Managing Cyber Risks Threats, Risk Management & Insurance

Report
Managing Cyber Risks
Threats, Risk Management & Insurance Principles
Brian J. Courtney, RPLU, AAI
The Safegard Group, Inc.
100 Granite Drive, Suite 205
Media, PA 19063
610.892.7688
[email protected]
Legal Disclaimer
This presentation is advisory in nature and necessarily
general in content. No liability is assumed by reason of
the information provided.
Whether or not or to what extent a particular loss is
covered depends on the facts and circumstances of the
loss and the terms and conditions of the policy as issued.
The precise coverage afforded is subject to the terms and
conditions of the policies as issued.
Brian J. Courtney, RPLU, AAI
Brian Courtney joined The Safegard Group, Inc. in April 2005 and serves as a Producer and the Healthcare Practice Leader for the company.
He is primarily responsible for the direction of client services to the healthcare industry.
Brian began his career at the height of the medical malpractice crisis. Working with a large regional insurance broker, Brian served with the
healthcare practice leader helping hospital systems and physician groups obtain medical malpractice coverage.
Prior to joining The Safegard Group, Brian joined a large national insurance brokerage firm where he gained considerable experience in
healthcare risk management serving the needs of large physician groups, long-term care facilities, home healthcare providers, and allied
health professional organizations.
Brian has completed the Registered Professional Liability Underwriter (RPLU) program, which was developed by Professional Liability
Underwriting Society as a specialized curriculum completely dedicated to professional liability risk management. Professionals who wish to
obtain the RPLU designation are required to complete a rigorous, 13-Course curriculum comprised of eight core courses and five
specialization courses. Brian chose to specialize in the following areas:
•
•
•
•
•
Advanced Healthcare Professional Liability
Cyber Risk
Employment Practices Liability
Directors & Officers Liability
Crime
As it suggests, RPLU professionals are recognized as having the highest level of professional liability expertise to help their clients manage
their risk and protect their assets.
Currently, Brian is helping many of his clients with Cyber Risk Management initiatives, such as Risk Assessments, Data Breach Incident
Response Planning, Contractual Risk Transfer, Insurance Protection and a host of other related services.
Brian lives in Downingtown, Pennsylvania with his wife Erin and three kids, Aidan, Carter & Chase. He is active in the community volunteering
his time with the Lionville Youth Soccer Association and Brandywine Health Foundation. He is also an avid fitness/thrill seeker recently
competing in the Spartan Races, which was voted the 2012 Best Obstacle Course Race by Outside magazine.
Brian Courtney
Expert in Risk Management and Loss Prevention???
Big believer that you should avoid risk
AT ALL COSTS
True or False
Large corporations are typically the targets for hackers
FALSE
A joint study by the U.S. Secret Service and Verizon Communications’
forensics analysis unit paints a frightening picture. 482 of the 761 data
breaches the unit investigated in 2010—63%—occurred at companies
with 100 or fewer employees.
73% percent of small-to-middle-sized companies experienced a cyber
attack in 2010, and 30% of those attacks were extremely effective,
according to Symantec, a software security developer.
True or False
Small businesses (less than 100 employees) are required to abide by data breach laws
TRUE
From the Federal Trade Commission website:
For many companies, collecting sensitive consumer and employee
information is an essential part of doing business. It’s your legal
responsibility to take steps to properly secure or dispose of it. Financial
data, personal information from kids, and material derived from credit
reports may raise additional compliance considerations. In addition, you
may have legal responsibilities to victims of identity theft, regardless of
the size of your company or your line of work.
True or False
Certain industries have to worry about Cyber Security risks
FALSE
While I would agree that certain industries are more
at risk than others, every industry holds sensitive data
in some form or another. Also there is more to Cyber
risk than just a data breach. Therefore, all industries
have Cyber Security risks.
What Are Cyber Risk?
•
•
•
•
•
•
•
•
Violation of privacy policies
Transmission of viruses to other systems
Programming errors
Theft, corruption, or destruction of data or
computer systems
Hacking
Abuse of access to networks by employees
Copyright or trademark infringement
Denial of Service attacks
Source: Professional Liability Underwriting Society
www.plusweb.org
What Activities Create Cyber Risk?
•
•
•
•
•
•
•
•
•
•
•
•
•
Data storage on networks
Credit card processing
Online payment processing (other than CCs)
Internet connectivity
E-commerce
Business websites and Internet advertising
Customer forums and support (help) message boards
Internet Service Providers
Website Design
Development of hardware and software
Providing content or media
Consulting
Providing technical services, equipment and support
Source: Professional Liability Underwriting Society
www.plusweb.org
Who Regulates the Cyber World?
