Page 1: SEC - The New Cyber Cop (Cyber Risk and D&O Insurance)

December 2014

Cyber Risk – What Boards Need To Know

Page 2

What is Cyber Liability?

NOT DEFINED

• Can be any or all of the following:
  • Loss of Personally Identifiable Information (Clients & Employees)
  • Failure to Prevent Unauthorized Access (Virus/Hacking)
  • Network or Security Failure (and Subsequent Loss of Income)
  • Misuse/Infringement of Copyright, Trademark, Patent
  • Etc.

Page 3

Where do the threats come from?

OUTSIDE, INSIDE & SYSTEM FAILURES

• Hackers & Unauthorized Access
• Viruses, Trojans & Malicious Code
• Rogue Employees
• System Failure
• Vendors
• Failure to Comply With Company Policies
• Cloud
• Denial of Service
• Phishing

Page 4

Page 5

Cyber Facts

• Only 20% of companies believe current incident response programs to be “very effective.” – Information Security Media Group
• 2012/13 supply chain disruptions were from technology & cyber events, not weather-related events. – Guy Carpenter
• Reputation management was #1 in 2013 survey of executives’ top risk concerns. – TechAssure Association
• 30% of customers will not be back after a data breach; 70% after second incident. – Independent Consumer Poll
• 46% of companies surveyed in 2011 reported network intrusion attempts. – Computer Security Institute

Page 6

The “C-Level” Disconnect

CEO + CFO + CIO = ?

• False Assumptions of Security
• Perceived Proactive Safeguards
• Failed Expectations of Compliance

Page 7

Spencer Hoole (Moderator) – President and CEO, Diversified Insurance Group
William Stern (Panelist) – EVP, General Counsel, Ancestry.com
Susan Miner (Panelist) – Senior Partner, Woodruff-Sawyer
Daniel Burke (Panelist) – Senior Underwriter, Hiscox

Page 8

Facts

• In 2013 the FBI notified 3,000 companies in the United States that they had been victims of cyber-attacks.
• Reports estimate that cybercrime cost the global economy up to $575 billion annually and approximately $100 billion in the United States alone.
• According to one 2013 survey, the average annualized cost of cyber-crime to a sample of U.S. companies was $11.6 million per year, representing a 78% increase since 2009.
• 77% of respondents to a 2014 PricewaterhouseCoopers study detected a security event in the past 12

Page 9

Relevant Regulation in the US

• FTC regulates whether commerce is fair or deceptive
  – Privacy statements and use of information
  – Deceptive and/or Unfair practices
  – Section 5 liability governed by “reasonableness” test regarding security and statements made about security in light of sensitivity, volume, size, complexity, cost/benefit of better security and reduced vulnerability (perfect security neither expected nor required).
• Other regulators:
  – Health: HIPAA (HHS); Finance: GLBA (CFPB)
  – International: Safe Harbor (Commerce)
  – DOT; OMB; IRS; EEO; ADA; DHS; ETC!

Page 10

Standards Imposed by Private Organizations

• Payment Card Industry Data Security Standards (PCI DSS)
• ISO 27001 (high level organizational rules, policies, procedures – a checklist, certifiable by outside auditors)
• ISO 27002 (guidelines and principles for initiating, maintaining and improving security within an organization – not required and cannot be certified)
• SSAE 16 auditing standards for compliance controls at “service” organizations
• Industry best practice – Cloud providers

Page 11

Judicial/SEC Standards

• Caremark decision: Boards are protected by the Business Judgment Rule unless:
  – “utterly failed” to oversee system of controls
  – “consciously” failed to monitor or oversee risks
  – Result is obligation to ask for security updates/reports
• SEC:
  – 2011 Guidance regarding disclosure of cybersecurity risks and incidents
  – Must provide specific, non-boilerplate disclosure in risk factors and MD&A
  – Provide disclosure of Board risk oversight

Page 12

What Your Board Needs to Know

• Cyber-risk evaluation/response.
• Require regular reports on security risks.
• Review cybersecurity as part of budget.
  – Does cybersecurity take a backseat to other IT or physical security projects?
  – 65% of IT departments cite budget constraints as their #1 obstacle to delivering value
• Re-evaluate cyber insurance.

Page 13

What You Need to Know

• Your information network will be compromised. Accept it!
• Physical security and cybersecurity are linked.
  – Target breach: hackers got access to the network through the HVAC system
• Cyber damage goes beyond the dollars
  – Reputational damage with customers
  – Increased cost of new systems for prevention (EMV)
• Everything cannot be protected equally
  – Identify the crown jewels and really, really protect them
• Walls are probably high enough – look at detection

Page 14

Recommended steps:

• cyber-risk education for directors, including periodic updates to the board on new developments;
• determine what part of the Board will oversee cybersecurity risks (could be entire board or a committee);
• invest time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the industry;
• develop a business culture that prioritizes cybersecurity;
• review terms of insurance policy and coverage of cybersecurity issues; and
• assess the need to bring in external advisors.

