Cyber Risks Looming in the Transportation Industry

Date post: 26-Dec-2014
Cyber risk related to information security is growing. A potentially huge exposure for transportation companies is the personal data of their current and prospective drivers.
Page 1: Cyber Risks Looming in the Transportation Industry

CYBER RISKS LOOMING IN THE TRANSPORTATION INDUSTRY

September 2014

1

Page 2: Cyber Risks Looming in the Transportation Industry

HOUSEKEEPING

• Slide deck will be posted on hni.com

• Q&A at the end, but feel free to ask questions throughout

• Tweet @HNIRisk or use the hashtag #hniu to win some HNI swag!

Page 3: Cyber Risks Looming in the Transportation Industry

Thanks to our sponsors!

Page 4: Cyber Risks Looming in the Transportation Industry

WHO’S ON THE LINE

MODERATOR: Andrea Tarrell, Director of [email protected]

SUBJECT MATTER EXPERT: Kevin Zinter, Senior Vice President [email protected]

Page 5: Cyber Risks Looming in the Transportation Industry

Outline Summary

• Review of exposures

• Review of Wisconsin and state laws, and other Federal Laws

• Explanation of Insuring Agreements

• Brokering Challenges

• Stats

• Underwriting Questions

• Sample Transportation Industry claims / incidents

• Risk Management Services

• Why AmWINS

Page 6: Cyber Risks Looming in the Transportation Industry

Cyber/Privacy Exposures facing the Transportation Industry

• Collection of sensitive personal information

• Exchanging information with vendors, providers, outsourced firms, etc.

• Use of network to provide services to others

• Holding confidential business information (your own or third parties’)

• Outsourcing services to third parties – i.e. logistics firms, freight brokers, data processing, billing and collections, etc.

• Disseminating information and media online

Page 7: Cyber Risks Looming in the Transportation Industry

Federal Laws

• Consumer notification of potential loss of data is required in 47 states, Puerto Rico, and DC.

• Personally identifiable information (PII) and protected health information (PHI) are currently governed by a patchwork of federal and state laws:

– The Family Educational Rights Privacy Act (FERPA)

– HIPAA

– Children’s Online Privacy Protection Act

– Gramm Leach Bliley Act (GLBA)

– Fair Credit Reporting Act

– Sarbanes-Oxley (SOX)

– Federal Privacy Act

– HITECH Act

– Red Flags Rule

– President Obama’s Cybersecurity Executive Order, among others.

Page 8: Cyber Risks Looming in the Transportation Industry

Wisconsin Notification Requirements

Security Breach Definition

When an Entity whose principal place of business is located in WI or an Entity that maintains or licenses PI in WI knows that PI in the Entity’s possession has been acquired by a person whom the Entity has not authorized to acquire the PI, or, in the case of an Entity whose principal place of business is not located in WI, when it knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI.

Page 9: Cyber Risks Looming in the Transportation Industry

Wisconsin Notification Requirements

Notification Obligation

Any Entity to which the statute applies shall make reasonable efforts to notify each subject of the PI.

An Entity is not required to provide notice of the acquisition of PI if the acquisition of PI does not create a material risk of identity theft or fraud to the subject of the PI or if the PI was acquired in good faith by an employee or agent of the Entity, if the PI is used for a lawful purpose of the Entity.

An Entity shall provide the notice within a reasonable time, not to exceed 45 days after the Entity learns of the acquisition of PI. A determination as to reasonableness shall include consideration of the number of notices that an Entity must provide and the methods of communication available to the Entity.

Page 10: Cyber Risks Looming in the Transportation Industry

Wisconsin Notification Requirements

Penalties

No penalties defined or outlined.

Considerations

• Wisconsin does not require an automatic offer of free credit monitoring to breached individuals.

• Wisconsin does not require entities to notify the state Attorney General or any other governmental agencies, but it does require notice to all consumer reporting agencies and credit bureaus if more than 1,000 residents are to be notified.

• Additional notification obligations apply depending on the state where the consumer (affected individual) is located.

http://www.beazley.com/business_lines/technology_media__business/data_breach_map.aspx

Page 11: Cyber Risks Looming in the Transportation Industry

What is the difference between 1st Party Risk and 3rd Party Risk in a Cyber Liability Policy?

