Tag Archives: cyber risk

The Metrics Of The Matrix: Making Sure Your Cyber-Risks Are Covered

We live in a world that is almost entirely dependent upon digital technology. Internet sales and marketing, and even the simple efficiency of how information flows, can be a critical indicator of a company's success. Along with it comes an increased risk of hackers, disruption of service, theft of intellectual property, loss or theft of financial data, or worse, the theft of a customer's confidential information. Throw in a global economy that increases international exposure, and you have a recipe for disaster. While most large corporations have sophisticated network security measures in place, small to mid-size businesses cannot afford them, or are not even aware of the potential security risks. But if you consider information to be an asset, and the means with which it is gathered and used as a measure of your company's performance, the need to protect it becomes abundantly clear.

As early as the year 2000, underwriters at Lloyds of London predicted that e-commerce1 would “emerge as the single biggest insurance risk of the 21st century.”2 They were dead on. Between 2009 and 2011, the cost of data breaches rose from $6.8 million to $7.7 million — a blistering 9%.3 As one commentator noted, the cost and number of data breaches was so high that 2011 was christened “the year of the cyber-attack.”4 Indeed, the risk was seen as so severe that the SEC released disclosure guidelines for publicly traded companies recommending the disclosure of “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”5 According to the SEC, “disclosure” includes a “[d]escription of the relevant insurance coverage.”6 Although the number of cyber-attacks decreased slightly in 2012, this should not be taken as a sign that the threat of an attack is any less likely; it just means that some companies are responding to attacks more quickly, or implementing stronger security measures on the front end.

While the threat of a cyber-attack may conjure up the image of an overzealous computer geek with the mad-cap idea of ruling the world from his mother's basement, or a network of head-to-toe-in-black cyber-villains, a competitor seeking market dominance may be an equally likely culprit. A cyber-attack can take many forms. Most commonly, a company suffers a data breach, where “hackers, [ ] current or former employees, or others steal or otherwise gain access to personally identifiable information.”7 However, there are also “phishing” and “pfarming” schemes where the culprit poses as a legitimate user to steal or redirect internet traffic, or transmit a virus. Another form of attack is known as a “denial of service” incident, designed to temporarily or indefinitely block public access to a particular website or server. This involves “saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.”8 These attacks “usually lead to a server overload.”9 The most serious attacks “are comparable to 'tak[ing] an ax to a piece of hardware,” which requires a complete “replacement or reinstallation of hardware.”10 A company targeted by a cyber-attack can suffer a loss of informational assets and a significant interruption in operations, not to mention a damaged reputation.

The theft of intellectual property may or may not come as a result of a direct cyber-attack. Rather, a rogue company may steal your ideas, your website design, your domain names and meta-tags, or they may simply advertise and sell knock-off products. Chances are, if they are not using the internet for this purpose, they got your information from the business you transact online. As if this were not enough, there is the potential liability you face if confidential information is exposed, or you inadvertently infringe upon the intellectual property of a competing business. Customers and even shareholders affected by a data breach “commonly initiate expensive and very public litigation.”11 Likewise, the pursuit of patent and trademark infringement claims has skyrocketed in recent years, and the cost of defending these claims has symbiotically followed suit. Interestingly, the protection of the intellectual property itself seems to be a concern that is almost secondary to the economic warfare that is often waged by the aggressor.

In a world where technology barely keeps up with technology, how can you effectively protect your business against the threat of a cyber-attack, and potential cyber-liability? If you own a website, engage in direct or indirect internet sales, use clouding, linking, framing, solicit business via electronic communication, conduct financial transactions on the internet, exchange information via the internet, or store information through an internet server, your company is at risk. Managing these hazards can be tricky. As seen by the recent attacks on eBay, Amazon, Yahoo, and Google, even companies that have defined internet usage are not immune. No matter how big or small you are it is absolutely imperative that you implement internal security controls to prevent and/or respond quickly to an attack. Simple measures such as encrypting data, regularly changing passcodes, conducting routine virus scans, and limiting the number of employees who have access to confidential information can go a long way. However, insuring against these risks should be your primary objective because a cyber-attack can literally destroy your business overnight.

