TRANSCRIPT
Personal Information Protection & Global Insurance Best Practices
Privacy Global Edge 2014
Murray Wood
Head of Financial Specialties
Aon Asia
Seoul
17 April 2014
Research Conclusions: Risk Maturity & Performance (slide 1)
Social Media
• Two distinct sources of risk: corporate and employee activity
• Network Security, Privacy, Social Engineering
• Defamation, product disparagement, IP infringement, harassment, and invasion of privacy.
International Laws and Regulations
Telematics, device data collection, and location tracking, GPS.
Big Data Analytics
South Korea Specific Laws (partial sample):
• Financial Services Commission: 2014 Enhanced Information Security Rules
• Personal Information Protection Act (Minister of Public Administration and Security)
• IT Network Protection Act
• Financial Supervisory Services financial institutions checklist and self-audit
• Act on Promotion of Information and Communications Network Utilization and Information Protection
Mobile Device Payment Apps
• Mobile payment hardware, software, and mobile wallet technology are exploding globally
• Juniper Research study predicts mobile transactions will hit $1.3 trillion worldwide by 2015
• PCI Council guidance addresses account data security and mobile devices: hardware, software, usage, and customer relationship
• How is risk affected for all participants in the payment value chain?
Cloud Computing
• What are the risk oversight and security controls of the cloud provider?
• Where will the data be stored, and will the provider make a contractual commitment to obey privacy laws?
• How is our data segregated from other data?
• How can I recover my data if disaster strikes?
• What if the provider goes out of business? How can I get my data back?
• How is liability allocated?
Emerging Cyber Risks (slide 2)
Risk areas by category:
Commerce: Access, E-commerce theft, Customer behavior, Jurisdiction/law, Trust, Confidentiality and identity, Digital money, Non-traceability of transactions, Regulatory, Tax, Unfair trade practices, Customer awareness, Customer choice, Quality of data, Information protection, Failure to provide promised services, Security of data, Privacy, Consumer access, Legitimate use, Authenticity, Non-reputability, Business practice disclosure, Transaction integrity/reliability, Fraud and identity theft, Business design, Technology obsolescence, Snooping, Corruption, Misuse of information, Personal threats, Errors and omissions
Content: Inappropriate content on company servers, Customer behaviour, Domain name hijacking, Trust, Cybersquatting, Confidentiality and identity, Security, Regulatory, Loss of trade secrets, Unfair trade practices, Customer awareness, Personal threats, Jurisdiction/law, Infringement of intellectual property, Privacy, Customer choice, Quality of data, Security of data, Consumer access, Linking and framing risk, Meta-tag abuse, Legitimate use, Information protection, Snooping, Identity theft, Corruption, Misuse of information, Errors and omissions, Customer information
Infrastructure: Access, Reliability, Performance, Jurisdiction/law, Trust, Security of data, Privacy, Regulatory, Defective hardware/software, Legitimate use, Business design, Technology obsolescence, Physical damage, Efficacy
What Happens if You Get Hacked (slide 3)
• 2014 International Compendium of Data Privacy Laws – Mandates? Compulsory? http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International-Compendium-of-Data-Privacy-Laws.pdf
[Figure: regional privacy legislation timeline, 2005–2014]
Annual non-life premiums are in excess of USD 167 Billion
On-going legislation across the region:
• Singapore
• Malaysia
• China
• Taiwan
• Philippines
• Hong Kong
• South Korea
• India
• Japan
Cyber insurance gross written premium by year:
Year   Gross Written Premium (USD)
2002   < 75 Million
2004   200 Million
2006   350 Million
2010   600 Million
2012   > 1 Billion (= 1/167 of P&C)
Cyber Insurance: Growth Correlated to Growth of Laws & Regulations (slide 4)
• We are increasingly dependent on information technology systems and infrastructure; system inadequacies, operating failures, or security breaches could harm our business. We rely to a large extent on sophisticated information technology systems and infrastructure. The size and complexity of these systems make them potentially vulnerable to breakdown, malicious intrusion, and random attack. Likewise, confidentiality or data privacy breaches by employees or others with permitted access to our systems may pose a risk that valuable trade secrets, personal information, or other sensitive data may be exposed to unauthorised persons or to the public. Such information security breaches may be very difficult to detect. To date, system breakdowns and, to the extent we have been made aware of them, security breaches, have been infrequent in occurrence and their aggregate impact on our operations and expenses has not been material. While we have invested heavily in the protection of data and information technology, there can be no assurance that our efforts will prevent breakdowns or breaches in our systems that could adversely and materially affect our business.
