Tag Archives: cyber liability

What to Consider When Buying Cyber

No industry or organization, wherever situated and whatever the size, is immune to the threat of cyberattack, and the impact can be catastrophic, both financially and in terms of reputation. For example, eBay recently announced a massive cyberattack that may have exposed the personal data of 128 million customers globally.

The management of cyberrisk clearly needs to be high on the boardroom agenda. Network security alone cannot fully address the issue: Experience has shown that even top-notch, state-of-the-art cybersecurity is vulnerable.

Boards need to ensure that they identify key risks and prioritize the protection of critical information. Internal policies and procedures should be put in place to ensure that staff are aware of risky behaviors, such as disclosing passwords and opening suspicious documents in unsolicited emails. Companies need to see that network security systems and controls are regularly tested and monitored, and that response procedures are in place in case of a cyberattack or data breach.

Insurance can also play a vital role in managing cyberrisks. As part of the board’s risk assessment, it needs to understand the types of cyberrisk, and the potential losses and liabilities that follow. This is the first step in understanding the organization’s insurance requirements and the extent of coverage required for cyberrisks.

Consider the Company’s Risk Profile
An initial assessment of the company’s risk profile and areas particularly vulnerable to cyberattack is crucial.  External advice may be needed. The risk assessment should extend across the organization. The assessment needs to consider the amount and type of personally identifiable information, customer data and confidential corporate data the organization maintains and how such data is used, transmitted and stored. The company’s technology infrastructure should be evaluated, as well as potential threats to network security and the likely consequences of significant interruptions to online working or customer transactions. Also consider the risk of third-party claims arising from the company’s media content and the services provided to support e-commerce.

The company needs a complete understanding of any potential impact of a cyberattack or data breach, including the wider impact on business strategy. Performing a thorough risk assessment not only helps the organization identify and address risks and potential gaps in security but can facilitate underwriting of cyberrisks and may even result in premium reductions. Once the organization has a grasp of its risk profile and potential exposures, it can consider its insurance needs.

Examine Existing Insurance Policies
Some coverage for these potential losses and liabilities may be available under existing insurance policies already held by the business. These include general liability, directors and officers liability, professional indemnity, crime and property and business interruption policies. Careful assessment of the coverage provided by these policies is essential, however, as there are likely gaps in coverage because such policies have not historically been designed to cover non-tangible assets and network-related risks. The company will need to consider whether to fill those gaps with enhancements to existing policies or through new cyberrisk products now being offered by insurers.

Consider the Need for Cyberinsurance
There are now a number of cyberinsurance products available, and the scope of coverage varies from insurer to insurer. These policies typically cover losses and liabilities such as:

  • Data liability. This covers damages and defense costs resulting from any claim against the insured from a data breach that compromises personal information. It should also cover claims alleging that information has been lost or compromised as a result of unauthorized access to, or use of, the insured’s computer systems. It is important that the policy covers not only an individual’s personal information but also employee data and confidential corporate information. Many organizations possess third-party trade secrets, customer lists, marketing plans and other information that could be beneficial to competitors and may result in liability if compromised.
  • Media liability. This insures damages and defense costs resulting from any claim against the insured for infringement of copyright and other intellectual property rights, as well as misappropriation or theft of ideas or media content. While coverage may not extend to content published in a personal capacity, this should ideally be included, as organizations may face significant liabilities as a result of employees using Twitter, Facebook and other social media.
  • Regulatory coverage. This covers the costs of response to any administrative, government or regulatory investigation following a data breach or cyberattack, as well as any fines or penalties imposed.  However, this coverage is typically limited to civil fines and penalties, as criminal fines and penalties are not insurable in many jurisdictions. Some regulators, including the Financial Conduct Authority (FCA) and the Securities Exchange Commission (SEC), prohibit regulated firms from recovering from insurers any fines or penalties the regulators impose.
  • Remediation coverage. Most policies provide coverage for additional costs associated with a data breach, including the costs incurred to notify those affected and relevant authorities, provide credit monitoring for those affected and set up call centers to field inquiries from concerned clients. Coverage may also extend to the costs of forensic services to determine the cause and scope of a breach, as well as public relations expenses and other crisis management costs.
  • Information assets coverage. The policy may include coverage for costs of recreating, restoring or repairing the company’s own data and computer systems. This may also extend to third-party data that has not been captured by back-up systems or that has been corrupted or lost because of negligence or technical failure.
  • Network interruption coverage. The policy may cover lost revenue from network interruptions or disruptions because of a denial of service attack, malicious code or other security threats.
  • Extortion coverage. Many policies insure the costs of responding to ransom or extortion demands to prevent a threatened cyberattack.

Cyberinsurance policies vary significantly, so the specific policy terms and conditions should be analyzed carefully to ensure that the coverage meets the company’s likely loss scenarios and potential exposures. It is particularly important to consider whether the coverage extends to information in the hands of third parties where data handling, processing and storage has been outsourced to third parties, including cloud service providers. If the organization has outsourced data handling, then it should secure coverage for any loss or business interruption arising from data that is managed by third-party service providers.

