Sign Arizona Banking Confidentiality Agreement Computer

Industry sign banking arizona confidentiality agreement computer

today's presentation is titled lawyer care introduction to cyber care i'm karen bloem marketing director of the medmark lawyer care program on behalf of medmark and today's speaker michael lampricht thank you for joining us michael lampricht is president of bdi solutions in this capacity michael is responsible for developing cyber risk insurance products loss mitigation and reinsurance solutions for exposures related to network security and privacy cyber extortion and crime multimedia liability and technology errors and emissions michael has over 20 years of experience as a cyber risk insurance consultant underwriter and broker prior to his current position michael led the cyber risk team at arthur j gallagher and company and was a cyber risk consulting practice leader at aeon michael is a three-time winner of the risk and insurance magazine power broker award he frequently lectures on cyber risk at industry conferences including the risk management society professional liability underwriting society and american bar association michael's continuing professional education includes the designation of associate in risk management michael worked closely with medmark on development of its cyber care endorsement and i'm pleased to turn things over to michael who will begin today's presentation welcome michael thank you karen thank you everyone for joining us today for our presentation on cyber risk i will walk you through cyber risk as it relates to law firms specifically then i will discuss the state of the cyber insurance marketplace with respect to law firms and then i will dig deeper into the med mark cyber care program endorsement and the associated services that go along with it so let's get started the first step in any firm's cyber risk evaluation has got to be looking at their own cyber risks you can do it as an individual entity as an industry or just take a generic overview of what you think the exposures are as in the insurance industry has a tendency to look at all accounts the same way they offer the same products to all industries and we don't necessarily feel that's the best way we think that the exposures vary radically industry by industry we believe that law firms stand out as a type of entity that has a greater need for cyber risk than other types of entities and we feel the exposures would be very different than say a manufacturer or a retailer or a bank or a health care institution so when looking at this next slide here i've listed out the most common cyber perils otherwise known as threat vectors things like hackers viruses denial of service attacks things on this list can be accidental or intentionally dishonest and when these things happen it leads to the graphic on the right the loss types and you'll see what i've done here is i've divided these into the four known quadrants of losses that can arise out of your cyber apparels in my experience most of the losses experienced by law firms occur in the upper right quadrant this is the third party liability losses in the non-physical or intangible side of the equation these would be things along the lines of damage to electronic data and others consequential loss privacy breaches that's something that is a very popular topic breaches of confidentiality regulatory violations and things of the like now when you compare this matrix to let's just say a retailer for example the order of these perils might change significantly and they might be in different quadrants for example on the subject of privacy which is probably the most popular in other industries the largest exposure at a retailer is largely considered to be the disclosure of credit card information and the associated fines and penalties that might come from a pci breach we don't see that type of activity at law firms there are some law firms yes that do collect credit card information and some collect a lot of it but on the whole the 50 000 law firms across the united states only a fraction collect any credit card information of of significance more than you know a couple hundred records at a time so the privacy breaches have a tendency to fall down the list when you are trying to evaluate your firm's exposures we recommend looking at it according to the area of practice that your firm is involved in the type and size of clients that you have and the type and quantity of data that you have more often than not we find the third party liability risk associated with law firms is going to be a breach of confidentiality breach of privilege arising out of your legal services and on the first party side it's generally not going to be something along the lines of business interruption or even reputational damage more often than not the claims we see happen in the law firms that are the first party nature will be cyber extortion or theft of your money or your client's money we see those two types of incidents happen very frequently with respect to the bottom quadrants on this risk matrix we don't see these losses happen frequently if at all at law firms yes we do see bodily injury happen but more often than not that is at a health care type of risk and we do occasionally see physical damage come out of cyber perils as well but that's more along the lines of utilities hydroelectric dams and things of the like when you're studying these exposures for a law firm do study all four but you're probably going to want to stick to the top two now moving on we will get into a deeper analysis of law firm cyber risk in a future presentation but for right now we just had to keep it fairly high level so we could talk through the side risk insurance products as well for law firms that are entering the cyber risk insurance marketplace you will find many many options available i've tried to simplify it by dividing it into a few key categories we see that there are two types of policies in general there are generic cyber risk policies which are the most common cyberis policies that are generic are written for all industries but not any one industry specifically for example if you went to your insurance company you would ask for cyberis policy they would give you exactly the same one that they were going to get to a bank health care manufacturer retailer those are generic policies the other types are the specific policies those that have been drafted for a particular industry segment or multiple industry segments for example we see a lot of professional services