cyberinsurance Archives - The National Law Forum

Cybersecurity Crunch: Building Strong Data Security Programs with Limited Resources – Insights from Tech and Financial Services Sectors

National Law Forum — Thu, 13 Jun 2024 14:50:07 +0000

In today’s digital age, cybersecurity has become a paramount concern for executives navigating the complexities of their corporate ecosystems. With resources often limited and the ever-present threat of cyberattacks, establishing clear priorities is essential to safeguarding company assets.

Building the right team of security experts is a critical step in this process, ensuring that the organization is well-equipped to fend off potential threats. Equally important is securing buy-in from all stakeholders, as a unified approach to cybersecurity fosters a robust defense mechanism across all levels of the company.Digit

This insider’s look at cybersecurity will delve into the strategic imperatives for companies aiming to protect their digital frontiers effectively.

Where Do You Start on Cybersecurity?
Resources are limited, and pressures on corporate security teams are growing, both from internal stakeholders and outside threats. But resources to do the job aren’t. So how can companies protect themselves in real world environment, where finances, employee time, and other resources are finite?

“You really have to understand what your company is in the business of doing,” Wilson said. “Every business will have different needs. Their risk tolerances will be different.”

“You really have to understand what your company is in the business of doing. Every business will have different needs. Their risk tolerances will be different.”

BRIAN WILSON, CHIEF INFORMATION SECURITY OFFICER, SAS
For example, Tuttle said in the manufacturing sector, digital assets and data have become increasingly important in recent years. The physical product no longer is the end-all, be-all of the company’s success.

For cybersecurity professionals, this new reality leads to challenges and tough choices. Having a perfect cybersecurity system isn’t possible—not for a company doing business in a modern, digital world. Tuttle said, “If we’re going to enable this business to grow, we’re going to have to be forward-thinking.”

That means setting priorities for cybersecurity. Inskeep, who previously worked in cybersecurity for one of the world’s largest financial services institutions, said multi-factor authentication and controlling access is a good starting point, particularly against phishing and ransomware attacks. Also, he said companies need good back-up systems that enable them to recover lost data as well as robust incident response plans.

“Bad things are going to happen,” Wilson said. “You need to have logs and SIEMs to tell a story.”

Tuttle said one challenge in implementing an incident response plan is engaging team members who aren’t on the front lines of cybersecurity. “They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right,” she said. “They need to be thinking, ‘What should I be looking for and what’s my response?’”

“They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right. They need to be thinking, ‘What should I be looking for and what’s my response?’”

LISA TUTTLE, CHIEF INFORMATION SECURITY OFFICER, SPX TECHNOLOGIES
Wilson said tabletop exercises and security awareness training “are a good feedback loop to have to make sure you’re including the right people. They have to know what to do when something bad happens.”

Building a Security Team
Hiring and maintaining good people in a harrowing field can be a challenge. Companies should leverage their external and internal networks to find data privacy and cybersecurity team members.

Wilson said SAS uses an intern program to help ensure they have trained professionals already in-house. He also said a company’s Help Desk can be a good source of talent.

Remote work also allows companies to cast a wider net for hiring employees. The challenge becomes keeping remote workers engaged, and companies should consider how they can make these far-flung team members feel part of the team.

Inskeep said burnout is a problem in the cybersecurity field. “It’s a job that can feel overwhelming sometimes,” he said. “Interacting with people and protecting them from that burnout has become more critical than ever.”

“It’s a job that can feel overwhelming sometimes. Interacting with people and protecting them from that burnout has become more critical than ever.”

TODD INSKEEP, FOUNDER AND CYBERSECURITY ADVISOR, INCOVATE SOLUTIONS
Weighing Levels of Compliance
The first step, Claypoole said, is understanding the compliance obligations the company faces. These obligations include both regulatory requirements (which are tightening) as well as contract terms from customers.

“For a business, that can be scary, because your business may be agreeing to contract terms with customers and they aren’t asking you about the security requirements in those contracts,” Wilson said.

The panel also noted that “compliance” and “security” aren’t the same thing. Compliance is a minimum set of standards that must be met, while security is a more wide-reaching goal.

But company leaders must realize they can’t have a perfect cybersecurity system, even if they could afford it. It’s important to identify priorities—including which operations are the most important to the company and which would be most disruptive if they went offline.

Wilson noted that global privacy regulations are increasing and becoming stricter every year. In addition, federal officials have taken criminal action against CSOs in recent years.

“Everybody’s radar is kind of up,” Tuttle said. The increasingly compliance pressure also means it’s important for cybersecurity teams to work collaboratively with other departments, rather than making key decisions in a vacuum. Inskeep said such decisions need to be carefully documented as well.

