BreachExchange mailing list archives

It's Time to Investigate Cyber Insurance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:21 -0700

http://www.technewsworld.com/story/81710.html

Almost every day there are reports of cyberintrusions, attacks and related
security breaches. If your company does not have the right insurance, it
could be even more of a disaster. For example, according to regulatory
filings, at the time of Target's cyberbreach in 2014, it had about US$100
million in insurance coverage with a $10 million deductible, but that did
not even make a dent in the estimated losses of $1 billion.

What company can afford not to have insurance for a potential
cyberdisaster? Let's look at some protective measures that can be taken to
safeguard your business.

As a practical matter, you or your chief risk officer should examine your
current insurance policies to see if you have insurance protection for
these cyberrisks:

- Network and information security liability
- Communications and media liability
- Crisis management event expenses
- Security breach remediation and notification expenses
- Computer program and electronic data restoration expenses
- Computer fraud
- Funds transfer fraud
- E-Commerce extortion

Of course, each business has its own insurance needs, so you will need to
make your own decisions about the right coverage. For instance, if your
company is in the healthcare industry, specific coverage for HIPAA data
should be included.

Inspect Your Policies

Some insurance companies offer cyberprotection as an add-on policy to
general commercial liability, while other insurance companies include
cyberprotection in policies for cybercrime.

It would be wise to take a look at what coverage your company has, what is
available, and make sure you do have cyberinsurance coverage.

Whether cyberinsurance is deemed a part of certain GCL policies is the
subject of a declaratory judgment complaint brought by Travelers Indemnity
Company in the U.S. District Court in Connecticut in October 2014. The
Complaint alleged that P.F. Chang's restaurant chain did not have
cybercoverage with Travelers. Because there was no cybercoverage, Travelers
claimed "that it is not obligated to defend or indemnify P.F.
Chang's...under GCL insurance policies issued by Travelers."

It appears that Travelers filed the claim for two reasons. First, P.F.
Chang's had filed a claim for insurance coverage under its Travelers GCL
policy for a cyberbreach involving seven million customers' credit and
debit cards. Second, class action cases were brought by P.F. Chang's
customers in several states, accusing P.F. Chang's of failure to prevent
the breach, and breach of implied contract.

Interestingly, the breach itself began on Sept. 18, 2013. However, P.F.
Chang's was unaware of the breach until nine months later, on June 10, 2014.

It will be interesting to follow this case to see how the Court views the
CGL coverage.

Examples of Cyberinsurance Coverage

AIG, one of the largest insurance companies in the world, offers CyberEdge,
which provides coverage for security or data breach losses as follows:

- Direct first-party costs resulting from a breach
- Lost income and operating expense resulting from a security or data breach
- Threats to disclose data or attack a system to extort money
- Online defamation

Travelers, another large insurance company, offers CyberFirst, which
includes a number of related insurance coverage provisions:

- Technology errors and omissions liability
- Network and information security liability
- Communications and media liability
- Employed legal professional liability
- Expense reimbursement

How to Assess a Cyberincident

Most IT leaders plan for cyberattacks by constructing firewalls and
installing related security hardware and software. However, with the
widespread proliferation of malware, companies are finding that their IT
infrastructure has been attacked, customer data has been compromised, the
IT system is being held for ransom and assets are missing. This obviously
puts a burden on the IT leadership -- CIOs, CISOs and CTOs -- to do an
immediate assessment of what transpired:

- Identify malware within their networks
- Review logs to see when and where the cyberintruders came in
- Determine what if any data was remotely accessed
- Determine what if any data was sent off the network
- Determine whether backup files can be used to reconstruct encrypted data

Following the assessment, companies may need to report to customers, as
well as to their own employees, under a variety of laws in 47 states. Plus,
in addition to everything else that violated companies must do, if credit
card or banking information has been compromised, they may have a legal
duty to provide credit protection services for up to one year. This happens
more often than people want to know.

Report the Cyberincident -- It May Be a Crime

Of course, it is important that the U.S. government learns about all
cyberincidents so they can investigate in order to find the bad guys. The
incidents should be reported to the Internet Crime Complaint Center which
is a partnership between the FBI and the National White Collar Crime
Center. The IC3 defines Internet crime:

"...as any illegal activity involving one or more components of the
Internet, such as websites, chat rooms, and/or email. Internet crime
involves the use of the Internet to communicate false or fraudulent
representations to consumers. These crimes may include, but are not limited
to, advance-fee schemes, non-delivery of goods or services, computer
hacking, or employment/business opportunity schemes."

If your company has a cyberintrusion, consult your lawyer first to be sure
you take the appropriate steps, including making a timely cyberinsurance
claim.
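The "How to Assess a Cyberincident" checklist above (when and where the intruders came in, what was accessed, what left the network, what was encrypted) can be turned into a first-pass log triage. The script below is an added example, not part of the forwarded article or of this list; it works over constructed, simplified key=value log records (made-up hosts, users and addresses, not any vendor's real format) and assumes that logins from outside the 10.0.0.0/8 range are untrusted and that more than 100 MiB sent to a single destination is worth flagging. Both thresholds are assumptions a real responder would replace with the organisation's own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (hostnames, users and addresses are made up; the
# format is a simplified "timestamp kind k=v k=v" style, not a real product's log format).
SAMPLE_LOGS = """\
2015-01-10T02:14:07 auth host=pos-01 user=svc_backup src=203.0.113.45 result=success
2015-01-10T02:15:30 auth host=pos-01 user=svc_backup src=203.0.113.45 result=failure
2015-01-12T03:01:12 egress host=pos-01 dst=198.51.100.7 bytes=52428800
2015-01-13T01:10:00 auth host=db-02 user=admin src=10.0.0.15 result=success
2015-01-14T01:10:00 auth host=db-02 user=admin src=203.0.113.45 result=success
2015-02-02T04:44:19 egress host=db-02 dst=198.51.100.7 bytes=734003200
2015-02-02T05:00:00 file host=db-02 path=/data/cards.db action=encrypt
"""

TRUSTED_SRC_PREFIXES = ("10.",)          # assumption: internal address space is trusted
EGRESS_ALERT_BYTES = 100 * 1024 * 1024   # assumption: flag more than 100 MiB to one destination


def parse_line(line):
    """Turn one 'timestamp kind k=v k=v ...' record into a dict."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def triage(log_text):
    """Answer the checklist questions: when and where did they get in, which hosts
    were touched, what left the network, and what was encrypted."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    first_external_login = None
    compromised_hosts = set()
    egress_by_dst = defaultdict(int)
    encrypted_paths = []
    for r in records:
        if (r["kind"] == "auth" and r["result"] == "success"
                and not r["src"].startswith(TRUSTED_SRC_PREFIXES)):
            compromised_hosts.add(r["host"])
            if first_external_login is None:
                first_external_login = r   # records are time-sorted, so this is the earliest
        elif r["kind"] == "egress" and r["host"] in compromised_hosts:
            # Only count outbound transfers from hosts already seen logged into externally.
            egress_by_dst[r["dst"]] += int(r["bytes"])
        elif r["kind"] == "file" and r.get("action") == "encrypt":
            encrypted_paths.append(r["path"])
    return {
        "first_external_login": first_external_login,
        "compromised_hosts": sorted(compromised_hosts),
        "egress_by_dst": dict(egress_by_dst),
        "suspicious_dsts": sorted(d for d, b in egress_by_dst.items() if b > EGRESS_ALERT_BYTES),
        "encrypted_paths": encrypted_paths,
    }


def dwell_days(result, detected_at):
    """Whole days between the earliest external login and when the incident was noticed;
    this is the figure the article's nine-month P.F. Chang's gap refers to."""
    first = result["first_external_login"]
    return None if first is None else (detected_at - first["ts"]).days


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("dwell days:", dwell_days(summary, datetime(2015, 2, 3)))
```

The output tells a responder which host the first untrusted login landed on, which hosts later saw such logins, how many bytes those hosts pushed to each external destination (the "data sent off the network" item), and which paths were encrypted, which is the list to check against backups. The dwell figure matters for the insurance and notification questions in the article, since it bounds the window over which customer data must be assumed exposed.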
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
