Business Continuity from an Insurance Perspective

Presented by

Jim CarterManager, Risk & Insurance

Overview

1. Disaster Planning Gone Wrong

2. Disaster Recovery and Protecting your Insurance Claim

3. Cyber Liability – NKOTB

Page 2 of 20

Disaster Planning Gone Wrong

Emergency Power

4

Transportation

Redundancy of Info Services

6

Redundancy of Resources

Disaster Recovery and Protecting your Insurance Claim

What to do Before the Loss1. Know Who to Call

• Insurance Agent/Company• Recovery and Restoration Companies• Industrial Hygienist

2. Have Crisis and Claim Management Teams in Place• Facilities/Construction• Team Resources• Finance• Risk Management/Insurance• Real Estate

3. Have a Segregated Insurance Recovery Account in Place to Track Expenses

4. Have a Panel Adjustor in Place if You Have a Layered Insurance Program

9

What to Do After the Loss

1. Stop/Mitigate the Damage (Duty to Do So)

2. Call your insurance agent/company as soon as possible (immediately).

3. Secure the Site

4. Implement Incident Command and Initiate Your Crisis and Claim Teams

5. Document Damages (Photos/Records)

6. Keep Everything (Insurer’s Right to Salvage)

7. Don’t forget about employee and customer safety

10

Settling the ClaimWhat to Claim1. Property Damage

• Building• Furniture, Fixtures and Equipment• Inventory

2. Extra Expenses/Increased Cost of Working• Overtime• Expenses to Reduce Business Interruption

3. Business Interruption/Loss of Profits

4. Other Coverages• Debris removal / Decontamination Costs / Demolition

Expediting Costs / Professional Fees / Protection of Property

11

Cyber Risks The Newest Kid on the Block

World's Top Data Breaches

Source: InformationisBeautiful.net13

Target Corp. said that the huge data breach it suffered late 2013 happened after an intruder stole a vendor’s user ID and password and used them to gain access to the company’s computer system.

What was stolen:

40 Million

Customer Credit and Debit Card Numbers,Security Code

Root Cause:Malware

Source: DataBreachToday.Com; StarTribune.com14

15

February 2014: Hackers obtained user ID and password from “a small number” of employees. Hackers then accessed a database containing all users records and copied “a large part” of those credentials.

What was stolen:

145 Million

Users Credentials

Root Cause:Cyber Attack

Source: New York Times

16

Home Depot: April 2014 Malware installed on cash register system across 2,200 stores. Home Depot said that criminals used a third-party vendor's user ID and password to enter the perimeter of its network.

What was stolen:

56 Million

Credit Card InformationOther Personal DataEmails  

Root Cause:Malware

Source: Associated Press

17

August 2014: Community Health Systems, which operates 203 hospitals across the United States, announced that hackers broke into its computers and stole data on 4.5 million patients.

What was stolen:

4.5 Million

Names, DOB, Addresses, Phone Numbers, SSN

Root Cause:Cyber Attack

Source: Modern Healthcare

18

February 2015: Anthem, American’s second-largest health insurer in the US. Attacker obtained user ID and password of five IT personnel. The data was exfiltrated using public external web storage.

What was stolen:

78.8 Million

Names, DOB, SSN, Addresses, Phone Numbers, Employment info

Root Cause:Phishing / Malware Keyboard Logger

Source: CNN Money, USA Today

Why Data is a Target...What Stolen Data is WorthSocial Security Number $3.00 Credit Card Info $1.50 Date of Birth $3.00 Medical Record Data $50.00

What’s the Exposure

Average Cost of a Data Breach is $3 - 4MM or $150 to $180 for Every Lost or Stolen Record

What Does This Pay For:• Audit and consulting services• Legal services for defense and compliance• Services to Victims / Identity Protection

1. Loss Reputation / Lost Business / Loss Productivity

2. Only 51% of RIMS Members Buy Privacy/Cyber Liability Insurance

20

Root Causes of Data Breaches

Human Error31%

Malicious Attack44%

System Glitch25%

Source: Ponemon Institute/Symantec

Federal & Statutory Requirements Following a Breach

1. There is no uniform federal law on data breaches.• HIPAA Health Insurance Portability and Accountability Act• HITECH established encryption and destruction protocols for PHI• Gramm-Leach-Bliley Act (GLBA) for Financial Institutions• The Payment Card Industry Data Security Standards (PCI-DSS• Office of Management and Budget (OMB) “Breach Notification Policy”

For Federal Agencies

2. State security breach notification laws generally follow a similar framework: • Delineating who must comply with the law; • Defining the terms “personal information” and “breach of security”;• Adopting requirements for notice; • Creating penalties, enforcement authorities, and remedies.

3. Florida Statutes. 501.171, 282.0041, 282.318(2)(i)

Q&AJim Carter

Manager, Risk & Insurances ServicesBayCare Health System, Inc.

2985 Drew St.Clearwater, FL 33759

Tel. 727-754-9234Email. jim.carter@baycare.org