Protecting the Balance Sheet: Cyber and Management Liability Insurance Solutions

Sandra K. Carroll, Esq., Vice President, Strategic Risk Advisor, Executive Risk, Hylant Group
Herb Churchill, Vice President, Client Executive, Hylant Group

Agenda
- Introduction
- Cyber
- Crime
- Directors and Officers Liability
- Employment Practices Liability
- Fiduciary Liability
- Questions

This is intended merely for informational purposes and is in no way to be considered to be a grant or offer of coverage.

Cyber - Event Costs
First party costs:
- Response cost
- Business interruption & extra expense
- Data recovery costs
- Extortion / ransomware
- Lost business
Third party liabilities:
- Privacy liability
- Regulatory proceedings
- Data privacy: GDPR, CCPA, HIPAA
- State breach notice laws
- Media liability

Cyber - Insurance Coverages
First party:
- Breach response
- Extortion
- Business interruption
- Dependent business interruption
- Data recovery costs
- Reputational harm
Third party:
- Network security and privacy liability
- Regulatory fines and penalties*
- PCI fines and penalties
- Media liability
eCrime:
- Social engineering fraud (SEF)*
- Telecommunications fraud
- Funds transfer fraud*

Cyber - Market
Market pricing & trends:
- Rates are generally stable and competitive due to the over $1 billion of capacity with 80+ insurers.
- Increasing underwriting sophistication is proving more beneficial for customers who invest in cyber security measures and procedures.
Coverage trends:
- Dependent business interruption sublimits are going up, with various new levels of underwriting scrutiny.
- Coverage solutions addressing the insurability of fines/penalties continue to evolve. Examples include the new Zurich cyber policy affirmatively covering GDPR fines/penalties, though the legality of insuring those fines and penalties in the various EU jurisdictions is yet to be tested.
Industry issues & considerations:
- 2018 saw 6,515 breaches (3.2% decrease) and 5 billion records exposed (35.9% decrease); 74% of the records exposed were due to 12 large breaches (Source: Risk Based Security, Inc., Feb 2019).
- The EU General Data Protection Regulation (GDPR) went into effect in May 2018.
- For organizations doing business in California, the California Consumer Privacy Act (CCPA) goes into effect on 1/1/2020.
- Recent settlements include a $16 million HIPAA penalty against Anthem, following its previous 2017 class action settlement of $115 million, and, following the Yahoo data breach, a D&O litigation settlement of $80 million plus another $35 million fine to the SEC for late reporting.

Cyber Value Add Beyond Insurance
1. Fact finding & risk profiling
2. Exposure quantification: risk modeling for privacy and business interruption
3. Insurance procurement & negotiations
4. Cyber risk readiness: incident response planning, vendor vetting
5. Assessment and tabletop planning and selection

Crime/Employee Theft
Provides protection for:
- Theft by employees of money, securities and property of the organization
  o Special consideration: precious metals and valuable papers
- Theft by employees of customers' money, securities and property
- Wire transfer fraud
- Computer fraud
- Social engineering fraud: manipulation of employees resulting in theft of organization assets

Directors and Officers Liability
Directors and officers of public, private and non-profit organizations owe a duty of care, loyalty and obedience to their organization and its shareholders. They can be held personally liable for their actions under a myriad of federal, state and local statutes or common law, or under the laws of other countries.
Sources of suits:
- Shareholders and other investors, directly or derivatively
- Regulators/attorneys general
- Employees
- Customers
- Competitors
- Creditors
- Family members
- Donors

Directors and Officers Liability: D&O Coverage
Organization balance sheet protection:
- An organization can be held liable separately from its directors and officers. In addition, the organization is obligated by law to provide indemnification and defense costs to its individual directors and officers in most circumstances.
  > The D&O policy protects the balance sheet by covering defense costs, settlement amounts or judgments.
Individual protection:
- A D&O policy also protects individuals in those situations in which the organization cannot indemnify them, either because it is prohibited by law from doing so or because it cannot do so due to financial insolvency.
  o In the absence of a D&O policy, the individuals would have to pay the loss out of their own pockets.

Directors and Officers Liability: Key Considerations
- Publicly held organizations
  o Largest threat is from shareholders
- Privately held organizations
  o Largest threats are from employees and shareholders
- Not-for-profit organizations
  o Largest threats are from employees and donors
- The D&O market is in the midst of a correction, with significant upward pressure on premium rates and retentions.
  o This is especially true for publicly traded companies and those going through an IPO.

Employment Practices Liability
Employment Practices Liability policies have evolved dramatically over the 27 years since the coverage was first introduced. The coverage protects the organization and its directors, officers and employees, and pays defense costs and settlement and judgment amounts.
Coverage:
- Wrongful termination
- Sexual and other types of harassment
- Unlawful discrimination
- Wrongful discipline
- Gender identity/sexual orientation discrimination
- Religious discrimination
- Wrongful failure to employ or promote
- Negligent employee evaluation
- Retaliation
- Third party discrimination/harassment by your employees against non-employees
Current trends:
- #MeToo
- Social media recruiting
- Wage and hour claims will continue
- Complex employment relationships
- Joint employer liability
- Employer wellness programs
- EEOC regulations under the ADA
- Website accessibility litigation is gaining momentum and will continue as a developing opportunity for the plaintiffs' bar. The number of claims increased from 814 in 2017 to 2,258 in 2018 (Source: Seyfarth Shaw LLP).

Employment Practices Liability: Balance Sheet Protection
Organization balance sheet protection:
- The majority of EPL claims are corporate obligations. A well constructed EPL policy will protect the organization by providing defense costs coverage as well as coverage for settlements and judgments.
- Value add services
  > Access to a risk management database
  > Legal advice
- Potential coverage for therapeutics

Fiduciary Liability
ERISA established standards of conduct for fiduciaries of employee benefit plans. Anyone who exercises discretionary management or administrative control over sponsored welfare (e.g., health, dental, vision) or retirement (e.g., defined contribution and defined benefit) plans can be held personally liable.
Decisions to create, modify or terminate a plan are outside the scope of ERISA and are known as settlor functions. A well constructed Fiduciary Liability policy should include coverage for defense costs arising out of such decisions.
ERISA coverage protects the organization and its sponsored plans, as well as individual fiduciaries such as:
  o Plan administrators
  o Trustees
  o Directors or officers
  o Human resources staff
  o Other clerical staff
Fiduciary policies do not satisfy the ERISA bonding requirement; such coverage is found in crime policies.

Fiduciary Liability: Litigation Trends and Examples
- Denial of benefits
  o Benefits due provision
- Administrative errors and omissions
- Negligent selection of advisor/provider
- Imprudent investments

Questions