cyberis policies they weren't specifically drafted for law firms they were drafted for law firms accountants real estate agents and similar entities likewise we also see policies endorsements and embedded coverage that were designed specifically for in a unique industry such as law firms accounts and things of the like when you get past the generic versus the specific then you need to look at the insurance marketplace and decide who's offering what again i've divided this into two additional categories one is the standalone cyber risk insurance marketplace what that means is they're selling an individual policy not an endorsement not coverage that's embedded in another policy it is a cyber policy through and through the other part is the endorsement or embedded cyber risk coverage in the lawyer's professional liability policy on the stand-alone cyber insurance marketplace side i see 18 markets that have dedicated cyber risk products that are available to law firms and other professionals they have a tendency to offer significantly higher limits than other type of endorsements or embedded coverage it starts at about five hundred thousand dollars in limit it can go all the way up to 25 million dollars with one insurance carrier there is significantly more excess coverage available if it was necessary generally speaking the coverage available from the standalone marketplace is the broadest available it will typically be broader than what you might find in an embedded policy or endorsement and you will have higher deductibles and premiums that go along with that the standalone coverage market includes all of the modules which i've listed here media liability network security and privacy the first party covers for data restoration business income extra expense extortion crime and brand of reputation coverage the main drawback aside from the price and deductible with the standalone marketplace is that the claims handling is can be very complicated the one issue that we see with law firms specifically is that there are a lot of what we call crossover claims claims such as a data breach that could result in a pure eno type of claim the question then becomes do you file that on your lawyer's professional liability do you file it on your cyber risk policy or do you do both and more often than not people are filing it under both and that's where the claims handling becomes very complicated and you often find that you have significant gaps between the two policies on the flip side talking about the endorsement or the embedded approach that is the main advantage of the endorsement or embedded approach you're buying a single policy from one insurance company it's a lot easier when it comes to handling claims and there are far less gaps in coverage generally speaking with respect to the endorsement embedded marketplace you're going to find that there are not as many markets there are nine large professional liability markets that also offer embedded or endorsed cybers coverage medmark being one of those nines those the limits available are significantly lower for the most part the limits typically range from about ten thousand dollars up to two hundred and fifty thousand dollars we are absolutely seeing a push upwards in the limits and we expect the number to be significantly higher in 12 to 24 months the coverage under these endorsements or embedded coverage it varies radically some of it is very specific to law firms others is not some of the coverage is very broad and in other cases it's very very narrow so you're going to need to be very careful when you're out there shopping for this coverage there's also five additional lawyers professional liability markets that offer what we call embedded cyber's coverage meaning it's in the main body of the policy form it's not an endorsement it has a shared limit those policies generally offer limits that are in between the dedicated standalone marketplace and the endorsement you'll see limits up to about 2 million coverage is generally fair although it's usually limited to liability only and it's not quite as broad as standalone again just emphasizing it's going to be lower limits lower premiums less complicated claims handling but you're also going to have a lot less limit available to you whereas on the standalone side it's going to be broader coverage bigger limits moving on in the last 12 months we've reevaluated the state of the market this uh is for the first quarter of 2007 it will continue to change things have improved radically in the last five years of the cyberus marketplace for law firms the rates are significantly lower than they were five years ago according to my analysis of about four thousand accounts if you go back five years from today and were to evaluate the rates back then you would see they're about 45 higher than they are today so there's been a drastic drop mostly associated with carriers that are entering the endorsement cyber endorsement marketplace and offering what they call or term first-time buyer pricing you know if you go back 10 years believe it or not the the premiums were about 150 higher than they are today so things are really going in the right direction there are however some issues that still need to be sorted out in my experience the structure will need a lot of work we do see a lot of different designs out there today and no commonality amongst the terms and conditions in most policies even the jargon used between insurance companies is very different my partner reminds me every couple of weeks that the language is effectively broken for cyber risk because nobody really seems to understand what any of it means and a lot of the time that we spend as a company is just educating people on what that jargon means and how it applies in an insurance context what we expect to see is the emergence of two markets in the future the standalone which we expect to remain and grow but we do expect the endorsement in the embedded marketplace to to be the source of real growth in the future if you go back two or three years there was one or two carriers offering a cyber risk endorsement that number has effectively tripled over the last few years and based on what we're seeing out in the marketplace it will probably triple again in the next few years we're going to see a huge growth in that marketplace the other large issue with the cyber risk insurance marketplace for law firms is the service bundle too many insurers are still applying the retail service bundle to these policies and by service bundle what i mean are the services