2. Business Interruption

    3. Notification and Compliance Expenses

    4. Crisis Management: Forensic Investigations and Public Relations

    5. Content Liability

    6. Regulatory Investigations

    Cyber Insurance

  • 5/36

    The Cyber Threat

  • 6/36

    Any useful computer system can be made to do malicious things

    No technology can identify malware with 100% accuracy

    As long as there are flaws in software or the people who use it are not perfect, there will be successful cyber attacks

    No Silver Bullet

    Today's cyber attackers do not need to be computer experts. The know-how, tools, and services needed are all for sale on the Dark Market.

  • 7/36

    The Dark Market for Cyber Attacks

  • 8/36

    A Market for Hacking Tools and Stolen Data

  • 9/36

    No need to install and run hacking tools yourself.

    Hacking can be purchased as a service, from hackers based in Russia and elsewhere:

    Malware Pay-per-Install: $100-$150 per 1,000 downloads

    Distributed Denial-of-Service: 1 hour = $10, 1 week = $150

    Spam Services: $10 per 1,000,000 emails

    Botnet: $200 per 2,000 bots

    Rootkit software: $292 (Windows version)

    Hacking email/social media: $100 - $300 per account

    Source: Max Goncharov, Russian Underground 101, Trend Micro Incorporated (2012)

    Cyber Attacks à la Carte

  • 10/36

    The Target Corporation Attack

  • 11/36

    11/27/2013: Target POS terminals infected

    11/30/2013: New software installed to upload stolen data; Target security software sends first alerts

    12/2/2013: Terminals begin uploading stolen data, ultimately ends up on servers in Russia

    12/15/2013: Target identifies attack and ends it

    Overview of the Target Attack

    Graphic: McAfee Labs Threat Advisory: EPOS Data Theft, January 23, 2014

  • 12/36

    The Point-of-Sale Malware: BlackPOS

    For sale for $1,800 to $2,300

    Author is 23-year-old Russian

  • 13/36

    The Evolution of Cyber Insurance

  • 14/36

    1990s Early 2000s Now

    The History of Cyber Insurance

  • 15/36

    Increasing Use

    Increasing Risk

    Increasing Regulation

    Increasing Popularity. Why?

  • 16/36

    Securities and Exchange Commission (SEC)

    Federal Trade Commission (FTC)

    Department of Health and Human Services (DHHS)

    Executive Order 13636

    State Laws

    Increasing Regulation

  • 17/36

    CGL Policy Coverage

  • 18/36

    Not Tangible Property

    New Insurance Services Office (ISO) Standards

    Exclusions

    D&O and E&O?

    Commercial General Liability (CGL) Coverage

  • 19/36

    AOL v. St. Paul, E.D. VA: damaged software not tangible property

    Zurich v. Sony, NY Trial Court: policy covered confidential material published directly by Sony, not by the hackers who stole the information.

    Case in Point:

  • 20/36

    Basic Cyber Insurance Coverages

  • 21/36

    Third Party Coverage

    Damages Claims

    from violation of a privacy tort, law, or regulation

    from a violation of a law or regulation arising out of a security breach

    Defense Costs

    third party claims and regulatory defense

    Media Liability

    Data and PII Loss

    Intellectual Property Losses

  • 22/36

    Remediation Costs

    Fines/Penalties

    Business Interruption

    Damage to Systems

    Intellectual Property

    Computer Fraud

    Funds Transfer

    Extortion

    First Party Coverage

  • 23/36

    Investigation/forensics to determine cause and extent of breach

    Public relations

    Customer notification

    Credit monitoring for customers

    Identity theft resolution services

    Call centers

    Costs to re-secure, re-create, and/or restore data

    Legal services/advice

    Crisis management services

    Remediation costs to respond to the breach

  • 24/36

    Contractual Liability

    Criminal Conduct

    Unfair Business Practices

    Content Theft

    Unauthorized Collection of Customer Data

    Intentional or Fraudulent Acts

    Terrorism, Hostilities, and claims arising from acts of foreign enemies.

    Exclusions

  • 25/36

    Definition of Confidential Information

    Aggregate and other limits

    Retroactivity

    Time Limitations

    business interruption

    credit monitoring and other breach response

    Other Considerations

  • 26/36

    Broker's Perspective

  • 27/36

    Why transfer data security/privacy risks through cyber insurance?

    Vendors/Outsourcing

    Interaction of people and processes with ever-changing technology

    Sophistication and evolution of criminal community.

