eWhite House Watch - Full Article

Never Waste A Good Breach! — Lessons Learned at the 2016 NetDiligence Cyber Risk and Privacy Liability Forum

By Sarah Austin and George K. Sarris



NetDiligence held its annual Cyber Risk and Privacy Liability Forum on June 6-8th in Philadelphia.  The event primarily focused on providing practical advice for cybersecurity insurance brokers, attorneys and Chief Information Security Officers (CISOs). eWhite House Watch was invited to cover the forum as part of the NetDiligence Press Corps.


On June 6th, the event opened with a session called “Cyber Claims & Loss Updates” where leading experts in cybersecurity insurance discussed the types of claims being covered, examination costs, and claims notice and handling. The panel discussed how policyholders of cyber insurance can improve their methods of dealing with privacy and notice issues after a breach. The panel stated that within the risk pool, only twenty percent to thirty percent of organizations at risk are covered. This is largely due to the misconception that breaches are targeted. Chris Novak, the co-founder and Managing Principal of the Verizon Investigative Response Unit, emphasized that recent studies indicate that the “majority of the breaches are opportunistic and not targeted.” Further, the panel discussed how the security industry has not reached the level of maturity needed to combat cybersecurity risks. For example, the industry struggles to “patch” IoT devices after they are breached.

Cyber insurance coverage continued to take center stage at the conference with several panels of professionals and experts addressing the most pressing issues of coverage and underwriting. “Importantly, no single cyber policy clause covers all of insureds’ individual needs and the types of incidents they may likely encounter,” stated Fernando M. Pinguelo, Esq. (CIPP/US), an attorney who handles crisis litigation tied to cyber breach incident response and serves as chair of the Cyber Security & Data Protection group at Scarinci Hollenbeck, LLC. “And the last thing you want for your clients is to experience a breach and realize they don’t have the coverage they thought they had. For example, a cyber clause that covers network security failure leading to business interruption, such as with a DDoS attack, may not automatically extend to cloud or other outside vendors as coverage for privacy breaches could,” he added. Selecting cyber policies tailored to individual needs is a complicated process, one that requires an understanding of the insureds’ business as well as of the various products available and their limitations. Pinguelo actively engages qualified insurance brokers whose particularized knowledge he relies upon in advising clients on their coverage needs. One such broker Pinguelo works closely with is Chris Quirk of ARC MidAtlantic Excess & Surplus, Inc. According to Quirk: “The scope of cyber coverage provided by a cyber insurance policy is primarily determined by the policy definitions, exclusions and conditions. Although two policies may provide the same Insuring agreements, the coverage disparity between them may be vast due to the specific way the terms and conditions are worded.” Quirk cautioned that great care must be taken when reviewing the “guts” of the policy prior to binding, as many forms are a “booby-trapped labyrinth waiting to devour an unsuspecting insured.”


Another major theme throughout every session at the event was the potential for cybersecurity litigation after a data breach. Experts on nearly every panel addressed the issue of potential litigation and gave advice about how attorneys might keep the cost of a breach down, as well as manage further risks that result from a breach. In addition, many experts noted that cybersecurity policyholders have not been treating privacy and data breaches as if they were to go to litigation. Instead, as David Walton, a partner at Cozen O’Connor, said, there is widespread “cyber-fatigue.” In essence, privacy and data breaches have become so commonplace that the industry and policyholders have adopted a reactive, instead of proactive, approach. Ron Raether, attorney at Troutman Sanders, warned of this danger and analogized that in regard to data breaches, we are about to get hit with a tsunami and everyone is “seeing the tide pull out but no one is running for higher ground.”


The highlight of the event was when Keynote Speaker Joel Brenner spoke about the lessons we could learn from cyberattacks of the past. Mr. Brenner is the former head of U.S. counterintelligence under the Director of National Intelligence. He was responsible for integrating the counterintelligence activities of the 17 departments and agencies with intelligence authorities, including the FBI, CIA and elements of the Departments of Defense, Energy, and Homeland Security. He served as the Inspector General of the NSA, as well as Senior Counsel to NSA. Throughout his speech, Mr. Brenner suggested that we learn from the cyberattacks of the past and work together to create a more secure future for our Nation’s businesses and safety. Mr. Brenner emphasized that it is important for at-risk businesses and companies to keep track of what information they have, who has access to it, and how long they have it for. He encouraged the lawyers, Human Resource departments, and IT departments of at-risk companies to work closely with one another when attempting to solve cyber-problems and privacy issues within a company.


Overall, the Cyber Risk and Privacy Liability Forum was a success. The presentations were well thought out, intriguing and enlightening. We thank Tom Hagy, his fine staff, and NetDiligence for inviting eWhite House Watch to cover the forum.

