
Cyber Liability Insurance

VerSprite, Inc
February 11, 2016


Bay Area Cyber Security Meetup, Feb 11, 2016


Transcript

  1. Cyber Liability Insurance and Your Security Program – How They Fit
     Scott Takaoka, [email protected], 415.509.8071, VP Business Development
  2. Cyber Insurance Basics
     o Sold as specialty insurance
     o General liability and Errors & Omissions policies often do not cover cyber events
     o Covers costs associated with a breach
     o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
     o Third party – class action suits, regulatory investigations/fines
     o Brokers line up multiple carriers to bid on your policy
     o Security often participates on discovery calls
     o Multiple carriers may participate in a “risk tower”
  3. Risk Tower Example ($50M in coverage)
     1st $10M – Carrier A (payout for the 1st $10M in loss)
     2nd $10M – Carrier B
     3rd $10M – Carrier C
     4th $10M – Carrier D
     5th $10M – Carrier A
  4. Wild, Wild West – Insurance carriers are on a steep learning curve
     o GL insurance may provide coverage (example: “property”)
     o Cyber – non-admitted policies
     o No standard language – caveat emptor!
     o SMB gets off-the-shelf language
     o Your policy will change
  5. What’s Behind the Curtain? – Insurance carriers are on a steep learning curve
     o No actuarial models for cyber risk
     o Steep learning curve for infosec
     o Less rigor on application – tight scrutiny on claims
     o Imperfect information – working through brokers
     o Broad range in pricing
     (Cycle diagram: write policies with basic underwriting → understand claims → write more exclusions → adjust premiums)
  6. Interesting Case Law
     • Columbia Casualty Company (CNA) v. Cottage Health System
     • Server misconfiguration: anonymous FTP
     • Exposure of 32,500 records – settled class action suit for $4.1M
     • Claim initially accepted by CNA
     • CNA examined the application, then reversed course and sued Cottage
     • Case dismissed on procedure
  7. Interesting Case Law – An unresolved argument
     Cottage “failed to apply minimum required security practices” … and must “continuously implement” security measures … — CNA
  8. Agenda: Take Action
     • Collaborate across silos – pen-testers to general counsel
     • Understand context – your threats/attack scenarios and loss potential
     • PASTA (process for attack simulation and threat analysis)
     • FAIR (factor analysis for information risk)
     • Strength of security vs. business impact → cyber insurance requirement
     (Diagram labels: Legal, Business, Risk, Security)
  9. Agenda: Take Action
     • Governance – easiest deficiencies to spot when applying for cyber coverage
     • Collaborate to review and negotiate policy language – exclusions, BYOD, cloud, vendor risk…
     • Be careful what you state – your answers are a “warranty”
     • Be mindful of time limits on notification of breach
     (Diagram labels: Legal, Business, Risk, Security)
  10. Cyber Liability Insurance and Your Security Program – How They Fit
      Scott Takaoka, VP Business Development