• Reliance on third-party relationships and outsourcing arrangements could adversely affect our business. We utilise third parties, including suppliers, alliances with other pharmaceutical and biotechnology companies, and third-party service providers, for selected aspects of product development, the manufacture and commercialisation of certain products, support for information technology systems, and certain financial transactional processes. Failure of these third parties to meet their contractual, regulatory, or other obligations to us could adversely affect our business.
Cyber Exposure Trends: Sample US Listed Company 10–K (ADR) (slide 5)
Average cost of a data breach by year:
Year   Average Total Organisational Cost (Millions USD)   Average Cost Per Capita (USD)
2005   $4.54   $138
2006   $4.79   $182
2007   $6.36   $197
2008   $6.66   $202
2009   $6.75   $204
2010   $7.24   $214
2011   $5.50   $194
2012   $5.40   $188
• A portion of the “cost” in this study = abnormal churn post-breach = uninsurable in Cyber policies
• Study excludes data breaches in excess of 100,000 records
• The percentage of malicious attacks grew from 12% in 2008 to 41% in 2012
Source: Ponemon 2013 Cost Of A Data Breach Study
Cyber Exposure Trends: Changing Cost of an Average Data Breach (slide 6)
All Values in USD
Averages | 2011 Findings (117 Claims Studied) | 2012 Findings (137 Claims Studied) | 2013 Findings (140 Claims Studied)
# of Records Exposed | 1.7 Million | 1.4 Million | 2.3 Million
Cost Per Claim | $2,400,000 | $3,700,000 | $3,500,000
Legal Defense | $500,000 | $600,000 | $574,984
Legal Settlement | $1,000,000 | $2,100,000 | $258,099
Crisis Services | $800,000 | $1,000,000 | $737,473
  • Forensics | $170,000 | $341,000 | $104,740
  • Notification | $201,000 | $180,000 | $126,703
  • Call Centre | $15,000 | $50,000 | (not broken out)
  • Credit Monitoring | $253,000 | $345,000 | $55,865
  • Legal Counsel | $242,000 | $66,000 | $29,225
Source: NetDiligence Annual Cyber Liability & Data Breach Insurance Claims: A Study of Actual Claim Payouts
Total Claim Payouts by Type of Cost (chart categories): Regulatory Fines, Crisis Services, Legal Defence, Legal Settlement, PCI Fines
Cyber Exposure Trends: Break Down of Data Breach Expenses (slide 7)
Risk Management works with each of the following:
Senior Management: Understand the top risks to your company and communicate to management the risks that are and are not insurable. If not insurable, then identify alternative options.
Information Security: Know and meet regularly with your Information Security / IT Team. Understand incidents or “near misses”.
Law Department: Understand your contracts with your customers and vendors. What risks is your company assuming? What insurance are you required to maintain?
Broker / Insurer: Review your risks with your insurance broker and insurer continually. Insurance coverage is negotiable.
Cyber Risk Mitigation: Sustainability Risk Management (slide 8)
• Comprehensive Enterprise-wide Cyber Risk Mitigation Programme: Needs Management Support
• IT Security & Use policies are important, BUT IT IS MORE THAN AN IT ISSUE
• Engage inter-departmental coordination and cooperation
– CPO, CIO, CISO, IT Security
– Legal
– Risk Management
– Finance/Treasury
– Human Resources
– Compliance/Internal Audit
• Education on Legal Exposures: train & monitor employees & third parties
• Ensure Compliance with Organisation’s Privacy Policy regarding 3rd party Personally Identifiable Information
• Data Breach Management Policy – continuously update incident response plan
• Third Party Exposures
– Vendor/Supplier Management
– Contractual Considerations
– Vendor/Supplier Audits
Integrate Vendor Management Process with Business Owners
Cyber Risk Mitigation (slide 9)
Cyber Risk Mitigation: 10 Sample Questions to Ask Your IT Expert (slide 10)
Question / Service (what the answer indicates):
1. Do you have an Information Security Policy?
   Most will say yes. If no, it would suggest a lack of awareness of the issues, and therefore they would be unlikely to be ready for the product.
2. Is it based on any Information Security Standard?
   The ideal answer would be ISO 27002, as this is well understood and recognised by the market.
3. What is the Governance Structure for managing IS Risk & Controls?
   Presence of a structure is an indicator of a mature organisation that understands and is looking to manage the risks.
4. How do you maintain assurance of your internal IT controls?
   If there is an indication that a robust regime is in place, a free scan should be positioned as additional assurance. No evidence is an opportunity for a free scan, but may also indicate a high risk.
5. Do you use third party suppliers?
   Need for the product is increased if yes; need to find out the scope of services. If critical, need for cyber risk transfer is increased.
