CYBER RISK OUTLOOK
Advertising supplement

Contents:
Cyber Risk Identification
Cyber Liability Outlook
A Risk Manager's Perspective
Cyber Coverage Issues
Executive Q&A: Patrick Donnelly
Glossary of Cyber Risk Terms

JLT Specialty USA
Florence Levy, Senior Vice President, Cyber and E&O Practice
www.jlt.com, 720.501.2816, Florence.Levy@jltus.com

JLT Specialty USA
Steve Bridges, Senior Vice President, Cyber and E&O Practice
www.jlt.com, 312.235.8223, Steve.Bridges@jltus.com

This special advertising supplement is not created, written or produced by the editors of Business Insurance and does not represent the views or opinions of the publication or its parent company, Crain Communications Inc.

Cyber Risk Identification

Recent headlines show that cyber risks are continuing to grow. Data breaches tend to capture the most attention, but other kinds of incidents are also worrisome. On July 8, a computer failure shut down trading on the New York Stock Exchange for four hours in the middle of the day, but the cause was a technical glitch, not a cyber attack. That same day, a technology problem forced United Airlines to temporarily halt its flights. Neither incident turned out to be malicious, but they nevertheless caused major disruptions.

Managing cyber risks has become paramount for businesses worldwide. At the Business Insurance Cyber Risk Summit 2015, held Sept. 27-28 in San Francisco, attendees will discuss emerging technology risks, regulations and strategies for mitigating cyber attacks.

A Prevalent Risk

“We’re learning that cyber risk is ubiquitous, and that risks can be unknown as the technology advances. It’s hard to keep up with cyber risks and the criminals’ methodologies and motivations,” said Florence Levy, senior vice president in the Cyber/E&O Practice at JLT Specialty USA in Denver. “Cyber risk can emanate from online and offline sources, particularly when we consider data privacy issues,” she said.

Who perpetrates a cyber incident is closely tied to the perceived level of risk. “The most prevalent and feared source is the profit-motivated malicious external actor,” Ms. Levy said. “But we have to remember that malicious actors can exist inside companies and have technical knowledge and broad-level access within an organization.”

There are a lot of different ways cyber risk can arise, she pointed out. “Human error, such as leaving a laptop at an airport, using unsecured Wifi networks or opening spear-phishing emails, also contributes to companies’ vulnerability to cyber incidents. Social media usage by employees could also expand their risk profile, sometimes unknowingly,” Ms. Levy explained.

“Media attention to data breaches indicates how frequently these events are occurring,” said Shannon Groeber, senior vice president at JLT Specialty USA, and a colleague of Ms. Levy. “As a result, we’re educating our clients and prospects that everybody is at risk, though specific risks vary from one insured to the next,” she said.

In November 2014, Sony Pictures Entertainment Inc. became the victim of a cyber attack in which hackers used malware to access, over a period of months, enormous amounts of sensitive information, including internal communications between Sony executives. The hackers released the information publicly over several weeks, keeping Sony in the headlines.

The Sony hack was a gamechanger in cyber risk, according to Ms. Groeber. “For a long time, cyber attacks focused on breaches of large volumes of payment cards or consumer records. The Sony breach expanded the focus of cyber risks. It brought forward the notion that cyber attacks could cause significant reputational harm. At the heart of the second major breach at Sony was confidential corporate information, not consumer data,” Ms. Groeber said.
The hackers were able to prey on Sony by exposing, over an extended period of time, internal information that may not have had a true economic value, but was certainly embarrassing, she noted.

A challenge that risk managers face when a cyber incident occurs at their own organization is answering the inevitable string of questions: Who did it? How did it happen? How long were we vulnerable? What now? And other organizations have questions too: Could this happen here? What would we do if it did?

Mitigating the Risk

“Risk mitigation for technology risks is a moving target; technology constantly progresses and risk mitigation can be a game of catch-up,” Ms. Groeber said. “The underwriting process is very technical. Clients are looking for guidance on certain questions, potential costs associated with a breach and which third-party vendors may be available to help them.”

“Because all this is so new, a lot of clients want hard rules around costs, or to know whether case law is favorable or not” in a cyber attack, Ms. Levy said. But such questions are difficult to answer, she said, because “litigation and precedent-setting case law is happening now.”

Compounding that challenge is that it takes time to uncover the facts surrounding a cyber event, Ms. Levy said. “It’s happening in real time. When an incident occurs, firms themselves are trying to figure out the who, what, why and when,” she said.

“Buyers know their business better than anyone else,” Ms. Groeber said. “We bring our expertise in helping them identify which aspects of their business are more vulnerable than others. Blind spots happen. We have worked with clients that have very diverse exposures and risks and we’re constantly tracking trends.”

