Emerging Risk:
Data Security & Cyber Liability
Autumn 2012
“For any business that accepts non-cash payments or has a payroll, there is some data at risk.”
By the Numbers...
• $210,000 – Estimated cost of a small data breach involving 1,000 records
• 40% – Surveyed businesses with <500 employees that have experienced a data breach
• 100% – Virtually every business handles at-risk data
• 2-6 days – Number of days within which 25% of businesses will go bankrupt without internet access
• 42% – Breaches caused by factors which cannot be mitigated through IT security measures: rogue employees, theft, and business interruption
About Us
MidSouth Assurance: on Main Street, for Main Street. We believe that businesses can best be served by an insurance agency that understands the environment in which a particular business operates. Similarly, we represent insurance carriers with a similar philosophy. This, we believe, will result in the most effective insurance programs for our clients.

Over fifty years of experience in large and small brokerages, as well as independent agencies, allows us to effectively serve new ventures and growth businesses in the Greater Richmond area. We advise clients on a breadth of risk management issues, and develop appropriate mitigation strategies for them, including specialty insurance programs.

Insurance • Risk Management
Relevance
Which businesses have this risk?

Virtually every business utilizes sensitive information, and virtually any business can incur liability from employees’ cyber activities. In fact, any business which has payroll data or collects non-cash payments captures Personally Identifiable Information (PII), that is, information which is protected under law. PII includes an individual’s name in combination with credit/debit card numbers, bank account information, social security numbers, or driver’s license numbers. Other sensitive personal information includes: IP addresses, vehicle registration numbers, fingerprints and biometric data, address, age, gender, name of school attended, professional grade or salary, criminal record, and health care records.1 Combinations of these data elements are valuable to criminals who use the information for illegal purposes.

According to Accenture, a majority of businesses have lost sensitive personal information, and among these organizations the biggest causes are internal control failures. In fact, over eight million computers were stolen in the past three years, and according to the FBI only 3% are recovered.2 According to the Ponemon Institute, each week 10,000 laptop computers are lost at the 36 largest airports in the U.S., with an average cost of $50,000 per laptop, including: replacement, detection, forensics, data breach, lost IP rights, lost productivity, and legal and regulatory expenses. Moreover, 40% of small businesses have experienced a loss of sensitive information.3 According to NetDiligence, a significant share of breaches are attributable to hacking attacks; however, 42% are caused by factors which are not mitigated through IT security measures – rogue employees, theft or loss of a device, and interruption of internet connectivity or electricity service.4 Paradoxically, Towers Watson has found that amongst businesses which had foregone risk transfer through a liability policy, 37% justified the decision in the belief that their IT departments and internal controls were sufficient.5

While the healthcare, finance, utilities, and defense sectors are particularly likely targets for cyber attacks due to the volume of valuable data, industry experts still predict that the highest likelihood of breaches will occur in small businesses, particularly in healthcare, given their smaller IT security budgets. McAfee recently identified “industrial threats” first on its list of 2012 predictions, including the manipulation or destruction of industrial controls. These risks are particularly relevant in the physical infrastructure sectors of transportation, energy and telecommunications. In 2009, the “Night Dragon” coordinated attacks demonstrated the level of sophistication which has been achieved in attacking core infrastructure providers. In this incident oil, energy and petrochemical firms were attacked through a combination of social engineering, spear phishing, and remote administration tools. The attacks are believed to have originated from China, and were designed to acquire confidential information regarding bidding and other project finance intelligence related to large development projects.6

Regulation
What is required under law?

Regulatory changes regarding data security and cyber liability have developed at a rapid pace.7 A compromise of confidential PII triggers a requirement under state laws to notify the aggrieved parties. This notification is designed to provide aggrieved parties with information related to the nature of the incident, the type of PII that was compromised, remedial actions the company took to increase protection, a contact phone number for posing questions regarding the incident, and information regarding credit monitoring.8 Requirements vary across the 47 states and three territories which have data protection legislation in place. The primary variables include, but are not limited to: the definition of the type of data which constitutes PII, requirements regarding notification timing, the state agencies which must be contacted in the event of a data breach, applicability of the law to various entity forms, applicability to physical data (as opposed to electronic data), provisions for notifying aggrieved parties of recommendations regarding credit freezes or fraud alerts, provisions requiring notification to the credit monitoring agencies, and safe harbor stipulations around the loss of an encrypted mobile device. In the event of a data breach, complexity can become unwieldy, as it is the aggrieved party’s home state which determines the applicable laws to which the breached business must adhere.

