Hosted by the Institute of Internal Auditors
The Role of Cyber Insurance & The People Factor in a Cyber Breach: Three Key Elements for Building a Human Firewall
Kirsten Liston and Steven Schwartz
June 23, 2016


Page 1: A Cyber Insurance and Employee Awareness Training Primer hosted by the Institute of Internal Auditors Webinar

Hosted by the Institute of Internal Auditors

The Role of Cyber Insurance & The People Factor in a Cyber Breach: Three Key Elements for Building a Human Firewall

Kirsten Liston and Steven Schwartz

June 23, 2016

Page 2

CyberSecurity is No Longer an IT Department Issue

• The Threat Landscape is Changing
• But How Much is this Threat Worth?
• What Will Cyber Insurance Cover and When?
• Can a Director or Officer be Liable?

“There are those companies that have been hacked, and there are those companies that don’t know that they’ve been hacked”

The Annual Global Cost of Cybercrime is upwards of $445 Billion – Center for Strategic and International Studies (CSIS)

Directors owe Duties of Care and Duty of Oversight.

1. Data Breach and Privacy Mgmt.
2. Media Liability
3. Cyber Extortion
4. Network Security & Business Interruption

Presentation Notes:
The Threat Landscape is Changing. How much is this Threat Worth? What will Cyber Insurance Cover and When? Can a Director or Officer be held personally liable?
Page 3

The Threat Landscape is Changing

Is Your Company Ready for a Big Data Breach?

Presentation Notes:
Our interconnected world is expected to grow exponentially. Although this brings new opportunities, it also brings new threats: more connections mean more ways in. Penetration is increasing through personal devices, with smartphone connections growing from 3.3 billion to 6 billion.
Page 4

[Infographic: "Every minute of the day" internet activity statistics. Figures legible in the extraction, with labels paired as far as the layout allows: over 3,250,000 search queries received; 149,689,380 emails sent; 342,000 mobile app downloads; 2,123,880 GB of internet traffic; 571 new websites; 7,431,120 users viewing videos; 34,722 Facebook "likes" received by brands and organizations; 67,380 blog owners publishing new posts; 43,500 users sharing new photos; 17,361 profiles viewed; $612,633 (label lost).]

Presentation Notes:
Consider all of the following statistics pulled from recent reports. Each minute there are:
• More than 3,250,000 Google search queries
• 433,620 tweets
• 342,000 mobile app downloads
• 2,182,880 GB of internet traffic
• 150,000,000 emails sent
Page 5

Is this Threat Real? What’s Actually Been Exposed?

“Cyber Security is the biggest risk facing the financial system” - Chair of the US SEC

Social Engineering cost US Victims more than $800M since 2013

• 2015: 707,509,815 Data Records Lost; 75% of Incidents occurred in the US

• 2014: 1,023,108,267 Data Records Lost; 75% of Incidents occurred in the US

70%: SMBs = 70% of all incidents

$445B+: Global annual cost of cybercrime

Stolen Data Records by Industry (2014 vs 2015)

Retail:     567M (2014) -> 40M (2015)
Finance:    205M (2014) -> 1M (2015)
Government: 42M (2014)  -> 307M (2015)
Healthcare: 30M (2014)  -> 134M (2015)

Presentation Notes:
Pink indicates that 2015 saw more records lost; green indicates that 2015 had fewer records lost. We can attribute this to better practices and processes within the organizations, better IT solutions, and those events which were very large and skewed the numbers. SMBs are targeted 70% of the time.

Government organizations were among the new favorite targets of hackers and other attackers. This was due to several extremely large data breaches in the United States and Turkey, where 307M records were exposed. The healthcare industry was also hit fairly hard in 2015. As with the government, the number of records exposed rose dramatically compared with the year before, with a whopping 217% increase. The retail sector saw a big drop (-93%) in the number of stolen records compared with 2014. What stands out with this sector is that even though there were more breaches in 2015 than the year before, the number of records stolen was down drastically in the same period. The financial services sector also saw a huge drop in records stolen (down 99%), even though the number of breaches went up. The 1.1 million records represented just 0.1% of compromised data records in 2015.
Page 6

The 2015 Leading Sources of Data Breach [1]

1,673 Total Breaches, compromising 707,509,815 Total Records

#1 - Malicious Outsiders
• The leading source of data breaches in 2015, accounting for 58% of total breaches
• Exposed more than 265.2M records, or 37% of the total

