
Sept 2012   data security & cyber liability

Emerging Risk: Data Security & Cyber Liability

Autumn 2012

“For any business that accepts non-cash payments or has a payroll - there is some data at risk.”

By the Numbers...

• 40%: Surveyed businesses with <500 employees that have experienced a data breach

• $210,000: Estimated cost of a small data breach involving 1,000 records

• 100%: Virtually every business handles at-risk data

• 2-6 days: Number of days within which 25% of businesses will go bankrupt without internet access

• 42%: Breaches caused by factors which cannot be mitigated through IT security measures – rogue employee, theft, and business interruption

About Us

MidSouth Assurance - on Main Street, for Main Street. We believe that businesses can best be served by an insurance agency that understands the environment in which a particular business operates. Similarly, we represent insurance carriers with a similar philosophy. This, we believe, will result in the most effective insurance programs for our clients.

Over fifty years of experience in large and small brokerages, as well as independent agencies, allows us to effectively serve new ventures and growth businesses in the Greater Richmond area. We advise clients on a breadth of risk management issues, and develop appropriate mitigation strategies for them, including specialty insurance programs.

Insurance • Risk Management

Relevance

Which businesses have this risk?

Virtually every business utilizes sensitive information, and virtually any business can incur liability from employees’ cyber activities. In fact, any business which has payroll data or collects non-cash payments captures Personally Identifiable Information (PII), or that information which is protected under law. PII includes an individual’s name in combination with credit/debit card numbers, bank account information, social security numbers, or driver’s license numbers. Other sensitive personal information includes: IP addresses, vehicle registration numbers, fingerprints and biometric data, address, age, gender, name of school attended, professional grade or salary, criminal record, and health care records.1 Combinations of these data elements are valuable to criminals who use the information for illegal purposes.

According to Accenture, a majority of businesses have lost sensitive personal information, and among these organizations, the biggest causes are internal control failures. In fact, there were over eight million computers stolen in the past three years; and according to the FBI only 3% are recovered.2 According to Ponemon Institute, each week there are 10,000 laptop computers lost at the 36 largest airports in the U.S., with an average cost of $50,000 per laptop, including: replacement, detection, forensics, data breach, lost IP rights, lost productivity, and legal and regulatory expenses. Moreover, 40% of small businesses have experienced a loss of sensitive information.3

According to NetDiligence, a significant share of breaches are attributable to hacking attacks; however 42% are caused by factors which are not mitigated through IT security measures – rogue employees, theft or loss of a device, and interruption of internet connectivity or electricity service.4 Paradoxically, Towers Watson has found that amongst businesses who had forgone risk transfer through a liability policy, 37% justified the decision in the belief that their IT departments and internal controls were sufficient.5

While the healthcare, finance, utilities, and defense sectors are particularly likely targets for cyber attacks due to the volume of valuable data, industry experts still predict that the highest likelihood of breaches will occur in small businesses, particularly in healthcare, given their smaller IT security budgets. McAfee recently identified “industrial threats” first on its list of 2012 predictions, including the manipulation or destruction of industrial controls. These risks are particularly relevant in the physical infrastructure sectors for transportation, energy and telecommunications. In 2009, the “Night Dragon” coordinated attacks demonstrated the level of sophistication which has been achieved when attacking core infrastructure providers. Within this incident oil, energy and petrochemical firms were attacked through a combination of social engineering, spear phishing, and remote administration tools. The attacks are believed to have originated from China, and were designed to acquire confidential information regarding bidding and other project finance intelligence related to large development projects.6

Regulation

What is required under law?

Regulatory changes regarding data security and cyber liability have developed at a rapid pace.7 A compromise of confidential PII triggers a requirement under state laws to notify the aggrieved parties. This notification is designed to provide aggrieved parties information related to the nature of the incident, the type of PII that was compromised, remedial actions the company took to increase protection, a contact phone number for posing questions regarding the incident, and information regarding credit monitoring.8

Requirements vary across the 47 states and three territories which have data protection legislation in place. The primary variables include, but are not limited to: the definition of the type of data which constitutes PII, requirements regarding the notification timing, the state agencies which must be contacted in the event of a data breach, applicability of the law to various entity forms, applicability to physical data (not electronic data), provisions for notifying aggrieved parties of recommendations regarding credit freeze or fraud alerts, provisions requiring notification to the credit monitoring agencies, and safe harbor stipulations around the loss of an encrypted mobile device. In the event of a data breach, complexity can become unwieldy as it is the aggrieved party’s home state which determines the applicable laws to which the breached business must adhere.