When it comes to mitigating cyber risk, senior management has a vital role to play. “The strongest risk management strategy against cyber risks starts at the top of an organization, with leadership or the board focused on cyber,” Ms. Groeber said.
It’s important that senior management supports decision-making when it comes to managing cyber risks, she said. Physical and virtual controls are other key components in cyber risk management, Ms. Groeber added. “Good questions for risk managers to ask include, ‘What type of information does my company collect?’ and ‘How is that information collected?’”

The ability to identify and mitigate cyber risk has a big influence on an organization’s insurance options. “Underwriters are looking for risk managers to demonstrate understanding and awareness of cyber risk throughout the entire organization,” she said.

Cyber Incidents/Records Exposed

Year    Data breaches    Records exposed
2010    953              96 million
2011    1,241            413 million
2012    3,220            265 million
2013    2,345            873 million
2014    3,041            1.1 billion

Source: Risk Based Security Inc.

Cyber Liability Outlook

Companies that hold data on their direct customers or on behalf of others—conditions that apply to virtually all companies—face exposure to litigation for data breaches, not only from customers but also from investors. Multiple lawsuits demonstrate that cyber liability is an area of growing interest for plaintiffs, and that is triggering action by organizations’ directors and officers.

“From a board standpoint, there is growing awareness that a D&O or shareholder derivative action could arise from a cyber event,” said Florence Levy, senior vice president in the Cyber/E&O Practice at JLT Specialty USA in Denver. As a result, “we are also seeing more activity and accountability at the board level when it comes to cyber risk,” Ms. Levy said.

It’s not yet clear that lawsuits against directors and officers arising from cyber events will become a trend, she said. Some insurance companies are evaluating their aggregation of risk in D&O liability, however, especially as more cyber events occur, she added.
Part of the challenge for companies that suffer a breach is that courts are recognizing a broader basis for cyber litigation. For example, while consumers directly affected by a cyber incident may bring negligence claims, some investors are initiating shareholder derivative lawsuits, alleging breach of fiduciary duty, among other things.

Until a ruling in the 7th U.S. Circuit Court of Appeals this year in a class-action lawsuit over a 2013 data breach at retailer Neiman Marcus Group, “consumer plaintiffs have a hard time getting standing to bring class actions after data breaches,” Ms. Levy said. In the 2013 breach, credit card data for about 350,000 Neiman Marcus customers was stolen, though only about 9,200 of the cards have been used fraudulently so far, according to court documents.

Prior to the 7th Circuit’s ruling, which reinstated the class action after finding that consumers did have standing to bring the suit, most courts had dismissed such cases, Ms. Levy said. “But there still is not a lot of certainty around that issue. Case law is still being decided in the courts,” she said.

Companies suffering large data breaches also have faced lawsuits from investors and, in some cases, government agencies. That is becoming a concern for directors and officers, industry observers note.

In early 2014, a shareholder derivative lawsuit was filed in U.S. District Court in New Jersey against Wyndham Worldwide Corp.’s directors and officers, alleging breach of fiduciary duty, waste of corporate assets and unjust enrichment following three data breaches. The breaches involved the theft of credit card information of more than 600,000 Wyndham customers and fraudulent charges exceeding $10 million, according to the suit.
The lawsuit accused the defendants at the Parsippany, N.J.-based company of having “knowingly, recklessly or with gross negligence” failed to implement “a system of internal controls to protect customers’ personal and financial data,” and of having “caused or allowed the company to conceal its data breaches from investors,” among other things.

In 2012, the Federal Trade Commission sued Wyndham in U.S. District Court in Arizona alleging that the company’s security practices were unfair and deceptive and violated the FTC Act. The FTC litigation was transferred to U.S. District Court in New Jersey. In a memorandum filed earlier this year with the New Jersey court, the FTC said it had declared inadequate data security an unfair practice under the FTC Act and that it had issued 20 similar complaints.

Minneapolis-based Target Corp. faced a barrage of lawsuits from consumers and shareholders following its massive data breach in 2013, in which as many as 110 million customer records were stolen. In 2014, many of the consumer suits were consolidated into a class action. Earlier this year, Target proposed a $10 million settlement of the class-action litigation, which is awaiting a November court hearing to approve or reject the settlement. Target’s proposed settlement includes the appointment of a chief information security officer, along with more robust data security procedures.