1st Party Risks

Direct loss incurred by our insured because of “injury” to electronic data or systems resulting from acts of others:

• Costs of fixing the problem

• Expenses to protect customers (including notification and credit monitoring costs)

• Other expenses to mitigate loss (including PR and publicity costs)

• Theft of data & intangible property

• Loss of future income

• Cyber extortion

3rd Party Risks

Liability for financial losses or costs sustained by others resulting from internet or other electronic activities:

• Defense expenses

• Damages resulting from customer suits and suits from others for personal/content injury, intellectual property claims, professional services, and injury from a security or privacy breach, or Regulatory fines/penalties.

Page 12: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

1. Privacy/Security Liability

Third party claims alleging failure to protect an individual’s PII, whether through a network & information security failure, unauthorized access & unauthorized use, etc.

Page 13: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

2. Notification Costs

The hot button sublimit, and main premium driver within a Cyber Liability policy. When private/confidential information is lost, this insuring agreement covers the cost to notify those individuals/victims that their private information was lost or stolen. 47/50 states have laws outlining the requirements to notify, usually described as a short period of time. Credit Monitoring is also often included with the Notification limit. Some forms will include Credit Repair/Remediation Services – the actual cost to repair a victim’s credit history if their information was used fraudulently.

Page 14: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

3. Crisis Management & Forensic Expenses

Costs of hiring an outside PR / consulting firm to handle media inquiries, restore the insured’s brand image in the media, assist with the drafting of notification letters to breached individuals, and provide expert strategies/solutions in regards to the exact claim scenario. Forensic Expenses covers the costs for an outside expert to help determine the scope of the breach, what was exposed, and possibly eradicate the intrusion.

Page 15: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

4. Regulatory Defense & Penalties

The costs to handle inquiries & investigations, and the possible resulting fines/penalties levied against the insured by a regulatory or governmental body. An increasing number of regulations exist related to the protection of confidential data, and all signs point towards increased enforcement (FTC, State Attorneys General, etc).

Page 16: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

5. Extortion/Threat Expenses

Expenses incurred if the insured is contacted by an individual threatening to hack or shut down the system, which might include a demand for payment.

Page 17: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

6. Business Interruption

Interruptions in business due to breaches of a company’s network (e.g. a denial of service attack).

Page 18: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

7. Media/Content

Covers libel, slander, and other forms of disparagement with respect to display of material, as well as copyright infringement. A well written Media insuring agreement will also respond to Social Media exposures, such as disparaging statements made via a company’s official Twitter/Facebook page which may result in a suit brought by a 3rd party vendor/partner or an offended individual.

Page 19: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

8. Hacker Damage

Covers the cost to repair/replace/restore damaged or destroyed data the insured had in their possession, to the state it was in previously, as a result of a hack/incident.

Page 20: Cyber Risks Looming in the Transportation Industry

Basic Insuring Agreements Found in Most Forms

9. PCI Fines/Penalties

Covers violations of the Payment Card Industry Data Security Standard, as levied against the insured. Generally brought as a fine or penalty, and cited as a violation of a PCI Standard as defined under Payment Card Company Rules. PCI governs the safeguarding of sensitive payment card information by merchants.

Page 21: Cyber Risks Looming in the Transportation Industry

Brokering Challenges: Why It’s Not Covered Elsewhere

• General Liability covers bodily injury and property damage, not stolen identities.

• Property Insurance does not consider data as property.

• E&O policies cover services performed for others for a fee. The primary intent of an E&O policy is covering a mistake/error/omission in the course of an individual’s professional service. While there is limited invasion of privacy coverage in an E&O form, the intent is only to cover errors in the course of professional services. You won’t get notification expense coverage or credit monitoring services coverage on an E&O policy, which are your primary 1st party sublimits.

Page 22: Cyber Risks Looming in the Transportation Industry

Brokering Challenges: Why It’s Not Covered Elsewhere [Cont’d]

• Directors & Officers Coverage does not cover the key 1st party expenses that are provided on a Cyber form. D&O is primarily for the directors’ & officers’ fiduciary duty in running the company, and will not extend coverage for 1st party expenses associated with a breach situation.

