Nuances within Network Security and Privacy Risk Management
RIMS Minneapolis Annual Meeting
Melissa Krasnow, Partner, Dorsey & Whitney LLP (Minneapolis, MN)
Bala Larson, Senior Underwriter, Beazley Professional Liability, Specialty Lines (San Francisco, CA)
Mario Paez, Midwest Practice Leader for Tech., Privacy, Network Risk, Wells Fargo Insurance (Minneapolis, MN)
May 20, 2014
Agenda
• Recent Statistics
• Legal update and the regulatory environment
• Incident response
• Insurance solutions & underwriting insight
Statistics
Recent statistics
• Average cost for each lost or stolen record containing sensitive and confidential information increased from $188 to $201.
• Industry breakdown: Healthcare ($316); Transportation ($286); Education ($259); Energy ($237); Financial ($236); Services ($223); Technology ($181); Public ($172); Media ($183); Retail ($125); Hospitality ($93).
• The total average cost paid by organizations increased from $5.4M to $5.9M.
• Average probability of a data breach involving a minimum of 10,000 records in the next 24 months: 18.7%.
• 32% of respondents “have a cyber insurance policy to manage the risk of attacks and threats”.
• “An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company,” Ponemon Institute notes. “While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.”
Source: Ponemon Institute 2014 Cost of Data Breach Study: US and Global Analysis
9 patterns of incidents/breaches
From 2014 Verizon Data Breach Investigations Report Exec. Summary
1. Miscellaneous errors – any mistake that compromises security (‘04–‘13 incidents: 27%)
2. Crimeware – includes malware (e.g., phishing) (19%)
3. Insider and privilege misuse (19%)
4. Physical theft and loss (16%)
5. Web app attacks (8%)
6. Denial of service attacks – on systems and applications, causing normal business operations to stop (2%)
7. Cyber-espionage (1%)
8. Point-of-sale (POS) intrusions – on computers and servers that run POS applications, with intent to capture payment data (1%)
9. Payment card skimmers (1%)
[Pie chart: Percentage of breaches by data type. Legend labels as extracted: PII, PHI, Credit Card, Other Financial, Other Financial (duplicate label). Slice values shown: 33%, 27%, 19%, 10%, 11%; the slice-to-category mapping is not recoverable from the extracted text.]
*Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2013 Study (Sample size = 135 Breaches)
[Pie chart: Percentage of breaches by cause of loss. Legend: Hacker; Lost laptop/device; Malware/virus; Paper records; Rogue employee; Theft; Third-party; Other. Slice values shown: 19%, 21%, 10%, 9%, 11%, 6%, 4%, 21%; the slice-to-category mapping is not recoverable from the extracted text.]
*Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2013 Study (Sample size = 135 Breaches)
[Pie chart: Percentage of breaches by business sector. Legend: Education; Entertainment; Financial services; Healthcare; Hospitality; Non-profit; Professional services; Retail; Technology; Telecommunications; Other. Slice values shown: 7%, 3%, 15%, 29%, 3%, 6%, 11%, 13%, 8%, 2%, 3%; the slice-to-category mapping is not recoverable from the extracted text.]
*Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2013 Study (Sample size = 135 Breaches)
[Pie chart: Percentage of breaches by company size. Legend: Nano-cap (< $50M); Micro-cap ($50M – $300M); Small-cap ($300M – $2B); Mid-cap ($2B – $10B); Large-cap ($10B – $100B); Mega-cap (> $100B); Unknown. Slice values shown: 22%, 13%, 23%, 12%, 4%, 1%, 25%; the slice-to-category mapping is not recoverable from the extracted text.]
*Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2013 Study (Sample size = 135 Breaches)
The grander scheme of things
Not only can a security event have a severely negative impact on your reputation, but it could also:
• Adversely impact your debt covenants
• Impair cash flow as funds are redirected to cover the costs associated with the security event
• Affect stock price
• Redirect the focus of key employees from their daily jobs (the estimated “people-hour” cost for a breach is $30 per record breached)
• Cause an exodus of customers
• Create vulnerabilities that competitors can exploit
Current Regulatory Environment
Breach notification laws and provisions in contracts and policies
• 47 states (once the Kentucky law takes effect on July 14, 2014), plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have breach notification laws
• Alabama, New Mexico and South Dakota have no such laws yet
• Trend of state laws being amended, including to require state attorney general notification (for example, the Iowa law amendment effective July 1, 2014)
• HIPAA / HITECH Act breach notification provisions for covered entities and business associates regarding protected health information at the federal level
• Laws in other countries (e.g., Canada)
• Provisions in contracts and policies
Cybersecurity laws and guidance and provisions in contracts and policies
• State security procedures laws: Massachusetts, California, Texas and certain other states
• Issued in February 2014:
– Federal: National Institute of Standards and Technology critical infrastructure cybersecurity framework
– California cybersecurity guidance
• Provisions in contracts and policies
Enforcement and other consequences
• Federal Trade Commission
• Department of Health and Human Services
• State attorneys general (e.g., California)
• Foreign regulators
• Litigation
• Other consequences
Insurance Solutions
Enterprise network security/privacy coverage
Third party liability coverage includes:
• Privacy liability
– Arising from theft or disclosure of Personally Identifiable or Corporate Information
• Network security
– Responds to a privacy/security breach caused by unauthorized access to or use of computer systems, transmission of malicious code, or denial of service attacks.