A Risk Manager’s Perspective

“Cyber risk, to our company, is the threat of unauthorized access to data, be it Rackspace’s or our customer’s,” said Anna Ziegler, risk manager of Rackspace, a San Antonio, Texas-based global cloud computing company that provides data hosting and other services. Cyber security is paramount to Rackspace and its more than 300,000 customers, she said. “Cyber risk is in the forefront of our minds every day.” For a technology company like Rackspace, cyber is a round-the-clock risk.
“Rackspace is like a big apartment building. We rent apartments to our customers, and even though we provide certain levels of security, customers know they need to put a lock on their door,” Ms. Ziegler said. “In our data centers, we have very robust physical security that incorporates biometric screening, and no one is allowed on our data center floor unless authorized – and very few people are.”

Ms. Ziegler said Rackspace views its cyber risks as: first-party loss, including costs that Rackspace would incur to mitigate an incident and system damage; and third-party loss, such as unauthorized access to customer data and breach-related expenses including notifications and legal costs.

“The inherent nature of our business is we’re a data aggregator. We hold a lot of data on behalf of our customers. Contractually, our customers are responsible for protecting their own data. But they have a reasonable expectation that we will also take the steps necessary to protect their data. However, we’re experts at protecting our customers’ data and work with them to deploy all available security options,” she said.

As a result, Rackspace’s risk management and information security departments collaborate, Ms. Ziegler said. “We meet regularly on different issues. We have a mature incident response team that provides real-time information. I manage the insurance piece, and we work closely with all the units to make sure that our security processes are the best they can be,” she explained.

“We have some cutting-edge tools and people monitoring our network around the clock, to make sure doors aren’t being opened or data accessed by the wrong people. We’ve been doing this for years, but we continue to evolve and develop our security posture,” Ms. Ziegler said.

Ms. Ziegler offers some advice for her peer risk managers, especially at organizations that don’t yet comprehend their cyber exposures: “My advice to risk managers is to research cyber risk, point out incidents that occur and show how expensive they can be for companies.”

“I would also encourage risk managers to talk to their IT departments and IT security departments. Group together with like-minded folks and get in front of your leadership to say, ‘These are the problems and here’s how we want to solve them,’” she said.

Cyber Coverage Issues

As the cost of data breaches increases and cyber events become more frequent, more insurance companies are stepping forward to offer coverage, which continues to evolve. Despite ample capacity for cyber risks, insurance buyers generally have not been eager to purchase cyber insurance. Among their concerns is a nagging uncertainty that the coverage will respond, said Shannon Groeber, senior vice president at JLT Specialty USA. “We’ve heard consistent feedback, going back to the first iterations of cyber-related insurance policies in the late ’90s, from non-buyers that cyber policies won’t respond to their exposures,” she said.

That concern may stem from media reports of claim denials, but the marketplace overall has increased its appetite to underwrite cyber risks. After some breaches, there has been media attention on some carriers denying cover, without focusing on which policies are actually involved, Ms. Groeber noted. For as many insurance denials as have recently appeared in the news, which may reference non-cyber-specific policies, there are just as many incidents that suggest standalone cyber policies are paying claims, she said.

In Columbia Casualty Co. vs. Cottage Health System, a unit of CNA Financial Corp. sought declaratory judgment that it was not obligated to pay a $4.1 million settlement or defense costs following a 2013 data breach at the Santa Barbara, Calif.-based health care system. The insurer cited an exclusion in Cottage Health’s cyber policy that precluded coverage if the policyholder failed to follow “minimum required practices.” A U.S. District Court in Los Angeles dismissed the insurer’s lawsuit, citing a mediation clause in the policy, but left unanswered whether the exclusion should apply.

Irrespective of whether an organization has cyber insurance, data breaches are increasingly costly events. According to the Ponemon Institute, the average organizational cost of a data breach in the United States rose to $6.53 million in fiscal year 2015 from $5.85 million a year earlier. The institute’s research found that 47% of data breaches resulted from malicious attacks, 29% came from system glitches, and 25% stemmed from human error.

The Ponemon Institute attributes the cost of a data breach to four components: lost business, ex-post response, detection and escalation, and notification. Ex-post response items include help desk activities, inbound communications, product discounts and identity protection services. All of these cost components have increased over the past three years, except for notification, which fell slightly, the institute reported.

Coverage Evolving

Cyber insurance has evolved significantly in the last several years, but it has only existed for about two decades–far shorter than other types of property and casualty insurance. As new technologies—and risks—emerge, cyber insurance continues to evolve. “People talk about cyber insurance being new. The first solution was available in the late ’90s. It evolved from technology errors and omissions to network liability to privacy and data breach in the 2000s,” Ms. Levy said.
“Cyber insurance is not completely mature, but the market is able to most comprehensively address the data breach elements of cover.”