So, how does your company measure up? Let's take a little test. Assuming you are a “brick and mortar” business is your company:

  • Insured under a Property policy?
  • Insured under a Comprehensive General Liability policy?
  • Insured under a Director's & Officer's liability policy?
  • Insured under a specialty lines policy the expressly insures first and third party Cyber-hazards?

If you answered “no” to the last question, your company is at risk. The traditional products that insure small to medium sized businesses are unfortunately inadequate to cover even the known cyber-hazards, much less the ones that are surely on the horizon as e-commerce continues to grow and change, and new markets emerge. For instance, as it pertains to the loss you may suffer as a result of a data breach, while a standard property policy covers “physical loss or damage to covered property,” the term “covered property” does not include intangible assets like data. More recent property forms either exclude coverage for data breaches outright, or subject the loss of electronic data to a minimal sub-limit of liability.

Likewise, the coverage typically afforded under a CGL policy for liability claims resulting from an unauthorized intrusion is insufficient. CGL policies provide relatively broad liability coverage, but only for certain defined risks. The policies are “menu” driven, and are endorsed to include or exclude particular coverages or risks, such as employee liability, inland marine or commercial crime. Cyber-liability may or may not inadvertently come within the coverage terms of a particular endorsement, but the standardized forms are definitely not geared towards insuring these risks.

Rather, CGL policies are split into two parts — Coverage Part A for Bodily Injury and Property Damage Liability, and Coverage Part B for Personal and Advertising Injury. The terms “bodily injury,” “property damage,” and “personal and advertising injury” are separately defined, and each coverage part is subject to its own specific set of exclusions. Under Coverage Part A, the term “property damage” is defined to mean “physical injury to tangible property” or “loss of use of tangible property” — and therein lies the rub. “Tangible property” is property that is capable of being handled, held or touched. See State Auto Property and Cas. Ins. Co. v. Midwest Computers & More,America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003); Recall Total Information Management,12

Further, while lawsuits filed against a company whose client's financial information has been exposed typically includes claims for mental anguish. Mental anguish that is not consequential to physical harm or injury, or that does not manifest itself as physical injury is not “bodily injury” under a CGL policy. See e.g. Nance v. Phoenix Ins. Co., 118 Fed. Appx. 640, 642 (3d Cir. 2004) (Pennsylvania law) Jacobsen v. Farmers Union Mut. Ins. Co., 87 P.3d 995, 999 (2004); Tackett v. American Motorists Ins. Co., 213 W. Va. 524 (2003); Armstrong v. Federated Mut. Ins. Co., 785 N.E.2d 284, 292-93 (Ind. Ct. App. 2003); Farm Bureau Ins. Co. of Nebraska v. Martinsen, 659 N.W.2d 823, 827 (Neb. 2003); Galgano v. Metropolitan Property and Cas. Ins. Co., 838 A.2d 993, 999 (Conn. 2004); Smith v. Animal Urgent Care, Inc., 542 S.E.2d 827, 830-31 (W. Va. 2000); Costello v. Nationwide Mut. Ins. Co., 795 A.2d 151, 155 (Md. App. 2002); SCR Medical Transp. Services, Inc. v. Browne, 781 N.E.2d 564, 571 (Ill. App. 1st Dist. 2002); Allstate Ins. Co. v. Diamant, 518 N.E.2d 1154 (Mass. 1988).13 On your best day, it depends upon what jurisdiction you are in as to whether or not that coverage would apply to a cyber-liability claim.

Coverage for “personal and advertising injury” nowadays is almost a joke. Generally speaking, coverage for “personal and advertising injury” is intended to address liability claims for the infringement of intellectual property rights, or other types of personal injury torts (i.e. defamation and invasion of privacy claims). Under older versions of the CGL, the terms “personal injury” and “advertising injury” were separately defined. The term “Advertising injury” included the “[m]isappropriation of advertising ideas or style of doing business” and the infringement of a “copyright, title or slogan.” Now, the terms “personal and advertising injury” have been conflated, and are defined to mean:

  1. False, arrest, detention or imprisonment;
  2. Malicious prosecution;
  3. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord, or lessor;
  4. Oral or written publication of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;
  5. Oral or written publication of material that violates a person's right of privacy;
  6. Copying, in your “advertisement,” a person's or organization's “advertising idea” or style of “advertisement”;
  7. Infringement of copyright, slogan or title of any literary or artistic work, in your “advertisement.”