•
•
•
•
•
•
•
•
Federal Trade Commission (FTC)
Federal Bureau of Investigation (FBI)
Fair and Accurate Credit Transaction Act (FACTA)
Gramm-Leach-Bliley Services Modernization Act
Health Insurance Portability & Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH)
Sarbanes-Oxley Act (SOX)
State Privacy Breach Legislation
Source: Professional Liability Underwriting Society
www.plusweb.org
Cyber Laws
•
•
•
•
Copyright Law – Digital Millennium Copyright Act
Trademark Law – Lanham Act
Defamation
Privacy – HIPAA/HITECH, GLBA, State Laws
Source: Professional Liability Underwriting Society
www.plusweb.org
The Risks Today
Websites
IP Infringement &
Libel
Privacy
Risk
Cyber Exposures – First Party Risks
•
•
•
•
•
Data Storage
Business Interruptions
Fraud & Theft
Extortion
Crisis Management
Source: Professional Liability Underwriting Society
www.plusweb.org
Cyber Exposures – Third Party Risks
Intellectual Property
• Copyright
• Trademarks
• Trade secrets
• Patents
Privacy & Customer Data
• Security Breaches
• Liability
• Phishing & Pharming
Source: Professional Liability Underwriting Society
www.plusweb.org
Professional E&O
• Internet provider
• App. service provider
• Web hosting
• Network equipment
• Programmers
• Website Designers
• Data warehouses
• Consultants
Personal Identifiable Information (PII)
Definition:
as used in information security, refers to information that
can be used to uniquely identify, contact, or locate a single
person or can be used with other sources to uniquely
identify a single individual.
First or Last name in combination with
–
–
–
–
Social Security number
Driver’s license number
Financial Account number
Credit, Debit, or payment card
Protected Health Information (PHI)
As defined by HIPPA
“any information, whether oral or recorded in any form or
medium” that
• Is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or
healthcare clearinghouse, and
• Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the
provision of health care to an individual
What Is a Data Breach?
Unauthorized access to
protected information
–
–
–
–
Hacking
Rogue Employees
Negligence
Rogue Vendors
The Value of Stolen Data
Symantec Corporation; “Report on the Underground Economy, July ’07 – June ‘08
Data Breach Example
Date Made
Public
Name (Location)
Number of
Records
February 12, 2011
Cincinnati Children’s Hospital
60,000
Type of Breach
Mobile Device
An employee’s newly-issued, unencrypted laptop was stolen out of
a car. Although the covered entity had a policy of encrypting its
computers, an investigation revealed that new computers are not
encrypted before they are given to employees. The laptop
contained the protected health information (PHI) of approximately
60,000 individuals. The PHI stored on the laptop included names,
medical record numbers, and services received at the covered
entity. Following the breach, the covered entity notified its clients
by letter of the incident, placed notice on various websites and in
The Cincinnati Enquirer, and established a new internal procedure
whereby all new computers would be encrypted before they are
given to employees.
Source: Department of Health & Human Services
www.HHS.gov
Data Breach Cost Calculation
Forensic Investigation:
Security Remediation:
Data Breach Law Legal Guidance:
eDiscovery Litigation:
Customer Notification:
Call Center:
Credit Monitoring:
ID Fraud Remediation:
Public Relations Service:
HHS Fines:
State AG Fines:
Legal Defense & Damages:
$
$
$
$
$
$
$
$
$
$
$
$
TOTAL:
$1,940,712
Source: eRiskHUB
www.eriskhub.com
32,200
112,200
10,000
160,998
60,998
4,575
152,500
60,998
20,000
750,000
500,000
76,248
Another Data Breach Example
Date Made
Public
May 16, 2008
Type of Breach
Stationary Device
Name (Location)
Number of
Records
Chester County School District
55,000
A 15-year-old student gained access to files on a computer at
Downingtown West High School. Private information,
including names, addresses and Social Security numbers, of
more than 50,000 people were accessed. The student
apparently used a flash drive to save the personal data of
about 40,000 taxpayers and 15,000 students.
Source: Privacy Rights Clearinghouse
A Chronology of Data Breaches
www.privacyrights.org
Data Breach Cost Calculation
Forensic Investigation:
Security Remediation:
Data Breach Law Legal Guidance:
eDiscovery Litigation:
Customer Notification:
Call Center:
Credit Monitoring:
ID Fraud Remediation:
Public Relations Service:
FTC Fines:
State AG Fines:
Legal Defense & Damages:
$
$
$
$
$
$
$
$
$
$
$
$
TOTAL:
$1,761,625
Source: eRiskHUB
www.eriskhub.com
75,000
155,000
10,000
0
55,000
4,125
137,500
55,000
20,000
750,000
500,000
0
One More – Manufacturing???
