Page 1: Data Breaches and Cyber Liability · 2018. 4. 1.

CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited © 2014 CUNA Mutual Group, All Rights Reserved.

Data Breaches and Cyber Liability
Coastal Supervisory Committee and Internal Auditor Conference

Presented by: Ken Otsuka, Business Protection Risk Management
CUNA Mutual Group

Page 2:

Data Breaches – How do they Happen?

• Network hackers and malware
• Employee negligence / theft
• Lost / stolen laptops, backup tapes / disks and other data-bearing mobile devices
• Vendor leaks / mistakes

Page 3:

Data Breaches

• Financial risk
• Compliance / legal risk
• Reputation risk

A data breach can result in more than lost data. It can damage the credit union’s reputation, shake member trust, and cost tens of thousands of dollars to repair.

Page 4:

Agenda

• Data breach studies by the Ponemon Institute, Verizon, Mandiant and PricewaterhouseCoopers
• Data breach insurance claims study – NetDiligence
• Best practices for securing members’ confidential data
• Mobile devices
• Incident response planning
• National Institute of Standards and Technology’s Cybersecurity Framework

Page 5:

Ponemon Institute
Is Your Company Ready for a Big Data Breach?

The Good
• 73% of the organizations have an incident response plan in place, compared to 61% in last year’s study

The Bad
• 78% of the organizations say they don’t review and update their incident response plan, or have no set timeframe for doing so
• Only 30% of the respondents say their organizations are effective or very effective in developing and executing their incident response plan
• 56% of the organizations do not perform a risk assessment on their information systems to identify vulnerabilities
• Only 54% of the organizations have training and security awareness programs
– Only 34% of the organizations train customer service representatives on how to respond to questions in the event a breach occurs

Source: Ponemon Institute’s 2014 study, Is Your Company Ready for a Big Data Breach?

Page 6:

Ponemon Institute
Is Your Company Ready for a Big Data Breach?

The Ugly
• 43% of the organizations experienced a data breach involving a theft of more than 1,000 records
• 60% of the organizations experienced more than one data breach during the last two years
• Only 41% provide for either continuous monitoring (20%) or daily monitoring (21%) of their information systems for suspicious/anomalous traffic
– 44% say they either never monitor their information systems (28%) or are unsure if monitoring takes place (16%)

Page 7:

Verizon 2015 Data Breach Investigations Report

External threats far exceed internal threats and partner threats.

Source: Verizon 2015 Data Breach Investigations Report

Page 8:

Mandiant’s 2015 M-Trends Report

Early Detection is Critical

Source: Mandiant 2015 M-Trends Report

Page 9:

PwC’s Global State of Information Security Survey 2015

Security incidents reported by respondents, by year:
2012: 24.9 million
2013: 28.9 million
2014: 42.8 million

The total number of security incidents reported by respondents climbed to 42.8 million, the equivalent of 117,339 incoming attacks per day.

Source: PwC Global State of Information Security Survey 2015

Page 10:

NetDiligence
2014 Cyber Liability & Data Breach Insurance Claims Study

• Per breach costs
– Average payout: $733,109; median payout: $144,000
– Claim range: $1,000 to $13.7 million
– Typical claim: $30,000 to $400,000
• Per record costs
– Average cost per record: $956.21; median cost per record: $19.84
– Average records lost: 2.4 million; median records lost: 3,500
• Crisis service costs
– Average cost of crisis services: $366,484; median cost of crisis services: $110,594
– Crisis services include the cost of forensics, legal counsel guidance, notification and credit monitoring
• Legal costs
– Average cost of legal defense: $698,797; median cost of legal defense: $283,300
– Average cost of settlement: $558,520; median cost of settlement: $150,000

Source: NetDiligence 2014 Cyber Liability & Data Breach Claims Study

Page 11:

Why the Problem?

The Internet is an open network
• Credit unions collect, store and share a vast amount of member confidential data
• Websites are porous and need constant care
– Hardening and patching
• Lack of encryption
• Intrusion detection and network monitoring are weak
• Cyber thieves take advantage of human error
– Unchanged default settings
– Failing to install patches
– Failing to protect laptops
– Improper disposal of paper records
– Weak passwords

Source: Imperva, Consumer Password Worst Practices

Page 12:

Best Practices

• Encryption
– Data residing on the network (servers, workstation hard drives and laptops)
– Data residing on mobile devices
– Backup tapes/disks
– Data transmitted over the Internet and in emails
• Endpoint security
– Protects the endpoints (devices) connected to the credit union network
– Includes typical protections such as a firewall and antivirus/antimalware
• Intrusion detection system (IDS) / intrusion prevention system (IPS)
• Install operating system patches when made available
• Vulnerability assessments
• Penetration testing

Protect data wherever it is located: at rest, in motion, in use

Page 13:

Best Practices

• Monitor system logs
• Disable / lock down workstation USB ports and CD-ROM drives
– Helps prevent insider theft of confidential member data
• Data loss prevention (DLP) solution
– Identifies, monitors, and protects data at rest, in motion, and in use
– DLP tools allow credit unions to see which databases, file servers, desktops and laptops hold sensitive data
– Identifies when someone is transmitting data via email or downloading to external storage devices
• Third-party reviews of network security
• Secure paper records
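The DLP bullets above describe the capability at policy level. The following is an added example (not CUNA Mutual Group code, and not any vendor’s DLP engine) of the content rule at the heart of such a tool: scan an outbound email body, or a file about to be published or copied to external storage, for Social Security numbers and payment card numbers, validate each hit so that phone numbers and invoice references do not trigger alerts, and report only a redacted form of the value. The SSA structural rules and the Luhn check are real; the sample messages are constructed for this example, and the credit union’s own account-number format is not modelled because it has no public structure.

```python
"""Outbound-content scanner in the spirit of a DLP rule: flags e-mail bodies
or files that carry Social Security numbers or payment card numbers.

Added example, not CUNA Mutual Group code. The SSN structure rules follow the
Social Security Administration's published ranges (area never 000, 666 or
900-999; group never 00; serial never 0000); the card check is the Luhn
algorithm. Sample messages in the test are constructed for this example.
"""
import re
from dataclasses import dataclass, field

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13-19 digit runs, optionally broken by spaces or dashes as printed on a card.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues; this removes most false positives
    from phone numbers, dates and reference IDs that share the shape."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str        # "ssn" or "card"
    redacted: str    # what goes into the alert log; never the full value


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        """Policy decision: any validated identifier stops the transfer."""
        return bool(self.findings)


def scan_text(text: str) -> ScanResult:
    """Return the validated sensitive identifiers found in one message or file."""
    result = ScanResult()
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            result.findings.append(Finding("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            result.findings.append(
                Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    return result


if __name__ == "__main__":
    # Constructed outbound message, not real member data.
    msg = "Member John Doe, SSN 123-45-6789, card 4111 1111 1111 1111, phone 555-123-4567"
    r = scan_text(msg)
    print("blocked:", r.blocked, [(f.kind, f.redacted) for f in r.findings])
```

A production rule set adds attachment text extraction and the credit union’s own identifier formats; the point the example makes is that validation, not the regular expression alone, keeps the false-positive rate low enough that staff do not learn to ignore the alerts, and that the alert record itself must not become a second copy of the data.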

Page 14:

Best Practices

• Accessing network/systems remotely
– Telecommuters working from home
– Third-party vendors

Remote Access Best Practices
• Prohibit remote employees from using home computers to access the network
• Establish a virtual private network (VPN)
– A VPN is an encrypted, authenticated tunnel over the Internet that gives remote employees secure access to the credit union’s network
• Prohibit employees from using unsecured wireless networks (public Wi-Fi)
• Require multifactor authentication – not just usernames and passwords
– One-time-password tokens
– Plug-in tokens

Page 15:

Mobile Devices: Laptops / Tablets / Smartphones

• Credit union issued versus employee use of personal devices (BYOD)
– Both should be secured
• Secure the business side of the device (sandboxing)
– Good Technology
– MaaS360

Mobile Devices Used for Business Purposes
• Antivirus software
• Password protect the device; use a time-out feature to lock the device
• Remote wipe capability
• Prohibit employees from storing confidential member data on the device
– If it is necessary to store such data on the device, the data should be encrypted
• Encrypt confidential member data transmitted in emails

Page 16:

Data Breaches – Employee Negligence

• Credit union discovered malware on at least 24 workstation PCs
– Malware captures screen shots
– Social Security numbers, account information and transaction records for 115,000 accountholders (members) may have been compromised
• Credit union employee accidentally published a file on the credit union’s public-facing website
– File contained member names, addresses, Social Security numbers, account numbers and account passwords
• Credit union employee accidentally emailed a spreadsheet to a member
– Spreadsheet contained member names and account numbers

Source: CUMIS Insurance Society, Inc.

Page 17:

Data Breaches – Vendor Negligence

• Credit union uses a third-party vendor to mail monthly account statements
– Members received their correct statements plus a portion of statements belonging to other members
• Credit union downloaded confidential member data to a thumb drive for their outside auditor
– Auditor lost the thumb drive in a public park while watching son’s football game
– 14,500 members impacted

Source: CUMIS Insurance Society, Inc.

Page 18:

Planning and Responding

• Written incident response plan to address incidents of unauthorized access to member information
• Required by NCUA (Rules and Regulations Part 748, Appendix B)
• Minimum requirements include:
– Assess nature and scope of incident
– Identify what member information systems and what member information were breached
– Take appropriate action to contain and control the incident to prevent further unauthorized access to or use of member information
– Notify NCUA Regional Director or appropriate state supervisory authority
– File Suspicious Activity Report, if needed
– Notify appropriate law enforcement agency
– Notify impacted members

Incident Response Plan Suggested Practices
• Activate incident response team
• Contain the breach
• Analyze the breach
– Record all information relevant to the breach: who, what, when and how
– Forensics*
• Contact breach coach / legal counsel specializing in privacy issues
– Can be done immediately after discovery
• Notify your cyber liability insurance provider of potential loss
• Notify regulator
• File Suspicious Activity Report, if needed
• Analyze legal implications
– Identify federal, state and local laws / regulations impacted
– State data breach notification and timing requirements
• Update & test the plan annually

* Have a pre-determined list of IT forensics firms available

Page 19:

Security Awareness Training

• Must be addressed in the credit union’s information security program
• All employees should receive training on at least an annual basis
• The goal is to change employee behavior to reinforce good data security practices

Page 20:

Malware – Beyond Theft of Data

Carbanak Malware
• Targeted 100 financial institutions in 30 countries, including the U.S.
• Losses per institution ranged from $2.5M to $10M
• Funds stolen from institutions – not from depositor accounts
• Distributed via phishing attacks
• Sought out employees with administrative rights
• Performed reconnaissance (video) to learn details of the 3rd party EFT systems used
• Logged into 3rd party EFT systems to transfer funds to other institutions

Source: Kaspersky Lab, The Great Bank Robbery: The Carbanak APT

Page 21:

Carbanak Malware – Lessons Learned

• Tighten acceptable use policies
• Frequent staff training
• Ensure AV software is updated regularly
• Patch management
• Vulnerability scans
• Monitor outbound communications of servers and workstation computers
• Intrusion detection system / intrusion prevention system
• Review logs
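Of the lessons listed, monitoring outbound communications is the one that gives the defender the most time in a Carbanak-style intrusion: the malware has to call home for months of reconnaissance before any EFT transfer happens. As an added example (not CUNA Mutual Group or Kaspersky code), the following flags beaconing, a workstation contacting one external host at a near-constant interval, which is how command-and-control traffic looks in a connection log no matter what port it uses. The log format, the thresholds and the log lines are all constructed for this example, using RFC 5737 documentation addresses.

```python
"""Outbound-connection beacon detector for the Carbanak lesson: a workstation
that contacts one external host at a steady cadence is talking to a
command-and-control server, whatever the port.

Added example, not CUNA Mutual Group or Kaspersky code. The log format,
thresholds and sample lines are constructed; 203.0.113.0/24 and
198.51.100.0/24 are RFC 5737 documentation ranges, not real hosts.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# One outbound connection per line: "<ISO time> <src host> -> <dst>:<port> bytes=<n>"
# ws-017 polls one host every ~5 minutes; ws-042 is a person browsing.
SAMPLE_LOG = """\
2015-02-10T09:00:00 ws-017 -> 203.0.113.55:443 bytes=512
2015-02-10T09:00:02 ws-017 -> 198.51.100.20:443 bytes=48120
2015-02-10T09:03:12 ws-042 -> 198.51.100.20:443 bytes=91000
2015-02-10T09:05:00 ws-017 -> 203.0.113.55:443 bytes=520
2015-02-10T09:10:01 ws-017 -> 203.0.113.55:443 bytes=508
2015-02-10T09:11:40 ws-017 -> 198.51.100.20:443 bytes=2210
2015-02-10T09:15:00 ws-017 -> 203.0.113.55:443 bytes=515
2015-02-10T09:19:59 ws-017 -> 203.0.113.55:443 bytes=511
2015-02-10T09:21:40 ws-042 -> 198.51.100.20:443 bytes=1200
2015-02-10T09:25:00 ws-017 -> 203.0.113.55:443 bytes=530
2015-02-10T10:30:44 ws-042 -> 198.51.100.20:443 bytes=3300
2015-02-10T10:34:09 ws-042 -> 198.51.100.20:443 bytes=8000
2015-02-10T11:40:01 ws-042 -> 198.51.100.20:443 bytes=700
2015-02-10T12:15:30 ws-042 -> 198.51.100.20:443 bytes=2400
"""

MIN_CONNECTIONS = 5   # below this a regular cadence means nothing (assumed threshold)
MAX_JITTER = 0.10     # stdev/mean of the gaps; humans and browsers are far noisier


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, _bytes = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(log_text, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Group connections per (src, dst) and flag pairs whose inter-connection
    gaps are numerous and nearly constant. Returns {pair: details}."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        by_pair[(src, dst)].append(ts)

    alerts = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            alerts[pair] = {"connections": len(times),
                            "mean_gap_s": round(avg, 1),
                            "jitter": round(jitter, 3)}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"BEACON {src} -> {dst}: {info}")
```

Real malware adds random jitter to its sleep interval, so a production detector raises the tolerance and scores on several signals at once (cadence, constant payload size, rare destination, off-hours activity) rather than a single ratio; the constant-size requests in the sample log are the second of those signals and are left unscored here to keep the example to one idea.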

Page 22:

The National Institute of Standards and Technology (NIST)

Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)

Page 23:

NIST’s Cybersecurity Framework
Background

• President Obama issued Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) in 2013
– Directed the National Institute of Standards and Technology (NIST) to spearhead the development of a framework to reduce cyber risks to “critical infrastructure”
• NIST published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) in 2014
• Critical Infrastructure is defined in Presidential Policy Directive 21 (Critical Infrastructure Security and Resilience) to include the following sectors:

Industry Sectors
• Chemical
• Commercial facilities
• Communications
• Critical manufacturing
• Dams
• Defense industrial base
• Emergency services
• Energy
• Financial services
• Food and agriculture
• Government facilities
• Healthcare and public health
• Information technology
• Nuclear reactors, materials and waste
• Transportation systems
• Water and wastewater systems

Page 24:

NIST’s Cybersecurity Framework
What is it?

• Collection of best practices, procedures and guidelines developed in partnership by the government and private sector to manage cyber risk
• Relies on industry standards and best practices (e.g., ISO and COBIT)
• Intended to be used by organizations of all sizes to evaluate, maintain and improve security over information systems
• Not a “one-size-fits-all” approach
• Enables credit unions to understand how their cybersecurity risk management processes stack up against the ideal standards addressed in the Cybersecurity Framework
• Promotes participation in information sharing groups, such as FS-ISAC
• Participation is voluntary – CUNA Mutual Group highly recommends participating

Risk of Not Participating
The Cybersecurity Framework could potentially set cybersecurity standards for future legal rulings. For example, if a lawsuit is initiated against a credit union alleging violation of privacy laws due to a data breach, the credit union’s cybersecurity practices could be questioned. The court could identify NIST’s Cybersecurity Framework as a baseline for what is considered commercially reasonable cybersecurity standards.

Page 25:

NIST’s Cybersecurity Framework
What is it?

• Is not industry-specific
• Organizations must adapt it to the regulatory requirements/guidelines for their specific industry

Credit unions would refer to:
• Appendix A to NCUA §748 (Guidelines for Safeguarding Member Information);
• NCUA Letter No. 06-CU-07 (IT Security Compliance Guide); and
• Appendix B to NCUA §748 (Guidance on Response Programs)

Page 26:

NIST’s Cybersecurity Framework
Three Components

1 Framework Core
2 Framework Implementation Tiers
3 Framework Profile

Framework Core
• A set of cybersecurity activities, desired outcomes and informative references
• Organized by 5 continuous Functions (pillars) – Identify, Protect, Detect, Respond and Recover
• Identifies underlying Categories and Subcategories for each Function and matches them against example Informative References (industry standard best practices)

Framework Implementation Tiers
• Describes the level of sophistication a credit union employs in applying its cybersecurity practices, from Tier 1 (Partial) to Tier 4 (Adaptive)
• Allows credit unions to see how their current cybersecurity risk management practices stack up against the ideal standards in the Framework Core
• Progression to Tier 3 or 4 is the goal for most credit unions; NIST itself states that the Tiers are not maturity levels and encourages moving to a higher Tier where doing so reduces cybersecurity risk cost-effectively

Framework Profile
• Alignment of Functions, Categories and Subcategories with business needs, risk tolerance and resources
• Enables credit unions to establish a roadmap for reducing cybersecurity risk

Page 27:

NIST’s Cybersecurity Framework
Information Sharing

• Participation in FS-ISAC is strongly recommended by NIST
– The FFIEC also recommends participating in FS-ISAC
• Organizations participating in information sharing forums (e.g., FS-ISAC) are far better prepared to identify vulnerabilities and attack methods and have successfully mitigated cyber-attacks on their systems
• CUNA Mutual Group’s collaboration with FS-ISAC
– Credit unions that have or purchase a cyber liability insurance policy through CUNA Mutual Group may be eligible for a discount on the basic membership (new memberships and renewals)
– Visit CUNA Mutual Group’s dedicated web page to learn more: https://www.cunamutual.com/products/credit-union-protection/cyber-and-security-incident/fs-isac

Page 28:

Session Summary

• Information theft is one of today’s most common forms of fraud
• Given the financial, legal, and reputational risks of a data breach, failing to prepare can be a disaster
• Take proactive steps to prevent incidents from occurring in the first place
• Protection Resource Center @ www.cunamutual.com

Page 29:

Questions & Answers

Ken Otsuka, CPA
Senior Consultant - Risk Management
CUNA Mutual Group
Email: [email protected]

Page 30:

Disclaimer

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond.

Credit Union Loss Scenarios – Case Studies
The credit union loss scenario claim study examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language.

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.

This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.

CUP-9053301.1-0414-0516 ©CUNA Mutual Group, 2015 All Rights Reserved
