Date posted: 26-Dec-2015
NEFEC - Cyber Liability
MICHAEL GUZMAN, ARM
ARTHUR J. GALLAGHER & CO.
© 2013 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™
What are we talking about today?
1. Cyber Risk Overview
2. Regulatory Landscape
3. Trends and Developments
4. Cyber Liability Coverage
5. Breach Examples
Today’s Agenda
Cyber Risk Overview
Economic Damages
1. Notification Costs
2. Forensic Costs
3. Data Recovery Costs
4. Business Interruption
5. Legal Expenses
6. Lawsuits
7. Reputational Damage (Non-Economic)
What is Cyber Risk
The Potential of Economic and Non-Economic Losses arising out of the use of Information Technology Systems
Cyber Risk Overview
Cyber Risk
1. Breach of Personal Protected Information (PPI) / Hacker
2. Lost or Stolen Laptop / Smartphone / Tablets
3. Employee Negligence / Human Error / Rogue Employee
4. Thumb drives / Flash drives
5. Servers and Cloud Storage
6. Dropbox
7. Paper Files
8. Copy Machines
Potential Exposures
Cyber Risk Overview
School Districts Exposures
• Student / Alumni Records
• Enrollment
• Social Security Numbers
• Employee Records
• Employee Benefits
• Credit Card Numbers
Cyber Risk for Public Entities
• When a breach occurs, there are many Federal/State and regulatory laws to consider:
– 47 out of 50 State Laws (Varies from State to State)
– Health Insurance Portability & Accountability Act (HIPAA)
– FTC 114: Red Flag Rule
– Payment Card Industry (PCI) Data Security Standards
Regulatory Landscape
Complex, Changing, and Challenging
• Gov. Rick Scott signed a bill dramatically changing the State of Florida’s data security breach laws.
• The Florida Information Protection Act of 2014 changes the requirements after a data breach and the definition of personal protected information.
• These changes give Florida the broadest and most encompassing breach laws in the nation.
Regulatory Landscape
Florida Information Protection Act of 2014
Regulatory Landscape
FL Definition of Personal Information
1. Social Security Number
2. Driver’s License # or FL ID Card #
3. Credit or Debit Card Number
4. Health Insurance Policy or Subscriber #
5. Medical History
6. Financial Information
7. Online User Name or Email Address in combination with their password
8. Online User Names or Email Address in combination with their security question and answer
FL Notification Requirement Changes
1. Provide notification of breach to affected individuals within 30 days.
2. Notice must be provided to the Florida Department of Legal Affairs for any breach affecting 500 or more individuals.
3. Must provide the Florida Attorney General with a copy of an incident or forensic report along with a copy of the company’s data breach policies and procedures.
Florida Information Protection Act of 2014 Summary
Regulatory Landscape
• 1st Party Coverage not covered under Sovereign Immunity
– Notification Cost, Regulatory Fees, Expenses, etc.
• 3rd Party coverage has yet to be tested in court
• Sovereign Immunity varies from State to State
• 1st Party Coverage (Not Covered by Sovereign Immunity)
– Crisis Management (Notification cost, Credit Monitoring, etc.)
– Data Recovery
– Business Interruption
– Cyber Extortion
• 3rd Party Coverage (Possibly covered by Sovereign Immunity)
– Network & Security Liability
– Privacy Liability
– Media Liability
– Regulatory Liability
Sovereign Immunity and Tort Caps
Trends and Developments
• Number of data security incidents in 2013 by victim industry and organization size
• Public Entities account for 74.84%
High Frequency Industries
Industry | Total | Small | Large | Unknown | % of Total
Public | 47,479 | 26 | 47,074 | 379 | 74.84%
Unknown | 12,324 | 5,498 | 4 | 6,822 | 19.43%
Information | 1,132 | 16 | 27 | 1,089 | 1.78%
Finance | 856 | 43 | 189 | 624 | 1.35%
Retail | 467 | 36 | 11 | 420 | 0.74%
Professional | 360 | 26 | 10 | 324 | 0.57%
Manufacturing | 251 | 7 | 33 | 211 | 0.40%
Accommodation | 212 | 115 | 34 | 63 | 0.33%
Utilities | 166 | 2 | 3 | 161 | 0.26%
Education | 33 | 2 | 10 | 21 | 0.05%
Transportation | 27 | 3 | 7 | 17 | 0.04%
Other | 27 | 13 | - | 14 | 0.04%
Healthcare | 26 | 6 | 1 | 19 | 0.04%
Entertainment | 20 | 8 | 1 | 11 | 0.03%
Administrative | 16 | 8 | 7 | 1 | 0.03%
Mining | 11 | - | 8 | 3 | 0.02%
Management | 10 | 1 | 3 | 6 | 0.02%
Real Estate | 8 | 4 | - | 4 | 0.01%
Agriculture | 4 | - | 3 | 1 | 0.01%
Construction | 4 | 2 | - | 2 | 0.01%
Trade | 4 | 3 | - | 1 | 0.01%
Total | 63,437 | 5,819 | 47,425 | 10,193 | 100.00%
Small = organizations with less than 1,000 employees.
Large = organizations with 1,000+ employees.
*Information Source Credit to the Verizon 2013 Data Breach Investigation Report
Trends and Developments
• Ponemon Institute, LLC conducted a study on the cost of a data breach.
