Page 1: Nuances within Network Security and Privacy Risk Management - …files.dorsey.com/files/upload/network-security-privacy... · 2017-04-13 · 7 Common Themes / Recommendations. From

Nuances within Network Security

and Privacy Risk Management

RIMS Minneapolis Annual Meeting

Melissa Krasnow, Partner, Dorsey & Whitney LLP (Minneapolis, MN)

Bala Larson, Senior Underwriter, Beazley Professional Liability, Specialty Lines (San Francisco, CA)

Mario Paez, Midwest Practice Leader for Tech., Privacy, Network Risk, Wells Fargo Insurance (Minneapolis, MN)

May 20, 2014

This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.

Agenda

• Recent Statistics

• Legal update and the regulatory environment

• Incident response

• Insurance solutions & underwriting insight


Statistics


Recent statistics

• The average cost for each lost or stolen record containing sensitive and confidential information increased from $188 to $201.

• Industry breakdown: Healthcare ($316); Transportation ($286); Education ($259); Energy ($237); Financial ($236); Services ($223); Technology ($181); Public ($172); Media ($183); Retail ($125); Hospitality ($93).

• The total average cost paid by organizations increased from $5.4M to $5.9M.

• Average probability of a data breach involving a minimum of 10,000 records in the next 24 months: 18.7%.

• 32% of respondents “have a cyber insurance policy to manage the risk of attacks and threats”.

• “An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company,” Ponemon Institute notes. “While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.”

Source: Ponemon Institute 2014 Cost of Data Breach Study: US; Global Analysis


9 patterns of incidents/breaches (from the 2014 Verizon Data Breach Investigations Report Exec. Summary)

1. Miscellaneous errors - any mistake that compromises security (‘04-‘13 Incidents: 27%)

2. Crimeware – includes malware (e.g., phishing)(19%)

3. Insider and privilege misuse (19%)

4. Physical theft and loss (16%)

5. Web app attacks (8%)

6. Denial of service attacks - on systems and applications causing normal business operations to stop (2%)

7. Cyber-espionage (1%)

8. Point-of-sale (POS) intrusions - on computers and servers that run POS applications, with intent to capture payment data (1%)

9. Payment card skimmers (1%)


Percentage of breaches by data type (pie chart; the values and category labels below were recovered from the extracted figure, but the extraction does not preserve which value belongs to which category)

Values shown: 33%, 27%, 19%, 10%, 11%

Categories: PII, PHI, Credit Card, Other Financial, Other Financial

*Cyber Risk Claims: A Review of Industry Losses Paid Out - NetDiligence® 2013 Study (Sample size = 135 Breaches)


Percentage of breaches by cause of loss (pie chart; the values and category labels below were recovered from the extracted figure, but the extraction does not preserve which value belongs to which category)

Values shown: 19%, 21%, 10%, 9%, 11%, 6%, 4%, 21%

Categories: Hacker; Lost laptop/device; Malware/virus; Paper records; Rogue employee; Theft; Third-party; Other

*Cyber Risk Claims: A Review of Industry Losses Paid Out - NetDiligence® 2013 Study (Sample size = 135 Breaches)


Percentage of breaches by business sector (pie chart; the values and sector labels below were recovered from the extracted figure, but the extraction does not preserve which value belongs to which sector)

Values shown: 7%, 3%, 15%, 29%, 3%, 6%, 11%, 13%, 8%, 2%, 3%

Sectors: Education; Entertainment; Financial services; Healthcare; Hospitality; Non-profit; Professional services; Retail; Technology; Telecommunications; Other

*Cyber Risk Claims: A Review of Industry Losses Paid Out - NetDiligence® 2013 Study (Sample size = 135 Breaches)


Percentage of breaches by company size (pie chart; the values and size-band labels below were recovered from the extracted figure, but the extraction does not preserve which value belongs to which band)

Values shown: 22%, 13%, 23%, 12%, 4%, 1%, 25%

Size bands: Nano-cap (< $50M); Micro-cap ($50M - $300M); Small-cap ($300M - $2B); Mid-cap ($2B - $10B); Large-cap ($10B - $100B); Mega-cap (> $100B); Unknown

*Cyber Risk Claims: A Review of Industry Losses Paid Out - NetDiligence® 2013 Study (Sample size = 135 Breaches)


The grander scheme of things

Not only can a security event have a severely negative impact on your reputation but it could:

• Adversely impact your debt covenants

• Impair cash flow as funds are redirected to respond to the costs associated with the security event

• Affect stock price

• Redirect the focus of key employees from their daily jobs (the estimated “people-hour” cost for a breach is $30 per record breached)

• Cause an exodus of customers

• Create vulnerabilities that competitors can exploit


Current Regulatory Environment


Breach notification laws and provisions in contracts and policies

• 47 states (once the Kentucky law takes effect July 14, 2014), plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have breach notification laws

• Alabama, New Mexico and South Dakota have no such laws yet

• Trend of state laws being amended, including to require state attorney general notification (for example, the Iowa law amendment effective July 1, 2014)

• HIPAA / HITECH Act breach notification provisions for covered entities and business associates regarding protected health information at the federal level

• Laws in other countries (e.g., Canada)

• Provisions in contracts and policies


Cybersecurity laws and guidance and provisions in contracts and policies

• State security procedures laws: Massachusetts, California and Texas and certain other states

• Issued in February 2014:

– Federal: National Institute of Standards and Technology critical infrastructure cybersecurity framework

– California cybersecurity guidance

• Provisions in contracts and policies


Enforcement and other consequences

• Federal Trade Commission

• Department of Health and Human Services

• State attorneys general (e.g., California)

• Foreign regulators

• Litigation

• Other consequences


Insurance Solutions


Enterprise network security/privacy coverage

Third party liability coverage includes:

• Privacy liability

– Arising from theft or disclosure of Personally Identifiable or Corporate Information

• Network security

– Responds to a privacy/security breach caused by unauthorized access / use of computer systems, transmission of malicious code, or denial of service attacks.