“Cyber insurance was just a liability product in the early days. It has evolved immensely for companies that may not have a professional services exposure,” she said. “You could have a cyber event that prohibits your firm from providing your services. Is that an E&O exposure or a cyber exposure? It largely depends on the specific facts along with the resulting damage.”

Today, cyber and E&O are often seen blended together on the same policy, which is one reason that the JLT Specialty USA resources dedicated to this risk area are known as the Cyber/E&O Practice, Ms. Levy and Ms. Groeber explained.

Evolution of the cyber insurance market “has been significant in the last five years,” Ms. Groeber said. “Now, it’s flooded with capacity, though not all policies are created equal. Carriers often compete on terms when they can’t compete on price, which is a trend that we’ve seen over the last several years. Now with more claims activity occurring, some insurers aren’t as willing to negotiate on certain coverage terms or as aggressively on price within certain classes of business. The market has become much more diversified among the various classes of business, reflective of the perceived risk.”

For most organizations that want to purchase cyber insurance, obtaining the desired coverage limits is not difficult. “While some industries have more limited capacity than others, overall there certainly is a lot of capacity for cyber exposures, when you consider domestic markets, London and Bermuda,” Ms. Groeber said. Even so, cyber insurance “is still a discretionary purchase” for many organizations, she said.
“A misunderstanding among many buyers is that they’ll dedicate any available budget to security updates instead of buying insurance, which is an incomplete risk management strategy, as breaches can occur with non-electronic information or as a result of human error. In fact, when there are concerns over funds available for insurance, a prospective buyer should also be evaluating how they’ll pay for a breach should one occur,” Ms. Groeber said.

“Five years ago, the market was much softer. It was easier to have broad coverage for relatively inexpensive capacity,” Ms. Levy said. “There has also been a tightening of terms where we’ve had real losses. Some underwriting companies are willing to explore areas they haven’t in the past. In exchange, they want to conduct more due diligence on these areas,” she said.

Anna Ziegler, risk manager for Rackspace, a global cloud computing company based in San Antonio, Texas, said it’s important for insurers to understand their policyholders’ businesses. “Over the years, it’s clear that the technology industry moves much faster than the insurance industry. It’s important for us to make sure carriers understand the language we’re speaking and how our business works, and our broker helps us do that,” Ms. Ziegler said.

“We partnered with JLT in April. They’ve been really creative in helping us identify ways to increase our coverage and how our insurance policy would respond to an incident. It’s important that we have the right legal counsel, and that we have adequate limits on the first-party and third-party side,” she said. “We would never have a third-party incident without incurring a lot of first-party costs.”

At Rackspace, “our insurance program is influenced by the current landscape of cyber risks and by our customers, in terms of what they are asking us for, such as higher limits of liability,” Ms. Ziegler said.
Executive Q&A: Patrick Donnelly, JLT Specialty USA

Patrick Donnelly joined JLT Group in 2014 as president and deputy chief executive officer of its U.S. Specialty division. He shares leadership responsibility for JLT’s U.S. operation and expansion. Before joining JLT, Mr. Donnelly created and led the U.S. cyber and professional liability practice at Aon Risk Solutions, a division of Aon P.L.C. He has extensive career experience in technology architecture and consulting. Mr. Donnelly spoke recently with Business Insurance Custom Media about JLT Specialty USA’s expansion plans.

Q. What role does cyber risk play in JLT Specialty’s U.S. expansion?

A. Cyber risk fits ideally within our specialty focus. JLT Group saw in the U.S. market areas of growing risk with extreme complexity, which require experts to help companies manage and mitigate. Cyber is an area of exposure and insurance products that didn’t exist until the late 1990s. It’s new, complex and evolving -- just the kind of challenge that our specialty focus can help clients address.

Q. How does JLT Specialty USA see cyber risk evolving?

A. Cyber risk is dynamic. Insurance products that address cyber incidents are influenced by changes in law, regulations and geopolitics. Technology risks themselves are evolving, and they require experts who are supported with tools and resources. While cyber insurance has developed in the U.S. market over the last 14 years, there is a need to continue to work with clients on other elements, such as industrial espionage, bodily injury and property damage. Clients really need expert advice to help understand and manage those things.