that are provided to the clients before a breach happens we call those pre-brief services those would be things like tools templates software to prevent losses from happening as well as the post-breed services which are mostly claims handling and incident response the larger problem there is that most of the incident response post-breed services is built solely around the disclosure of credit card or personally identifiable information and from beginning to end it's all about dealing with privacy breaches they they make few if any allowances for breaches of confidentiality breaches of privilege uh breaches of contract and i'm not i'm not grouping everyone into that mess but if you look nine out of ten policies out there today that are sold to law firms have almost no accounting on the service bundle side for breaches of privilege breaches of confidentiality and things of the like contractual breaches and so on it's all about credit card information personally identifiable information that needs to change if this market is going to improve the underwriting is a lot better than it used to be ask any cyber risk insurance broker that was around before 2012 and they will tell you that the paid the applications used to be eight to 15 pages long and now there are some markets that are attaching the coverage by endorsement with no application at all and those that offer it on a standalone basis are offering coverage with a one to two page application so overall everything is good everything is moving in the right direction there are still significant improvements to be made though now to the second part of the presentation and that is a summary of the medmark cyber care endorsement i have to be very careful because i often call it a policy but it's actually an endorsement that is attached to the med mark lawyers professional liability policy the coverage was designed very specifically for law firms it includes the core coverages this is what we refer to as an entry level policy or endorsement it provides just the core coverages and not the additional bells and whistles that have a tendency to drive price it covers the liability associated with the privacy and confidentiality breaches the regulatory fines and penalties and it also covers the first party data breach response costs in the event that you've had a breach and you're forced to incur expense for things like forensics credit monitoring and so on and so forth those two those two things are going to be covered in the endorsement one of the things that we really tried to do with this endorsement was to simplify the policy language with all of the new terminology that is being added to these cyberis policies they have a tendency to be very very long there was one insurance carrier that introduced a new policy in the last 30 days that was 57 pages long and i don't know anybody that's going to read a policy that's 57 pages long but you can be sure that in those 57 pages there's far too much jargon and terminology that's just not necessary so karen and i tried to rework this policy language relying on the existing terms and conditions within the med mark lawyers professional liability policy and reusing those wherever possible so we wouldn't have two different definitions f the same thing which is a common problem in the endorsement style coverages so we've attempted to make it easy to read we've attempted to provide the core coverages and we've attempted to incorporate the law firm specific incident response services we talked earlier about the pre and post free services and a lot of the problems that were going on out there medmark has chosen to incorporate law firm specific post breach response services and we're currently in the process of developing additional pre-breach loss control services and things that the like tools templates content software so on and so forth as of today there are two pilots or excuse me two endorsements available lcp 228 which has a 25 000 limit a 2500 deductible and is available at no additional premium every policy holder will get the lcp 228 endorsement at no charge on their medmark lawyers professional liability policy there is a larger limit policy or endorsement available it's a 250 000 limit 2500 deductible and that is subject to an additional premium which is a minimum of 300 i think you will find that the rating for that 250 000 endorsement is very simple and results in premiums that are usually in the hundreds of dollars they rarely rarely make it into the thousands of dollars which is often where the standalone policies start at moving on from there into the coverage provided by the program i mentioned a few minutes ago that it provides mostly third-party liability coverage and some first-party breach response coverage i wanted to cover this to the extent we possibly can without getting too deep i think that what we wanted to do the most of in this policy was to protect the policyholders third-party legal liability exposure that is by far the largest source of big claims we do see a lot of frequency on the first party side but the the 50 75 150 000 claims up to the you know 10 million dollar claims are almost always third party liability lawsuits and generally speaking those fall into two categories the privacy breaches which we've talked about a few slides earlier that covers a legal liability rising out of data breaches hackers viruses denial services lost laptops accidental disclosure that involves personally identifiable consumer information or confidential informations and this could occur at the law firm or at an outsource provider likewise the breach of confidentiality the liability for that is covered by the endorsement under the same circumstances unintentional or intentional dishonest disclosure of confidential information by third parties or by the employees of the firm that results in a breach of confidence or a breach of privilege and that results in liability those types of things were designed into the endorsement as a follow-on to that we have addressed the subject of pci violations that stands for payment card industry violations although most law firms don't collect much of any credit card information there are some that collect quite a bit of it so we opted to put in liability for breaches of the pci terms and conditions those are with your credit card providers they have the ability to unilaterally fine you in the event that you're non-compliance with those pci data security standards following a data breach we incorporated that in as well we haven't yet seen a lot of people