National regulation can increase the complexity of navigating a breach event. Within certain organizational contexts a range of regulations can apply; these include: the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act (GLBA) on financial transactions, the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair and Accurate Credit Transactions Act (FACTA), the Federal Information Security Management Act (FISMA), the Genetic Information Nondiscrimination Act of 2008 (GINA), the Family Educational Rights and Privacy Act (FERPA), the FTC recommendations on protecting consumer privacy, especially section 5A on website data usage, and the SEC Cyber Security guidance.9 It is important to note that in areas of conflicting definitions or differing requirements, compliance with the stricter law is generally required.

Depending on the nationality of those for whom data is held, and how the data is used, international law may apply. Several of the most relevant include: Canada’s Personal Information Protection and Electronic Documents Act, the UK Data Protection Act of 1998, the U.S. Patriot Act, the U.S. – E.U. Safe Harbour Agreement, the European Union Data Protection Regulations, Malaysia's Personal Data Protection Act 2010, and India's IT Amendments Act.10

Scope of the Risks

What does “Data Security & Cyber Liability” entail?

Data security and cyber liability is a risk family that encompasses first-party and third-party liability resulting from the use of Information and Communication Technologies (ICT). Technological and regulatory trends have given rise to a group of perils, from which the risks arise; and these risks fall within three areas: (a) Strategic Risks; (b) Operational Risks; and (c) Pure Risks (see figure 1). The risks can result in first party losses, such as investigations and remedial action following a data breach. Also, a number of third-party liabilities are present, and are based upon the principle that an individual has a right to control the collection, use and disclosure of his/her personal information.11

Figure 1: Data Security & Cyber Liability Landscape

Areas of Exposure

Strategic Risk
• Business Model Obsolescence
• IT Vendor Negligence

Operational Risk
• Data Breach
• Fraudulent Payment
• Defamatory Communications Suit
• Unfair Trade Practices Suit
• Privacy Violations & Other Employer Practices Liability
• Data Tracking Liability

Pure Risk
• Hacking Attacks
• Physical Theft
• Internet or Electrical Service Interruption

Contributing Trends

Technological
• Social Media & Web 2.0
• Cloud Computing Models
• Growth in Data Volume
• Proliferation of Mobile Devices
• Sophisticated Attacks

Legal
• Consumer Protection Legislation
• Financial Transactions Legislation
• Industry Regulation
• Judicial Precedent

Socio-Cultural
• Increased Awareness of Identity Theft
• Increased Interconnectivity

Causes of Loss (Perils)
• Mysterious Disappearance or Theft of Company Data
• Online Collaboration and Social Media Postings
• Phishing Tactics
• Website Interference
• Unauthorized Network Access (e.g. Trojans, SQL Injections, Other Malware)
• Social Activism
• Rogue Employees

The Risks: Operational risk is the largest component – particularly Data Breach, or the compromise of personally identifiable information (PII) or other sensitive material – whether in electronic form or represented in physical documents. “Sensitive information” includes that data which is protected under the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, criminal records, and other information that a business is bound to keep confidential, such as intellectual property and trade secrets.12 Regardless of the IT delivery model, the firm as the “data owner” retains responsibility for protection, even in the case of a data breach experienced by an outsourced partner. It is also important to bear in mind that pure risks, such as an ICT service interruption or a hacking attack, increase the risk of data loss – highlighting the inter-relatedness of the various risk elements. Similarly, theft of mobile devices constitutes another such risk, especially where data storage is unencrypted. Other relevant risks include: (1) Defamatory Communications, or social media postings which, when held to the legal standards of commercial publications, are judged to be misleading and/or guilty of libel or slander; (2) Unfair Trade Practices, or the publication of social media judged to include misleading endorsements or disparagements; (3) Privacy Violations, Harassment and Discrimination, which include a range of employment practices liabilities within the social media space – for example, consideration of an individual’s social media postings which include information that would be judged off-limits in an interview setting; and (4) Data Tracking, or the collection of data related to consumer behavior, which is conducted unbeknownst to the individual or which is conducted in a manner which doesn’t allow a consumer opt-out.13