National regulation can increase the complexity of navigating a breach event. Within certain organizational contexts a range of regulations can apply; these include: the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act (GLBA) on financial transactions, the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair and Accurate Credit Transactions Act (FACTA), the Federal Information Security Management Act (FISMA), the Genetic Information Nondiscrimination Act of 2008 (GINA), the Family Educational Rights and Privacy Act (FERPA), the FTC recommendations on protecting consumer privacy, especially section 5A on website data usage, and the SEC cyber security guidance.9 It is important to note that in areas of conflicting definitions or differing requirements, compliance with the stricter law is generally required.

Depending on the nationality of those for whom data is held, and how the data is used, international law may apply. Several of the most relevant include: Canada’s Personal Information Protection and Electronic Documents Act, the UK Data Protection Act of 1998, the U.S. Patriot Act, the U.S. – E.U. Safe Harbour Agreement, the European Union Data Protection Regulations, Malaysia's Personal Data Protection Act 2010, and India's IT Amendments Act.10
Contributing Trends
Technological
• Social Media & Web 2.0
• Cloud Computing Models
• Growth in Data Volume
• Proliferation of Mobile Devices
• Sophisticated Attacks
Legal
• Consumer Protection Legislation
• Financial Transactions Legislation
• Industry Regulation
• Judicial Precedent
Socio-Cultural
• Increased Awareness of Identity Theft
• Increased Interconnectivity

Causes of Loss
Perils
• Mysterious Disappearance or Theft of Company Data
• Online Collaboration and Social Media Postings
• Phishing Tactics
• Website Interference
• Unauthorized Network Access (e.g. Trojans, SQL Injections, Other Malware)
• Social Activism
• Rogue Employees

Areas of Exposure
Strategic Risk
• Business Model Obsolescence
• IT Vendor Negligence
Operational Risk
• Data Breach
• Fraudulent Payment
• Defamatory Communications Suit
• Unfair Trade Practices Suit
• Privacy Violations & Other Employer Practices Liability
• Data Tracking Liability
Pure Risk
• Hacking Attacks
• Physical Theft
• Internet or Electrical Service Interruption

Figure 1: Data Security & Cyber Liability Landscape
Scope of the Risks
What does “Data Security & Cyber Liability” entail?

Data security and cyber liability is a risk family that encompasses first-party and third-party liability resulting from the use of Information and Communication Technologies (ICT). Technological and regulatory trends have given rise to a group of perils, from which the risks arise; these risks fall within three areas: (a) Strategic Risks; (b) Operational Risks; and (c) Pure Risks (see figure 1). The risks can result in first-party losses, such as investigations and remedial action following a data breach. Also, a number of third-party liabilities are present, based upon the principle that an individual has a right to control the collection, use and disclosure of his/her personal information.11

The Risks: Operational risk is the largest component – particularly Data Breach, or the compromise of personally identifiable information (PII) or other sensitive material – whether in electronic form or represented in physical documents. “Sensitive information” includes data which is protected under the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, criminal records, and other information that a business is bound to keep confidential, such as intellectual property and trade secrets.12 Regardless of the IT delivery model, the firm as the “data owner” retains responsibility for protection, even in the case of a data breach experienced by an outsourced partner. It is also important to bear in mind that pure risks, such as an ICT service interruption or a hacking attack, increase the risk of data loss – highlighting the inter-relatedness of the various risk elements. Similarly, theft of mobile devices constitutes another such risk, especially where data storage is unencrypted. Other relevant risks include: (1) Defamatory Communications, or social media postings which, held to the legal standards of commercial publications, are judged to be misleading and/or guilty of libel or slander; (2) Unfair Trade Practices, or the publication of social media judged to include misleading endorsements or disparagements; (3) Privacy Violations, Harassment and Discrimination, which includes a range of employment practices liabilities within the social media space – for example, consideration of an individual’s social media postings which include information that would be judged off-limits in an interview setting; and (4) Data Tracking, or the collection of data related to consumer behavior, which is conducted unbeknownst to the individual or in a manner which doesn’t allow a consumer opt-out.13

