Discussing Cyber Risk Coverage With Your Commercial Clients
Steve Robinson, Area President, RPS Technology & Cyber
October 17, 2014
Threat Landscape and Common Misperceptions
Facts
When it comes to data breach, size doesn’t matter*
It’s more than just hacking
The “we’ve got this covered” attitude is waning
IT is now very much on board
*Source: 2013 Data Breach Investigations Report Verizon RISK Team, et al
The Changing Threat Landscape
“Our 2013 findings suggest that there’s a lot of complacency among organizations about the risk of espionage attacks. The assumption is that these attacks only target government, military and high-profile organizations, but our data shows that this increasingly isn’t true. Don’t underestimate the likelihood that your organization will be a target.”
Source: 2013 Data Breach Investigations Report Verizon RISK Team, et al
RPS Technology & Cyber
Information Risks – What Can Go Wrong?
Information Risks
Hazards:
Hacker attacks / unauthorized access
Virus / malicious code
Denial of service attacks
Malicious hardware
Physical theft of device / media
Accidental release
Employee / vendor error
Rogue employees
Social engineering
(Chart: Information Risks. Source: Open Security Foundation)
Industry-Specific Threats
Industries: Healthcare, Retail, Education, Hospitality, Financial, Public Entity, Nonprofit, Manufacturing, Technology
Threats mapped across these industries:
Breach of Personally Identifiable Info (PII)
Breach of credit card data & PCI fines
Breach of Protected Health Information (PHI)
Breach of customers’ rights to privacy
Breach of confidential employee data
eBusiness Interruption
Technology Errors or Omissions
Personal Injury – Social Media Environment
Intellectual Property Infringement
Regulatory Liability
Electronic Theft
Cyber Extortion
Cost of a Data Breach
Data Breach Related Costs
Average cost per compromised record = $201.00*
Direct costs: coordination, defense, notification expenses, credit monitoring, regulatory fines
Indirect costs: customer churn, impact on shareholder value, loss of future opportunity
*Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”
(Chart: Per Capita Cost by Industry Classification. Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”)
Mitigating Risk in our Clients’ Businesses
How Can Clients Reduce Their Risk?
Data Management*
Collection: What employee, customer, and donor/volunteer (nonprofits) data are you storing? Do you need to store it?
Access: Who in your organization has access to sensitive information? Do those with access absolutely need it to perform their job? What of this information is publicly available?
Use: Are you using customer information in the manner originally intended (and consistent with the way you communicated it to your customers)?
Storage: Where is your data stored? Is the stored information protected by access controls? Does sensitive customer information exist in multiple formats?
Eradication: How long do you keep customer information? What do you do with information (in any format) you no longer need? Are there 3rd-party vendor agreements covering document storage, disposal, janitorial services, etc.?
Source: NTEN – Nonprofit Technology Network
Policies & Procedures
Privacy: Do you have a written privacy policy in place? Have employees and/or volunteers been trained?
Social Media: Inventory your social media presence regularly. Restrict authority for account creation and content management on behalf of your organization to one or two designated employees. Are there restrictions on social media access from systems that connect to your network containing personal information on customers, employees, etc.?
Websites, Intellectual Property & Electronic Communication: Consistency of content and message? Legal review? Have appropriate rights been secured (music, lyrics, video, etc.)? Staff training in email etiquette.
Network Security & Credentialing: Software, patch management, spam filters, firewall protection, etc. Encryption of data at rest and in transit (on mobile devices and portable media). Vulnerability testing. BYOD policies.
Risk Transfer
Vendor Agreements: Is there appropriate transfer-of-liability language in vendor contracts? Cloud providers, payment processors, website hosting services, document disposal, storage and janitorial services.
Insurance: Cyber/Privacy Liability Insurance
Cyber Risk Insurance Coverage
What is Cyber Risk Insurance?
Insurance coverage designed to protect a business from liability associated with:
• Unauthorized release of confidential information
• Violation of a person’s rights to privacy
• Personal injury in an electronic/social media environment
• Intellectual property infringement
• Violations of state or federal privacy laws
and from the out-of-pocket expenses incurred to respond to and remediate the above.
Cyber Risk Insurance
Exposure Category: Description
Privacy Liability: Provides liability coverage for failure to protect electronic or non-electronic information in your care, custody and control. Can include coverage for acts of vendors as well.
Network Security Liability: Provides liability coverage if an Insured’s computer system fails to prevent a security breach, becomes inaccessible to those who need it, or unintentionally transmits a virus to a 3rd party.