There is an exposure related to cloud delivery models, and the use of outsourced IT providers, with third party mistakes now accounting for 46% of data loss.14 Most cloud providers simply cannot afford to indemnify all platform tenants;15 as such it’s incumbent upon cloud service providers and data center operators to investigate risk transfer through technology errors & omissions coverage. As client businesses seek cost efficiencies and deployment speed through cloud delivery models, unique risks arise, such as: disruptive force (i.e. business model obsolescence), lack of transparency, reliability and performance issues, strategic business model risks, vendor lock-in, and security concerns.16 Moreover, daisy chain effects of liability have been documented – where the primary company utilizes an outsourced IT provider, who in turn outsources some elements of data storage or manipulation to another provider. This chain of data handlers may extend to multiple vendors, which increases loss-of-control and overall exposure.17 In short, an evaluation of cloud architecture and outsourced IT relationships should include a thorough risk assessment of resultant cyber liabilities; and the liabilities should be weighed against cost, efficiency and scalability benefits.

The Causes: There are a range of factors which cause these losses. The causes can range from the straightforward to the complex – employee communications, physical theft or mysterious disappearance of data sources (especially mobile devices), skimming credit and debit card numbers at a point of sale, phishing tactics to masquerade as a trustworthy entity to solicit sensitive information (including counterfeit social media web pages), website interference or defacement, and complex network intrusions. Motives for both negligent and malicious behavior can include political and social activism, financial gain, or employee retribution.18

Contributing Trends: These risks have emerged from a range of trends, including legislation to protect individuals – creating compliance requirements. The rise of social media and Web 2.0 collaboration, mobile data communications, explosive growth in data volumes, and cloud architectures have all contributed to the growth in data security and cyber liability risks.19 Furthermore, data security is becoming increasingly difficult. It has been predicted that the advent of quantum computing will create an ecosystem in which it will be impossible to keep data secure for any length of time, and that governments and large corporations won’t connect to the “red internet.”20 FBI Director Robert Mueller stated, “But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.”21 Data stores are growing at an exponential rate,22 and the increasing use of Bring-Your-Own-Device policies is creating further security concerns and reducing the organization’s control over the data for which it is legally responsible.23 Lastly, according to the Federal Trade Commission, 9 million Americans become identity theft victims each year. As this victimization becomes more prevalent, public awareness of data breaches and confidentiality issues is increasing.

Frequency

How often are losses experienced?

Data loss has been occurring since records have been kept; however, the collection of statistics regarding data loss is only in its infancy. Since 2005, the frequency of data breaches has grown at an average rate of 27%. In an Accenture survey, 40% of small businesses with fewer than 500 employees experienced a loss of sensitive information, while over half of those respondents with over 1,000 employees had experienced a loss. Since 2005, there have been 2,870 data breaches affecting 543 million records. Furthermore, Privacy Rights Clearinghouse reported 535 breaches in 2011 that involved 30.4 million records.24 Historic statistics regarding data breach have been incomplete, with many going unreported. It is only in the past several years that notifications have been made mandatory.

Severity

How significant are the losses?

When considering statistics related to data breaches and other cyber liabilities, it is important to remember that large breaches skew the average.25 That said, the overall average cost of a breach involving personal data is $7.2 million.26 A recent study by Ponemon revealed that the average cost from a data breach of PII is $214 per record. Consequently, for a small business which experiences the theft of 1,000 records – we estimate damages of approximately $210,000.27 Costs vary depending on the cause of the data loss, and across a wide array of breach scenarios. For example, business interruption cost due to denial of internet or other technical services has been the most severe type of loss.28

Figure 2: Data Security & Cyber Liability Exposures Response

Timeline: Assessment (2 – 14 Days), followed by Short-term & Long-term Crisis Management (2+ Years)

Potential First Party Losses
• Privacy Counsel
• Containment
• Forensic Data Investigation
• Crisis Management / Reputation Risk Advisory
• Notifications to Aggrieved Parties
• Repairs and Upgrades to Impacted Systems
• Credit Monitoring & Call Center Support
• Business Interruption Costs
• Legal Defence
• Fines

Potential Third Party Losses
• Compensatory Damages for Lost Income
• Loss of Funds – Fraudulent e-Payment
• Bodily Injury for Mental Anguish
• Content Injuries – Loss of IP, Trade Secret
• Reputational Damages (i.e. libel, defamation)
• Systems Injuries for Security Failures
• Impaired Access Damages
• Punitive Damages

In many instances, especially regarding network intrusions, the hacker has had access for an extended period.29 However, it is the moment of awareness of a potential data loss which triggers the crisis response. The costs associated with this initial period, which we estimate at 2 days to 2 weeks, are incurred through efforts to stop and contain an intrusion or other attack, including security upgrades or other remediation efforts.