Cost of a Data Breach
[Figure: Cost Per Record Breakout* (axis: Cost Per Breach, $0 to $200). Values shown: $38, $50, $40, $60. Legend: Legal Guidance / Breach Coach; Credit Monitoring; Forensics; Notification / Call Center.]
*Cost can vary depending on vendor.
Trends and Developments
• Where is the data really stored?
• How is the data protected?
• Who owns the data?
• Who is responsible for the data during a breach?
• Are you the only organization using this cloud?
What about the Cloud?
Trends and Developments
Top 5 Leading Causes of Cyber Claims
1. Lost employee laptop or other computing devices
2. Malicious acts by a rogue employee or ex-employee
3. Improperly disposed sensitive information
4. Media campaign gone wrong
5. Subcontractor error or omission (including breaches on those subcontracting vendors that are holding your data)
Claims Triggers
• Lost or Stolen Device: 25%
• Network Security Attack: 21%
• Human Error: 15%
• Employee Theft: 15%
• Privacy Policy: 10%
• Paper: 7%
• Other: 7%
Most Common Policy Triggers
Trends and Developments
Network Security Attacks
• Negligence: 35%
• Malicious or Criminal Acts: 36%
• System Failure: 29%
Cyber Liability Coverage
First & Third Party
Cyber Liability
First Party Coverage
• Crisis Management
• Notification Expense
• Credit Monitoring
• Forensic Investigations
• Public Relations
• Data Recovery
• Business Interruption
• Cyber Extortion
Third Party Coverage
• Network & Security Liability
• Privacy Liability
• Media Liability
• Regulatory Liability
Crisis Management
– Notification Cost
– Credit monitoring
– Call center to handle inquiries
– Identity fraud expense reimbursement
– Public relations services to mitigate negative publicity
– Forensic costs incurred to determine the scope of the network failure and determine whose information was breached
– Breach Coach and Legal Assistance to handle the event and determine which regulatory bodies need to be notified
Cyber Liability Coverage
1st Party Coverage
Cyber Liability Coverage
Carrier Vendor Benefits
• Breach Coach
• Forensic Investigator
• Credit Monitoring Vendor
• Notification & Call Centers
• Public Relations Firm
• Legal Assistant
Approved Vendor Panel
Pre-Negotiated Rates
1st Party Coverage
• Breach of approximately 5,000 records with two years of credit monitoring
Cyber Liability Coverage
Negotiated Vendor Rates
Service | Standard Vendor Cost* | Carrier Negotiated Vendor Cost* | Savings
Legal Assistance with Notification Letters | $24,190 | $10,000 | -59%
Print/Mail Letters | $63,551 | $56,341 | -11%
Call Center Services | $118,642 | $66,852 | -44%
Credit Monitoring | $683,996 | $317,297 | -54%
Total | $890,379 | $450,490 | -49%
*Cost can vary depending on vendor.
• Data Recovery
Expenses incurred to restore data lost from an unauthorized access or virus to an information system
• Business Interruption
Loss of income and extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack
• Cyber Extortion
Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on a computer system, or disclose electronic data/information
Cyber Liability Coverage
1st Party Coverage
• Network & Security Liability
Liability coverage for failing to prevent a Security Breach or a Privacy Breach
• Privacy Liability
Liability coverage for failing to protect personal information (electronic or non-electronic) in their care, custody, and control
• Media Liability
Intellectual Property and Personal Injury liability from an error or omission in content (website, electronic publishing, etc.)
• Regulatory Liability
Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
Cyber Liability Coverage
3rd Party Coverage
Cyber Liability Coverage
Vendor shall obtain at its own expense and evidence via Certificate(s) of Insurance the following insurance requirements before commencement of any awarded work and throughout the duration of the Agreement:
1. Network Security / Privacy Liability with breach response coverage
2. $1M Minimum Liability/ Aggregate Limit
– Breach response sublimits of at least 50% of the liability limit
– Inclusive of defense costs
3. Technology E&O / Technology Products E&O: (If Applicable)
– $1M Minimum Aggregate Limit
– Inclusive of defense costs
4. School District must be named as an additional insured under policies.
5. Claims-made policies must be in place for a period of at least 12 months after the agreement completion/ termination date.
6. Addition of the appropriate endorsement deleting the “Insured vs. Insured” exclusion. This is to protect the School District against wrongful acts by the Vendor.
7. All insurance carrier(s) must carry an A.M. Best rating of A- VI or better.
Vendor Recommended Requirements
• FL County School District - #200
– SSN of 200 students who paid tuition for education programs was compromised. Affected students were offered one-year credit monitoring.
• Florida University - #47,000
– The information of 47,000 teachers and students was publicly accessible for 14 days after a data transfer at the University. The information was from teachers participating in state prep programs.
• Florida Community College - #3,300
– Federal investigators informed the Community College that a hacker gained access to their main computer system. The personal information of students who applied for financial aid may have been accessed. It appears that an insider hacked into the computer system. Hacked 2011 financial aid records were misused to file fraudulent tax refunds.
Breach Examples
Florida Public Entity Breaches
Gallagher Cyber Risk Group
Educate, Inform, and Assist
Michael Guzman, ARM
Arthur J. Gallagher Risk Management Services, Inc.
200 South Orange Avenue | Suite 1350
Orlando | FL | 32801