a cyber insurance and employee awareness training primer hosted by the institute of internal...
Post on 13-Jan-2017
Hosted by the Institute of Internal Auditors
The Role of Cyber Insurance & The People Factor in a Cyber Breach: Three Key Elements for Building a Human Firewall
Kirsten Liston and Steven Schwartz
June 23, 2016
CyberSecurity is No Longer an IT Department Issue
But How Much is this Threat Worth?
Can a Director or Officer be Liable?
The Threat Landscape is Changing
What Will Cyber Insurance Cover and When?
“There are those companies that have been hacked, and there are those companies that don’t know that they’ve been hacked”
The Annual Global Cost of Cybercrime is upwards of $445 Billion – Center for Strategic and International Studies (CSIS)
Directors owe Duties of Care and Duty of Oversight.
1. Data Breach and Privacy Mgmt.
2. Media Liability
3. Cyber Extortion
4. Network Security & Business Interruption
The Threat Landscape is Changing
Is Your Company Ready for a Big Data Breach?
[Infographic: what happens on the internet every minute of the day – users viewing videos, email users sending messages, search queries received, mobile app downloads, brand "likes" on Facebook, blog owners publishing new posts, new photos shared, profiles viewed, new websites created, and GB of internet traffic. The individual figures cannot be matched to their labels in this extraction.]
Is this Threat Real? What’s Actually Been Exposed?
“Cyber Security is the biggest risk facing the financial system” - Chair of the US SEC
Social Engineering cost US Victims more than $800M since 2013
• 707,509,815 Data Records Lost (2015); 75% of Incidents occurred in the US
• 1,023,108,267 Data Records Lost (2014); 75% of Incidents occurred in the US
SMBs = 70% of all incidents
Global annual Cost of Cybercrime: $445B+
Stolen Data Records by Industry (2014 vs 2015)
Retail:      2014: 567M   2015: 40M
Finance:     2014: 205M   2015: 1M
Government:  2014: 42M    2015: 307M
Healthcare:  2014: 30M    2015: 134M
The 2015 Leading Sources of Data Breach [1]
1,673 Total Breaches, compromising 707,509,815 Total Records
#1 - Malicious Outsiders
• The leading source of data breaches in 2015, accounting for 58% of total breaches
• Exposed more than 265.2M records, or 37% of the total
#2 - Accidental Loss
• The 2nd leading source of data breaches in 2015, accounting for 36%, yet more records lost than from malicious outsiders
• Exposed more than 257.7M records, mainly due to the US Government’s loss of 191M voter records
#3 - Malicious Insiders
• Launched 14% of the data breaches in 2015, exposing 46.3M records
• Often one of the most difficult to detect and most devastating to the firm
#4 - Hacktivists
• Representing 2.1% of the total data breaches, accounting for 30.6M records
• Although this is relatively small, it’s important to note the increase from 8.2M exposed records in 2014
#5 - State Sponsored
• Although these represented only 2% of attacks in 2015, they exposed 107.7M records
[1] Breach Level Index
What is the Common Threat Denominator? 2015 Verizon Data Breach Investigations Report
% of Security Incidents by Incident Classification, 2014 vs 2013
Incident Classification     2014     2013
POS Intrusions              28.5%    0.7%
Crimeware                   18.8%    25.1%
Cyber-Espionage             18.0%    0.8%
Insider Misuse              10.6%    20.6%
Web App Attacks             9.4%     4.1%
Misc. Errors                8.1%     29.4%
Physical Theft/Loss         3.3%     15.3%
Payment Card Skimmers       3.1%     0.1%
Denial of Service           0.1%     3.9%
Which Industries are Affected the Most? Number of Records Breached by Industry, 2014 - 2015
# of Compromised Records by Industry, 2014 vs 2015
Industry      2014            2015           Total
Government    42,844,710      307,122,342    349,967,052
Healthcare    29,384,567      134,385,415    163,769,982
Other         30,515,427      121,129,222    121,644,649
Technology    96,493,092      84,394,833     180,887,925
Retail        567,316,824     40,075,707     607,392,531
Education     51,377,801      19,328,253     70,706,054
Financial     205,175,846     1,074,043      206,249,889
Total         1,023,108,267   707,509,815    1,730,618,082
So How much do these Data Breaches Cost?
