Cyber Risk Management
Privacy & Data Protection
Agenda
► Introductions
► Risk Management 101
► Defining & Quantifying a Breach
► Prevention, Mitigation & Transfer Strategies
► Finance Strategy: Cyber Insurance
► Underwriting Criteria
► First Party vs. Third Party Coverages
► Case Studies
► Q&A
What is Risk Management?
Cycle: Engage, Assess, Plan, Implement
► Identify The Opportunities
► Organize & Categorize initiatives
► Quantify The Impact
► Prioritize The Initiatives
► Create a Strategic Plan
► Engage Team & Strategic Partners
► Continually Monitor Progress
Risk management is the continual process of identifying, measuring, and minimizing the effects of risk.
Risk Management 101
Types of Risk: Business, Strategic, Hazard
Risk Management Strategies:
► Prevent
► Transfer
► Mitigate
► Assume
► Finance
Defining a Breach
A data breach is an incident that involves the unauthorized or illegal viewing, access, or retrieval of data by an individual, application, or service. It is a type of security breach specifically designed to steal and/or publish data to an unsecured or illegal location.
Source: www.techopedia.com
Quantifying a Breach
Average Number of Records Breached Per Incident: 28,765
Average Cost Per Breached Record: $192 - $240
Varying Factors
► Number of Records Breached
► Type of Breach (PCI, PHI, or PII)
► Class Action Lawsuit Filed?
Source: Ponemon Institute / Symantec Study
Risk Management
Type of Risk | Risk Management Strategies
► Prevent?
► Mitigate?
► Transfer?
My Password is…
https://www.youtube.com/watch?v=opRMrEfAIiI
Finance Strategies
Cyber Liability Insurance -
A type of insurance designed to cover consumers of technology services or products (sometimes referred to as Privacy & Data Protection Insurance). More specifically, the policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network.
Most notably, but not exclusively, cyber and privacy policies cover a business’ liability for a data breach (either in physical form, or via an electronic platform).
Process of Financing
► Applications
► Underwriter Review
► Quote Review
► Purchase
Application Process
► Technical Questions
► Operational Questions
► Addendum On Additional Information
Underwriter Review
► Industry Classification
► Annual Revenue
► PII Quantity
► Minimum Controls
► Standard and Advanced Controls
► Red Flags
Key Coverages
► 1st Party
  ► Notification
  ► Crisis Management
  ► Forensic Costs
  ► Public Relations
  ► Regulatory expenses
  ► Business Interruption
► 3rd Party Liability
1st Party Coverages: Investigation Expense Coverage
► To determine the source or cause of the Data Privacy Wrongful Act or Network Security Wrongful Act.
Source: THDPNSLP
1st Party Coverages: Notification and Credit Monitoring Expense Coverage
► Notify customers
► Credit monitoring services
► Voluntary Notifications
1st Party Coverages: Business Interruption
► Income loss and extra expenses during the period of restoration
► Must result from a network attack
► A retention of 8-12 hours
1st Party Coverages: Crisis Management Expense Coverage
► Public Relations firm
► Crisis Management Firm
► IdentityTheft 911
► Pre- and Post-Breach Services
3rd Party Coverages: Data Privacy Regulatory Expense Coverage
► Fines and Penalties levied against insureds
► PCI Fines and Penalties
3rd Party Coverages: Privacy Liability
► the improper dissemination of Nonpublic Personal Information; or
► any breach or violation by the Insured of any Data Privacy Laws.
3rd Party Coverages: Network Security Liability
► Unauthorized access to or use of the computer system
► Inability of an authorized 3rd party to access
► Failure to prevent identity theft
► Transmission of malicious code
► Others…
3rd Party Coverages: E-Media Liability
► Provides cover for suits from electronic media
► Libel, defamation, slander, copyright infringement…
Crisis Management Services
Pre-approved vendors
► 1st party expenses
Risk Management Services/Resources
► Web portals
► Phone services
Conditions
► Notification provisions
► Breach from 3rd party services
► Definition of PII
► Unencrypted portable devices exclusion
Quote Evaluation
► Limits
► Sublimits
► Retentions
LabMD: Choosing Vendors Wisely and Fighting the FTC
► Medical testing company with policies in place
► Good Samaritan vendor finds private data and offers to resolve for a fee
► GTC investigates
► $4.6MM revenue LabMD goes bankrupt, letting go of 30 employees
► Vendor discovered as only entity to see data
Outside the Dark Web
Image: Kaspersky Lab
Outside the Dark Web
Image: SBR Money
Phishing
Definition: a form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient into opening the attachment or link
Top Industries
► ALL
Phishing
How:
► Spear phishing: targeted attacks
► Phishing: mass communication
► Clone phishing: legitimate content reused with modified links and resent
► Whaling: targeted attacks on senior executives
Impact:
► Loss of money
► Malicious code intrusion
► Loss of Personally Identifiable Information
► Loss of internal information
“If you give a man a phish…”
https://www.phishtank.com/what_is_phishing.php
“…you feed him for a day.”
“If you teach a man to phish…”
http://lts.lehigh.edu/sites/lts.lehigh.edu/files/Phishing_20151209.JPG
“…you might not get malware”
Skimmer
ICS/IoT Vulnerabilities
Final Thoughts
► It’s no longer a matter of “if”, but “when”
► Risk management matters; education and awareness matter
► Cyber indications are easy to obtain for most industries
► No two cyber policies are created equally
► Assess the tools and resources made available by the insurance companies offering coverage
► Cheaper is not always better…but some protection is better than no protection
► Know the difference between cyber liability and crime insurance
Questions?