Date Made
Public
Name (Location)
Number of
Records
February 13, 2012
Combined Systems
Unknown
Type of Breach
Hacking
A hacker or hackers accessed the Combined Systems website
and shut it down. The hackers claim to have struck in honor
of the anniversary of the February 14, 2011 Bahrain uprising
and to have wiped out the company's web servers.
Administrator logins, customer data, and emails were posted
online.
Source: Privacy Rights Clearinghouse
A Chronology of Data Breaches
www.privacyrights.org
2011 Data Breaches by Industry
Other
16%
Non-Profit
3%
Medical
34%
Government
14%
Education
11%
Retail
15%
Financial Services
8%
0%
5%
10%
Source: Privacy Rights Clearinghouse
A Chronology of Data Breaches
www.privacyrights.org
15%
20%
25%
30%
35%
40%
2011 Data Breaches by Type
30%
25%
24%
20%
20%
15%
16%
14%
14%
10%
9%
5%
2%
0%
Unintended
Disclosure
Hacking or
Malware
Payment Card
Fraud
Source: Privacy Rights Clearinghouse
A Chronology of Data Breaches
www.privacyrights.org
Insider
Physical Loss
Portable
Device
Stationary
Device
State Statutes
Currently, 47 other states have enacted some type of security breach notification
legislation, including:

Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine,
Massachusetts, Minnesota, Montana, New Hampshire, New Jersey, New York,
North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont,
Washington and Wyoming.
Some states have state laws that require breaches to be reported to a centralized data base
including:

Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s
notification law only applies to electronic breaches affecting more than 1,000 residents).
Other states have some level of notification that has been made publicly available, primarily
through Freedom of Information requests including:

California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and
Wisconsin. For details, see the Open Security Foundation Datalossdb website:
www.datalossdb.org
Massachusetts General Law 93H
Every person that owns, licenses, stores or maintains
personal information about a resident of the commonwealth
shall develop, implement, maintain and monitor a
comprehensive, written information security program
applicable to any records containing such personal
information.”
Massachusetts – Effective March 1, 2010
 Requires encryption of confidential data when it is on a mobile device
 Includes additional, robust security requirements for holders of
personal information of Massachusetts residents
Pennsylvania State Law 73 P.S. § 2303
Notification of a Breach
(a) General rule. – An entity that maintains, stores or manages computerized data that includes
personal information shall provide notice of any breach of the security of the system following discovery
of the breach of the security of the system to any resident of this Commonwealth whose unencrypted
and un-redacted personal information was or is reasonably believed to have been accessed and
acquired by an unauthorized person. Except as provided in section 4 [FN1] or in order to take any
measures necessary to determine the scope of the breach and to restore the reasonable integrity of the
data system, the notice shall be made without unreasonable delay. For the purpose of this section, a
resident of this Commonwealth may be determined to be an individual whose principal mailing address,
as reflected in the computerized data which is maintained, stored or managed by the entity, is in this
Commonwealth.
(b) Encrypted information. – An entity must provide notice of the breach if encrypted information is
accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the
security of the encryption or if the security breach involves a person with access to the encryption key.
(c) Vendor notification. – A vendor that maintains, stores or manages computerized data on behalf of
another entity shall provide notice of any breach of the security system following discovery by the
vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall
be responsible for making the determinations and discharging any remaining duties under this act.
Pennsylvania State Law 73 P.S. § 2305
Notification of Consumer Reporting Agencies
When an entity provides notification under this act to
more than 1,000 persons at one time, the entity shall
also notify, without unreasonable delay, all consumer
reporting agencies that compile and maintain files on
consumers on a nationwide basis, as defined in section
603 of the Fair Credit Reporting Act (Public Law 91-508,
15 U.S.C. § 1681a), of the timing, distribution and
number of notices.
Delaware Law § 12B-102
Notification of a Breach
(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses
computerized data that includes personal information about a resident of Delaware shall, when it
becomes aware of a breach of the security of the system, conduct in good faith a reasonable and
prompt investigation to determine the likelihood that personal information has been or will be misused.
If the investigation determines that the misuse of information about a Delaware resident has occurred
or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as
possible to the affected Delaware resident. Notice must be made in the most expedient time possible
and without unreasonable delay, consistent with the legitimate needs of law enforcement and
consistent with any measures necessary to determine the scope of the breach and to restore the
reasonable integrity of the computerized data system.
(b) An individual or a commercial entity that maintains computerized data that includes personal
information that the individual or the commercial entity does not own or license shall give notice to and
cooperate with the owner or licensee of the information of any breach of the security of the system
immediately following discovery of a breach, if misuse of personal information about a Delaware
resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or
licensee information relevant to the breach.
