VetDiligence is an opportunity to network and provide mutual support among active and former military, intelligence community, security services, law enforcement, and members of the legal community who are continuing the mission through cybersecurity. Friends and allies are welcome!
Understanding current cyber claims trends can help guide the assessment of cyber risk of the potential policyholder. This session will examine claims and losses from cyber events. Data from the most recent NetDiligence Cyber Claims Study will be shared and discussed. Claims professionals will provide examples of incidents reported and claims processed.
As we head into spring renewals, this panel will discuss the impact of new entrants and facilities, sustainable pricing strategies, stability and scope of the coverage offered, and how effective expectation management and understanding the policyholder perspective are crucial for maintaining a balanced and resilient market.
Defending data breach class actions involves understanding key strategies and trends that can effectively mitigate exposure. Additionally, practical considerations regarding damages and settlement dynamics are essential for navigating these complex cases. Join our panel as they share their insights on the current legal landscape and how to prepare for anticipated trends.
Learn about the evolving ransomware landscape and attack vectors/methods. Come away from this session with current sector intelligence to help develop effective policy coverage strategies and tactical policyholder due-diligence requirements in order to make cost-effective, ransomware-specific cyber insurance products available to the policyholders.
Third-party risk management is increasingly critical as intrusion vectors through managed service providers (MSPs), managed security service providers (MSSPs), vendors, and contractors become more prevalent. Threat actors are also increasingly targeting data aggregators, leading to higher extortion payments and systemic vendor events. Effective negotiations with vendors and a comprehensive risk management perspective from the insured are essential. Understanding these risks is likewise crucial for intelligent cyber underwriting and placement, as well as successful claims management.
Privacy litigation is experiencing significant developments across various statutes and regulations. The California Invasion of Privacy Act (CIPA) has seen increased application in session replay cases, highlighting the importance of consent in digital interactions. The Biometric Information Privacy Act (BIPA) has undergone amendments in 2024, which limit liability and clarify electronic consent requirements. The Genetic Information Privacy Act (GIPA) is witnessing a surge in claims, particularly against employers who request genetic information during hiring processes. Additionally, new applications for the Video Privacy Protection Act (VPPA) are emerging, especially in the context of online video streaming and tracking technologies. Coverage considerations are crucial as companies navigate these evolving legal landscapes, ensuring they have adequate cyber insurance to mitigate risks associated with privacy violations.
Accurate financial assessment in large and complex losses begins with clear definitions of what constitutes a "large loss" and a "complex loss." Engagement with the DFIR vendor is crucial, and decisions about sharing information with them must be carefully considered. Aligning expectations and understanding the scope of the loss are essential steps in the loss review process. An early review of all policies in the insurance tower helps identify coverage terms, conditions, and potential gaps. Addressing disputes or differences in the interpretation of coverage terms is also vital to ensure a comprehensive and accurate financial assessment.
Cyber insureds must carefully consider the intent and purpose behind their data collection efforts, as well as how they monitor and monetize this data. Balancing safety concerns with the drive to monetize data is crucial. Companies must ensure that their data collection practices do not compromise individual privacy or security. The role of data brokers, such as Atlas, in privacy litigation highlights the challenges and legal battles surrounding the sale and distribution of personal information.
The emergence of artificial intelligence (AI) has introduced new cyber risks that are not explicitly covered or excluded in traditional cyber insurance policies. These "silent cyber" risks can lead to significant financial losses if not properly addressed. Assessing and mitigating these risks is complex. In response, some insurers are updating policy language, including exclusions, and developing new products to address these emerging risks.
The future of cyber attacks is shifting beyond traditional malware, with threat actors increasingly intruding without using malicious code. These attackers often dwell in the outer ring of security, exploiting vulnerabilities in the cloud, email systems, and unmonitored endpoints. They frequently use legitimate software like TeamViewer and other free tools to avoid detection. This evolution in attack methods impacts insurance triggers and claims, as traditional policies may not cover these sophisticated intrusions. Preventative measures, such as robust monitoring and advanced threat detection, are essential to mitigate these risks.