Media Content Liability: Provides liability coverage for Intellectual Property and Personal Injury lawsuits stemming from your website or social media content under your direct control.
Regulatory Liability: Defense coverage for legal proceedings or investigations by Federal, State, or Foreign regulators relating to privacy laws.
Crisis Management (breach response expenses):
Legal Assistance Expense: Expenses incurred to hire an attorney to help navigate the breach response process in accordance with the multitude of State and Federal laws.
Forensic Expense: Expenses incurred to hire a firm to conduct IT forensics investigations following a data breach.
Notification Expense: Expenses incurred to notify affected individuals of a breach in accordance with State and Federal laws.
Credit Monitoring Expense: Expenses incurred to provide affected individuals with access to identity protection services.
Public Relations Expense: Expenses incurred to hire a public relations consultancy, media expenses, etc. in the wake of a data breach.
Data Recovery/Restoration: Expenses incurred to re-create data that is damaged as a result of a cyber incident.
Business Interruption: Loss of business income resulting from an interruption of, or inability to use, the Insured’s computer system as a result of a network security breach.
Cyber Extortion: Expenses incurred in response to threats to attack the Insured’s systems (e.g., by introducing malicious code), to disseminate or misuse information held in the Insured’s computer systems, or to destroy or alter those systems.
Fines and Penalties: Where permissible by law, expenses incurred as a result of a State, Federal or other (e.g., PCI DSS) fine or penalty resulting from a data breach.
Doesn’t My Insurance Already Cover This?
ISO General Liability Form
Coverage exclusion for claims of copyright, trademark infringement.
ISO Property Form
Protects physical computers but not the data that is stored on them.
CGL Data Breach Exclusions
Current ISO CGL form coverage is provided:
“For personal and advertising injury as the offense of an oral or written publication in any manner, or material that violates a person’s right of privacy.”
New ISO GL Exclusion (effective May 2014):
“Exclusion – Access or Disclosure of confidential or personal information and data-related liability – with limited bodily injury exception.”
Doesn’t My Insurance Cover This?
Policy types compared: General Liability, Property, Crime, Professional, K&R (Kidnap & Ransom), Cyber
3rd Party Privacy / Network Security / Personal Injury / IP:
Theft / Unauthorized Disclosure of PII
Breach of Confidential Corporate Info
Technology E&O
Media Liability / Social Networking
Regulatory Defense / Penalties
Virus / Malicious Code Transmission
1st Party Privacy / Network Risks:
Legal Assistance / Breach Coach
IT Forensics
Physical Damage to Data
Denial of Service Attack
Business Income from Security Event
Extortion or Threat
Rogue Employee - Data Related
Public Relations / Crisis Management
(Matrix legend: Coverage Provided? / Coverage Possible? / No Coverage?)
* For reference and discussion only; policy language and facts of claim will require further analysis. This is not a guarantee of coverage.
Cyber Risk Coverage: Key Differentiators
Cyber Risk Coverage
Samples of Key Differentiators:
Look carefully at the definitions
Unauthorized acts of employees
Coverage for electronic and non-electronic information
Vicarious liability - 3rd parties / vendors / cloud providers
Defense of privacy regulatory actions (at full privacy limits)
Regulatory fines & penalties
Sublimits for 1st party vs. full limits
Breadth of media coverage
Cyber Risk Coverage Common Exclusions
Intentional Acts - look closely here
Infrastructure failure
Software Responsibility / Inadequate Software
Unencrypted portable media
Wrongful Collection
Employment Practices
Not All Policies Are Created Equal
Cyber Endorsement “Fail”
Application Process & Rating Factors
Pricing factors:
Class of business (High / Medium / Low)
Number of patients and records held - medical
Annual revenue
Number of employees
Network defense parameters in place and update procedures
Information security policies
Loss history
Application: New streamlined options available
Coverage Trends
The tale of two worlds:
Large retail - appetite, capacity, underwriting
Small business
Business Interruption triggers
Aggregation
Reputational Harm
Electronic Theft - monetary & otherwise
Retro date
Summary
Why Your Client Needs Cyber Risk Coverage
Specific exclusions exist in traditional policies for:
• Privacy breach
• Network-related incidents
• eBusiness Interruption
• Personal Injury in social media, websites, blogs, etc.
• Regulatory defense, fines
Buying coverage aligns pre- and post-breach resources not afforded under other policies
Claims are on the rise
Laws are driving demand:
• GLB, HIPAA, HITECH Act, FTC’s Red Flags Rule, etc.
• 47 of 50 States require notification
Coverage is more accessible and affordable than ever