There is an exposure related to cloud delivery models and the use of outsourced IT providers, with third-party mistakes now accounting for 46% of data loss.14 Most cloud providers simply cannot afford to indemnify all platform tenants;15 as such it is incumbent upon cloud service providers and data center operators to investigate risk transfer through technology errors & omissions coverage. As client businesses seek cost efficiencies and deployment speed through cloud delivery models, unique risks arise, such as: disruptive force (i.e. business model obsolescence), lack of transparency, reliability and performance issues, strategic business model risks, vendor lock-in, and security concerns.16 Moreover, daisy-chain effects of liability have been documented – where the primary company utilizes an outsourced IT provider, who in turn outsources some elements of data storage or manipulation to another provider. This chain of data handlers may extend to multiple vendors, which increases loss of control and overall exposure.17 In short, an evaluation of cloud architecture and outsourced IT relationships should include a thorough risk assessment of resultant cyber liabilities; and the liabilities should be weighed against cost, efficiency and scalability benefits.

The Causes: There are a range of factors which cause these losses. The causes range from the straightforward to the complex – employee communications, physical theft or mysterious disappearance of data sources (especially mobile devices), skimming of credit and debit card numbers at a point of sale, phishing tactics that masquerade as a trustworthy entity to solicit sensitive information (including counterfeit social media web pages), website interference or defacement, and complex network intrusions. Motives for both negligent and malicious behavior can include political and social activism, financial gain, or employee retribution.18

Contributing Trends: These risks have emerged from a range of trends, including legislation to protect individuals – creating compliance requirements. The rise of social media and Web 2.0 collaboration, mobile data communications, explosive growth in data volumes, and cloud architectures have all contributed to the growth in data security and cyber liability risks.19 Furthermore, data security is becoming increasingly difficult. The advent of quantum computing has been predicted to create an ecosystem in which it will be impossible to keep data secure for any length of time, and in which governments and large corporations won’t connect to the “red internet.”20 FBI Director Robert Mueller stated, “But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.”21 Data stores are growing at an exponential rate,22 and the increasing use of Bring-Your-Own-Device policies is creating further security concerns and reducing the organization’s control over the data for which it is legally responsible.23 Lastly, according to the Federal Trade Commission, 9 million Americans become identity theft victims each year. As this victimization becomes more prevalent, public awareness of data breaches and confidentiality issues is increasing.

Frequency
How often are losses experienced?

Data loss has been occurring since records have been kept; however, the collection of statistics regarding data loss is only in its infancy. Since 2005, the frequency of data breaches has grown at an average rate of 27%. In an Accenture survey, 40% of small businesses with fewer than 500 employees experienced a loss of sensitive information, while over half of those respondents with over 1,000 employees had experienced a loss. Since 2005, there have been 2,870 data breaches affecting 543 million records. Furthermore, Privacy Rights Clearinghouse reported 535 breaches in 2011 that involved 30.4 million records.24 Historic statistics regarding data breaches have been incomplete, with many going unreported. It is only in the past several years that notifications have been made mandatory.

Severity
How significant are the losses?

When considering statistics related to data breaches and other cyber liabilities, it is important to remember that large breaches skew the average.25 That said, the overall average cost of a breach involving personal data is $7.2 million.26 A recent study by Ponemon revealed that the average cost from a data breach of PII is $214 per record. Consequently, for a small business which experiences the theft of 1,000 records, we estimate damages of approximately $210,000.27 Costs vary depending on the cause of the data loss, and across a wide array of breach scenarios. For example, business interruption cost due to denial of internet or other technical services has been the most severe type of loss.28
2 – 14 Days: Assessment
Potential First Party Losses
• Privacy Counsel
• Containment
• Forensic Data Investigation
• Crisis Management / Reputation Risk Advisory
• Notifications to Aggrieved Parties

2+ Years: Short-term & Long-term Crisis Management
Potential First Party Losses
• Repairs and Upgrades to Impacted Systems
• Credit Monitoring & Call Center Support
• Business Interruption Costs
• Legal Defence
• Fines