(c) Notice required by this chapter may be delayed if a law enforcement agency determines that the
notice will impede a criminal investigation. Notice required by this chapter must be made in good faith,
without unreasonable delay and as soon as possible after the law enforcement agency determines that
notification will no longer impede the investigation.
Delaware Law § 12B-103
Compliance Procedures
(a)Under this chapter, an individual or a commercial entity that maintains its
own notice procedures as part of an information security policy for the
treatment of personal information, and whose procedures are otherwise
consistent with the timing requirements of this chapter is deemed to be in
compliance with the notice requirements of this chapter if the individual or
the commercial entity notifies affected Delaware residents in accordance with
its policies in the event of a breach of security of the system.
(b)Under this chapter, an individual or a commercial entity that is regulated
by state or federal law and that maintains procedures for a breach of the
security of the system pursuant to the laws, rules, regulations, guidances, or
guidelines established by its primary or functional state or federal regulator is
deemed to be in compliance with this chapter if the individual or the
commercial entity notifies affected Delaware residents in accordance with the
maintained procedures when a breach occurs.
The “Perfect Storm”
First Party
Loss of Private Data
• Notification Costs
• Publicity Costs
• Crisis Management Expenses
Business Continuity Expense
• Extra Expenses to continue
operations
• Business Income loss
Cyber Extortion
• Ransom Payment
• Other Expenses
Third Party
Client Suits - Privacy
• Suits from clients
alleging negligence in
protecting information
and other causes of
action
Client Suits – Denial of
Service
• Suits from clients
alleging negligence in
protecting the network
against denial of
service
Breach Related Expenses
Notification
Public Relations
Forensics
Legal
 Crafting letter or
other
notification
 Advertising &
Press Releases
 Legal Expenses for
Outside Attorney
 Response to
Claims or Suits
 Printing or design
 Call Center
Operations
 Cost of Forensic
Examination
 Mailing or other
transmission
 Other Services for
Effected Persons:
 Cost To Remediate
Discovered
Vulnerabilities
 Payment of
Judgments or
Settlements
 Credit
Monitoring
Trends in Data Breach Costs
In a U.S. based study of 49 companies in 14 different industries. Number of
breached records/incident ranged from 4,500 to 98,000.
•
•
•
•
•
•
The organizational cost has declined from $7.2M to $5.5M
Cost per record has declined from $214 to $194
Lost business due to a breach averages $3.01M
Detection and escalation costs declined from $460K to $433K
Cost to notify victims increased from $510K to $560K
First timers on average spent $37 more per record; Too-quick/nonplanners on average spent $33 more per record
• CISO can reduce cost per record by $80; Outside consultant can reduce
cost per record by $41.
2011 Ponemon Institute Benchmark Study
Cyber Risk Insurance Policies
Traditional Insurance Coverage?
ISO Commercial
Property?
Electronic Data Extension only
addresses loss or damage to data
which has been destroyed or
corrupted by a covered cause of loss.
Commercial Crime
Form?
No coverage due to the Definition of
“Other Property” and the Exclusion of
“Indirect Loss”.
General Liability Policy?
Addresses only physical injury to
persons or tangible property, as well as
the Insured’s publication of material
that violates a person’s right to privacy.
Professional Liability
Policy?
May be limited by the description of
“Professional Services” or by
Exclusions for “Invasion of Privacy”.
Common First Party “Gaps”
Cyber Vandalism
Denial of Service
ISO Property Policy
Surety Assoc. Computer
Crime
Cyber Extortion
Cyber Fraud
Unauthorized Record
Access
Surety Assoc. Crime
Policy
Extortion & Kidnap
Ransom Policy
Only Cyber Risk Covers:
• Notification Expenses
When required by law or on a voluntary basis?
• Credit Monitoring Expenses
For a stipulated period of time and/or under specified
circumstances?
• Crisis Management Expenses
Including expenses related to legal analysis, as well as
public relations?
What Information Assets Are Covered?
Personal Identifiable
Information (PII)
• Customers, Employees,
Others?
Personal Health Information
(PHI)
Business Property:
• Customer Lists (non-PII)
• Financial Information
• Marketing & Operational
Information
Trade Secrets
Privacy Risk
Cyber Policy Addresses
• Access to information other than
by over the Internet
• Access to information by an
employee
Employees
• Access to information residing on
an “outsourced” system –
anywhere
Outsourcers
• Access to information in “nonelectronic” form
• Negligent release of information
Conclusion
Avoid It
Assess &
Mitigate It
Employee Training
Operational
Guidelines
Customer
Awareness
Penetration Testing
Robust Patch
Management
Ongoing Security
Assessments
Insure It
Cyber Insurance
Policy
&
Crime Insurance
QUESTIONS???

similar documents