Seminar
October Cyber Liability - Continuing Education - CE Credit
Cyber Liability - Continuing Education Program - Three Hours CE Credit
When: October 8, 2014 8 AM registration - First Class Starts 8:30 AM
Where: Audubon Country Club, 3265 Robin Road, Louisville, Ky 40213
Data security and privacy exposures can result in massive financial loss and reputational damage for organizations and businesses of all sizes, in the public, private, for-profit and non-profit sectors. Producers, underwriters and claims professionals need to understand the scope and the extent of these exposures and the risk management and insurance strategies available to address them.
We are pleased to announce the Kentucky Chapter of the CPCU Society will be offering a program on Cyber Liability. The program has been approved for three hours of CE credit for Kentucky and Indiana. The program itself will be presented by the good people of Zurich Insurance company on behalf of the Kentucky Chapter. Please see more program information on the Materials tab.
At the conclusion of the educational program at 12:00 noon, we will hold a luncheon and are pleased to announce that our speaker will be a representative of the new Louisville professional soccer team. The speaker will be either the President, Djorn R. Buckholz, or the Head Coach, James O'Conner. If possible, both will be joining us.
The cost of the program is as follows:
- Three hours of CE on Cyber Liability $30
- Luncheon $20 (lunch is free for dues-paid CPCU chapter members)
* * * * * * * *
Registration
The following people will be attending the Continuing Education Program. Please list below the names and company/agency of the people attending. If you want CE credit, please provide your Department of Insurance number.
1.
2.
3.
4.
The following people will attend the luncheon.
1.
2.
3.
4.
Enclosed is a check for $___________
Please mail your registration and check to
CPCU Society
C/O Darlene Phillps
KHA Solutions Group
PO Box 436629
Louisville, KY 40253-6629
Event Materials
A GROWING THREAT TO DATA SECURITY
Information, Network Security and Privacy Risk Management
Program Overview
Data security breaches continue to occur not only with alarming frequency, but also with significant severity. Identity theft continues to rise, jumping 13% from 2010 to 2011. Close to 12 million adults were victimized by identity theft, and it was the number one complaint filed with the Federal Trade Commission in 2011.
It is no longer unusual for single incidents of data breach to involve the compromise of several hundred thousand and perhaps even millions of records involving personal information. These breaches may also not be discovered for considerable lengths of time. Heartland Payment Systems provides bank card payment processing services to 250,000 merchants and businesses nationwide. A massive data breach was apparently launched in 2007, not discovered until 2008 and not made public until 2009. Over this time period, Heartland has incurred over $13 million in costs associated with the breach, incalculable damage to its corporate reputation, and a 40%+ drop in its stock price. Predictably, Heartland's directors and officers are the targets of ongoing lawsuits by shareholders, regulators, and other affected parties.
Perpetrators of data breaches range from amateur hackers to political and social activists to organized crime gangs. While intuition might suggest that larger, more sophisticated organizations would be able to fend off attacks, the reality is otherwise, as major US banks and government organizations (including the CIA and State Department) have been hacked. The Wikileaks hacks of the military and state departments have revealed extremely sensitive information related to our national security. In addition to data breaches, liability exposures can include trademark, copyright and/or patent infringement.
Data security and privacy exposures can result in massive financial loss and reputational damage for organizations and businesses of all sizes, in the public, private, for-profit and non-profit sectors. Producers need to understand the scope and extent of these exposures and the risk management strategies available to address them.
Program Objectives
As a result of this program, the producer will:
- Understand the scope and extent of network security exposures and that organizations of all sizes are at risk;
- Learn about the multiple U.S. federal and state privacy laws, and similar privacy laws in effect in the European Union, their requirements, and potential fines and penalties imposed by these regulations;
- Understand the scope of potential financial and reputational costs associated with data breaches and other privacy-related exposures;
- Learn the essential components of a network security and privacy insurance contract, definition of insureds, defense and settlement provisions and exclusions;
- Understand how the underwriting process works in assessing an applicant, and related "best practices" for identifying and quantifying a risk;
- Understand how the network security and privacy claim is processed, managed and resolved;
- Learn how to employ a holistic network security and privacy risk management program combining avoidance, reduction, retention, and risk transfer strategies.
Program Content
I. Current and Emerging Risks in Network Security and Privacy (20 Minutes)
a. Types of threats
i. Denial of service
ii. Privacy breach
iii. Extortion threats
iv. Malware
v. Sabotage, defacement and vandalism
vi. Libel, slander
vii. Copyright and/or patent infringement
viii. Income Loss
b. Number of breaches/trends
c. Industry-related breaches
d. Corporate breaches: case studies
e. Perpetrators
i. Criminals
ii. Amateur hackers
iii. Activists
II. Regulatory Environment (20 Minutes)
a. U.S. State and Federal Privacy Laws
i. HIPAA
ii. Gramm-Leach Bliley
iii. Children's Online Privacy Protection Act
iv. Computer Fraud and Abuse Act
v. Fair and Accurate Credit Transactions Act/"Red Flag Rules"
vi. State Laws
b. European Union Data Privacy Laws
i. Information Directive of 1995
ii. Directive on Privacy and Electronic
III. Costs Associated with Data Security Breaches (10 Minutes)
a. Forensic analysis/damage assessment
b. Expense to secure compromised networks
c. Costs of mandatory notices to consumers and government authorities
d. Credit monitoring services
e. Defense costs and damages
f. Costs of compliance with government investigations
g. Fines (e.g., violations of HIPAA, GLBA, FCRA)
h. Lost business
i. Loss of trust
j. Reputational damage
IV. Liability Risks (15 Minutes)
a. Defamation
b. Invasion of privacy
c. Trademark, copyright, patent infringement
d. Copyright infringement
e. Loss of access
V. First-Party Risks (15 Minutes)
a. Business interruption and CBI
b. Extra expense
c. Digital asset replacement expense
d. Cyber-extortion threats
VI. Network Security and Privacy Insurance/Analysis of a Sample Form (40 Minutes)
a. Why This Coverage is Necessary: Shortcomings and Deficiencies in the Traditional CGL Form
b. Definition of insured
c. Definition of Loss
i. Privacy wrongful act
ii. Security wrongful act
d. Coverage parts
i. Security and privacy liability coverage (third party)
ii. Privacy breach cost coverage (first party)
iii. Business income and dependent business income loss coverage (first party)
iv. Digital asset replacement expense coverage (first party)
v. Cyberextortion coverage (first party)
vi. Internet media liability coverage (third party)
e. Defense and settlement
f. Other insurance
g. Exclusions
VII. Underwriting and Application Considerations (20 Minutes)
a. Recommended participants
i. Chief Information Officer
ii. Chief Privacy Officer
iii. High level information technology officer
b. Identifying and quantifying the risk
i. Business activities
ii. International exposures
iii. Organization and governance
iv. Network security
v. Data management
vi. Incident response
vii. Business continuity planning
viii. Loss history
c. Industry classification
d. Implications for regulated industries (healthcare, financial, commercial retailers)
e. Developing the rating basis
f. Completing the application
g. Using endorsements to modify policy terms
VIII. Handling the e-Claim (20 Minutes)
a. First party claims/Third-party claims
b. Actions for injunctive relief
c. Selection of defense counsel
d. Consent to settle and the hammer clause
IX. Data Security Risk Management (20 Minutes)
a. Risk management options
i. Avoidance
ii. Reduction
iii. Retention
iv. Transfer
b. Network security "best practices"
X. Conclusions/Q & A
TOTAL TIME: 180 MINUTES/ 3 HOURS