• Media Liability policies only cover content for libel, slander and copyright, and don’t fully respond to the interrelated nature of a breach incident that turns into a Media claim.

• Crime Insurance covers employee theft of money, securities and property. A data record can be stolen, but you may not see a financial loss for many years. In the absence of the privacy/security policy, there wouldn’t be coverage for the notification and credit monitoring, which are your primary 1st party sublimits. There can be some overlap though, at least for financial institutions, and some carriers are now offering a combo Cyber-Crime policy.

Page 23: Cyber Risks Looming in the Transportation Industry

Brokering Challenges: Non-Standard Policy Language

Carriers use different language, and it can be difficult to decipher. Just a few examples from various carriers:

COVERAGE TYPE: AIG | CHUBB | TRAVELERS

Security: Security & Privacy Liability | Cyber Liability | Network and Information Security Liability

Privacy: Security & Privacy Liability | Cyber Liability | Network and Information Security Liability

Media/Content: Media Content Insurance | Content Injury and Reputational Injury | Communications and Media Liability

Regulatory: Regulatory Action | Regulatory Defense | Regulatory Defense

Business Interruption: Network Interruption | E-Business Interruption | Business Interruption

Breach Response Costs: Event Management | Privacy Notification Expenses and Crisis Management Expenses | Crisis Management Event Expenses and Security Breach Remediation and Notification Expenses

Extortion/Threat: Cyber/Extortion | E-Threat Expenses | E-Commerce Extortion

Page 24: Cyber Risks Looming in the Transportation Industry

Brokering Challenges: Exclusions to Watch For

• Losses arising out of unencrypted portable devices

• Notice of Claim Timing – are you required to report a claim within a certain number of days of the event/incident?

• Limitation of expenses paid out to within a certain number of days of the event

• Stacking of Retentions

• Failure, interruption, or outage of internet access service provided by the internet service provider that hosts the insured’s website

• Failure / Requirement to update antivirus and maintain security levels referenced on the application

Page 25: Cyber Risks Looming in the Transportation Industry

Brokering Challenges: Exclusions to Watch For

• Failure to continuously implement the procedures and risk controls identified in the application, whether orally or in writing

• Failure to follow, in whole or in part, the Minimum Required Practices as listed by Endorsement

• Failure to meet any service levels, performance standards, or metrics

• Failure to use best efforts to install commercially available software product updates and releases, or to apply software patches

• Inability to use or inadequate performance of software programs due to the expiration or withdrawal of technical support by the software vendor, or that are in development or otherwise not authorized for general commercial release

Page 26: Cyber Risks Looming in the Transportation Industry

Brokering Challenges: Exclusions to Watch For (cont)

• Wear and tear, drop in performance, progressive deterioration, or aging of electronic equipment and other property or computer hardware being used by the insured

• Malfunction or defect of any hardware, component or equipment

• Involving wireless networks that are not under your control, or information exchanged over unsecured wireless networks

• Does Regulatory coverage include coverage for fines/penalties or just the Defense?

• Does Media coverage cover all forms of Media, or just online Media?

Page 27: Cyber Risks Looming in the Transportation Industry

Privacy: Historical Data Breach Info

http://datalossdb.org

Page 28: Cyber Risks Looming in the Transportation Industry

Privacy Incidents by Breach Type – All Time

http://datalossdb.org

Page 29: Cyber Risks Looming in the Transportation Industry

Privacy Incidents by Breach Type – 2013

http://datalossdb.org

Page 30: Cyber Risks Looming in the Transportation Industry

Privacy Incidents – Inside vs. Outside – 2013

http://datalossdb.org

Page 31: Cyber Risks Looming in the Transportation Industry

Privacy: Costs of an Incident

$3.5m* Average total cost per reporting company. Of that figure, Defense ($575k) and Settlement ($300k) continue to be a huge portion.

*NetDiligence June 2013 study

Page 32: Cyber Risks Looming in the Transportation Industry

Privacy: Costs of an Incident

$737K Average cost for Crisis Services (forensics, notification, credit monitoring)

$50K The average PCI fine.

$150,000 The average Regulatory fine.

