Slide 1

Cyber Liability Insurance and Your Security Program – How They Fit
Scott Takaoka, VP Business Development
scott@versprite.com, 415.509.8071

Slide 2

Cyber Insurance Basics
o Sold as specialty insurance
o General liability and Errors & Omissions policies often do not cover cyber events
o Covers costs associated with a breach
  o First party – outside counsel, notification, PR, forensics, credit monitoring, extortion payments
  o Third party – class action suits, regulatory investigations/fines
o Brokers line up multiple carriers to bid on your policy
o Security often participates on discovery calls
o Multiple carriers may participate in a “risk tower”

Slide 3

Risk Tower Example
1st $10M – Carrier A
2nd $10M – Carrier B
3rd $10M – Carrier C
4th $10M – Carrier D
5th $10M – Carrier A
$50M in coverage; the bottom layer pays out for the 1st $10M in loss
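As an added illustration (not part of the deck), a short Python model of the tower above: it allocates a given loss layer by layer and totals each carrier's share, which matters because Carrier A sits in two layers. The layer limits are the slide's; the loss amounts used in the demo are constructed.

```python
# Added example (not from the slides): allocate a loss across the
# risk tower shown on the slide and total each carrier's share.

MILLION = 1_000_000

# The tower from the slide, bottom layer first: (carrier, layer limit).
# Each layer attaches where the layer below it is exhausted.
TOWER = [
    ("Carrier A", 10 * MILLION),
    ("Carrier B", 10 * MILLION),
    ("Carrier C", 10 * MILLION),
    ("Carrier D", 10 * MILLION),
    ("Carrier A", 10 * MILLION),
]


def layer_payouts(loss, tower=TOWER):
    """Return (carrier, amount) for each layer, bottom to top.

    A layer pays min(limit, loss above its attachment point), or zero
    if the loss never reaches it. Loss above the tower is uninsured.
    """
    payouts = []
    attachment = 0
    for carrier, limit in tower:
        excess = max(loss - attachment, 0)
        payouts.append((carrier, min(excess, limit)))
        attachment += limit
    return payouts


def carrier_totals(loss, tower=TOWER):
    """Total payout per carrier across all of its layers."""
    totals = {}
    for carrier, amount in layer_payouts(loss, tower):
        totals[carrier] = totals.get(carrier, 0) + amount
    return totals


def uninsured(loss, tower=TOWER):
    """Portion of the loss that exceeds the top of the tower."""
    return max(loss - sum(limit for _, limit in tower), 0)


if __name__ == "__main__":
    # Constructed loss amounts: within one layer, mid-tower, above tower.
    for loss in (4 * MILLION, 25 * MILLION, 60 * MILLION):
        print(f"loss ${loss / MILLION:.0f}M:", carrier_totals(loss),
              "uninsured:", uninsured(loss))
```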

Slide 4

Wild, Wild West
Insurance carriers are on a steep learning curve
o GL insurance may provide coverage, for example for “property”
o Cyber – non-admitted policies
o No standard language – caveat emptor!
o SMBs get off-the-shelf language
o Your policy will change

Slide 5

What’s Behind the Curtain?
Insurance carriers are on a steep learning curve
o No actuarial models for cyber risk
o Steep learning curve for infosec
o Less rigor on application – tight scrutiny on claims
o Imperfect information – working through brokers
o Broad range in pricing
Write policies with basic underwriting → Understand claims → Write more exclusions → Adjust premiums

Slide 6

Interesting Case Law
• Columbia Casualty Company (CNA) v. Cottage Health System
• Server misconfiguration: anonymous FTP
• Exposure of 32,500 records – settled class action suit for $4.1M
• Claim initially accepted by CNA
• CNA examined the application, then reversed course and sued Cottage
• Case dismissed on procedure

Slide 7

Interesting Case Law
Cottage “failed to apply minimum required security practices” … and must “continuously implement” security measures … — CNA
An unresolved argument

Slide 8

Agenda: Take Action
• Collaborate across silos – pen-testers to general counsel
• Understand context – your threats/attack scenarios and loss potential
  • PASTA (Process for Attack Simulation and Threat Analysis)
  • FAIR (Factor Analysis of Information Risk)
• Strength of security vs. business impact: cyber insurance requirement
Legal | Business Risk | Security

Slide 9

Agenda: Take Action
• Governance – the easiest deficiencies to spot when applying for cyber coverage
• Collaborate to review and negotiate policy language – exclusions, BYOD, cloud, vendor risk …
• Be careful what you state – your answers are a “warranty”
• Be mindful of time limits on notification of breach
Legal | Business Risk | Security

Slide 10

Cyber Liability Insurance and Your Security Program – How They Fit
Scott Takaoka, VP Business Development