Page 15

Keys to an Effective Cyber Program

• Led by executives defining cyber risk management priorities and risk appetite
• Involve everyone – not just an IT or finance issue
• Identify all stakeholders – internal and external (suppliers, vendors, partners)
• Program not project – requires continuous monitoring and review
• Comprehensive and integrated
  – Understand how events impact the business
  – Integrate IS insights into management decision making process

Page 16

Cyber Risk Strategy

• Align Cyber Risk strategy with business strategy
• Outsource? – Determine which security functions are performed in house, which are outsourced and in the cloud
• Use trusted standards to increase confidence (ISO, COSO, COBIT)
• Conduct independent third party assessments
• Identify and define KPI to monitor success (up-time)
• Corporate culture that anticipates risks rather than reacts
• Leverage expertise of others

Page 17

www.wsandco.com | The information contained herein is proprietary & confidential and not to be distributed without the consent of Woodruff-Sawyer & Co.

Cyber Liability Exposure Overview

Page 18

First-Party v. Third-Party Coverage

Page 19

Business Interruption

Insuring for Business Interruption from the failure of your technology network is a relatively new concept. Categorized into three types of failures, coverage varies based on the triggers and sources of the failure.

Typical Losses: Profits and extra expenses

Coverage in Today’s Cyber Market (by source of failure)

Security Failure
  Triggered by: Hacker / 3rd party breach / denial of service attack that renders a network inoperable
  Direct BI (Your Own Network): Widely available
  Contingent BI (Outsourced/Cloud Network): Limited

System Failure
  Triggered by: Unplanned / unintentional outage of a network
  Direct BI (Your Own Network): Few markets
  Contingent BI (Outsourced/Cloud Network): Few markets

Physical Damage
  Triggered by: Failure of a network due to physical peril such as fire, wind, flood, etc.
  Direct BI (Your Own Network): N/A*
  Contingent BI (Outsourced/Cloud Network): Rare*

* Property BI coverage may be applicable

Page 20

Emerging Coverage Trends

• Contractual Liability
  – Coverage disputes over PCI “assessments” due to faulty policy language in breach of contract exclusions
  – Look for affirmative language – “demand from a payment card association or [bank] for a monetary assessment including a contractual fine or penalty for failing to comply with PCI-DSS”
• Choice of counsel/vendors
  – Carrot vs Stick approach (Incentives for using or mandatory)
  – Pre-approval vs game-time decision
• Prior Acts Coverage
  – Key issue when first purchasing coverage, as new breaches discovered during policy term may have first begun months earlier
  – Some carriers will offer 1 year backdated for a price: PAY THIS

Page 21

Cyber Risk and D&O Litigation

In October 2011, the SEC published guidance for companies that suggested issuers should consider
• the “probability of cyber incidents occurring”
• “the quantitative and qualitative magnitude of those risks”
• that appropriate disclosure may include a “description of relevant insurance coverage.”

Significant Data Breaches Can Lead to D&O Issues

ChoicePoint
  Cyber Event: (2005) 500,000 PII exposed via a data warehouser.
  D&O Matter: (2005) Class Action
  Status: (2008) Settled $10M

TJX
  Cyber Event: (2006-2007) 45M+ customer credit card data and other PII hacked; cost $171M.
  D&O Matter: (2007) Books & Records; (2007) Derivative Suit (breach of fiduciary duty)
  Status: (2010) Settled $595K plaintiffs fee award & therapeutics

Heartland Payment
  Cyber Event: (2009) 130M cards at payment processor; cost $140M.
  D&O Matter: (2009) Class Action
  Status: (2009) Dismissed

Target
  Cyber Event: (2013) 70M+ credit/debit cards breach at POS system; estimated cost over $1 billion.
  D&O Matter: (Jan 2014) Derivative Suit (breach of fiduciary duty)
  Status: Pending

Wyndham
  Cyber Event: (2008 - 2010) Three breaches; 619,000 customers impacted.
  D&O Matter: (Feb 2014) Derivative Suit (breach of fiduciary duty)
  Status: Dismissed

Page 22

Board-Level Cyber Liability Questions

Page 23

State of Cyber Risk Insurance Market

• Growing industry segment within Insurance – more carriers entering the space
• Coverage grants getting more nuanced
• More industries buying cyber insurance
  – Healthcare
  – Financial Institutions
  – Retail
  – Services Companies (professional, technology, etc)
  – Others (Construction, Manufacturing, Energy, etc)

Page 24

How Cyber Insurance is Underwritten

• Premium calculated off industry class, number of records, revenues, controls and claims.
• Statutory and regulatory liabilities drive coverage need – industry type matters.
• Personally Identifiable Information (PII) most often triggers coverage – how many and what type of records do you have?
• Do you know where all your records are stored? How are they protected?
  – Outsourcing the services does not outsource the liability
  – Encryption, encryption, encryption
  – Two-factor authentication
  – Contracts

Page 25

How to Respond to a Breach

Have A Plan!

– 67% of companies suffering Data Breaches are out of business within 6 months. (Symantec Corporation. 2013 Internet Security Threat Report. Vol. 18. California: Symantec Corporation, 2013.)
– Breach Response Plan should be formalized and tested
  • Risk Management, IT, and Legal should all be involved
– Insurance Carriers offer turn-key solutions

Page 26

Navigating the Claims Process

• Immediate response is key, but the claims process will take time
• Multiple 1st party elements to a breach response
  – Computer Forensics
  – Legal Consultation
  – Breach Notification
  – Credit Monitoring
  – Public Relations
• Class action litigation