Matt Foushee University of Tulsa Tulsa, Oklahoma Cyber Insurance Matt Foushee University of Tulsa Tulsa, Oklahoma.

Cyber Insurance

Matt FousheeMatt FousheeUniversity of TulsaUniversity of TulsaTulsa, OklahomaTulsa, Oklahoma

• Newer protection for businesses to consider.

• Vocabulary• Peril – Threat• Claim –is paid for covered loss• Actuarial – relating to using

mathematics and statistics to calculate financial risk.

• Indemnity – protection against loss.

Introduction

• Small businesses use brokerages or commercial insurance agents.

• Commercial Liability Policywith Endorsements

• Professional Liability Policywith Endorsements

Who Provides Cyber Insurance?

• Larger businesses use specialized brokerages or commercial insurance agents.

• Professional Liability Policywith Endorsements

• Stand-alone cyber risk policies• Growing segment. 28 markets.

Who Provides Cyber Insurance?

What Do Cyber Policies What Do Cyber Policies Cover?Cover?

Most policies are different but most include:

• First Party Protection:• Loss of Digital Assets• Non-Physical Business Interruption• Extra expenses – any additional costs

(travel, postage, etc.) • Cyber Extortion• Cyber Terrorism• Security Event Costs

What Do Cyber Policies What Do Cyber Policies Cover?Cover?

Most policies are different but most include:

• Third Party Protection:• Network Security and Privacy

Liability• Employee Privacy Liability• Electronic Media Liability• Disclosure Law Liability• California SB1386

Breach Disclosure LawsBreach Disclosure Laws

California SB 1386 (2002): requires companies to notify any California resident to be notified “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. “ (SB1386)

46 States now have similar laws.

Costs of breach: Notification, Credit Monitoring Services, Forensics, Pubic Relations Expenses

Breach Disclosure LawsBreach Disclosure Laws

HITECH Act (Health Information Technology for Economic and Clinical Health)

• addresses privacy and security concerns associated with the electronic transmission of health information and strengthens civil and criminal enforcement of HIPAA rules. (HHS.gov)

• Maximum Penalties - $1.5 million for all violations per provision.

“Cyber insurance is seen as a way to get to a more secure world, without a heavy-handed government mandate that could stifle innovation,“

-Howard Schmidt, White House cyber security coordinator

Breach Disclosure LawsBreach Disclosure Laws

Costs of breach: • Notification • Forensics• Credit Monitoring Services• Pubic Relations Expenses

• Ponemon (3/8/2011)• Cost per breach average $214/record.

Post-Breach ServicesPost-Breach Services

Notification, Credit Monitoring Services, Forensics, Pubic Relations Expenses

Insurance companies often have relationships with companies that provide post-breach services to help with compliance of disclosure laws.

Common service providers:

What does it cost?What does it cost?

Every company is different, has specific risks, and different controls. These attributes help determine the carriers, products, and coverage for which it qualifies.

Some insurers price higher because they have little experience or properly realize the risk of cyber threats and expenses. Knowing the details of each policy is important.

Risk Managers should be expected to understand these risks and purchase accordingly.

What does it cost?What does it cost?

Chevrolet vs. LexusExample:• Small IT company with two employees• Only works within one state• $100,000 in annual sales• Liability Limit: $1,000,000 / incident, $2,000,000/

year• Cost: $1200 minimum premium/ year

Example:• Zurich Security and Privacy Protection Policy• Cost: $7,500 minimum premium/ year.

The Betterley ReportThe Betterley Report

Details• Who buys cyber insurance.• Market growth opportunities .• Actuarial methods.• Market Penetration and Production

Awareness.• Opinions on Product Features.• Perceptions of Insurance Companies,

Brokers, and Risk Management Service Providers.

Special ThanksSpecial Thanks

Interviews:

Tim Stapleton – Assistant Vice President Professional Liability Product Manager Zurich North America

Rebecca Sank – Commercial Underwriter Erie Insurance Group

John Meng – Senior Account Executive Victor O. Schinnerer & Co., Inc.

Tom DeOrnellas – Senior Commercial Producer Spicer Insurance Agency

QuestionsQuestions

?

ReferencesReferences

Web References:

http://betterley.com/samples/crmm_10_nt.pdf

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher

http://www.post-gazette.com/pg/10173/1067262-96.stm#ixzz1JvohGBvO

Interviews:

Tim Stapleton – Assistant VP, Professional Liability Product Manager , Zurich North America

Rebecca Sank – Commercial Underwriter, Erie Insurance Group

John Meng – Senior Account Executive, Victor O. Schinnerer & Co., Inc.

Tom DeOrnellas – Senior Commercial Producer, Spicer Insurance Agency