Potential Third Party Losses
• Compensatory Damages for Lost Income
• Loss of Funds – Fraudulent e-Payment
• Bodily Injury for Mental Anguish
• Content Injuries – Loss of IP, Trade Secret
• Reputational Damages (i.e. libel, defamation)
• Systems Injuries for Security Failures
• Impaired Access Damages
• Punitive Damages

Figure 2: Data Security & Cyber Liability Exposures Response
In many instances, especially regarding network intrusions, the hacker has had access for an extended period.29 However, it is the moment of awareness of a potential data loss which triggers the crisis response. The costs associated with this initial period, which we estimate at 2 days to 2 weeks, are incurred through efforts to stop and contain an intrusion or other attack, including security upgrades or other remediation efforts. Awareness of a potential data loss should set in motion a precise response methodology. The timeline in figure 2 provides a high-level view of the process the firm will undergo. Within the first 2 days to 2 weeks, a crisis assessment exercise is undertaken – preferably under the guidance of a privacy attorney well positioned to provide legal oversight, to limit exposure, and to control the circulation of communications regarding the incident. The attorney is generally required for 10 – 30 hours of service.30 Also, in the case of suspected electronic data loss, a forensic examination is required to confirm whether a breach has occurred, and if so, its extent. The scope and cost of this examination is most correlated to the complexity of the IT architecture and the sophistication of pre-existing security measures (not the number of breached files). The cost of a forensic examination is typically $50,000.31 Dependent upon the nature of the breach, ten to thirty hours of crisis management services may be undertaken by a reputational risk advisory firm or a public relations consultant.32 At the end of this period notifications are distributed to aggrieved parties in order to comply with statutory obligations, with costs estimated at $10 - $15 per record.33

For the subsequent two years (or more) a range of further first-party costs are incurred, including further remediation such as physical security measures and technical changes. These augmentations may include data restoration, software upgrades, and hardware replacement; or may be as extensive as fundamental changes in: outsourcing relationships and service level agreements, data models, infrastructure architecture, and security-related policy and governance protocols. In some instances re-certification with PCI standards may be necessitated.34 Also, the ongoing operation of a call center may be required to meet compliance requirements. There may also be costs related to business interruption, especially in relation to denial of data access, website outage, or other service outage. Lastly, legal defense costs and regulatory fines of up to $1.5 million may be incurred.

One primary exposure, outside data breach scenarios, typically concerns the liability associated with third-party damages.35 As figure 2 illustrates, there are a range of potential liabilities related to Data Security and Cyber Liability. There are potential claims against the data owner from employees, potential employees, customers, suppliers and competitors. Depending upon the nature of the cyber event, third-party liabilities can include: investigation, mitigation and remediation costs relating to a data breach; costs for compliance with various laws and regulations after a breach; class action lawsuits alleging disclosure of PII; business partners alleging breach of contract, negligence or demands for indemnification; or professional negligence.36 Also, relating to other risks, there are potential third-party liabilities arising from fraudulent electronic payments, damages arising from an unfair trade practices suit due to employee social media postings, and liabilities arising from invasion of privacy, especially in relation to data tracking. Lastly, there is also a risk of compensatory damages for employment practices liabilities, data breach incidents, or defamatory social media postings. These damages can include loss of income, mental anguish, and punitive damages.37

• What extreme events could happen, and how is a cyber loss related to other risk areas?
• Do we have sensitive information?
• What actions can we take to better defend against cyber loss?
• To what extent are we willing to accept the risk of a data loss?
• How effective are we at preventing data loss and defending against attacks?
• Have we implemented policies, and assigned accountability for data crisis response?
• Have we determined the scale and scope of potential breach scenarios?
• Do we track the right security information regarding data in use, data transfer and data storage?

Figure 3: Risk Management Framework Applied to Data Security & Cyber Liability38

Recommended Approach
What should be done to mitigate the risks?

Enterprise Risk Management (ERM) has become a sophisticated discipline of coordinated activities to mitigate the negative impacts of uncertainty, including the use of complex regression analyses and probabilistic models.39 Data Security & Cyber Liability, as a risk family, should be considered within an organization’s ERM efforts, and within each segment of the ERM framework. Figure 3
provides several illustrative questions the risk management professional should consider when incorporating Data Privacy and Cyber Liability within an ERM program.