• Media liability
– Coverage may be limited to electronic content or content on a website.
– Gap filler, especially for social media exposures
• Regulatory action* (sub-limit may apply)
– For violation of a privacy statute or regulation
– May also include coverage for regulatory fines and penalties (also PCI fines/penalties)
Enterprise network security/privacy coverage
First party reimbursement coverage includes:
• Privacy notification costs
– Typically legal fees and costs (including mailing expenses) to notify customers of a privacy breach
– New approaches provide per-person notification sub-limits outside the limit of liability
• Crisis management expenses
– Costs associated with hiring a PR firm to mitigate negative publicity after a breach
• Credit monitoring costs
– Pays to monitor affected individuals for identity theft
– Medical/health identity restoration
• Forensic investigation
– Costs to determine the scope and cause of the breach
Regulatory expenses, notification expenses, credit monitoring and other crisis management expenses are generally offered on a sub-limited basis, and the sub-limits vary by carrier.
Enterprise network security/privacy coverage
Other first party reimbursement coverages:
• Cyber extortion
– Threat to commit an attack against an Insured’s computer system or to disclose Personally Identifiable Information obtained through a security breach
• Business interruption
– Interruption of the Insured’s normal business activities that produce revenue from the sale of goods or services, due to a network security breach
• Data restoration
– Funds to recover or restore data that is damaged, altered, destroyed, stolen, or misused by a covered cause of loss
Behind the curtains – What goes into underwriting?
• The application is key – think of it as an audition. It’s an opportunity to present your organization in the best light possible.
• Provide any assessments you have conducted. The more recent, the better. These could be security assessments, PCI assessments, etc.
• Policies and procedures that are distributed to employees or posted on the internal website. Privacy policy posted on the website.
• Any training provided to employees, at time of hire, annually, etc. Is it kept updated? Are relevant updates provided to employees in a timely manner?
• Implementation of firewalls and virus protection is assumed. But do you have an incident response plan or breach preparedness plan? Do your employees know what to do in the event of an incident?
• Any previous incidents? How were they handled, remediated, etc.?
• Most importantly, how do you protect the data that is entrusted to your care? Encryption, tokenization, and reducing risk by not storing unnecessary data or retaining data beyond business need.
Who is currently buying?
• Retail
• Hospitality/Leisure
• Higher Education
• Hospitals, Clinics, Physicians
• Health Insurers
• Utilities
• Law Firms
• Financial Institutions
Marketing and underwriting process
1. Evaluation of exposures: Consultation to determine exposures – First Party, Third Party and/or Privacy
2. Required applications and/or assessment completed
3. Marketing process: Submit application to selected markets to solicit proposals
4. Proposal analysis and discussions
5. Possible on-line security assessment and/or conference call with insurer
6. Binding the coverage
Are you at risk? Ask your team.
• Has your organization ever experienced a data breach or system attack event?
• Does your organization collect, store or transmit any personal, financial or health data?
• Do you have a solid incident response plan in place?
• Do you outsource any part of computer network operations to a third-party service provider?
• Do you partner with businesses, and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect to or touch their systems?
• Does your posted Privacy Policy actually align with your internal data management practices?
• Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
7 Common Themes / Recommendations
From 2014 Verizon Data Breach Investigations Report Exec. Summary
1. Monitor
2. Educate and train staff
3. Limit access to systems and data (‘need to know’ basis)
4. Patch promptly (e.g., up-to-date anti-virus)
5. Encrypt sensitive data
6. Use two-factor authentication
7. Physical security
How does a finance executive rank risk?*
Ranking in 2008*
1. International operations
2. Project management
3. Extended enterprise
4. Data privacy
5. Fraud
6. IT
7. Business continuity management
8. Shared services
9. Tax management
Ranking in 2012*
1. Information security
2. International operations
3. Excess cash
4. Corporate culture
5. Compliance
6. Third-party relationships
7. Cost reduction pressures
8. Human resources
9. Social media
*CFO.com 2012
How can we help? Please contact us directly.
Bala Larson
Beazley Group
101 California Street, Suite 2920, San Francisco, CA 94114, USA
(415) [email protected]
Mario Paez
Wells Fargo Insurance Services
400 Highway 169 South, Saint Louis Park, MN 55426
(952) [email protected]
Melissa Krasnow
Dorsey & Whitney
50 South Sixth Street, Suite 1500, Minneapolis, MN 55402-1498
(612) [email protected]
Thank you!