Data Breaches & Cyber: Understanding the Risk
Alex Ricardo, CIPP/US, Beazley Breach Response
Beazley plc
Disclaimer
This presentation and its content are not meant to be considered professional legal advice.
The presenter is not a licensed attorney, and all information obtained from this presentation should be considered for informational purposes only.
You should consult licensed privacy counsel for any decisions surrounding your corporate privacy initiatives, incident response plan or data breach response methodology.
Beazley plc November 2017
A cyber breach isn’t always a disaster. Mishandling it is.
Threat landscape
The loss or disclosure of personal or sensitive data continues to be a huge concern and risk for companies.
Beazley – Breach statistics (“Let’s go to the tote board”)
2009: Managing breach incidents since 2009
2014: Handled 750+ incidents
2015: Handled 1,200+ incidents
2016: Handled 1,900+ incidents
2017: Handled 2,600+ incidents
2018: Handled 3,300+ incidents
2019 Projection: 4,500+ incidents
As of 1/1/2019 – 11,000+ incidents
Breach Incidents – It’s not all cyber-related
14 June, 2019 – Source: Beazley – 2018 stats
Approximately:
Physical loss: 5% of breach incidents involve physical loss
Accident or unintended disclosure: 20% of breach incidents result from broken business practices
Company / 3rd party: 30% of breach incidents are a result of a 3rd party
Where’s the Risk? – Unintended Disclosure: Paper / Physical Records
• Un-shredded documents
• Dumpster diving
• File cabinets – sold/donated
• Natural disasters
• X-ray images
Where’s the Risk? – Unintended Disclosure: Electronic Assets
• Computers
• Smart phones
• Backup tapes
• Hard drives
• Servers
• Copiers
• Fax machines
• Scanners
• Printers
Review leasing contracts: leased copiers, printers and similar devices keep documents on internal storage and must be wiped before they go back to the lessor.
Where’s the Risk? – Business Email Compromise
– 24% of 2018 incidents (vs 13% of 2017); 811 incidents in 2018 (vs 348 in 2017)
– Financial institutions, healthcare, education
– Middle market (MM) 59% vs SME 41%
– Examples of lures:
  – “CFO” email
  – “HR – Payroll Form” email
  – CEO “W2 Request” email
  – Payroll diversion emails
Where’s the Risk? – Lost/Missing/Stolen Electronic Assets
• 6% of 2018 incidents
• #1 issue with regulators
• encrypt – Encrypt – ENCRYPT! (most breach notification laws give a safe harbor for data that was encrypted when the device was lost)
• Watch for unencrypted portable media exclusions in cyber policy wording
Where’s the Risk? – Mishaps due to Broken Business Practices (Unintended Disclosure)
• 20% of 2018 incidents (source: Beazley statistics)
• Industry agnostic
Where’s the Risk? – Rogue Employees
9% of 2018 incidents (source: Beazley statistics)
• Disgruntled
  – Information Security / Information Technology
• Enticed
  – Human Resources
  – Call Centers
  – Finance
Most Recent Threats
Ransomware
Ransomware incidents – the cyber threat landscape is changing
Source: Beazley – 2018 statistics
• 2015-2016 – “turning point” in ransomware
• 9% of 2018 incidents – 298 in 2018
• Healthcare, financial services, professional services
• SME vs MM – 72% vs 28%
Ransomware – “To ‘B’reach Or Not To ‘B’reach”
• Most ransomware incidents are not breaches: encryption alone does not establish that data was accessed or exfiltrated
• Forensics is necessary to establish that
• An industry mandate may apply (e.g. Covered Entities under HIPAA must assess whether the incident is a reportable breach)
• Retain forensics under counsel (to preserve privilege over the findings)
• The findings may be needed for regulatory inquiries in the future
Ransomware – Ransom Amounts
• Demands range from hundreds to thousands to tens of thousands of dollars
• Beazley’s highest paid ransom – nearly 7 figures
• Outliers are becoming more common and actors more bold
• Actors make up for small demands in volume
• In 2017 the FBI estimated that about $1B had been paid in ransomware demands
Ransomware – Who Are These Actors?
• No more “dark hoodies”
• Professional business model
• “Best customer service”
• Bitcoin wallet ID
• “Double dippers”
• “Honor amongst thieves”
• Known terrorist organizations
Ransomware – Why Would You Pay?
• “You are not the US Government” (a private company is free to weigh paying against the cost of recovery)
• Technical challenges at data restoration:
  – Bad segmentation (backups reachable from the production network get encrypted along with it)
  – Corrupt restored data
  – Backup intervals inappropriate for the data’s purpose
Ransomware – Who Do Actors Target?
• All industries are targeted
• LinkedIn is their friend (public job titles and org charts make spear-phishing targets easy to pick)
CryptoJacking
CryptoJacking – the cyber threat landscape is changing
• The hacker does not seek PII/PHI but CPU power
• Hacks and hijacks devices throughout an organization, IoT included:
  • PCs / laptops
  • Servers
  • Security cameras
  • “Coffeemakers & refrigerators”
• Leverages the devices’ CPU power to mine cryptocurrency (in practice usually Monero; Bitcoin is not feasible to mine on commodity CPUs)
MS Office 365
MS Office 365 – Technical Issues Necessitating Data Discovery and Review
• O365 default settings provide insufficient logging (audit logging had to be switched on explicitly)
• Microsoft has disabled the “magic logs” (the undocumented mailbox-activity API investigators relied on to reconstruct what an attacker read)
• Attackers sync the whole inbox, so every message in it has to be treated as accessed
• Programmatic searches do not work on unsearchable (image-only) PDFs
• Large spreadsheets of data can require manual review
MS Office 365 – Data Discovery and Review Costs are Costly
Email Platform | No. of Inboxes | No. of Documents | Cost          | BBR Legal / Forensic Sublimit | No. of Notified Individuals
MS O365        | 70 inboxes     | 450,000          | $2,000,000.00 | $2,500,000.00                 | 83,000
MS O365        | 189 inboxes    | 1,750,000        | $1,850,000.00 | $1,000,000.00                 | 362,000
MS O365        | 120 inboxes    | 855,000          | $1,400,000.00 | $2,500,000.00                 | TBD
MS O365        | 24 inboxes     | 365,000          | $675,000.00   | $1,500,000.00                 | TBD
Note that in the second matter the review cost alone exceeded the legal/forensic sublimit.
MS Office 365 – Lessons Learned
• Multi-factor authentication
• Run Microsoft’s mailbox-auditing script and turn the O365 audit logs ON
• Email retention settings (less mail kept in the inbox means less to review after a compromise)
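The scoping problem the last three slides describe (an attacker who syncs a mailbox, and logs that only help if they were on beforehand) can be worked through in code. The following is an added example, not code from the presentation or from Microsoft. It triages records in the shape of the AuditData JSON that Search-UnifiedAuditLog returns, looking for the three signals a responder checks first: logins from outside the corporate range, inbox rules or mailbox settings that forward or delete mail, and MailItemsAccessed records with MailAccessType Sync. It returns the set of mailboxes that must go to document review. The corporate IP range, the user names and the sample records are constructed assumptions, and MailItemsAccessed records only exist if mailbox auditing (with the licensing that includes that operation) was in place before the intrusion, which is the lessons-learned point.

```python
"""Triage Office 365 unified audit log records to scope a mailbox compromise.

Added example, not from the presentation. Input records follow the AuditData
JSON shape of Search-UnifiedAuditLog; the sample records, the corporate IP
range and the mailbox names below are constructed, not real data.
"""
import ipaddress
import json
from dataclasses import dataclass

# Assumed corporate egress range; logins from anywhere else are flagged.
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Operations that can change where a mailbox's mail flows.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters on those operations that move mail out of the owner's sight.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "DeleteMessage", "ForwardingSmtpAddress", "ForwardingAddress"}


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    client_ip: str
    reason: str


def _kv(items):
    """Flatten the log's [{"Name": ..., "Value": ...}, ...] lists into a dict."""
    return {i.get("Name"): i.get("Value") for i in items or []}


def _client_addr(raw):
    """Parse ClientIP; the log sometimes writes IPv4 as 'a.b.c.d:port'."""
    host, sep, port = raw.rpartition(":")
    if sep and "." in host and port.isdigit():
        raw = host
    return ipaddress.ip_address(raw)


def classify(rec):
    """Return why a record is suspicious, or None if it looks benign."""
    op = rec.get("Operation")
    if op == "UserLoggedIn":
        try:
            addr = _client_addr(rec.get("ClientIP", ""))
        except ValueError:
            return "login with unparseable ClientIP"
        if not any(addr in net for net in CORPORATE_NETS):
            return f"login from non-corporate IP {addr}"
    elif op in RULE_OPS:
        touched = EXFIL_PARAMS & set(_kv(rec.get("Parameters")))
        if touched:
            return f"{op} changed mail flow: {sorted(touched)}"
    elif op == "MailItemsAccessed":
        props = _kv(rec.get("OperationProperties"))
        if props.get("MailAccessType") == "Sync":
            return "mailbox sync: treat the whole mailbox as accessed"
    return None


def triage(audit_lines):
    """Return (findings, mailboxes); mailboxes is the set needing review."""
    findings, mailboxes = [], set()
    for line in audit_lines:
        rec = json.loads(line)
        reason = classify(rec)
        if reason:
            user = rec.get("UserId", "<unknown>")
            findings.append(Finding(rec.get("CreationTime", ""), user,
                                    rec.get("ClientIP", ""), reason))
            mailboxes.add(user)
    return findings, mailboxes


# Constructed sample records (not real data): one compromised user, one benign.
SAMPLE_AUDIT_DATA = [json.dumps(r) for r in [
    {"CreationTime": "2019-06-10T02:14:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.45"},
    {"CreationTime": "2019-06-10T02:20:00", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.45:51023",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-06-10T02:31:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.45",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}]},
    {"CreationTime": "2019-06-10T09:02:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7"},
    {"CreationTime": "2019-06-10T09:05:00", "Operation": "Set-Mailbox",
     "Workload": "Exchange", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "DisplayName", "Value": "Bob Example"}]},
    {"CreationTime": "2019-06-10T09:06:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]},
]]

if __name__ == "__main__":
    found, scope = triage(SAMPLE_AUDIT_DATA)
    for f in found:
        print(f"{f.time} {f.user} {f.client_ip} {f.reason}")
    print("mailboxes needing document review:", sorted(scope))
```

Run as-is it reports three findings for alice and none for bob. In a real matter the input would be the AuditData column of a Search-UnifiedAuditLog export, and the flagged mailbox set is what drives the inbox count and document volume in the cost table above; a Sync record in particular is why a single compromised account turns into a full-mailbox review.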
The Breach Response Methodology
The Data Breach Response Methodology (reconstructed from the slide diagram)
Phase 1 – Discovery & Assessment: Incident Discovery; Trigger Incident Response Plan
Phase 2 – Investigation: Forensics; Conclusion & Results
Phase 3 – Response: Privacy Counsel; Crisis Management; Communications & Services
Phase 4 – Claims Defense: Class-Action Lawsuits; Regulatory Investigations, Fines, Penalties; Reputational Damage; Business Income Loss
Diagram captions: “Risk Can Still Be Managed” / “Cannot Un-Ring the Bell”
Best Practices on Crafting a Data Breach Response Plan
Objectives for a Data Breach Incident Response Plan
“Living document”
– Routinely updated to keep current
Clear and easy to use in the midst of a crisis incident
– Succinct
– Organized by sections
Not a “phone book” but not a “leaflet”
– Background information on regulations and laws
– Detailed procedures and steps on incident management
– Contact details of the incident response team
Document all discoveries for evidentiary needs
Regulatory Satisfaction for a Data Breach Incident Response Plan
NCUA (12 CFR Part 748)
GLBA (Section 501(b))
PCI DSS (Requirement 12.9; renumbered 12.10 in v3.x)
Red Flags Rule – FACT Act (§ __.90(d)(1) of the interagency rule)
HIPAA Security Rule (45 CFR 164.308(a)(6), security incident procedures)
ISO 17799 / ISO 27002 (Section 6.3)
Certain state information security laws
– MA 201 CMR 17.00
The Anatomy of the Data Breach Incident Response Plan
Background
Incident Response Team
Incident Management
– Risk Transfer Requirements
– Threat Level Definitions
– Checklist #1: Incident Triaging
– Checklist #2: Breach Universe Definitions
– Checklist #3: Notification Procedures
– Mitigation/Remediation
The Anatomy of the Data Breach Incident Response Plan – Background
– Purpose of the plan
– High-level legal landscape / history
– Internal policies
– Versioning
– Custodian/contact for revisions
The Anatomy of the Data Breach Incident Response Plan – Incident Response Team
– Roles & responsibilities
– Internal members of the IRT
– External members of the IRT
– Contact information of members of the IRT
– Define “threat levels” for members of the IRT
The Anatomy of the Data Breach Incident Response Plan – Incident Management
– Risk Transfer Requirements
  – The IRT should be in sync with risk management and insurance requirements (e.g. carrier notice deadlines and approved vendor panels)
– Threat Level Definitions
  – Establish threat levels for incidents
  – A breach of 1 individual is not like a breach of 1,000,000
  – A breach of 12 individuals due to a fax error is not like a malware intrusion leaking 100,000 records of PHI
The 3 “Checklists”
Checklist #1: Incident Triaging
– Threat level defined to trigger the appropriate members of the IRT
– Does the insurance carrier need to be advised?
– Is privacy counsel needed?
– Is an investigation needed?
  – Forensic
  – Traditional
  – Both
– Electronic data? Paper-based data? Both?
– Is a 3rd party involved? Or the cause?
– Is law enforcement needed?
  – FBI? Secret Service? State/local?
– Is a police report needed? (theft involved?)
– Is PR / crisis management needed? Is the media involved (yet)?
Checklist #2: Breach Universe Definitions
– Size of affected population
– Types of data compromised
  – PII
  – PHI
  – Other
– Individuals
  – Name
  – DOB (or age, adult/minor status)
  – Deceased?
  – Foreign national?
  – Most recent mailing address
  – Localization of individual (preferred language)
Checklist #3: Notification Procedures – part 1
– Define the timing strategy for all communications
– Police report needed? (if theft involved)
– Affected individuals’ notification fulfillment needed?
  – Draft notification letters
    – Description of what happened
    – Description of data types involved
    – Steps to protect oneself
    – What the entity is doing to investigate and mitigate harm. Remedy? (credit monitoring)
    – Contact details for questions
    – Apology?
  – Obtain corporate logo and signature image
– Affected individuals’ call center needed?
  – Establish escalation contacts
  – Draft FAQs
  – Draft scripts
Checklist #3: Notification Procedures – part 2
– Government agencies / Attorneys General
  – Draft notification letters – federal, state, local (where applicable)
– Press releases
  – Draft press releases and scripts for media
– Internal communications
  – Draft internal memos
  – General workforce, management, Board of Directors
– Website
  – HITECH substitute notice (if applicable)
  – Public posting
  – Requires a separate phone # from the notification #
  – Assess need for localization (multiple languages)
– Accompanying remedy with notice
  – Credit monitoring / credit reports
  – Identity theft resolution
  – Credit-related fraud restoration
  – Healthcare record fraud restoration
The Anatomy of the Data Breach Incident Response Plan – Mitigation and Remediation
– Recovery
  – Eradicate vulnerabilities
  – Reinstate repaired/hardened systems
– Review – lessons learned
  – Log/record the incident in an incident database for trending/historical analytics
  – Review with the incident response team
  – Review information security systems, policies and procedures, workflows
  – Review physical security systems, policies and procedures, workflows
  – Update the training program accordingly
  – Update the incident response plan
Last Bit of Advice …
Why we should be careful with the word “Breach”
Perception is half the regulatory battle
– People use “breach” too frequently, and you don’t want your customers or regulators to think you are subject to numerous breaches
– “Breach” suggests something bad happened or is going to happen
– “Breach” has legal significance. Don’t prematurely call an “incident” or an “event” a “breach”
Best practices
– Refrain from using “breach” in anything memorialized
  – Emails, voicemails, text messages, written memos
– Train your incident response team not to use “breach” in internal communications as they assess and investigate the “incident” or “event”
“It’s bad enough a company may possibly face liability from the data breach itself. The last thing you want is to create further liability exposure from how you respond to the incident.
Making sure you are kept in the best defensible position possible during the course of your breach response methodology should be a priority.”
Alex Ricardo, CIPP/US, Breach Response Services
Beazley Group
Rockefeller Center, 1270 Avenue of the Americas, New York, NY 10020
t: +1 (917) 344 3311  c: +1 (646) 934-4100  e: [email protected]
For More Information: www.beazley.com
The descriptions contained in this broker communication are for preliminary informational purposes only. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd’s. Certain Lodestone services may not be available on an admitted basis at this time. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497).
Questions?