Our approach to Data Security and Cyber Liability applies the breadth of the ERM Framework, while grounding action within traditional project management methodology. For example, within the first tranche of work firms should focus efforts on identifying all relevant risks, including sources of the risk, areas of impact, estimates of frequency and severity, and preliminary findings on interdependencies. By surfacing all relevant data security and cyber liability risks, the firm is well positioned to conduct a robust analysis, covering: factors that affect the likelihood of realization, existing controls, interdependencies, and sensitivities.

A strong response to data security and cyber liability results in effective internal controls to mitigate risk; a plan for a crisis event (pre- and post-claim); and robust risk transfer through insurance designed to address the risks. Like all risk management efforts, the challenge is in the details. Businessowners Policies (BOPs) and Commercial Package Policies generally exclude these potential exposures. Endorsements may be available, but are typically limited in their scope of coverage given the nature of these risks. The savvy firm will seek effective risk transfer through appropriate policies designed to cover its specific risk exposures. The most effective plan for managing the risk and related response will be specifically tailored to the firm, and companies that combine a contingency plan and an appropriately crafted policy are best positioned to survive the risks.

Objective: Effectively Manage Data Security & Cyber Liability Risks
Project Management & Communications

Activity A – Risk Identification (Milestone A)
Inputs
• Existing risk framework, communications, and context documentation
• Industry intelligence
Outputs
• Exhaustive log of all relevant risks and risks discounted
• Existing treatments

Activity B – Risk Analysis (Milestone B)
Inputs
• IT security measures
• Related Human Resources policies
• Cyber risk log
Outputs
• Frequency and severity mapping
• Sensitivities, scenarios and dependencies

Activity C – Risk Evaluation (Milestone C)
Inputs
• Compliance requirements
• Risk criteria
• Risk analysis outcomes
• Industry data on retained risks
Outputs
• Prioritization of required treatments
• Outcomes of risk technique decisions

Activity D – Risk Treatment (Milestone D)
Inputs
• Risk evaluations
• Existing insurance policies
• Existing disaster recovery plans
Outputs
• Pre- and post-claim response plan
• Enhanced insurance coverage
• Implemented risk controls