    Responsibilities to regulators, investors, clients, and affected parties

    Systemic/large loss potential: financial and brand

    Traditional insurance does not address the risks

  • 28/36

    Data Breach Response Predictive Loss Model (Not including regulatory investigations/civil liability)

    Assumptions:

    Outside experts for forensics and crisis management: $13 per record; economies of scale for larger breaches

    Notification Costs: $7 per record; varies if multi-state, includes mailing and tracking; economies of scale for larger breaches

    Call Center Costs: $5 per call (10% expected participation)

    Credit monitoring and ID theft repair offered on an opt-in basis or activated affirmatively by the affected individual

    Credit Monitoring: $15 per record (5% expected participation); economies of scale for larger breaches

    ID Theft Repair and ID Theft Insurance: $500 per record (5% of those monitored experience theft); economies of scale for larger breaches

    | Number of Records Compromised | 1,000,000 | 5,000,000 | 30,000,000 | 50,000,000 |
    |---|---|---|---|---|
    | Forensics and Crisis Management Costs | $3,250,000 | $4,875,000 | $9,750,000 | $16,250,000 |
    | Privacy Notification Costs | $2,100,000 | $3,500,000 | $10,500,000 | $13,125,000 |
    | Call Center Costs | $250,000 | $625,000 | $2,250,000 | $3,750,000 |
    | Credit Monitoring Cost | $375,000 | $937,500 | $3,375,000 | $5,625,000 |
    | ID Theft Repair | $1,500,000 | $3,750,000 | $7,500,000 | $8,750,000 |
    | Total Estimated 1st Party Costs | $7,475,000 | $13,687,500 | $33,375,000 | $47,500,000 |

  • 29/36

    Network Security Liability

    Claim expenses and damages emanating from network and non-network security breaches

    Denial of service attack

    Transmission of a virus

    Theft of data

    Privacy Liability

    Claim expenses and damages emanating from violation of a privacy tort, law, or regulation

    Claim expenses and damages emanating from a violation of a law or regulation arising out of a security breach

    Extortion Payments

    Reasonable and necessary expenses and any funds or property paid (varies by company)

    Privacy Event Expense Reimbursement

    Expense reimbursement for third-party forensics costs

    Public relations and Legal

    Mandatory notification costs (comply with security breach notification laws)

    Voluntary notification costs

    Credit monitoring

    Call center

    ID Theft Insurance

    Privacy Regulatory Proceedings and Fines

    Claim expenses in connection with a privacy regulatory inquiry, investigation, or proceeding

    Damages/fines (varies by market)

    Consumer Redress Fund

    Privacy regulations fines

    PCI DSS fines and assessments (varies by market)

    Basic Data Security and Privacy Liability Coverages

  • 30/36

    Cyber Insurance Marketplace

    Key Development: Expert Data Breach Panel Support

    Cyber Policies developed as Reimbursement policies that allowed the insured to hire vendors but many companies did/do not have an effective cross-border data breach contingency plan.

    New Development: Expert Vendor Panels

    Established breach panels, particularly legal, forensics, and credit protection services.

    Cross-border and multiple language capability for call center support.

    Data breach coach.

  • 31/36

    Reputational Harm

    Lockton is an industry leader in intangible risks.

    Customized wording around a set of reputational harm perils (including data breach or loss of service)

    Adverse media trigger leading to loss of net income/extra expense

    Combinable with expanded loss of computer network coverage.

    Additional First Party Network Coverages

  • 32/36

    Basic Process

    Key Market Invitations

    NDA signed by all invited insurers

    Project Plan with Mutual Milestones + Key Dates

    Policy Design Document w/Detailed Specifications

    Data breach response coordination with our client's crisis management plan and preferred vendors

    Short Form Application

    Assistance with PP Briefing document and Presenter Rehearsal

    Underwriting briefing (one for all markets)

    Debrief with client and negotiations

    Finalize program and bind

    Timely issuance of master and local policies (if needed)

    Our Approach to Design/Marketing Cyber Programs

  • 33/36

    Premium Calculation Considerations

  • 34/36

    Placeholder

  • 35/36

    Contact Information

    Peter K. Rosen, Moderator
    Partner, Los Angeles
    email: [email protected]: +1.213.891.8778

    Margrethe K. Kearney
    Associate, Chicago
    email: [email protected]: +1.312.777.7040

    Neil A. Rubin
    Associate, Los Angeles
    email: [email protected]: +1.213.891.8841

    Bob Steinberg
    Partner, Los Angeles | Silicon Valley
    email: [email protected]: +1.213.891.8989

    Emily Freeman
    Risk Management Cyber Specialist, Lockton Companies LLP
    email: [email protected]: +1.707.595.1901

  • 36/36

    Although this presentation may provide information concerning potential legal issues, it is not a substitute for legal advice from qualified counsel. Any opinions or conclusions provided in this presentation shall not be ascribed to Latham & Watkins or any clients of the firm.

    The presentation is not created or designed to address the unique facts or circumstances that may arise in any specific instance, and you should not and are not authorized to rely on this content as a source of legal advice and this seminar material does not create any attorney-client relationship between you and Latham & Watkins.

    Copyright 2014 Latham & Watkins. All Rights Reserved.