Consider the “retroactive date,” as policies often limit coverage to cyberattacks or data breaches occurring after a specified date, such as policy inception. It is important to request retroactive coverage for network security breaches that may have occurred before the inception date, as it is not uncommon for cyberattacks to remain undetected for a considerable period.

Review Defense and Settlement Provisions
Cyberinsurance policies include defense provisions that typically limit coverage for defense costs to those that are reasonable and incurred with the insurer’s prior written consent. While many insurers include these types of provisions to insist on the appointment of their own choice of defense counsel, selection of defense lawyers is an important issue. Some companies prefer to appoint lawyers whom they know well and who are familiar with their business. Moreover, certain claims arising from the use of technology, such as claims for breach of confidence, breach of copyright and defamation, require specialist counsel with particular experience. The company should therefore consider requesting a specific provision reserving the right to choose its defense lawyer, although the decision will usually be subject to the insurer’s prior approval.

Check the Fine Print
The “devil is in the details,” especially with cyberinsurance. While the market has developed rapidly in recent years, there are inconsistencies in the cover provided, and minor variations can have significant impact on the availability of coverage.

There will likely be efforts by the insurer to exclude risks that should be covered under other types of policy, and this is not unreasonable. It is important, however, to avoid broadly worded exclusions that could extend beyond that concern, or attempt to undermine the initial purpose of the insurance. For example, insurers might seek to impose exclusions based on possible shortcomings in the company’s network security. These types of exclusions should be resisted.

Insurance can play a vital role as part of an overall strategy to mitigate cyberrisk, but it is necessary to look beyond the policy limits to ensure that the coverage provided — whether under traditional policy forms or specific cyberinsurance policies — is as broad as possible.

Ms. Gates wrote this article with Sarah Turpin, a partner in the dispute resolution and insurance coverage groups in K&L Gates’ London office.

How to Lower Your Cyber Risk

As we approach the close of 2014, virtually no one needs to be reminded that cyber liability is real and here to stay. Data breaches and cyber security incidents are on the rise. New York’s attorney general reported that breaches tripled between 2006 and 2013, and, according to a recent study, 43% of companies experienced a breach last year.

What are some of the key issues accounting for this increase? First, information is the new oil, and it has value. Stolen financial and medical data can be purchased on the “dark web” and used for identity theft and fraudulent billing. Second, computer networks can be attacked relentlessly by hackers thousands of miles away, with little risk to the hackers. Third, entities are creating and storing more data than ever. It is estimated that the volume of data is doubling every two years, and too many entities have adopted a keep-everything approach to information management.

Given this reality, it’s no wonder that sales of cyber insurance are rising. Cyber insurance can fill gaps left by traditional policies and provide a lifeline to entities affected by a breach or security incident. But cyber insurers require prospective insureds to complete detailed applications that address various areas relevant to cyber liability. Among the areas of inquiry are:

  • Records and Information Management — including identification of the types and volume of sensitive information the company handles. For example, do you handle or store payment card information, intellectual property of others or medical records?
  • Management of Computer Networks — including security management, intrusion testing, auditing, firewalls, use of third party vendors and encryption.
  • Corporate Policies — for privacy, information security, use of social media and BYOD (bring your own device), among others. Insurers often ask if the policy was prepared by a qualified attorney and how often it is reviewed and updated. Some insurers require such policies to be attached to the completed application.
  • Employment Issues — including whether employees go through criminal background checks. Many insurers also ask if the company has a chief privacy officer, chief information officer and chief technology officer.

The following are some basic steps a company can take to better position itself to complete the cyber application and obtain optimal cyber coverage.

Locate Your Data

You can’t manage and secure information if you don’t know what you have or where it is. Creating a map or inventory of all enterprise information is an invaluable step toward getting your data house in order. Paper records and data stored on inactive media and on mobile devices should not be forgotten.

Delete What You Don’t Need

It is estimated that between 60% and 70% of stored information has no business value. Keeping all this useless information is not a sustainable business practice. Disposing of data can reduce storage, e-discovery costs and security risks, and improve employee efficiency. Legally defensible deletion of useless information and adoption of a sound record retention and deletion policy are important parts of a successful information management policy.

Control Access

Entities should permit access to information, particularly sensitive information, on a need-to-know basis. A large number of data breaches result from employee negligence and disgruntled or rogue employees. Restricting access to sensitive data is an important step to mitigating that risk.

Improve Policies and Training

Depending on business activities, entities should consider adoption of policies that relate to cyber liability, including privacy, record retention and deletion, use of passwords, email and use of social media. Policies should be reviewed by a qualified attorney, updated regularly and enforced. Employee training and re-training is an important component of successful policy implementation. Conducting data breach workshops, where the entity can rehearse its response to a breach incident, can pay big dividends in the event of a breach.