Company: (name not recoverable from the slide)
# of Records Breached: 130 Million
Costs: $140M to Date
Insurance: $30M
Root Cause of the Breach: SQL Injection code that allowed Hackers to reach their systems for 6 months
Notes: Stock fell by 80%, resulting in Shareholder Suits

Company: (name not recoverable from the slide)
# of Records Breached: 110 Million
Costs: $252M
Insurance: $90M
Root Cause of the Breach: Malware was introduced by a much smaller corporate partner
Notes: 46% drop in sales in the quarter that the breach hit; 70 Class Action Lawsuits; 4 Shareholder Derivative Demands

Company: TJ Maxx
# of Records Breached: 94 Million
Costs: Approx. $1.6B
Insurance: No Evidence
Root Cause of the Breach: Hackers broke into their wireless network and stole the records in the 2nd half of 2005 and throughout 2006
Notes: 25 Class Action lawsuits following the breach; TJ Maxx paid out several hundred million dollars in settlements
So How much do these Data Breaches Cost? (continued)
Company: (name not recoverable from the slide)
# of Records Breached: 2.6 TB of Data; 11.5M Confidential Documents; 4.8M Emails; 214K Offshore Entities
Costs: TBD – possibly the most in Direct Losses; Loss of Reputation
Insurance: NA
Root Cause of the Breach: Outdated firewalls, antivirus, password protection, encryption; outside hacker
Notes: Offshore Holdings of 12 world leaders, 140 Political Leaders and 29 Forbes-listed Billionaires

Company: Anthem
# of Records Breached: 78.8 Million
Costs: $142M to Date
Insurance: NA
Root Cause of the Breach: Nation-State Cyber Attack, executing a sophisticated attack to gain unauthorized access
Notes: Post-Breach, Anthem spent $65M in Cybersecurity Enhancements in both 2015 and 2016

Company: (name not recoverable from the slide)
# of Records Breached: 83 Million
Costs: Estimates $1 Billion
Insurance: NA
Root Cause of the Breach: An Employee's Personal Computer was infected with malware that stole login credentials
Notes: IT Spending expected to increase an additional $250M both this year and next year
A Deeper Look into the TJ Maxx Breach: Understanding a Breakdown of the Costs
#1 – Breach Discovery: Theft of data from 45,000,000 credit and debit cards at TJX Stores discovered in December, 2006
#2 – More Discovery: Banking associations that issued some of the affected cards asserted that hackers actually compromised the security of over 94,000,000 accounts.
#3 – Announcement: Breach was announced in January, 2007, ultimately concluding that the hackers first had access to customer financial information as far back as 2003.
#4 – Settlements: Breach was announced and 25 Class Action Lawsuits against TJX quickly followed. TJX settled with Visa for $41M, MasterCard for $24M and $525K to 5 smaller banks. TJX also settled with attorneys general from 41 states in a deal that included $2.5M for state funds to advance security and $5.5M to cover the investigations of the breach
#5 – Credit Monitoring: TJX offered 3 years of credit monitoring to 455,000 Class Members. At $390 per Person, this cost TJX $177M
#6 – Attorney’s Fees: Courts approved Attorney’s Fees of $6.5M
#7 – Cash Settlements: TJX had several covenants in their settlement agreements that provided cash to customers who made a purchase during the breach timeframe. Combined, $8M was paid out.
SUMMARY: It is clear to see how these breaches can escalate from one party to the next. Adequate Cyber Insurance would have covered most of these costs, certainly all of the Direct Costs
What Are Your Exposures?
Network Security Breach
• Theft or Destruction of Electronic Data on your Company’s Computer System
• Unauthorized Access or Use of your Company’s Computer System
• Transmission of Malicious Code from your Computer System to a 3rd Party’s Computer System
• Denial of an Authorized User’s access to a Computer System or participation in a Denial-of-Service (DoS) Attack against a 3rd Party Computer system.
Privacy Breach
• An Unauthorized Disclosure or Loss of Personal and/or Confidential Information in the care, custody, or control of any Insured or Service Provider;
• A violation of Any Privacy Regulation, i.e. HIPAA, PCI, FTC, FCC, SEC, DOJ
Technology Failures
• Business Income and Extra Expense
• Dependent Business Income
Why Do You Need Cyber Insurance? Cyber Insurance is “Your Last Line of Defense” when Technology Fails
A Cyberattack can burden your company with substantial time and costs that can put YOU out of BUSINESS if YOU’RE NOT PROTECTED.
Cyber Insurance covers a business’s liability for a data breach in which their customers’ information (PII, Tax Info, Health Info, etc.) is exposed or stolen by a criminal or by another unauthorized user who has gained access to the company’s network.