Awareness of a potential data loss should set in motion a precise response methodology. The timeline in figure 2 provides a high-level view of the process the firm will undergo. Within the first 2 days to 2 weeks, a crisis assessment exercise is undertaken – preferably under the guidance of a privacy attorney well positioned to provide legal oversight, to limit exposure, and to control the circulation of communications regarding the incident. The attorney is generally required for 10 – 30 hours of service.30 Also, in the case of suspected electronic data loss, a forensic examination is required to confirm whether a breach has occurred, and if so, its extent. The scope and cost of this examination is most correlated to the complexity of the IT architecture and sophistication of pre-existing security measures (not the number of breached files). The cost of a forensic examination is typically $50,000.31 Dependent upon the nature of the breach, ten to thirty hours of crisis management services may be undertaken by a reputational risk advisory firm or a public relations consultant.32 At the end of this period notifications are distributed to aggrieved parties in order to comply with statutory obligations, with costs estimated at $10 - $15 per record.33

For the subsequent two years (or more) a range of further first party costs are incurred, including further remediation such as physical security measures and technical changes. These augmentations may include data restoration, software upgrades, and hardware replacement; or may be as extensive as fundamental changes in: outsourcing relationships and service level agreements, data models, infrastructure architecture, and security-related policy and governance protocols. In some instances re-certification with PCI standards may be necessitated.34 Also, the ongoing operation of a call center may be required to meet compliance requirements. There may also be costs related to business interruption, especially in relation to denial of data access, website outage, or other service outage. Lastly, legal defense costs and regulatory fines of up to $1.5 million may be incurred.

One primary exposure, outside data breach scenarios, typically concerns the liability associated with third-party damages.35 As figure 2 illustrates, there are a range of potential liabilities related to Data Security and Cyber Liability. There are potential claims against the data owner from employees, potential employees, customers, suppliers and competitors. Depending upon the nature of the cyber event, third party liabilities can include: investigation, mitigation and remediation costs relating to a data breach; costs for compliance with various laws and regulations after a breach; class action lawsuits alleging disclosure of PII; business partners alleging breach of contract, negligence or demands for indemnification; or professional negligence.36 Also, relating to other risks, there are potential third party liabilities arising from fraudulent electronic payments, damages arising from an unfair trade practices suit due to employee social media postings, and liabilities arising from invasion of privacy, especially in relation to data tracking. Lastly, there is also a risk of compensatory damages for employment practices liabilities, data breach incidents, or defamatory social media postings. These damages can include loss of income, mental anguish, and punitive damages.37

Recommended Approach

What should be done to mitigate the risks?

Enterprise Risk Management (ERM) has become a sophisticated discipline of coordinated activities to mitigate the negative impacts of uncertainty, including the use of complex regression analyses and probabilistic models.39 Data Security & Cyber Liability, as a risk family, should be considered within an organization’s ERM efforts, and within each segment of the ERM framework. Figure 3 provides several illustrative questions the risk management professional should consider when incorporating Data Privacy and Cyber Liability within an ERM program.

Figure 3: Risk Management Framework Applied to Data Security & Cyber Liability38

• What extreme events could happen, and how is a cyber loss related to other risk areas?
• How effective are we at preventing data loss and defending against attacks?
• Have we determined the scale and scope of potential breach scenarios?
• Do we track the right security information regarding data in use, data transfer and data storage?
• Have we implemented cyber policies, and assigned accountability for data crisis response?
• To what extent are we willing to accept the risk of a data loss?
• Do we have sensitive information?
• What actions can we take to better defend against cyber loss?