#2 - Accidental Loss
• The 2nd leading source of data breaches in 2015, accounting for 36%, yet more records lost than from malicious outsiders
• Exposed more than 257.7M records, mainly due to the US Government’s loss of 191M voter records

#3 - Malicious Insiders
• Launched 14% of the data breaches in 2015, exposing 46.3M records
• Often one of the most difficult to detect and most devastating to the firm

#4 - Hacktivists
• Representing 2.1% of the total data breaches, accounting for 30.6M records
• Although this is relatively small, it’s important to note the increase from 8.2M exposed records in 2014

#5 - State Sponsored
• Although these represented only 2% of attacks in 2015, they exposed 107.7M records

[1] Breach Level Index

Page 7

What is the Common Threat Denominator?

2015 Verizon Data Breach Investigations Report: % of Security Incidents by Incident Classification

Incident Classification     2014     2013
POS Intrusions              28.5%    0.7%
Crimeware                   18.8%    25.1%
Cyber-Espionage             18.0%    0.8%
Insider Misuse              10.6%    20.6%
Web App Attacks             9.4%     4.1%
Misc. Errors                8.1%     29.4%
Physical Theft/Loss         3.3%     15.3%
Payment Card Skimmers       3.1%     0.1%
Denial of Service           0.1%     3.9%

Presentation Notes:
It may not be obvious at first glance, but the common denominator across the top four patterns—accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T uber-patterns. At this point, take your index finger, place it on your chest, and repeat “I am the problem,” as long as it takes to believe it. Good—the first step to recovery is admitting the problem.

With that uncomfortable intervention out of the way, let’s hurriedly shift conversation to Figure 25, which focuses on confirmed data breaches. It doesn’t remove the user aspect entirely, but it does allow us to point the finger in a different direction. POS breaches jump up to the pole position, which shouldn’t be too much of a shocker given the headlines in 2014. Crimeware is still #2, but notice the difference in volume between Figures 24 and 25: It essentially contrasts the stuff that makes your mom’s machine run like an 80386 versus the more malicious kits designed to pilfer data. The fact that Cyber-Espionage ranks higher than Insider Misuse and Web App Attacks is rather surprising. It’s hard to discern from the data if that’s due to legitimate trends, contributor foci, low-fidelity data, or a mix of all the above (probably the latter). Did Payment Card Skimmers and POS Intrusions go extinct in 2012? Nope. We just tripled contributors that year and brought in a large volume of new threats.

Showing Figure 25 is risky because it may cause more confusion than valid conclusions, but what the heck—we live on the edge. Although we’d like it to purely reflect changes in the external threat environment over the years, it more realistically reflects changes to our data set caused by a rapidly expanding base of contributors. Did Payment Card Skimmers and Point-of-Sale Intrusions really go extinct in 2012? Nope. We just tripled contributors that year and brought in a large volume of new/different threats (e.g., Miscellaneous Errors). Given that kind of volatility in the data set, it’s amazing that some, like Insider Misuse and Web App Attacks, remain quite stable over time. This is nifty from a data-wonk perspective, but the real power of that statistic lies in what it means for security risk management. It suggests that, while the threats against us may seem innumerable, infinitely varied, and ever changing, the reality is they aren’t. This certainly doesn’t diminish the significant challenges faced by defenders, but it does imply a threat space that is finite, understandable, and at least somewhat measurable. If that is indeed the case—and 11 years of data is a pretty strong baseline—then threats may just be more manageable than some of the we-should-all-just-give-up-now-because-our-adversaries-are-superhuman crowd likes to promote.
Page 8

Which Industries are Affected the Most?

Number of Records Breached by Industry, 2014 - 2015 (# of Compromised Records by Industry, 2014 vs 2015)

Industry      2014            2015            Total
Government    42,844,710      307,122,342     349,967,052
Healthcare    29,384,567      134,385,415     163,769,982
Other         30,515,427      121,129,222     121,644,649
Technology    96,493,092      84,394,833      180,887,925
Retail        567,316,824     40,075,707      607,392,531
Education     51,377,801      19,328,253      70,706,054
Financial     205,175,846     1,074,043       206,249,889
Total         1,023,108,267   707,509,815     1,730,618,082

Presentation Notes:
Pink indicates that 2015 saw more records lost; green indicates that 2015 had fewer records lost. We can attribute this to better practices and processes within the organizations, better IT solutions, and those events which were very large and skewed the numbers. SMBs are targeted 70% of the time.
Page 9

So How much do these Data Breaches Cost?

