MEL Educational Seminar-Cyber Liability April 2015

CYBER INSURANCE
MEL Educational Seminar
PAUL J. MIOLA, CPCU, ARM
AREA EXECUTIVE VICE PRESIDENT
ARTHUR J. GALLAGHER RISK MANAGEMENT SERVICES
Edward Scioli | Account Executive
Conner Strong & Buckelew
Public Sector Practice
APRIL 17, 2015
• Not just insurance coverage
 Claims for damages by third parties
• A variety of services
 Designed to prevent claims
 Respond on your behalf
 Deal with regulators
o Make sure you comply
 Handle Public Relations
Takes the burden off of you
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
2
• In the event of a data breach:
 Notify Employees
 Notify members of public
 Notify regulators
o State/Multi State
o Federal
 Additional efforts
Who has to do this?
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
3
Responsibility lies with the offending entity
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
4
• Cyber claims are infrequent but they do
occur
• Big name companies are targets but you
represent low hanging fruit
 Lack of formal security and “Privacy Policies”
• What if it happens to you?
• Will you know what to do?
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
5
• If you pass along a virus or other type of
malware, even unknowingly, especially if another
entity's customer information is then
compromised.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
6
• An employee gains unauthorized access to
another entity's information or if confidential
information is disclosed or misused.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
7
• If an employee knowingly or unwittingly slanders
another entity in a blog, e-mail, or in a social
media or forum post, or infringes on copyrighted
material.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
8
• If you do not follow federal or state regulations
controlling notification of members of the
public/employees whose personal data has
been compromised.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
9
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
10
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
11
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
12
What Are You Doing
To Control Risk?
Knocking on wood — hoping
that it won't happen to you —
isn't risk management.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
13
XL Value Added Services
• eRisk Hub




Go to https://www.eriskhub.com/xl.php
Complete Registration Form
Access Code – 10448
Once Registered your have immediate access to the
portal with User ID & password created during
registration
The eRisk Hub portal is a one-stop shop that brings you up-to-the-minute
cyber risk information — expertise you would spend tens of thousands
of dollars in consulting fees and staff hours to attain on your own.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
14
eRisk Hub
• Incident Roadmap – suggested steps to take following a network or
data breach incident and free consultation with a Breach Coach®
• News Center – articles on major breach events, security and privacy
blogs, IT security updates, risk management events and helpful
industry links
• Learning Center – a library of best-practices articles, white papers
and webinars from leading technical and legal practitioners
• Risk Manager Tools – self-help for managing cyber risk, including
a cyber-risk assessment survey, breach notification guides, what-if
modeling tools to estimate the cost of a breach, and research tools to
monitor the type, frequency and severity of incidents occurring in
your business sector
• eRisk Resources – a directory to help you find qualified third-party
resources with expertise in pre- and post-breach disciplines
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
15
16
Public Sector Practice
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
16
17
Public Sector Practice
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
17
18
Public Sector Practice
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
18
What More Should You Do
To Control Risk?
• Are you training employees?
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
19
Reinforcement Tools
Protecting your data is too important to leave to once-a-year
training. Reinforcement helps you get the message out any time
of the year!
Articles & Tent
Cards
Animated Videos
Games
Posters
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
20
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
21
Ed Scioli
Conner Strong & Buckelew
• Claims Reporting and Coverage
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
22
•
Breach occurs when an unauthorized
3rd party accesses your network or the
network becomes infected with a virus
or a denial of service attack.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
23
And who pays for it?
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
24
Ghost Busters?
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
25
Immediately dial the
XL Data Breach Hotline
1-855-566-4724
This is EXTREMELY IMPORTANT!
Keep the number handy!
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
26
XL’s Cyber Claim Team
They will guide you.
But this does not meet the claims reporting requirements!
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
27
proclaimnewnotices@xlgroup.com
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
28
What’s Covered…
Data Recovery:
• Expenses required to replace,
recreate, restore or repair the
Insured’s network or information
residing on the network to
substantially the form in which it
existed immediately prior to a
breach.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
29
Additional Exposure…
Cyber Extortion:
• Coverage provided to reimburse an
Insured the amounts paid to avert a
credible threat to commit or
continue a network attack against
the insured or to disclose
personally identifiable information
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
30
Crisis Management Costs
Data Breach Response
• Costs incurred following a breach
 Forensic costs
 Public relations costs
 Legal Fees
 Mandatory notification costs
 Credit monitoring
 Call center
 Breach coach costs
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
31
Crisis Management Costs
• PCI-DSS Response
 Costs incurred following a PCI-DSS incident
 Independent forensic investigation
 Attorney fees
 Fines and Penalties
*Payment Card Industry Data Security Requirements
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
32
Third Party Liability Exposure
Privacy Liability
• Claims arising from third parties for
allegations of:



Violation of privacy torts, law and regulations (HIPPA,
etal)
Theft, loss, unauthorized disclosure of personally
identifiable private information
Including both on-line and off-line data
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
33
Regulatory Risks
Defense
• Defense costs resulting from a regulatory
investigation or proceeding. Typical
enforcement comes from the FTC or AGs.
• FTC can charge defendants with violating of
Section 5 of the FTC Act, which bars unfair
and deceptive acts and practices in or
affecting commerce.
• The FTC has the power to press legal
actions against organizations that have
violated consumers’ privacy rights, or misled
them by failing to maintain security for
sensitive consumer information.
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
34
Media Coverage
• Covers the content the Insured
disseminates through various
means including social media for a
defined list of covered perils.
 Intellectual property infringement
 Defamation
 Other personal injury torts
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
35
Third Party Coverage:
• Media Liability, Network Security and Privacy
Liability
 $3,000,000 per claim
 $6,000,000 annual aggregate
 $25,000 deductible each claim
• Regulatory Fines and Penalties sub limit of
$1,000,000
• Retroactive date January 1, 2013
* Limits may vary by JIF
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
36
First Party Coverage:
• Notification Costs, Extortion Threat, Crisis
Management and Business Interruption
 $3,000,000 per claim limit
 $6,000,000 annual aggregate
 $25,000 deductible each claim
* Limits may vary by JIF
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
37
• Data Breach Hotline
• XL Cyber Claims Team
• eRisk Hub
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
38
Paul J. Miola, CPCU, ARM
Area Executive Vice President
Arthur J. Gallagher Risk Management Services
Edward Scioli, Account Executive
Conner Strong & Buckelew
This presentation will be posted to the JIF websites
www.acmjif.org
www.burlcojif.org
www.tricojif.org
© 2014 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
Public Sector Practice
39