As it pertains to a data breach, at least one Court has held that under the newer version of the CGL, theft of customer data is a “publication of material that violates a person's right of privacy.” See Norfold & Dedham Mut. Fire Ins. Co. v. Clearly Consultants, Inc., 81 Mass.App.Ct. 40 (Dec. 16, 2011). Other Courts, however, have disagreed, leaving an uncertain gap as to whether or not your policy would cover such an event. See Creative Host. Ventures, Inc. v. E.T. Ltd., Inc., 2011 U.S. App. 19990 (Sept. 30, 2011).

There is even more uncertainty with regard to intellectual property liability claims. Both older and newer versions of the CGL require that the offense occur in the course of the advertisement of your own goods, products or services. This would include internet-based sales and marketing, but not all forms of electronic commerce. The most current CGL forms in use, however, essentially gut coverage for intellectual property claims with the following exclusion:

This insurance does not apply to:

“Personal and advertising injury”:

(7) Arising out of any violation of any intellectual property rights such as copyright, patent, trademark, trade name, trade secret, service mark or other designation of origin or authenticity.

However, this exclusion does not apply to infringement, in your “advertisement,” of

(a) Copyright;

(b) Slogan, unless the slogan is also a trademark, trade name, service mark or other designation of origin or authenticity; or,

(c) Title of any literary or artistic work.

Under this widely used form, there is no coverage for trademark or copyright infringement (or any other one of the enumerated torts), unless the infringement occurs during the course of your advertisement of a slogan, unless the slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity.” The problem with this language is that whether a slogan is “also a trademark, trade name, service mark or other designation of origin or authenticity” is not dependent upon whether the mark is federally protected under the Lantham Act. Rather, the standards for determining whether a trade or service mark is eligible for protection are the same under the common law and the federal law. 15 U.S.C. § 1051 et. seq. Two Pesos, Inc. v. Taco Cabana, Inc., 505 U.S. 763 (1992); Amazing Spaces, Inc. v. Metro Mini Storage, 608 F.3d 225 (5th Cir. 2010); Board of Supervisors for the Louisiana State University Agriculture and Mech. College v. Smack Apparel Co., 550 F.3d 465 (5th Cir. 2008); Genesee Brewing Co., Inc. v. Stroh Brewing Co., 124 F.3d 137 (2nd Cir. 1997); Laredo v. Union Nat'l Bank, Austin, 909 F.2d 839, 842 (5th Cir. 1990). It is difficult to imagine a set of circumstances where a slogan would not also be “a trademark, trade name, service mark or other designation of origin or authenticity” under the common law. Coverage is essentially illusory, or at best, ambiguous. On a good day, your insurer is going to contest whether it owes a duty to defend an intellectual property liability claim. Where does this leave you?

There may be limited coverage under your Director's & Officer's Liability policy, but the forms vary in the scope of coverage and there may not be coverage for the acts and omissions of regular employees. Further, the policy will likely only cover your liabilities to your shareholders, and those to whom you owe a fiduciary duty. Fortunately, there are newer products on the market that are specifically designed to cover cyber-related risks. In a 2005 press release, Insurance Services Organization (ISO) unveiled its E-Commerce Program to address cyber liability exposure. According to ISO, “[t]he menu-based policy comprises five separate agreements:

  • Website publishing liability provides coverage against Internet-related publishing perils, including libel against a person or organization, and copyright, trademark, and service mark infringement allegations arising out of content published by the policyholder on its website.
  • Network security liability covers the policyholder against claims for failing to maintain the security of a computer system resulting in unauthorized access and publication of personal information, such as credit card numbers or personal medical information.
  • Replacement or restoration of electronic data provides coverage for the cost of replacing or restoring electronic data lost or rendered inaccessible because of an e-commerce incident, such as a virus, malicious instruction or denial-of-service attack.
  • Cyber extortion provides coverage for extortion expenses incurred and ransom payments made because of an extortion threat. Extortion is defined as a threat to commit an e-commerce incident, disseminate the policyholder's proprietary information, reveal a weakness in its source code or publish personal information belonging to policyholders' clients.
  • Business income and extra expense provides coverage for loss of business income or extra expenses incurred as a result of an extortion threat or e-commerce incident.14