Because cyber applications require entities to take a close look at their information management and cyber vulnerabilities, it’s no wonder that a recent Ponemon study found that 62% of surveyed companies report that their ability to deal with security threats improved following the purchase of cyber insurance. Taking the steps outlined above in connection with applying for cyber coverage makes good business sense and can help an entity obtain the best cyber policy to protect itself against growing threats.

New Way to Audit Digital Assets

In the real world, it would be considered reasonable and appropriate to require an independent audit of digital assets to be insured. In cyberspace, this is more challenging. Insurers have to rely on the insured to tell the truth about what assets have been affected by a breach.

Integrity standards for data enable insurance companies to conduct an independent audit of what digital assets exist (e.g., client data, intellectual property) prior to a breach, thus preventing fraudulent claims.

One aspect of a data integrity standard is keyless signature infrastructure, known as KSI. KSI is a disruptive new technology standard that can effectively address some of the issues insurers face in the rapidly emerging cyber liability domain. It can enable mutual auditability of information systems to allow stakeholders to know the cause of a breach, mitigate the risk of breach escalation in real time and provide indemnification against subrogation and other legal claims.

The concept of a digital signature for electronic data is very straightforward: a cryptographic algorithm is run on the data, generating a “fingerprint of the data”; a tag or keyless signature for the data that can then be used at a later date to make certain assertions, such as signing time, signing entity (identity) and data integrity. KSI offers the first Internet-scale digital signature system for electronic data using only hash-function-based cryptography. The main innovations are:

  1. Adding the distributed delivery infrastructure designed for scale
  2. No longer requiring cryptographic keys for signature verification
  3. Being able to independently verify the properties of any data signed by the technology without trusting the service provider or enterprise that implements the technology

Other features include:

  • Unlike digital certificates, keyless signatures never expire; the historical provenance of the signed data is preserved for the lifetime of the data, and people are not required in the signing process.
  • Use of keyless signatures strengthens legal non-repudiation for data at rest.
  • There are no keys to be compromised or to revoke. This fundamentally changes the security paradigm. It is important to understand that if data integrity relies on secrets like keys or trusted personnel, when these trust anchors are exploited there becomes an unlimited liability for the data protected by those trust anchors. This occurs because there is no way to determine what has happened to the data signed by those private keys or maintained by those trusted personnel. Evidence can be eliminated; data changes can occur without oversight; and log/event files can be altered. The exploiters can provide the picture they want you to see. Keyless signatures remedy this problem.
  •  During a breach, active integrity can be provided with cyber alarms and correlated to other network events by auditors, network operations center and security operations center(s). Active Integrity means real-time, continuous monitoring and verification of data signed with keyless signatures. With active integrity, real-time understanding is achieved as to the coherence and reliability of technical security controls and whether the digital asset has integrity.
  • Underwriting cyber policies becomes much simpler and more efficient because there is transparent evidence certifying the integrity of the data, the technical security controls protecting the information and rules governing the transmission, modification, or state of the insured asset(s).

A “managed security service” resulting from the implementation of KSI marks a new era for insurers. As they seek organizational intelligence of digital assets to make real-time policy adjustments, they are also making concrete conclusions about the insured asset risks, threat, exposure and cyber landscapes affecting clients. Claims processing and disputes become simpler as the technology preserves the forensic traceability and historical provenance of the digital asset, enabling rapid determination of when and how a breach or manipulation occurred and who or what was involved. Hackers and malicious insiders cannot cover their tracks. Moreover, proving negligence is now possible. Negligent acts may be quickly detected and proven in the event the service provider does not comply with the contracts maintained in force with the enterprise.  

Most breaches today go unnoticed until long after they occur and the damage has been done. Active integrity involves continuous verification of the integrity of data in storage using keyless signatures. It is equivalent to having an alarm on your physical property and a motion detector on every asset that cannot be disabled by insiders.

Because of the volatile nature of electronic data, any hacker knows how to delete or manipulate logs to cover his tracks and attribute his activity to an innocent party, which is why attribution of crimes on the internet is so difficult. Integrity is the gaping security hole. A loss of integrity is what leads to data breaches, introduced by malware, viruses or malicious insiders.

Public key infrastructure (PKI) will never be the solution to integrity or usable for large-scale authentication of data at rest. The forensic evidence of keyless signatures makes legal indemnification issues easy to resolve, highlighting who, what, where and when a digital asset was touched, modified, created or transmitted. This places the onus on the “use” of data and not collection, providing auditability across service providers and the internet. Privacy is maintained, but there is also transparency and accountability for how data is used. Every action can be traced back to the original source that is legally responsible. This simplifies service-level agreements, pinpoints liability in the event of accidental or malicious compromise, and indemnifies independent data providers from legal claims.

This article is an excerpt from an EY report titled “Cyber Insurance, Security and Data Integrity; Part 1: Insights into cyber security and risk — 2014.” For the full report, click here