“If you get to a place where you are being investigated, you need your own lawyer,” Claypoole said.

“If you get to a place where you are being investigated, you need your own lawyer.”

TED CLAYPOOLE, PARTNER, WOMBLE BOND DICKINSON
Cyberinsurance is another consideration for data privacy teams, but it can help Chief Security Officers make the case for more resources (both financial and work hours). Inskeep said cyberinsurance questions also can help companies identify areas of risks and where they need to prioritize their efforts. Such priorities can change, and he said companies need to have a committee or some other mechanism to regularly review and update cybersecurity priorities.

Wilson said one positive change he’s seen is that top executives now understand the importance of cybersecurity and are more willing to include cybersecurity team members in the up-front decision-making process.

Bringing in Outside Expertise
Consultants and vendors can be helpful to a cybersecurity team, particularly for smaller teams. Companies can move certain functions to third-party consultants, allowing their own teams to focus on core priorities.

“If we don’t have that internal expertise, that’s a situation where we’d call in third-party resources,” Wilson said.

Bringing in outside professionals also can help a company keep up with new trends and new technologies.

Ultimately, a proactive and well-coordinated cybersecurity strategy is indispensable for safeguarding the digital landscape of modern enterprises. With an ever-evolving threat landscape, companies must be agile in their approach and continuously review and update their security measures. At the core of any effective cybersecurity plan is a comprehensive risk management framework that identifies potential vulnerabilities and outlines steps to mitigate their impact. This framework should also include incident response protocols to minimize the damage in case of a cyberattack.

In addition to technology and processes, the human element is crucial in cybersecurity. Employees must be educated on how to spot potential threats, such as phishing emails or suspicious links, and know what steps to take if they encounter them.

Key Takeaways:
What are the biggest risk areas and how do you minimize those risks?
Know your external cyber footprint. This is what attackers see and will target.
Align with your team, your peers, and your executive staff.
Prioritize implementing multi-factor authentication and controlling access to protect against common threats like phishing and ransomware.
Develop reliable backup systems and robust incident response plans to recover lost data and respond quickly to cyber incidents.
Engage team members who are not on the front lines of cybersecurity to ensure quick identification and escalation of potential threats.
Conduct tabletop exercises and security awareness training regularly.
Leverage intern programs and help desk personnel to build a strong cybersecurity team internally.
Explore remote work options to widen the talent pool for hiring cybersecurity professionals, while keeping remote workers engaged and integrated.
Balance regulatory compliance with overall security goals, understanding that compliance is just a minimum standard.

by: Theodore F. Claypoole of Womble Bond Dickinson (US) LLP

For more on Cybersecurity, visit the Communications Media Internet section.

The post Cybersecurity Crunch: Building Strong Data Security Programs with Limited Resources – Insights from Tech and Financial Services Sectors appeared first on The National Law Forum.

Will an Act of War Destroy Your Cyberinsurance Coverage?

National Law Forum — Thu, 24 Mar 2022 20:20:23 +0000

Cyberinsurance spurs many complaints from US business. The cost is skyrocketing, retentions (deductibles) are rising quickly, and the insurance companies push their own panel lawyers on customers despite other relationships. Ransomware or email fraud can be excluded from some policies.

But news of significant hacks drives more companies into the cyberinsurance market despite the costs. According to Bloomberg, cyberinsurance prices rose nearly 100% in 2021 and keep climbing. Travelers Insurance, working to justify the leaping costs of its products, lists the following reasons for higher cybersecurity prices: a wave of ransomware, rising breach response costs (from forensic and legal experts to ransom payments and regulatory fines), increasing tech complexity and budgets, inadequate cybersecurity hygiene (which is why better controls can now lead to lower insurance prices), lack of advance response plans, and business interruption expenses. Shutting down business operations may be a way for criminals to force ransom payments, but it also creates an expensive risk reduction system, and all companies are suffering from it.

However, for the price of protection, you would expect your insurance company to pay to remediate a properly-reported cyberattack. Property insurers have long excluded “acts of war” from insurable damage that would receive payments. Most cyberinsurance policies have similar exclusions. This leads insurance customers to wonder, in a world where hackers and ransomware gangs from Russia and Ukraine initiate a significant percentage of cyberattacks, when would those attacks be considered “acts of war” during a real shooting war? If your company is smacked with ransomware from a Russian crew associated with the Kremlin, will your insurance company exclude the costs from your cyberinsurance policy as an act of war?