$3.94 Average per-record Notification Cost of a data breach. Per-record notification estimates range from $2-$400, depending on the sample size and claims studied. Other factors include vendors used in the Notification process, and whether defense costs, PR costs, and other expenses are lumped into the per-record estimates.

*NetDiligence June 2013 study

Page 33: Cyber Risks Looming in the Transportation Industry

Privacy: Costs of an Incident

Breaches involving malware or spyware are 4.5x more costly than breaches involving unintended/accidental disclosure**

**Beazley Analysis Findings 2014

Page 34: Cyber Risks Looming in the Transportation Industry

Questions to consider:

• Do you hold any personally confidential data of any employees, customers, clients, etc? If so, how many individual records?

• Do you hold any corporate information or trade secrets, for any of your clients?

• Are you aware of the notice requirements in each state if you lose control of that data?

• What steps would you take/who would you call if you lost those private records?

• Do you have a corporate wide privacy policy?

• Do you have a disaster plan specific to data breaches?

• Are your records stored electronically? Paper? Are the records secure? Do you shred?

Page 35: Cyber Risks Looming in the Transportation Industry

Questions to consider:

• Do any employees have access to private client records? Do you allow use of USB drives on computers with access to private data?

• Are any records ever handled by a third party?

• Are all of your laptops, mobile devices, and wireless connections encrypted?

• Are you confident your antivirus and firewall systems are 100% effective?

• How would your clients respond if you lost their private records? Do your contracts promise to do the notification if you lose their records – or will they do the notification process?

• If your network was damaged or disabled by a virus or hacker attack, would it be material to your revenues/income? Do you have a backup system? How long would it take you to recover?

Page 36: Cyber Risks Looming in the Transportation Industry

Additional Underwriting Questions that go into quoting a risk:

Review of controls & protocols on portable devices:

• How many portable computers are in circulation and what % are encrypted?

• Are users able to store data to the hard drive?

• Is the actual data on the portable device encrypted?

• Is tracking software installed on portable devices?

• Have workstations been configured to prevent the storage of data to USB devices?

• Do you have backup tapes, and if so, are they stored offsite? How are they transported?

• Are the backup tapes encrypted?

• Do you issue company smart phones to employees? Are they encrypted?

• Do employees access confidential information on their smart phones?

• Is all data backed up on a daily basis?

• In the event of a breach, do your contracts put the requirement to do notification on the vendor who lost your information, or are you doing the notification?

Page 37: Cyber Risks Looming in the Transportation Industry

The Biggest Breaches of All Time

Heartland Payment Systems 134m records lost

Target 110m records lost

eBay Inc. 145m records lost

Adobe 152m records lost

TJ Maxx 94m records lost

Home Depot 56m records lost

Epsilon 60m records lost

RSA Security 40m records lost

Stuxnet Attack on Iran’s nuclear power program

Department of Veterans Affairs 26.5m records lost

Sony’s PlayStation 77m records lost

ESTsoft 35m records lost

Gawker Media 1.3m records lost

Google Chinese govt infiltrated systems & stole intellectual property

VeriSign Not disclosed

CardSystems 40m records lost

AOL 650k records lost

SC Dept of Revenue 4m records lost

WikiLeaks Ongoing…

Advocate Medical Group 4m records lost

Page 38: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

CorporateCarOnline

11/4/13 – Kirkwood, MO.

Hackers stole and stored information online related to customers who used limousine and other ground transportation. The online information included plain text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.

Records from this breach: 850,000

Source: www.Privacyrights.org

Page 39: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

Yusen Logistics

10/25/13 – Secaucus, NJ

An unencrypted laptop was stolen from an employee's vehicle sometime around September 23. It contained a spreadsheet with payroll deduction information for former and current Yusen Logistics Americas employees. It contained names, Social Security numbers, addresses, and payroll benefit deduction amounts from the period of July 2013 to September 2013.

Records from this breach: unknown

Source: www.Privacyrights.org

Page 40: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

US Department of Transportation

8/9/06 – Washington, DC

The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County, 42,800 persons in FL with FAA pilot certificates and 9,000 persons with FL driver's licenses. A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot.

Records from this breach: 132,470

Source: www.Privacyrights.org

Page 41: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

Allied Waste

4/12/08 – Boston, MA.