ACE, Hartford, Chubb, Chartis (AIG), Ironshore, Travelers, SafeOnline, CNA, and Zurich are among the insurers offering products specifically covering cyber-hazards.15 However, these companies may or may not have adopted the ISO forms, but may be using products that were internally developed. Still, most of the companies who have targeted this market are going to be competitive, offering coverage for a combination of network security liability, media liability, expense and damage from a violation of privacy tort, coverage for fines and regulatory expenses, loss electronic information (including the cost to recovery lost, corrupted or stolen data), cyber-extortion, and business interruption arising out of a majority of these events. Specific products also exist for liability claims arising out of patent, trademark and trade dress infringement claims, both to pay for the costs of defending those suits, or the cost to pursue a third party who infringes upon your company's intellectual assets.

By and large the cyber-liability policies currently on the market are offered on a claims-made, or claims-made and reported basis. Policies that contain first-party coverage for data breaches may contain fairly short notice requirements, as early response is critical to minimizing the loss and containing any resultant liability exposure. The only way to make sure that you are procuring the right coverage and the right amount of coverage is to (1) establish internal procedures to assess and routinely reassess your risks; (2) establish internal protocols for preventing and responding to cyber-related risks; (3) set goals and benchmarks to determine if your company is meeting expectations; (4) read the policies you currently have in effect to determine where your company stands; (5) if you determine additional coverage is necessary, read the policies carefully before you invest in premiums; and (6) evaluate your coverage on an annual basis. New insurance products are coming out about every 12-18 months. Many brokers keep specimen forms, and most are knowledgeable enough to ensure that the specific risks that you face are covered. And in today's technology-driven world, you cannot afford to leave these exposures uninsured, or underinsured. In today's world, addressing the potential risk exposures your company faces is not just a measure of your success, it may be determinative of your survival.

1“E-commerce” or e-comm is defined as “the buying and selling of products or services over electronic systems such as the Internet and other computer networks.” Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 15, 2012, < http://en.wikipedia.org/wiki/Ecommerce>. E-commerce “draws on such technologies as electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.” Id. E-commerce can be divided into: E-tailing or 'virtual store-fronts' on Web sites with online catalogs, sometimes gathered into a 'virtual mall'; the gathering and use of demographic data through Web contacts; Electronic Data Interchange (EDI), the business-to-business exchange of data; e-mail and fax and their use as media for reaching prospects and established customers; Business-to-business buying and selling; and, the security of business transactions. Id.

2 David R. Cohen & Roberta D. Anderson, Insurance Coverage for “Cyber-Losses”, 35 Tort & Ins. L.J. 891 (2000), citing Reuters Eng. News. Serv., May 9, 2000.

3 2010 Annual Study: U.S. Cost of a Data Breach 13 (March 2011); available at <http://www/symantec.com/content/en/us/abuot/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf>.

4 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012), citing Garry Byers, Rapid Cyber Attack Response: Three Days Make All the Difference, Digital Forensic Investigator News (Sept. 28, 2011), available at <http://dfinenews.com/article/rapid-cyber-attack-response-three-days-make-all-difference>.

5 U.S. Securities and Exchange Commission Division of Corporate Finance, CF Disclosure Guidance: Topic No. 2 — Cybersecurity, (Oct. 13, 2011). Topic No. 2 states that: “In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

6 Id.

7 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

8 Wikipedia, The Free Encyclopedia, Wikimedia Foundation, Inc., Dec. 12, 2004, Web. September 14, 2012, <http://en.wikipedia.org/wiki/Denial_of_service_attacks>.

9 Id. “In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.”

10 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012)(citing Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID= 211201088 (May 19, 2008).

11 Scott Gods & Jennifer Smith, Insurance Coverage for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar (March 1-3, 2012).

12 In State Auto Property & Casualty Co. v. Midwest Computers, the Court addressed whether data lost by Mid-West after it serviced computer equipment purchased by one of its customers was “tangible property” within the meaning of a CGL policy issued by State Auto to Midwest. Id. at 1115. Holding that it was not, the Court reasoned that the term intangible referred to property that was “[c]apable of being perceived esp. by the sense of touch: PALPABLE[;] … capable of being precisely identified or realized by the mind [;] … capable of being appraised at an actual or approximate value (assets).

