This presentation discusses the current status of cyber liability insurance and how carriers are managing to understand and cover cyber risk. If one views "cyber risk" from an operational risk perspective rather than an IT risk perspective, then cyber liability insurance can be one of the most effective countermeasures available to you.
However, buyer beware...as this is a nascent market where underwriters, actuaries, and others involved in providing cyber insurance are on a steep learning curve. Aligning insurance policy language with your security program is paramount...so that when the time comes and you need it most, you'll have a smooth claims process, without litigation with your carrier.
Effectively implementing a cyber insurance policy as another arrow in your quiver requires collaboration across your organization.
Cyber liability insurance and your security program
1. Cyber Liability Insurance and Your Security Program – How They Fit Together
SCOTT TAKAOKA
SCOTT@VERSPRITE.COM, 415.509.8071
VP BUSINESS DEVELOPMENT
2. Cyber Insurance Basics
o Sold as specialty insurance
o General liability, Errors & Omissions policies often do not cover cyber events
o Covers costs associated with breach
o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
o Third party – class action suits, regulatory investigations/fines
o Brokers line up multiple carriers to bid on your policy
o Security often participates on discovery calls
o Multiple carriers may participate in a “risk tower”
3. Risk Tower Example
1st $10M – Carrier A
2nd $10M – Carrier B
3rd $10M – Carrier C
4th $10M – Carrier D
5th $10M – Carrier A
$50M in coverage
Payout for 1st $10M in loss
4. Wild, Wild West
INSURANCE CARRIERS ARE ON A STEEP LEARNING CURVE
o GL insurance may provide coverage example - “property”
o Cyber - non admitted policies
o No standard language – caveat emptor!
o SMB gets off-the-shelf language
o Your policy will change
5. What’s Behind the Curtain?
INSURANCE CARRIERS ARE ON A STEEP LEARNING CURVE
o No actuarial models for cyber risk
o Steep learning curve for infosec
o Less rigor on application - tight scrutiny on claims
o Imperfect information – working through brokers
o Broad range in pricing
Write policies with basic underwriting
Understand claims
Write more exclusions
Adjust premiums
6. Interesting Case Law
• Columbia Casualty Company (CNA) v. Cottage Health System
• Server mis-configuration: anonymous FTP
• Exposure of 32,500 records – settled class action suit of $4.1M
• Claim initially accepted by CNA
• Examined application, then reversed course and sued Cottage
• Case dismissed on procedure
7. Interesting Case Law
An unresolved argument
Cottage “failed to apply minimum required security practices”…and must “continuously implement” security measures…
— CNA
8. Take Action
• Collaborate across silos - pen-testers to general counsel
• Understand context – your threats/attack scenarios and loss potential
• PASTA (process for attack simulation and threat analysis)
• FAIR (factor analysis for information risk)
• Strength of security vs. business impact cyber insurance requirement
Legal Business Risk Security
9. Take Action
• Governance – easiest deficiencies to spot when applying for cyber
• Collaborate to review and negotiate policy language - exclusions, BYOD, cloud, vendor risk…
• Be careful what you state – your answers are a “warranty”
• Be mindful of time limits on notification of breach
Legal Business Risk Security
10. Cyber Liability Insurance and Your Security Program – How They Fit
SCOTT TAKAOKA
VP BUSINESS DEVELOPMENT