• Media liability

– Coverage may be limited to electronic content or content on a website.

– Gap filler, especially for social media exposures

• Regulatory action* (sub-limit may apply)

– For violation of a privacy statute or regulation

– May also include coverage for regulatory fines and penalties (also PCI fines/penalties)


Enterprise network security/privacy coverage

First party reimbursement coverage includes:

• Privacy notification costs

– Typically legal fees and costs (including mailing expenses) to notify customers of a privacy breach

– New approaches provide per-person notification, with sub-limits outside the limit of liability

• Crisis management expenses

– Costs associated with hiring a PR firm to mitigate negative publicity after a breach

• Credit monitoring costs

– Pays to monitor affected individuals for identity theft

– Medical/health identity restoration

• Forensic investigation

– Costs to determine the scope and cause of the breach

Regulatory expenses, notification expenses, credit monitoring and other crisis management expenses are generally offered on a sub-limited basis, and the sub-limits vary by carrier.


Enterprise network security/privacy coverage

Other first party reimbursement coverages:

• Cyber extortion

– Threat to commit an attack against an Insured’s computer system or to disclose Personally Identifiable Information obtained through a security breach

• Business interruption

– Interruption of the Insured’s normal business activities that produce revenue from the sale of goods or services due to a network security breach

• Data restoration

– Funds to recover or restore data that is damaged, altered, destroyed, stolen, or misused by a covered cause of loss


Behind the curtains – What goes into underwriting?

• The application is key – think of it as an audition. It’s an opportunity to present your organization in the best light possible.

• Provide any assessments you have conducted. The more recent, the better. These could be security assessments, PCI assessments, etc.

• Policies and procedures that are distributed to employees or posted on the internal website, and the privacy policy posted on your public website.

• Any training provided to employees, at time of hire, annually, etc. Is it kept updated? Are relevant updates provided to employees in a timely manner?

• Implementation of firewalls and virus protection is assumed. But do you have an incident response plan or breach preparedness plan? Do your employees know what to do in the event of an incident?

• Any previous incidents? How were they handled, what remediation followed, etc.

• Most importantly, how do you protect the data entrusted to your care? Encryption, tokenization, and reducing risk by not storing unnecessary data or retaining data beyond business need.


Who is currently buying?

• Retail

• Hospitality/Leisure

• Higher Education

• Hospitals, Clinics, Physicians

• Health Insurers

• Utilities

• Law Firms

• Financial Institutions


Marketing and underwriting process

Evaluation of exposures: Consultation to determine exposures – First Party, Third Party and/or Privacy

1. Required applications and/or assessment completed

2. Marketing process: Submit application to selected markets to solicit proposals

3. Proposal analysis and discussions

4. Possible on-line security assessment and/or conference call with insurer

5. Binding the coverage


Are you at risk? Ask your team.

• Has your organization ever experienced a data breach or system attack event?

• Does your organization collect, store or transmit any personal, financial or health data?

• Do you have a solid incident response plan in place?

• Do you outsource any part of computer network operations to a third-party service provider?

• Do you partner with businesses, and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect to/touch their systems?

• Does your posted Privacy Policy actually align with your internal data management practices?

• Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?


7 Common Themes / Recommendations (from the 2014 Verizon Data Breach Investigations Report Exec. Summary)

1. Monitor

2. Educate and train staff

3. Limit access to systems and data (‘need to know basis’)

4. Patch promptly (e.g., up-to-date anti-virus)

5. Encrypt sensitive data

6. Use two-factor authentication

7. Physical security


How does a finance executive rank risk?*

Ranking in 2008*                     | Ranking in 2012*
-------------------------------------|-------------------------------------
1. International operations          | 1. Information security
2. Project management                | 2. International operations
3. Extended enterprise               | 3. Excess cash
4. Data privacy                      | 4. Corporate culture
5. Fraud                             | 5. Compliance
6. IT                                | 6. Third-party relationships
7. Business continuity management    | 7. Cost reduction pressures
8. Shared services                   | 8. Human resource
9. Tax management                    | 9. Social media

*CFO.com 2012


How can we help? Please contact us directly.

Bala Larson, Beazley Group, 101 California Street, Suite 2920, San Francisco, CA 94114, USA, (415) [email protected]

Mario Paez, Wells Fargo Insurance Services, 400 Highway 169 South, Saint Louis Park, MN 55426, (952) [email protected]

Melissa Krasnow, Dorsey & Whitney, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402-1498, (612) [email protected]


Thank you!