Lockton Presents Replay of Data Breach Webcast

Posted on February 18, 2015

Data Breach

On Tuesday, Feb. 17, Lockton Companies hosted a webcast to address the Anthem Data Breach. For those who could not attend, or would like to review it again, a replay and a copy of the presentation handouts have been made available through the links below:

Attendees can learn about the attack, the response, and the responsibilities of a plan sponsor and employer. In addition, while Benefit clients may be at the forefront of concern, given the far-reaching implications of this data breach, the webcast is advantageous for P&C clients as well. Both types of clients will receive:

  • An understanding of the contractual and legal relationship between their company and its third-party partners
  • “Takeaways” and “lessons learned” from a large event such as this to help protect their company in the future
  • Renewed insight into the vital role that cyber risk coverage plays in event response

The Cyber Pendulum: Is There a Balance Between Security and Privacy?

Posted on January 28, 2015

Internet Security System

Following a year of high-profile cyber breaches, it’s no surprise President Obama included proposals for increased cyber security in his State of the Union address last week.

The President proposed a measure that would establish a federal data breach notification law to replace the patchwork that currently exists at the state level. He also hopes to improve law enforcement’s ability to investigate and prosecute cyber criminals, as well as incentivize industry to share information about threats with the federal government. He also noted the importance of protecting student data and the need to pare down domestic surveillance:

“As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse. And next month, we’ll issue a report on how we’re keeping our promise to keep our country safe while strengthening privacy.”

Recently, I had the opportunity to discuss this very topic – the balance of security versus privacy – with other cyber risk experts on the Huffington Post Live. While the President aspires to achieve both simultaneously, I see many challenges ahead.

After the Snowden leaks, the pendulum swung more toward privacy, as the extent of surveillance programs became clearer. Now that we’ve seen high-profile cyber hacks like Sony, the pendulum swings back toward security. Each country is going to have to decide for itself how much privacy it’s willing to give up for the sake of increased security.

Watch the full discussion below:

Getting Schooled: Schools Face Host of Risk Management Challenges

Posted on December 29, 2014


There are many risk exposures school administrators need to be mindful of, including traumatic brain injury, sexual harassment, discrimination, and security.

In a recent article in Property Casualty 360°, I reveal how only 25 percent to 30 percent of schools currently purchase cyber security coverage, resulting in schools being a treasure trove of information for hackers. Schools have a lot of personal information on students, faculty and employees, not to mention colleges that accept credit cards for payment.

Brokers who understand the need for Cyber have a real opportunity to educate schools on the risk as well as the extent of coverage in today’s Cyber forms, which provide third-party liability and first-party coverage including business interruption, reputational risk, forensic analysis, damage control, and more.

Overall, schools and colleges are considered desirable risks. For clients with average to favorable loss ratios, we’ve seen rates stable as a general rule.

The FCC Jumps into Cyber-Regulation with Millions in Fines

Posted on November 18, 2014

Recently, the Federal Communications Commission entered into the cyber regulatory field in a big way: proposing to fine two companies $10 million for alleged data security breaches.

The FCC is taking action against two telecommunications companies who provided prepaid phone services to low-income residential customers. According to the agency, the companies “collected names, addresses, Social Security numbers, driver’s licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.”

The FCC justified imposing such large fines in part because “the companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.” The FCC gave the companies 30 days to seek a reduction in the fine.

The FCC’s $10 million fine followed a $7.4 million settlement with Verizon in September over its use of customer information for marketing, and a $7.5 million settlement with Sprint back in May over “do not call” violations. These multimillion-dollar fines are coming from a federal regulator not thought of as a data security and privacy watchdog. The Federal Trade Commission has mainly filled that role.


The FCC appears to be a new aggressive player on the cyber regulatory field that may have the power to move quicker in issuing fines than the FTC. When faced with a data security situation, the FTC typically issues a complaint setting forth its charges. If the respondent elects to settle the charges, it may sign a consent agreement (without admitting liability), agreeing to the entry of a final order and waiving all right to judicial review.

If contested, the matter is adjudicated, starting with an administrative trial, working its way through the Federal courts and ending, potentially, with the U.S. Supreme Court. Fines and penalties may be imposed on a respondent for violations of the FTC Act. The FCC, however, can move much more quickly in connection with companies it regulates and may impose a fine once it determines the company failed to protect the “confidentiality of proprietary information of its customers.”

From a risk standpoint, the recent FCC actions represent yet another exposure for telecommunications companies in connection with data security. A cyber insurance product is designed to protect against this risk and should offer coverage for regulatory claims such as those brought by the FTC, FCC or any other governmental agency, federal, state or local.

For those who already purchase a cyber policy to address this risk, it would be prudent to review the policy wordings to assure that regulatory claims are defined as broadly as possible to address new entrants in the privacy regulatory arena.

Additionally, cyber coverage purchasers should look to see whether their policy provides full policy limits for regulatory claims. In some cases, insurers hedge their bets by offering reduced sub-limits of liability for regulatory claims. Given the ramped-up efforts by regulators such as the FCC, it is important to make sure adequate limits are in place.

State of the Cyber Insurance Market: 10 Lessons Learned From Major Retailer Breaches

Posted on August 22, 2014


It is not an overstatement to say that there is a “pre-Target” and “post-Target” state of the cyber market for major retailers from both the underwriting and the client side.

In November–December 2013, cyber thieves executed a well-planned intrusion into Target’s computer network and the point-of-sale terminals at its 1,800 stores around the holiday season and successfully obtained not only 40 million customers’ credit and debit card information, but also noncard customer personal data for as many as 70 million customers.

But Target was not alone, as in that same time period, retailers such as Neiman Marcus and Michaels were also reportedly exposed with 1.1 million and 3 million cards at their respective establishments.

Read my newest white paper that features a comprehensive snapshot of the Target case study, the 10 lessons learned from the underwriters and point of view, as well as a peer group perspective on the current state of the cyber insurance market.