file claims for that but we expect that at some point in the future we will see those some of the the larger bells and whistles that we added on were these last two on the slide which i call failure to warn in wrongful collection the failure to warrant coverage is an area where we've actually seen quite a few incidents happen where for one reason or another a firm has suffered a data breach and then has not notified the victims in a timely fashion most often that occurs because the firm is working with the authorities to find the culprit before they notify the victims oftentimes law enforcement will come to you and ask you not to disclose that data breach to the victims because it would then notify the bad guys that they someone's on to them and we've seen several claims come out of that in the past so we've attempted to add that on to the endorsement that is not a coverage that is common on cyber risk policies these days we do expect to see it in the future as the interest grows and lastly wrongful collection it covers legal liability out of not just the disclosure of private or confidential information but also the wrongful collection of it in other industries this would take a different form but generally speaking in the legal industry this coverage is triggered when law firms are either collecting information from individuals through their website that they're not supposed to be or through their legal practices either by hiring a private investigator to collect information or what have you we haven't seen much in this area but the wrongful collection exposure is fairly large in web-centric services so we do expect to see it come over to the legal industry sooner rather than later firms that make a business out of being online and publishing information such as yahoo or google that have even minor inaccuracies in their privacy policy often get sued for wrongful collection moving on from there we're still talking about third party legal liability coverage there are some additional components here that we had wanted to talk about the first are privacy policy violations this expands into a larger area i called out privacy policy violations specifically but the the endorsement covers breach of contract that arises out of data breaches or security breaches and that's often important to law firms in my experience because i found many law firms are now signing contracts with their clients in which they are assuming liability for data breaches this is especially prevalent in law firms that have clients that are health care related or financial services related they're being forced to sign what's called business associate agreements and they're being forced to assume unlimited liability for data breaches that happen at the firm so we wanted to build in coverage for breach of contract and that expense extends to privacy policy violations or breach of a confidentiality clause or indemnity agreement in the contracts that the firms are signing with their clients we feel that is particularly important to law firms their lifeblood comes from most contracts with clients and many of the cyberis policies specifically exclude that exposure we just didn't feel like that was fair when it came to the legal industry moving forward from there there is broad coverage what i term broad coverage for regulatory violations and that comes from liability rising out breaches of regulations or laws that are related to three main categories the collection storage use security of disposal or private information excuse me it's totally miss said that collection storage security use or disposal of private information identity theft protection and notification of actual or possible privacy breaches each one of these categories has several regulations or laws that are already in place or in process that are being published relative to these things so we're trying to cover three broad categories of regulatory body violations on a related note the policy doesn't just cover the regulatory violations it also covers the administrative and disciplinary proceedings that are related to the legal industry again we felt like that was quite important to add that as often times that the first point of loss for a law firm is not going to be the ftc it might be the adrc or something similar the aba so we built that in there as well and getting to the end here there's coverage for data loss or damage and what that means is if you damage the data of a third party or your client and they need to rebuild it or they lose some value as a result of that data not being there anymore you'll have coverage for that more often than not those losses take the form of our clients accidentally having sent a virus to someone else or an employee at one of our clients intentionally hacking into an old employer and doing damage or stealing information at law firms we find that the employee exposures is also there but we've had a few cases where law firms that were responsible for holding sensitive electronic information that was being held as evidence or something else accidentally having deleted it and suffering liability as a result so we expanded out that coverage as well computer tax builds on the data loss or damage coverage if you have a computer system that has been breached either by a third party or an employee and that computer system is used to launch attacks against other computer systems the policy is intended to respond to that again more often than not that simply takes the form of having a rogue employee using the firm's computer system to attack others it could be an old employer it could be an ex-partner of theirs it could really be anything we don't know why they do these things and then lastly the media liability this is not very commonly known as a cyber risk coverage but most of the cyber policies if not all of the standalone cyberis policies cover what's called publishers liability errors and omissions that occur in the course of your publications and there's a bit of a crossover exposure here between the lawyers professional liability policy and the cyber risk coverage many lawyers professional liability policies provide personal and advertising injury coverage in addition to the pure arizona missions and that often clashes directly with the multimedia liability coverage in cyberis policies so we attempted to dovetail the two coverages together to provide some media liability coverage in the cyber risk endorsement but not in a way that clashed with the personal advertising injury the limited amount of it that was in the main body