Columns: Company | # of Records Breached | Costs | Insurance | Root Cause of the Breach | Notes

Company: [logo, name not captured]
- Records Breached: 130 Million
- Costs: $140M to Date
- Insurance: $30M
- Root Cause: SQL injection code that allowed hackers to reach their systems for 6 months
- Notes: Stock fell by 80%, resulting in shareholder suits

Company: [logo, name not captured]
- Records Breached: 110 Million
- Costs: $252M
- Insurance: $90M
- Root Cause: Malware was introduced by a much smaller corporate partner
- Notes: 46% drop in sales in the quarter that the breach hit; 70 class action lawsuits; 4 shareholder derivative demands

Company: TJ Maxx
- Records Breached: 94 Million
- Costs: Approx. $1.6B
- Insurance: No evidence
- Root Cause: Hackers broke into their wireless network and stole the records in the 2nd half of 2005 and throughout 2006
- Notes: 25 class action lawsuits following the breach; in settlements, TJ Maxx paid out several hundred million dollars

Presentation Notes:
These are only the costs we can see.
Page 10

So How much do these Data Breaches Cost?

Columns: Company | # of Records Breached | Costs | Insurance | Root Cause of the Breach | Notes

Company: Panama Papers
- Records Breached: 2.6 TB of data; 11.5M confidential documents; 4.8M emails; 214K offshore entities
- Costs: TBD – possibly the most in direct losses; loss of reputation
- Insurance: NA
- Root Cause: Outdated firewalls, antivirus, password protection and encryption; outside hacker
- Notes: Offshore holdings of 12 world leaders, 140 political leaders and 29 Forbes-listed billionaires

Company: Anthem
- Records Breached: 78.8 Million
- Costs: $142M to Date
- Insurance: NA
- Root Cause: Nation-state cyber attack, executing a sophisticated attack to gain unauthorized access
- Notes: Post-breach, Anthem spent $65M in cybersecurity enhancements in both 2015 and 2016

Company: JP Morgan
- Records Breached: 83 Million
- Costs: Estimated $1 Billion
- Insurance: NA
- Root Cause: Employee's personal computer was infected with malware that stole login credentials
- Notes: IT spending expected to increase by an additional $250M both this year and next year

Presentation Notes:
Panama Papers: 2.2M PDFs, 1.1M images and 320K off-shore entities.
JP Morgan: When this employee remotely connected to the corporate network, the hacker was able to gain access internally.
Page 11

A Deeper Look into the TJ Maxx Breach

Understanding a Breakdown of the Costs

#1 – Breach Discovery: Theft of data for 45,000,000 credit and debit cards at TJX stores discovered in December 2006.

#2 – More Discovery: Banking associations that issued some of the affected cards asserted that hackers actually compromised the security of over 94,000,000 accounts.

#3 – Announcement: Breach was announced in January 2007, ultimately concluding that the hackers first had access to customer financial information as far back as 2003.

#4 – Settlements: Breach was announced and 25 class action lawsuits against TJX quickly followed. TJX settled with Visa for $41M, MasterCard for $24M and $525K to 5 smaller banks. TJX also settled with attorneys general from 41 states in a deal that included $2.5M for state funds to advance security and $5.5M to cover the investigations of the breach.

#5 – Credit Monitoring: TJX offered 3 years of credit monitoring to 455,000 class members. At $390 per person, this cost TJX $177M.

#6 – Attorney’s Fees: Courts approved attorney’s fees of $6.5M.

#7 – Cash Settlements: TJX had several covenants in their settlement agreements that provided cash to customers who made a purchase during the breach timeframe. Combined, $8M was paid out.

SUMMARY: It is clear to see how these breaches can escalate from one party to the next. Adequate cyber insurance would have covered most of these costs, certainly all of the direct costs.

Page 12

What Are Your Exposures?

Network Security Breach
• Theft or Destruction of Electronic Data on your Company’s Computer System
• Unauthorized Access or Use of your Company’s Computer System
• Transmission of Malicious Code from your Computer System to a 3rd Party’s Computer System
• Denial of an Authorized User’s access to a Computer System, or participation in a Denial-of-Service (DoS) Attack against a 3rd Party Computer System

Privacy Breach
• An Unauthorized Disclosure or Loss of Personal and/or Confidential Information in the care, custody, or control of any Insured or Service Provider
• A violation of Any Privacy Regulation, i.e. HIPAA, PCI, FTC, FCC, SEC, DOJ

Technology Failures
• Business Income and Extra Expense
• Dependent Business Income

Page 13

Why Do You Need Cyber Insurance?