Achieving better outcomes in BEC claim resolution and recovery involves a multifaceted approach encompassing resolution, recovery, and prevention strategies. Improving board governance and operational preparedness is crucial, ensuring that organizations are equipped to handle BEC incidents effectively. Adhering to a "reasonable duty of care" standard helps in mitigating risks and demonstrating due diligence. Understanding and fulfilling contractual obligations is essential to avoid potential legal pitfalls. Additionally, subrogation and the recovery of funds play a vital role in minimizing financial losses.
Mass arbitrations began as a response to the limitations imposed by arbitration clauses that prevent class actions. Today, social media and AI are amplifying this trend, making it easier for claimants to organize and file collective claims. While mass arbitrations can be a powerful tool, they also create challenges such as increased administrative burdens and potential procedural complexities. Handling parallel claims in litigation and mass arbitration requires strategic coordination to avoid conflicting decisions. This panel will dive into these issues and the future of mass arbitration, as well as provide insight into best practices in the management of these claims.
Cyber and Tech E&O insurance solutions are being tailored for payments and supply chain transactions on decentralized networks. Trustless transactions and asset tokenization, which operate without centralized intermediaries, are becoming more prevalent. Protocol differentiators are creating layered security measures to protect against sophisticated cyber threats, and ongoing audits provide assurance on the integrity of smart contracts. Data aggregation with AI is being utilized to develop accurate models, improving risk assessment and decision-making. Additionally, changes in the regulatory landscape are supporting this evolution, providing a framework that balances innovation with compliance.
Effective inventory and asset management involves tracking both monitorable and non-monitorable assets to ensure comprehensive oversight. Managing assets inside and outside the perimeter presents challenges, particularly with the limitations of patching, which may not fully address vulnerabilities. Threats to the digital supply chain, such as supply chain attacks targeting software vendors and open-source solutions, highlight the importance of robust security measures. Maintaining compliance with regulatory standards is essential to avoid penalties and ensure operational efficiency.
The public entity sector has unique abilities to transfer risk in various parts of the supply chain. In this session we are going to explore key areas of risk transfer for public entities, including self-insurance, pooling, and traditional standalone insurance. Topics covered will include the benefits and drawbacks of each area of risk transfer, unique aspects of claims in each area, and the cyber risk management priorities that traverse all aspects of risk transfer.
We explore the significant implications catastrophic cloud failures pose for cyber insurers and risk managers. Quantifying the risk of catastrophic cloud downtime is crucial for understanding its impact on cyber insurance portfolios, as downtime can lead to substantial financial losses. While historically, modeling these risks has been challenging due to the unpredictable nature of cloud outages and the limitations of traditional modeling techniques, recent developments in cloud monitoring technology, particularly AI-driven solutions, are enhancing the ability to detect and mitigate these risks. This panel will also share insights into solutions and alternative risk financing, such as parametric insurance products, as ways to manage exposure to systemic risks associated with cloud outages.
This panel will delve into the pressing issues affecting minors in the digital age. We will explore the Children's Online Privacy Protection Act (COPPA) and its implications for protecting children's data online, as well as state-specific privacy laws. We will also address the growing concern about the impact of AI on cyberbullying and sextortion, addiction to social media and gaming, and policyholder exposures related to these issues. The session will examine the role of EdTech platforms like PowerSchool in managing PII, PHI, and Mental Health PHI, emphasizing the importance of data security and focusing on the unique challenges in insurance and legal contexts.
This panel will explore the growing use of dark web data in breach response and the associated risks. As organizations increasingly rely on dark web intelligence to understand and mitigate breaches, they face significant liability risks, including legal and regulatory exposures from trusting threat actors. Accessing dark web data also presents legal and technical risks, as well as potential reputational damage. The discussion will cover best practices to mitigate these risks, such as thorough verification processes, secure handling of sensitive information, and appropriate insurance coverage.
This panel will provide a comprehensive overview of new and notable activities and changes, highlighting key legislative and regulatory updates. Highlights from various states will be covered, as well as changes in the federal approach, focusing on trends in regulatory consolidation and harmonization. The panel will also address impactful international activities, examining global trends and their implications for domestic and international companies.
© 2025 NetDiligence All Rights Reserved.