Our approach to Data Security and Cyber Liability applies the breadth of the ERM Framework, while grounding action within traditional project management methodology. For example, within the first tranche of work firms should focus efforts on identifying all relevant risks, including sources of the risk, areas of impact, estimates of frequency and severity and preliminary findings on interdependencies. By surfacing all relevant data security and cyber liability risks, the firm is well positioned to conduct a robust analysis, covering: factors that affect the likelihood of realization, existing controls, interdependencies, and sensitivities.

A strong response to data security and cyber liability results in effective internal controls to mitigate risk; a plan for a crisis event (pre- and post-claim); and robust risk transfer through insurance designed to address the risks. Like all risk management efforts, the challenge is in the details. Businessowners Policies (BOPs) and Commercial Package Policies generally exclude potential exposures. Endorsements may be available, but are typically limited in their scope of coverage given the nature of these risks. The savvy firm will seek effective risk transfer through appropriate policies designed to cover their specific risk exposures. The most effective plan for managing the risk and related response will be specifically tailored to the firm, and companies that combine a contingency plan and an appropriately crafted policy are best positioned to survive the risks.

Figure 4: Our Approach to Data Privacy & Cyber Liability

Objective: Effectively Manage Data Security & Cyber Liability Risks

Activities: Project Management & Communications, spanning Risk Identification (Milestone A), Risk Analysis (Milestone B), Risk Treatment (Milestone C) and Risk Evaluation (Milestone D)

Inputs
• Existing risk framework, communications, and context documentation
• Industry intelligence
• IT security measures
• Related Human Resources policies
• Cyber risk log
• Industry data on retained risks
• Compliance requirements
• Risk criteria
• Risk analysis outcomes
• Risk evaluations
• Existing insurance policies
• Existing disaster recovery plans

Outputs
• Exhaustive log of all relevant risks and risks discounted
• Existing treatments
• Frequency and severity mapping
• Sensitivities, scenarios and dependencies
• Prioritization of required treatments
• Outcomes of risk technique decisions
• Pre- and post-claim response plan
• Enhanced insurance coverage
• Implemented risk controls

Page 11: Sept 2012   data security & cyber liability

Endnotes

1. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008. See also: Sophos. (2010). Protecting Personally Identifiable

Information: What data is at risk and what you can do about it. Boston: Stinger, J. Retrieved from:

http://www.sophos.com/sophos/docs/eng/dst/sophos-protecting-pii-wpna.pdf

2. Brigadoon Security Group. Retrieved September 10, 2012, from: http://www.pcphonehome.com/

3. Accenture. (2009). How Global Organizations Approach the Challenge of Protecting Personal Data. Retrieved from:

http://www.accenture.com/nl-en/Documents/PDF/Accenture_Data_privacy_reportLD.pdf Note: The included survey defines small businesses as

those with less than 500 employees, p. 14.

4. NetDiligence. (2011, June). Cyber Liability & Data Breach Claims.

5. Towers Watson. (2011). Risk and Finance Manager Survey – Full Report. Retrieved from:

http://www.towerswatson.com/assets/pdf/4481/Towers-Watson-Risk-Financial-Manager-Survey-Report.pdf

6. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.

7. Gartner. (2011). Gartner Says Half of all Organizations Will Revise Their Privacy Policies by End-2012. Retrieved September 10, 2012, from:

http://www.gartner.com/it/page.jsp?id=1761414

8. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008.

9. Federal Trade Commission. (2012, March). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and

Policymakers. Retrieved September 10, 2012, from: http://ftc.gov/os/2012/03/120326privacyreport.pdf See also: U.S. Securities & Exchange

Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from:

http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm See also: Property Casualty 360⁰. (2012, February 2). After ‘Year of the

Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from:

http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca

10. Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from:

http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/ See also: Committee of Sponsoring

Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E.

and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf

11. Information & Privacy Commissioner. (2010, April). Privacy Risk Management. Ontario, Canada: Cavoukian, A. Retrieved September 10, 2012,

from: http://www.ipc.on.ca/images/Resources/pbd-priv-risk-mgmt.pdf

12. Godes, S. (2012, March 19). Surprising Sources of Coverage. Business Insurance, 46(12), p. 10.

13. Property & Casualty 360⁰. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance

Group. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches

14. Property Casualty 360⁰. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker,

M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca

15. Zurich Insurance Group. (2012). Cyber Risk in 2012: Get Your Head in the Cloud. New Salem, Massachusetts: DeWitt, J. Retrieved September

10, 2012, from: http://img.sbmedia.com/Perm/LH/PC360/Zurich/Cloud.pdf

16. Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe

Horwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from:

http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf See also: Capgemini. (2010, March 16). Putting Cloud Security

in Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-

in-perspective/

17. Property & Casualty 360⁰. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance

Group. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches

18. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4. See also: U.S.

Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved

September 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

19. Property Casualty 360⁰. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker,

M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca

20. The Futures Company. (2012). Public Worlds: How Digital Technology Will Transform Identity, Work and the City. London: Galgey, W.

Retrieved September 10, 2012, from:

http://www.marketingpower.com/ResourceLibrary/Documents/Content%20Partner%20Documents/The%20Futures%20Company/2012/future-

perspectives-public-worlds.pdf

21. Hoffman, M. (2012, March 19). Cyber Crime is Now a National Threat. Business Insurance, 46(12), p. 8.

22. IDC. (2009, May). As the Economy Contracts, the Digital Universe Expands. Framingham, Massachusetts: Grantz, J. and Reinsel, D. Retrieved September 10, 2012, from: http://www.emc.com/collateral/leadership/digital-universe/2009DU_final.pdf See also: Deloitte. (2011). Technology, Media and Telecommunications Predictions 2012. Retrieved September 10, 2012, from: http://www.deloitte.com/assets/Dcom-Australia/Local%20Assets/Documents/Industries/TMT/Deloitte_TMT_Predictions_2012.pdf

23. Capgemini. (2011, October 17). Bring Your Own. Gillam, R. Retrieved September 10, 2012, from: http://www.at.capgemini.com/insights/publikationen/bring-your-own/

24. Property Casualty 360⁰. (2012, March 4). What’s Driving the Rise in Data Breaches? Kam, R. and Henley, J. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/03/14/whats-driving-the-rise-in-data-breaches

25. Ricardo, A. Beazley. (personal communication, September 6, 2012).

26. Anonymous. (2012, March 19). Cyber Risks 2012. Business Insurance, 46(12), pp. 16-17. See also: Property Casualty 360⁰. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca

27. Ponemon Institute. (2010, January). 2009 Annual Study: Cost of a Data Breach. Traverse City, Michigan. Retrieved September 10, 2012, from: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf

28. Ponemon Institute. (2011, August). Second Annual Cost of Cyber Crime Study. Traverse City, Michigan. Retrieved September 10, 2012, from: http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf

29. Property & Casualty 360⁰. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches

30. Ricardo, A. Beazley. (personal communication, September 6, 2012).

31. Ibid.

32. Ibid.

33. Ibid.

34. Ibid.

35. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.

36. Property Casualty 360⁰. (2012, February 2). A Lawyer’s Advice for Evaluating Your Cyber Coverage. Godes, S. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/a-lawyers-advice-for-evaluating-your-cyber-coverag

37. Cyber Liability: Data, Privacy and the Perils of Social Networking. Available through Professional Liability Attorney Network. See: http://www.planattorney.org/

38. Note: Figure 3 illustrates some of the questions to be posed across the Enterprise Risk Management Framework, as the segments apply to Data Security and Cyber Liability. See: http://www.rmahq.org/risk-management/enterprise-risk

39. International Organization for Standardization. (2009, November 15). Risk Management – Principles and Guidelines (ISO 31000:2009). Geneva. Retrieved September 10, 2012, from: http://www.imeny.comyr.com/file/pdf/ISO-31000.pdf

Disclaimer

This document is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. It is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations. This document is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.

Contact

For more information about our Data Security & Cyber Liability Services, please contact:

Max Koehler

Principal

(804) 477-3073

[email protected]

Dale Fickett

Director – Risk Advisory

(805) 335-7198

[email protected]

Copyright © 2012 Midsouth Assurance, LLC. All rights reserved. Midsouth Assurance and its logo are trademarks of Midsouth Assurance.

About MidSouth Assurance

Midsouth Assurance is a broker of commercial insurance and an advisor in Risk Management. Businesses are best served by an agency that understands the local business environment, and that leverages strong industry points of view. Through our focus on small to medium enterprises in the Greater Richmond area, we collaborate to address client risks and provide the appropriate insurance. By being responsive to our clients’ needs, we build lasting relationships.

Visit us at: www.midsouthassurance.com