13 But see Voicestream Wireless Corp. v. Federal Ins. Co., 112 Fed. Appx. 553, 555-56 (9th Cir. 2004) (Washington law). Williamson v. Historic Hurstville Ass'n, 556 So. 2d 103, 107 (La. Ct. App. 4th Cir. 1990); Loewenthal v. Security Ins. Co. of Hartford, 436 A.2d 493, 499 (Md. App. 1981).

14 http://www.iso.com/Press-Releases/2005/ISO-INTRODUCES-CYBER-RISK-PROGRAM-TO-HELP-COVER-$7-TRILLION-E-COMMERCE-MARKET.html.

15 David T. Chase & Todd L. Nunn, Insurance Coverage for Cyber risks and Losses, Stay Informed, April 27, 2011, available at http://www.klgates.com/insurance-coverage-for-cyber-risks-and-losses-04-27-2011.

Cyber Risk

Understanding your exposure to technology and implementing baseline controls should always come before you consider insuring those risks.

What is a firewall? What would I do with a privacy policy? What is encryption and why would my company need to encrypt any of our data? How would I implement an incident response plan? How many personal health records do we have in our database? Do we do background checks? Who has access to our server room? Why do I need to answer so many questions just to get a proposal for insurance?

These are the types of questions that come up during the cyber insurance application process, and this is often the first time someone outside of the IT department has had to answer them. With the growth of the cyber insurance industry, now estimated to be almost $1,000,000,000 in gross written premium for 20111, risk managers, insurance agents and boards of directors are wondering why they now also have to talk to the IT department when discussing risk management and their insurance renewal.

A vendor mistake, administrator's misconfigured firewall or even an improperly negotiated cloud contract can pose a systemic risk to your corporation.

As regulatory expectations continue to be set higher (due to increased enforcement of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, attention of 46 different state notification laws that are enforced by State Attorney Generals, Fair and Accurate Credit Transactions Act) and consumer opinion is constantly being expressed in the form of class action suits, these situations continue to get more difficult to mine through.

Plaintiff attorneys' allegations addressing monetary damages as a result of privacy or security breaches are consistently being brought. Not having adequate controls is the common focus of such suits that follow a breach. Additionally, the bad actors that are trying to improperly gain access to your information will consistently focus on firms who lack simple/intermediate controls.

According to Verizon, 96% of attacks were not highly difficult and 97% of breaches were avoidable through simple or intermediate controls.2 Your own data (account lists, legal documents, vendor agreements, price lists, R&D information, trade secrets) and client/patient information (personally identifiable information/health records) are what the hackers want.

Implementing baseline controls is the first element of fixing your cyber problems.

Several states have enacted laws that expect these baseline controls to be in place to protect their consumers. In Massachusetts, for example, there is a regulation (WISP3) that expects a legal entity holding personal information about a Massachusetts resident, to develop and implement a written information security program to protect that personal information. If this standard is not met, on top of $5,000 civil penalties of up to $5,000 per violation, the corporation could also encounter negligence based on litigation.

Like every state notification law that exists today, the law is based on the location of the consumer, not the corporation's place of domicile. In Nevada, since 2008, businesses have been required to use encryption when transmitting a customer's personal information externally(aside from fax)4. Additionally, PCI (Payment Card Industry) has required all corporations involved in a credit-card transaction to be compliant with varying degree of requirements based on size. For additional information, refer to https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php.

This is an important step for those companies dealing with credit cards. The 2012 Verizon Data Breach Investigations Report also found that 96% of victims subject to PCI Data Security Standards had not achieved compliance. This statistic shows the important of security controls being taken seriously.

Once your organization takes cyber security controls seriously and understands even the best controls don't isolate them from the exposures that exist, you should than take the time to discuss the insurance implications. Your insurance agent or broker can provide input on how current insurance coverage(s) could respond but also can get you in touch with over 30 insurance markets' underwriters who have dedicated cyber products and submission processes and are able to design coverage specific to your company. Additionally, most markets can help with loss control and ensure that you stay abreast of the current threat environment.

With adequate controls, a general understanding of the regulatory implications of a privacy breach and knowing the insurance consequences, you will be much better prepared if a problem with your company's technology does happen.

1 Cyber Betterley Report 2012

2 Verizon 2012 Data Breach Investigations Report

3 Massachusetts 201 CMR 17

4 Nev Revised Stat 597.970(1)2005