Cyber Insurance is “Your Last Line of Defense” when Technology Fails

A Cyberattack can burden your company with substantial time and costs that can put YOU out of BUSINESS if YOU’RE NOT PROTECTED.

Cyber Insurance covers a business’s liability for a data breach in which their customers’ information (PII, Tax Info, Health Info, etc.) is exposed or stolen by a criminal or someone with unauthorized use who has gained access to the company’s network.

• Crisis Management Costs
• Notification Costs
• Business Interruption Costs
• Regulatory Fines and Penalties
• Legal Liability
• Reputational Damage

Presentation Notes:
Business interruption losses may be incurred as network systems become unavailable, both internally and externally, along with exceptional expenses arising directly from the breach itself from the moment it is discovered. Beyond the millions of dollars it can save your company, it also provides you with the resources to efficiently handle any breach, and additional tools:

Crisis Management: Forensics Vendor; Notification Vendor; Call Centers; PR Vendor; ID Theft Insurance; Credit Monitoring; Attorney Oversight

Plaintiff Demands: Fraud Reimbursement; Credit Card Replacement; Credit Monitoring, Repair, and Insurance; Civil Fines / Penalties; Time

Attorney Fees: Breach Guidance; Investigation; Notification; Litigation Prep; E-Discovery; Contractual Review; Defense
Page 14

Four Main Types of Cyber Insurance Coverage

First and Third Party Coverage

Data Breach and Privacy Management
- Crisis Services – The costs of managing and recovering from a Data Breach, including: Computer Forensics, Notifying Customers, Credit Monitoring, Call Centers, PR Firm, Restoring Lost Data, and any Legal Fees
- Regulatory Defense – Federal and State Compliance/Investigation, Legal Support, Fines, Penalties
- Prior-Acts Coverage – Retroactive date for delayed breach discoveries

Network Security Liability / Business Interruption
- Network Security Liability: The Damages or Claim Expenses the Insured is legally obligated to pay in the event of a security breach
- Business Interruption: The Loss of Income / Gross Profit during an interruption to the company that was caused by a hack or denial of service attack

Media Liability
- Coverage – A third party brings a claim against you for defamation or breach of intellectual property rights arising from your internet, website, e-mail and other electronic media

Extortion Liability
- Third party threats to damage, destroy, prevent access to, copy or steal your computer systems, programs or data, or to disseminate sensitive data held by the company, unless a ransom is paid
- Insurers also cover the value of goods / services surrendered

Presentation Notes:
NetDiligence 2015 Cyber Claims Study reports that 78% of cyber insurance payments were for crisis services.
Page 15

Not All Policies Are Created Equal

Key Coverage and Policy Considerations when Purchasing Cyber Insurance

• Make certain that the policy is triggered upon the “discovery” of a data breach, not requiring a “Claim” to be made before coverage is triggered, like in General Liability Policies
• Most policies require compliance with a certain level of security
• Many policies will exclude coverage if the device leading to a cyber breach is portable
• Make certain that coverage for Third Party Vendors is included
  • You are still liable even if the breach occurs from a 3rd Party Vendor (unless you have contractually transferred the risk to them)
• Intentional Acts Exclusion
  • Policies will not respond if an employee intentionally causes a breach
• Antitrust violations may be excluded
• How are Breach Counsel and Vendors Selected?
• How does your Cyber Policy interact with other policies?
• How is your policy affected by any merger or acquisition?

It is critical that a professional reviews your policy. There is no standardization in the coverages offered by different insurers. Policy Terms, Language and Conditions vary from one insurer to the next.

Presentation Notes:
Make certain that the policy is triggered upon the “discovery” of a data breach, not requiring a “Claim” to be made before coverage is triggered, like in General Liability Policies. It can take upwards of 200 days to discover a data breach, and the costs incurred by a company to notify customers, provide credit monitoring services, legal costs, etc., of the data breach may not be covered, as the Insurer is likely to say that those costs were incurred before a Claim was made (as defined in the policy).

When is Notice to an Insurer Required? Typically, notice to the insurer is required at a very early stage of potential breach identification, and you want to make certain that you get consent from the insurers for the many expenditures following a breach.

