liability, Errors & Omissions policies often do not cover cyber events
o Covers costs associated with breach
o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
o Third party – class action suits, regulatory investigations/fines
o Brokers line up multiple carriers to bid on your policy
o Security often participates on discovery calls
o Multiple carriers may participate in a “risk tower”
CURVE
o GL insurance may provide coverage example - “property”
o Cyber - non-admitted policies
o No standard language – caveat emptor!
o SMB gets off-the-shelf language
o Your policy will change
LEARNING CURVE
o No actuarial models for cyber risk
o Steep learning curve for infosec
o Less rigor on application - tight scrutiny on claims
o Imperfect information – working through brokers
o Broad range in pricing
(diagram: Write policies with basic underwriting → Understand claims → Write more exclusions → Adjust premiums)
Health System
• Server misconfiguration: anonymous FTP
• Exposure of 32,500 records – settled class action suit of $4.1M
• Claim initially accepted by CNA
• Examined application, then reversed course and sued Cottage
• Case dismissed on procedure
general counsel
• Understand context – your threats/attack scenarios and loss potential
• PASTA (Process for Attack Simulation and Threat Analysis)
• FAIR (Factor Analysis for Information Risk)
• Strength of security vs. business impact cyber insurance requirement
(diagram: Legal, Business Risk, Security)
when applying for cyber
• Collaborate to review and negotiate policy language - exclusions, BYOD, cloud, vendors risk…
• Be careful what you state – your answers are a “warranty”
• Be mindful of time limits on notification of breach
(diagram: Legal, Business Risk, Security)