Lloyds of London just released a set of new exclusion clauses for addressing cyber war. These clauses are for underwriters to consider placing in Lloyds insurance contracts, and “have been drafted to provide Lloyd’s syndicates and their (re)insureds (and brokers) with options in respect of the level of cover provided for cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state.” Lloyds specifies that the “act of war” exemption language applies to China, France, Japan, Russia, the U.K and the U.S. The new clauses supply underwriters with extensive leeway to refuse to pay claims.Importantly, Lloyds can decide that the attack was an act of war even if the attackers do not declare themselves. Pending any government attribution of an attacker, Lloyds can decide through reasonable inference to attribute any attack to state activities, and therefor falling within the “act of war” exclusion.

Property insurers have long excluded “acts of war” from insurable damage that would receive payments. Most cyberinsurance policies have similar exclusions. This leads insurance customers to wonder, in a world where hackers and ransomware gangs from Russia and Ukraine initiate a significant percentage of cyberattacks, when would those attacks be considered “acts of war” during a real shooting war? If your company is smacked with ransomware from a Russian crew associated with the Kremlin, will your insurance company exclude the costs from your cyberinsurance policy as an act of war?

TED CLAYPOOLE

All hope is not lost for businesses relying on cyberinsurance. Courts tend to hold insurers to high standards when trying to avoid paying out claims due to broadly-defined exclusions. For example, earlier this year the Superior Court of New Jersey rules that insurers can’t use a nation-state “act of war” cyber-exclusion to avoid covering more than a billion dollars in damages that Merck claimed it suffered from the NotPetya cyberattack in 2017. According to Insurance Journal, “ The insurers had tried to use the exclusions to avoid paying out, citing the fact the NotPetya malware was attributed to Russia and was meant to be deployed to disrupt and destabilize Ukraine. The malware wound up affecting thousands of companies worldwide. . . The cyber attack also attracted the attention of regulatory scrutiny of so-called “silent cyber” exposure in all policies.” The court “unhesitatingly” ruled that war exclusions did not apply in this instance.

So an attack from Russian hackers in 2021 may be covered under most cyberinsurance policies, but what about an attack in March of 2022? Does the state of hostility between the U.S. and Russian – in which Putin has claimed that sanctions against Russia and providing arms to Ukraine is an act of war – mean that ransomware attacks from the same Russian hackers may be considered acts of war? For example, the Conti ransomware gang has officially announced its full support of the Russian government after the invasion of Ukraine and threatened to use all possible researches to attack both Ukraine and Western countries that might support Ukraine. It would be easy for US critical infrastructure businesses to be direct victims of attacks from Russians supporting the Kremlin, or to be indirect victims of attacks aimed at Ukraine that spread through open networks like NotPetya or other malicious viruses. Where would that leave an affected company if its insurance provider refuses to pay, claiming an “act of war” exclusion?

We simply don’t know many insurance companies will use these policy exclusions and will be allowed to do so by U.S. courts. But each of us should check our cyber insurance policies for exclusions that could be triggered by current international conflicts.

Beyond insurance, international cyberattacks have straddled the line between standard crime and acts of international state hostility. Since the internet connected our world electronically, our societies have not set rules about how public and private actors are allowed to behave toward each other. Brad Smith, the President of Microsoft, has called for a Digital Geneva Convention, so that the nations of the world can agree what acts of electronic aggression are acceptable in war and even which acts should be considered to be acts of war. Maybe the current crisis, where a long-existing state is invaded without provocation, may be the catalyst to discuss digital hostility and set some rules around what kinds of interactions will be tolerated by the international community.

For now, check your cyberinsurance policies. For posterity, push our politicians to create baseline rules for the digital world. We have promulgated the law of the sea and the law of space. We should create a law of cyberspace as well.

Article By Theodore F. Claypoole with Womble Bond Dickinson LLP.

For more articles on cyberinsurance for your workplace, visit the NLR Cybersecurity Media & FCC section.

The post Will an Act of War Destroy Your Cyberinsurance Coverage? appeared first on The National Law Forum.

Will Cyberinsurance Cover Target's $19 Million Mastercard Settlement?

National Law Forum — Wed, 22 Apr 2015 19:18:20 +0000

Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.^[1]The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”^[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).^[1]The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarfs the amounts of fines for alleged PCI non-compliance.^[2]Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.^[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.^[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.^[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.^[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.^[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.^[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:^[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”^[10]

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.

_{[1] See, e.g., First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).}

_{[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superceded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).}

_{[3] See, e.g., Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).}

_{[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

_{[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

_{[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.}

_[7] Id.

_{[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.}

_{[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).}

_{[10] Target, , Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.}

_{[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.}

_{[2]Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.}

ARTICLE BY

Scott N. Godes

Barnes & Thornburg LLP

The post Will Cyberinsurance Cover Target's $19 Million Mastercard Settlement? appeared first on The National Law Forum.

Will Cyberinsurance Cover Target’s $19 Million Mastercard Settlement?