• Crisis Management Costs
• Notification Costs
• Business Interruption Costs
• Regulatory Fines and Penalties
• Legal Liability
• Reputational Damage
Four Main Types of Cyber Insurance Coverage: First and Third Party Coverage
Data Breach and Privacy Management
- Crisis Services – The costs of managing and recovering from a Data Breach, including: Computer Forensics, Notifying Customers, Credit Monitoring, Call centers, PR Firm, Restoring Lost Data, and any Legal Fees
- Regulatory Defense – Federal and State Compliance/Investigation, Legal Support, Fines, Penalties
- Prior-Acts Coverage – Retro-active date for delayed breach-discoveries
Network Security Liability / Business Interruption
- Network Security Liability: The Damages or Claim Expenses the Insured is legally obligated to pay in the event of a security breach
- Business Interruption: The Loss of Income / Gross Profit during an interruption to the company that was caused by a hack or denial-of-service attack
Media Liability
- Coverage – A third party brings a claim against you for defamation or breach of intellectual property rights arising from your internet, website, e-mail and other electronic media
Extortion Liability
- Third Party threats to damage, destroy, prevent access to, copy or steal your computer systems, programs or data, or to disseminate sensitive data held by the company, unless a ransom is paid
- Insurers also cover the Value of Goods / Services surrendered
Not All Policies Are Created Equal: Key Coverage and Policy Considerations when Purchasing Cyber Insurance
• Make certain that the policy is triggered upon the “discovery” of a data breach, not requiring a “Claim” to be made before coverage is triggered, as in General Liability Policies
• Most policies require compliance with a certain level of security
• Many policies will exclude coverage if the device leading to a cyber breach is portable
• Make certain that coverage for Third Party Vendors is included
  • You are still liable even if the breach occurs from a 3rd Party Vendor (unless you have contractually transferred the risk to them)
• Intentional Acts Exclusion
  • Policies will not respond if an employee intentionally causes a breach
• Antitrust violations may be excluded
• How are Breach Counsel and Vendors Selected?
• How does your Cyber Policy interact with other policies?
• How is your policy affected by any merger or acquisition?
It is critical that a professional reviews your policy. There is no standardization in the coverages offered by different insurers; Policy Terms, Language and Conditions vary from one insurer to the next
What is Social Engineering Fraud and Where can You Get Coverage?
• Social Engineering Fraud is the art of manipulating people into performing actions or divulging confidential information
• Coverage is provided through Crime Insurance, NOT CYBER INSURANCE
• Typically through a sub-limit and is added as an endorsement by request
200M SMiShing Messages sent Each Day
33% of Phishing Attacks target Financial Services
$21M UK Banks alone Lost in 2014 from Vishing Attacks
75M Fake or Duplicate Facebook Accounts
Can a Director or Officer be Held Liable?
• Although no individual director or officer has been held personally liable for the costs of a data breach to date, such lawsuits have been filed and it is only a matter of time before unprepared and negligent directors and officers are held personally liable for the defense and damages in the event of a data breach.
• Cyber Security is no longer an IT Department Issue; it is now a matter of corporate governance
• Directors owe Duties of Care and Loyalty – Duty of Oversight
• Consider the Target Breach, where at least 4 shareholder derivative lawsuits were filed against the board alleging breach of their fiduciary duty to protect, and waste of, corporate assets in their conduct before the data breach, misconduct that allowed the data breach to happen and, lastly, that the D&Os acted improperly in the way they disclosed, investigated and remediated the data breach.
• Following a Data Breach, it is likely that a derivative lawsuit will be filed against the board for “breaching its duty of loyalty by failing to act in the face of a reasonably known threat”
• Plaintiff is not required to prove damages resulting from theft of PII
A BOARD THAT FAILS TO MANAGE AND MONITOR CYBERSECURITY MOST LIKELY BREACHES ITS DUTIES OF CARE AND OVERSIGHT
How Do You Protect Against Board Liability?
Board Must Become Well Informed and Drive a “CyberSecure” Culture
• Board Should Appoint a Committee Responsible for Privacy and Security
• Hire at least one tech savvy member to clarify risks
• Follow best industry practices
D&O Insurance Considerations
• Regulatory Exclusion
• Bodily Injury Exclusion
• Contractual Liability Exclusion
• Prior/Pending Litigation Exclusion
D&O Insurance and Indemnity and Board-Driven Culture
The Current State of the Cyber Insurance Market: Cyber Insurance is still in its infancy! There is no standardization of underwriting process or policy language
How many Cyber Insurance Companies? Roughly 60 in the US and 26 in the UK. Large organizations have difficulty obtaining adequate limits, so insurance companies stack their limits through layered programs
Who Does Not have Cyber Insurance? Estimated that 75% of all Organizations do not have Cyber Insurance
US Cyber Insurance Market is expected to exceed $7.5B in annual premium, up from $2.5 billion today
Why is Cyber Risk Difficult to Underwrite? The Complexity of the Risk; The Lack of Historical Data; Risk Aggregation