Figure 4: Our Approach to Data Security & Cyber Liability
Endnotes
1. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008. See also: Sophos. (2010). Protecting Personally Identifiable
Information: What data is at risk and what you can do about it. Boston: Stinger, J. Retrieved from:
http://www.sophos.com/sophos/docs/eng/dst/sophos-protecting-pii-wpna.pdf
2. Brigadoon Security Group. Retrieved September 10, 2012, from: http://www.pcphonehome.com/
3. Accenture. (2009). How Global Organizations Approach the Challenge of Protecting Personal Data. Retrieved from:
http://www.accenture.com/nl-en/Documents/PDF/Accenture_Data_privacy_reportLD.pdf Note: The included survey defines small businesses as
those with less than 500 employees, p. 14.
4. NetDiligence. (2011, June). Cyber Liability & Data Breach Claims.
5. Towers Watson. (2011). Risk and Finance Manager Survey – Full Report. Retrieved from:
http://www.towerswatson.com/assets/pdf/4481/Towers-Watson-Risk-Financial-Manager-Survey-Report.pdf
6. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.
7. Gartner. (2011). Gartner Says Half of all Organizations Will Revise Their Privacy Policies by End-2012. Retrieved September 10, 2012, from:
http://www.gartner.com/it/page.jsp?id=1761414
8. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008.
9. Federal Trade Commission. (2012, March). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and
Policymakers. Retrieved September 10, 2012, from: http://ftc.gov/os/2012/03/120326privacyreport.pdf See also: U.S. Securities & Exchange
Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from:
http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm See also: Property Casualty 360°. (2012, February 2). After ‘Year of the
Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from:
http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
10. Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from:
http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/ See also: Committee of Sponsoring
Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E.
and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf
11. Information & Privacy Commissioner. (2010, April). Privacy Risk Management. Ontario, Canada: Cavoukian, A. Retrieved September 10, 2012,
from: http://www.ipc.on.ca/images/Resources/pbd-priv-risk-mgmt.pdf
12. Godes, S. (2012, March 19). Surprising Sources of Coverage. Business Insurance, 46(12), p. 10.
13. Property & Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance
Group. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
14. Property Casualty 360°. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker,
M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
15. Zurich Insurance Group. (2012). Cyber Risk in 2012: Get Your Head in the Cloud. New Salem, Massachusetts: DeWitt, J. Retrieved September
10, 2012, from: http://img.sbmedia.com/Perm/LH/PC360/Zurich/Cloud.pdf
16. Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe
Horwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from:
http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf See also: Capgemini. (2010, March 16). Putting Cloud Security
in Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-
in-perspective/
17. Property & Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance
Group. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
18. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4. See also: U.S.
Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved
September 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
19. Property Casualty 360°. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker,
M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
20. The Futures Company. (2012). Public Worlds: How Digital Technology Will Transform Identity, Work and the City. London: Galgey, W.
Retrieved September 10, 2012, from:
http://www.marketingpower.com/ResourceLibrary/Documents/Content%20Partner%20Documents/The%20Futures%20Company/2012/future-
perspectives-public-worlds.pdf
21. Hoffman, M. (2012, March 19). Cyber Crime is Now a National Threat. Business Insurance, 46(12), p. 8.
22. IDC. (2009, May). As the Economy Contracts, the Digital Universe Expands. Framingham, Massachusetts: Grantz, J. and Reinsel, D. Retrieved
September 10, 2012, from: http://www.emc.com/collateral/leadership/digital-universe/2009DU_final.pdf See also: Deloitte. (2011).
Technology, Media and Telecommunications Predictions 2012. Retrieved September 10, 2012, from: http://www.deloitte.com/assets/Dcom-
Australia/Local%20Assets/Documents/Industries/TMT/Deloitte_TMT_Predictions_2012.pdf
23. Capgemini. (2011, October 17). Bring Your Own. Gillam, R. Retrieved September 10, 2012, from:
http://www.at.capgemini.com/insights/publikationen/bring-your-own/
24. Property Casualty 360°. (2012, March 4). What’s Driving the Rise in Data Breaches? Kam, R. and Henley, J. Retrieved September 10, 2012,
from: http://www.propertycasualty360.com/2012/03/14/whats-driving-the-rise-in-data-breaches#.T2zn3hJnP5g.email
25. Ricardo, A. Beazley. (personal communication, September 6, 2012).
26. Anonymous (2012, March 19). Cyber Risks 2012. Business Insurance, 46(12), pp. 16 - 17. See also: Property Casualty 360°. (2012, February 2).
After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from:
http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
27. Ponemon Institute. (2010, January). 2009 Annual Study: Cost of a Data Breach. Traverse City, Michigan. Retrieved September 10, 2012, from:
http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
28. Ponemon Institute. (2011, August). Second Annual Cost of Cyber Crime Study. Traverse City, Michigan. Retrieved September 10, 2012, from:
http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf
29. Property & Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance
Group. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
30. Ricardo, A. Beazley. (personal communication, September 6, 2012).
31. Ibid.
32. Ibid.
33. Ibid.
34. Ibid.
35. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.
36. Property Casualty 360°. (2012, February 2). A Lawyer’s Advice for Evaluating Your Cyber Coverage, Godes, S. Retrieved September 10, 2012,
from: http://www.propertycasualty360.com/2012/02/02/a-lawyers-advice-for-evaluating-your-cyber-coverag#.TzlYfgGr-8s.email
37. Cyber Liability: Data, Privacy and the Perils of Social Networking. Available through Professional Liability Attorney Network. See:
http://www.planattorney.org/
38. Note: Figure 3 illustrates some of the questions to be posed across the Enterprise Risk Management Framework, as the segments apply to Data
Security and Cyber Liability. See: http://www.rmahq.org/risk-management/enterprise-risk
39. International Organization for Standardization. (2009, November 15). Risk Management – Principles and Guidelines (ISO 31000:2009). Geneva.
Retrieved September 10, 2012, from: http://www.imeny.comyr.com/file/pdf/ISO-31000.pdf
Disclaimer
This document is not a representation that coverage does or does not exist for any particular claim
or loss under any insurance policy. It is not intended as legal advice. A company should always
seek the advice of a qualified attorney when evaluating legal or statutory considerations. This
document is not intended as insurance advice. A company should always seek the advice of a
qualified insurance agent or broker when considering their insurance coverage.