How are Breach Counsel and Vendors Selected? Typically, cyber insurance policies require underwriter approval of the use of breach vendors. It is prudent to select these vendors in advance of a breach and get any contractual and conflict measures resolved with these vendors prior to a breach, but it is also important to make sure your insurance provider approves of the use of the vendors as well.

Most policies require compliance with a certain level of security. Policies may exclude coverage if data is unencrypted or if the Insured has failed to appropriately install software updates or security patches.

Many policies will exclude coverage if the device leading to a cyber breach is portable. This exclusion should be removed, or at least amended to include claims arising from portable devices where the data is encrypted.

Many policies exclude coverage for Third Party Vendors. Seek to make certain that the definition of “Computer System” includes any third-party network or cloud providers. You are still liable to your customers even if the breach occurs from a third party vendor (unless contractually you have transferred the risk to them), and many policies will only cover a breach caused to you, not those for which you are liable (i.e. vendor). You want to make certain that your vendor has a Cyber Liability and E&O Policy. If the compromised data was from your cloud provider, you would likely sue them for failure to perform their service (i.e. protect the data), which would hit their E&O Policy.

Intentional Acts Exclusion: Policies will not respond if an employee intentionally causes a breach. This is where your cyber and crime policies need to coordinate with one another.
Page 16

What is Social Engineering Fraud and Where can You Get Coverage?

• Social Engineering Fraud is the art of manipulating people into performing actions or divulging confidential information
• Coverage is provided through Crime Insurance, NOT CYBER INSURANCE
• Typically through a sub-limit and is added as an endorsement by request

200M: SMiShing messages sent each day
33%: Of phishing attacks target financial services
$21M: UK banks alone lost in 2014 from vishing attacks
75M: Fake or duplicate Facebook accounts

Presentation Notes:
Phishing – Emails sent under false pretenses to trick users into supplying confidential information or performing tasks.
Vishing – Calling someone pretending to be an authority figure, such as an IT supervisor who needs credentials.
Mining Social Media – Roughly 75 million Facebook accounts are fake or duplicate and are used to find out additional information about a person.
SMiShing – Phishing messages sent through text rather than email; 200 million are sent every day.
Page 17

Can a Director or Officer be Held Liable?

• Although no individual director or officer has been held personally liable for the costs of a data breach to date, such lawsuits have been filed and it is only a matter of time before unprepared and negligent directors and officers are held personally liable for the defense and damages in the event of a data breach.
• Cyber Security is no longer an IT Department Issue; it is now a matter of corporate governance.
• Directors owe Duties of Care and Loyalty (Duty of Oversight).
• Consider the Target Breach, where at least 4 shareholder derivative lawsuits were filed against the board alleging breach of their fiduciary duty to protect, and waste of, corporate assets in their conduct before the data breach, misconduct that allowed the data breach to happen and, lastly, that the D&Os acted improperly in the way they disclosed, investigated and remediated the data breach.
• Following a Data Breach, it is likely that a derivative lawsuit will be filed against the board for “breaching its duty of loyalty by failing to act in the face of a reasonably known threat”.
• Plaintiff is not required to prove damages resulting from theft of PII.

A BOARD THAT FAILS TO MANAGE AND MONITOR CYBERSECURITY MOST LIKELY BREACHES ITS DUTIES OF CARE AND OVERSIGHT

Page 18

How Do You Protect Against Board Liability?

D&O Insurance and Indemnity and Board-Driven Culture

Board Must Become Well Informed and Drive a “CyberSecure” Culture
• Board should appoint a committee responsible for privacy and security
• Hire at least one tech-savvy member to clarify risks
• Follow best industry practices

D&O Insurance Considerations
• Regulatory Exclusion
• Bodily Injury Exclusion
• Contractual Liability Exclusion
• Prior/Pending Litigation Exclusion

Page 19

The Current State of the Cyber Insurance Market

Cyber Insurance is still in its infancy! There is no standardization of underwriting process or policy language.

How many Cyber Insurance Companies?
Roughly 60 in the US and 26 in the UK. Large organizations have difficulty obtaining adequate limits; insurance companies stack their limits through layered programs.

Who Does Not have Cyber Insurance?
Estimated that 75% of all organizations do not have cyber insurance.

US Cyber Insurance Market is expected to exceed $7.5B in annual premium, up from $2.5 billion today.

Why is Cyber Risk Difficult to Underwrite?
• The Complexity of the Risk
• The Lack of Historical Data
• Risk Aggregation