A strap on a garbage truck snapped and sent reams of intact financial reports over downtown Boston streets.

Records from this breach: unknown.

Source: www.Privacyrights.org

Page 42: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

Laboratory Corporation of America

3/27/10 – Burlington, VT.

Thousands of medical documents fell out of a truck bed while in transit. The scattered documents contained billing information and possibly medical records from 1993 or later.

Records from this breach: unknown

Source: www.Privacyrights.org

Page 43: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

Federal Reserve Bank of Dallas

8/9/05 – Dallas, TX

A truck driver lost thousands of Federal Reserve Bank checks headed to Houston. It seems that the back door of the truck was not closed when the driver left the loading area. Paid and canceled checks with Social Security numbers, names, addresses and signatures were scattered on the highway between Dallas and Houston. Most of the checks were not recovered.

Records from this breach: unknown

Source: www.Privacyrights.org

Page 44: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

Various Taxi Cab Companies in Chicago

3/13/14 – Chicago, IL.

In an unprecedented move, First American Bank made a public announcement regarding fraudulent activity they were seeing on both credit and debit cards of customers with their bank specifically related to cab rides in the city of Chicago. The bank is urging both residents and tourists to avoid paying for their cab rides with either debit or credit cards. The ongoing breach appears to be related to the card processing systems used by a significant number of taxis in the city of Chicago. The bank has reported the breach to MasterCard. They have also reached out to Banc of America Merchant Services and Bank of America, the payment processors for the affected payment systems within the affected taxi cab companies. First American Bank is urging that Banc of America Merchant Services and Bank of America discontinue payment processing for the taxi companies who have been targeted in this breach. So far, neither entity is commenting on the breach or appears to be halting the processing services.

Records from this breach: 500+

Source: www.Privacyrights.org

Page 45: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

Various Trucking firms

October 2008

A group of Russian immigrants used their hacking skills to effectively run a trucking company that didn't exist. They would hack into a Department of Transportation website (Safersys.org) that listed licensed trucking firms to change the contact info (temporarily) on certain firms to their own address and phone number. Then, they would go to another online site that listed cargo in need of transportation. They'd pose as the firm whose contact info they'd replaced, get the deal, and then go find another trucking firm to actually deliver the cargo.

The cargo itself would get delivered, and the scammers would contact the original cargo owners to get paid. Then, the company that actually delivered the cargo would contact the company these scammers pretended to be working for, and discover that it had no clue what they were talking about. This scam was effective enough to net the scammers over a half-million dollars. The scammers were eventually arrested.

Source: www.Privacyrights.org

Page 46: Cyber Risks Looming in the Transportation Industry

Trucking/Transportation Claims Examples

ZombieZero

July 2014

Logistics firms that purchase a handheld scanner used to track shipments as they are loaded and unloaded from ships, trucks, and airplanes are being warned the scanners may be infected with malware. The inventory scanners are made in China, and are allegedly being implanted with the malware purposely by the manufacturer, in an attempt to steal corporate data as well as the ‘manifests’ – what’s on the particular load and where it is going. This could in turn be used to re-route or steal the inventories/loads.

Source: www.Privacyrights.org

Page 47: Cyber Risks Looming in the Transportation Industry

Cyber Summary

Security: Failure of network and information security

Privacy: Failure to protect private or confidential information

Media: Libel, slander, and other forms of disparagement with respect to display of material, or infringement of a copyright / trademark

Regulatory Coverage: Fines/penalties and defense costs incurred during an investigation from a governmental or regulatory agency

First Party Coverages:

• Privacy Notification & Credit Monitoring Expenses

• Crisis Management / PR Expenses

• Forensic Expenses

• Extortion/Threat Expenses

• PCI Fines & Penalties

• Business Interruption

Page 48: Cyber Risks Looming in the Transportation Industry

Risk Management is the Key

• eRisk Hub - http://eriskhub.com/

• Beazley – www.nodatabreach.com - Q&A sections, incident examples, white papers on security ‘best practices’, etc. Access to security professionals who only work with Beazley policyholders in answering questions and dealing with incidents.

• Expect the unexpected

• Need expertise and experience immediately

• Know what vendors and partners to call