Q. What are JLT Specialty USA’s short-term expansion plans?

A. We’re building tremendous momentum. We now have more than 150 people in our U.S. platform, and while we are growing that number quickly, we’re more focused on the fit, experience, and quality of those people. Our primary objective in our expansion is to identify specialty risk areas and create a culture and environment to attract the right people. People like working on a winning and dynamic team. We’re seeing validation of this by both the market and clients. All across the insurance industry, people talk about efficiencies, and every insurance market looking at our model wants to meet with us and appoint us. Clients are attracted to our specialty focus and the expertise of our people. The clients know that we’re aligned with them and their needs. We pride ourselves on being agile, and we hear a lot that we have a creative, passionate and agile team, which is a reflection of the broader JLT platform.

JLT is a global company that is attracting people because we’re investing in innovation and bringing enormous resources and analytical tools to help our clients. We believe very strongly in our model, and the next three to four years are about building out our capabilities and expertise in a disciplined way. We are planning to hire 50 to 60 people a year over that time. JLT Specialty USA is in 12 cities today, where there are a lot of companies with complex risks. We’ll add locations as we grow, but our expansion is less about our geographic footprint and more about specialist expertise. Right now, we have specialties in aerospace, construction, energy, entertainment and hospitality, private equity, real estate and technology, and our teams provide support across these areas with expertise in D&O, cyber, E&O, environmental, transactional liability, and credit, political and security risks. And we’re still building.

Q. What kinds of organizations is JLT Specialty USA looking to serve?

A. As a specialist risk adviser and brokerage firm, we work with companies that have complex needs, regardless of size.
We look to help organizations that need and value specialist expertise, rather than target a specific client size. Many smaller entities are very sophisticated. Where their risk is global in nature, that’s a strength for us. We’re able to leverage one of the strongest global networks in the industry, and that’s a sweet spot. Agility, rigor and collaboration are hallmarks of JLT, and our culture fosters collaboration to help clients no matter where their needs are.

Glossary of Cyber Risk Terms

BOTNET: A network of bots (short for “robot”), computers infected with malicious software, usually for a criminal purpose such as sending spam email, spreading viruses, attacking computers or servers, or committing other crimes or fraud.

CRACKER: A person who breaks into a network or computer’s programs without authorization.

DOS: Denial of service. A common type of cyber attack that prevents legitimate users from accessing online services or information by flooding a network with information. A distributed denial-of-service, or DDoS, may use one or more computers to launch an attack.

FIREWALL: A method of shielding computers from outside attacks utilizing hardware or software to block malicious or unnecessary Internet traffic. Firewalls can be configured to block data from certain locations and allow data from specific sources.

HACKER: A person who creates and modifies computer software or hardware, including programming and security-related items. Criminal hackers create malware to commit crimes and may operate in gangs of cybercriminals. “White hat” hackers are computer experts who probe security weaknesses for ethical purposes.

LOGIC BOMB: A type of Trojan horse that executes when specific conditions are met, such as a change in a file, or a series of keystrokes. When the program is triggered by a specific time or date, it is called a “time bomb.”

MALWARE: Unwanted, often malicious, software installed without a device owner’s consent. Viruses, worms and Trojan horses are examples of malware.

PHISHING: A type of online identity theft. Phishing uses email or fraudulent websites to capture personal information such as passwords, credit card numbers, account data and other information.

SOCIAL ENGINEERING: A non-technical form of intrusion that relies on human interaction. Social engineering is a component of many kinds of cyber attacks and aims to trick people into providing passwords and other information. Phishing relies on social engineering to obtain sensitive information.

SPAM: Undesired or unsolicited bulk electronic messages. Spam can come in the form of email, instant messaging, mobile phone messaging and other channels, and may contain phishing messages.

SPEAR PHISHING: A form of phishing that uses the appearance of familiarity to obtain access to personal or corporate information. Perpetrators of spear-phishing attacks usually have obtained basic information about their target, enabling them to personalize the communication or reference a recent purchase, for example. Opening an attachment or link in the email may enable the attacker to install malware.

SPYWARE: A range of unwanted programs that can launch unsolicited pop-up advertisements, monitor browsing activity, steal personal information or direct Internet requests to alternate sites.

TROJAN HORSE: A malicious computer program that masquerades as a benign application. Distinct from viruses, Trojan horses do not replicate.

VIRUS: A malicious computer program that installs and replicates itself, typically without the user’s knowledge or permission. Viruses often damage or modify files on the host computer.

WORM: A malicious computer program that replicates itself to spread to other computers. Worms may harm networks by consuming bandwidth.

ZOMBIE: A bot-infected computer controlled by malware.

RANSOMWARE: Malicious software that encrypts the hard drive of an infected computer. A hacker using ransomware may extort money from the computer’s owner in exchange for decryption software.

Sources: McAfee Inc., Microsoft Inc., Symantec Corp., U.S. Computer Emergency Readiness Team