of the lawyer's professional liability form at bedmark now the first party coverage component of this policy is not a traditional first party coverage when people think of first party coverage they think of property damage damage to a building or a loss of income or theft this first party coverage is for intangible losses such as a data breach that causes the firm to need to respond to that we call it data breach expense coverage the third party liability component of this policy covers data breaches that result in privacy or confidentiality breaches and similar items the first party coverage protects the firm for the cost of cleaning up those losses so for example in the event that the firm suffered a breach of confidentiality involving client information that was due to someone hacking into the system and stealing the information then the policy would provide the law firm with access to the following expenses forensics to identify the source and scope of the breach along with that putting the system back to where it was if that is incorporated into the loss in some cases someone has actually unlocked the digital lock so to speak re-locking it would be addressed in that forensic component legal counsel to advise on the applicability and actions necessary to comply with the law firm's requirements which go beyond what most firms must do law firms have ethical professional and regulatory requirements and most firms only have the regulatory requirements so we built in specific coverage for ethical and professional breaches and that is one of the large differentiators in this cyber endorsement versus other cyber coverage out there in the industry today again we talked to several minutes ago about most cyber risk policies only providing data breach response when it comes to privacy breaches and that that applies to what we everything we see on the list here but only with respect to a privacy breach not a breach of confidentiality whereas the med mark endorsement covers both confidentiality breaches and privacy breaches and the types of services that you're going to need to address those they might not be radically different but the nuances they can be significant at times one example that i can think of is if you were to lose a credit card you would need to notify the individual according to state law and it would take the form of a paper letter you send it out to them it would cost you a couple dollars to type and print and mail the letter you might provide them with credit monitoring service you'd be looking at 25 to 35 dollars ahead however on the law firm side if you were to lose one case file with significant confidential information in it it might not be thirty five dollars to notify the individual and clean up the mess you've created it might be thirty 35 000 what we see often at law firms is they don't have the same volume of information that you have at other places but the individual records that they have are far more valuable and more difficult to clean up anyways getting through this list quickly there's forensics coverage covered for someone to come in and identify the source and scope of the breach the legal counsel someone to advise you on what you need to do following a breach the cost of notifying the individuals the victims of the data breach the credit monitoring service if it's applicable and finally the public relations most of the dollars that we see get spent on this first party expense coverage come directly out of the forensics and legal counsel we do occasionally see notification expense under item c here but we rarely if ever see the credit monitoring okay now i'm trying to change the slide okay good moving to the the last component of the presentation and that is what we're calling the cyber care services discussed several minutes ago about the pre and the post breach services we are attempting to offer both through the medicare medicaid excuse me med mark cyber risk endorsement the pre-breed services are still underway that is going to be the subject of a future presentation we are building out a a website that has access to self-directed tools where you'll be able to go and take an information security assessment to determine how well you stack up against published standards such as iso 17799 we'll also provide you with access to several templates such as a privacy policy a security policy a data breach response plan and similar and we depending on how far we go with it we're not sure yet we may provide you with access to software loss control tools um things such as antivirus uh firewall and things of the like that that is still up in the air at this point but we are we're proceeding down a path of creating a law firm specific loss control website for the med mark customers the second half of that is the incident response services and we talked briefly about this one slide ago when it came to what's covered by the policy we give the policyholders the option to um make use of our panel at any time they've had a claim now they are not they're not required to use everyone on our panel much of it is optional but we've put together a team of experts legal and technical experts that will help the firm handle a claim from soup to nuts from beginning to end on the data breach response services you begin the first call is to an incident advisor and that incident advisor will stay with you and walk you through the entire process and that goes from the forensics the notifications the legal advice and the public relations component of that more often than not we don't get to the public relations component it is there if you need it but what you will likely see for your clients is the first three uh arrows in the chevron you'll see the access to the incident advisor the forensics and the notification services ninety percent of the time the incident is wiped up in that small area we do occasionally see remediation that is in the form of the credit monitoring the identity theft and the fraud resolution hotlines you will see that the services we provide in this regard would be very similar to what you see at other insurance carriers however instead of just being aimed at the privacy breaches it also applies to the confidentiality breaches there are additional services that are not mentioned on this slide i could not fit quite everything on there but that covers the majority of it again we will b hosting one or more some webinars in the future that dig in deeper to these areas particularly with respect to things like the website but for now that's going to have to be it