6. Do you obtain assurance of their Data/Security Controls?
   The ideal answer is yes, via a recognised method, e.g. SSAE 16/SAS 70 or another auditing standard. These will be readily accepted as evidence.
7. What is your approach to the management of mobile devices?
   Every client will have this issue; laptop and device encryption are key controls. Lack of an informed response is not a good indicator.
8. What are your key controls to determine if you are being subjected to a cyber attack?
   This provides an insight into the monitoring capability of the organisation. Most have poor levels of control unless they have outsourced a service.
9. Do you have a Cyber response team or plan?
   Key area for extra service sales. Most do not, and failure to respond quickly enough drives up the final incident cost.
10. Have you ever needed to complete a forensic examination of your IT equipment?
   As above; often key evidence is destroyed through lack of awareness.
Factors that decrease breach cost:
• Have an incident response plan: -$42
• Have a strong security posture: -$34
• Appoint a Chief Information Security Officer: -$53
• Outside consultant to contain/resolve breach: -$13
Factors that increase breach cost:
• Trust third party vendors with data without protections: +$43
• Notify customers ASAP: +$37
• Lose a laptop (or other device): +$10
Source: Ponemon 2013 Cost of a Data Breach Study
The Case for Risk Management (slide 11)
• Risk Assessments
– Identify, classify, qualify and quantify IT risks: prioritize (all vendors are not equal)
• Due Diligence and Selection of Service Providers
• Financial Condition
• Contract Provisions and Considerations
• Third-party reviews
• Third-party oversight
• Ongoing Monitoring requirements
• Business Continuity and Contingency Considerations
• Financial Statement Impact: Target Corporation = $200 MM+ damages
• KT Mobile Data Breach 2014 and 2012
• 130K customers of Citibank/Standard Chartered Seoul breached (Dec 2013)
• MtGox faced 150,000 attacks per second before 2014 $500 MM breach
• Korea Credit Bureau 20 MM customers/105 MM files breach (Jan 2014)
• SK Communications operated social networking sites Nate and Cyworld / 35 million users’ personal information (July 2011)
• Hyundai Capital 420,000 customer records stolen via hackers (April 2011)
• SONY $280 MM+
Risk Mitigation: Cyber Risk Identification: Inventory All Vendors (slide 12)
Coverage matrix, policy types across the top: Property, General Liability, Crime / Bond, Kidnap & Ransom, Errors & Omissions, Cyber / Data Protection
1st Party Privacy:
• Physical Damage to Data Only
• Virus / Hacker Damage to Data Only
• Denial of Service Attack
• BI Loss From Security Event
• Extortion Sabotage of Data Only
• Employee Sabotage of Data Only
3rd Party Privacy:
• Theft / Disclosure of Private Information
• Confidential Corporate Information Breach
• Technology E&O
• Media Liability (Electronic Content)
• Privacy Breach Expense / Notification
• Damage to 3rd Party Data Only
• Regulatory Privacy Defence / Fines
• Virus / Malicious Code Transmission
Legend: Coverage Provided / Coverage Possible / No Coverage
For discussion purposes only; policy language and facts of claims will require further analysis
Gaps in Existing Coverage (slide 13)
Optimal Programme (factors):
• Insurable Risks
• Contractual Requirements
• Budget
• Risk Tolerance
• Maximum Probable Loss
• Peer Purchasing Data
• Scope of Coverage / Control
• Market Limitations
Cyber Insurance – Optimal Cyber Programme (slide 14)
[Chart: Cyber Risk – Total Premiums by Industry, Millions USD (0–10), 2009–2013]
Financial Institutions have the largest amount of premium associated with cyber risks
Source: Aon Global Risk Insight Platform™
Cyber Insurance – Purchasing Patterns (slide 15)
Exposure Consequences
Columns: Category | Source | Event Type | Internal Costs | External Costs | Revenue Loss | Brand / Reputation | Third Parties

Category: Commercial Sensitive – client data
Event Type: Inadvertent release by employee
  Internal Costs: n/a
  External Costs: Professional fees – lawyers; Media / advertising; Regulatory Fine (Rating 1)
  Revenue Loss: Lost opportunity / competitive advantage (Rating 2)
  Brand / Reputation: Competitive Positioning; Relationship (Rating 2)
  Third Parties: n/a
Event Type: Disclosure to contractor / supplier subsequently breached via their systems
  Internal Costs: n/a
  External Costs: As above (Rating 1)
  Revenue Loss: As above (Rating 2)
  Brand / Reputation: As above (Rating 2)
  Third Parties: n/a
Event Type: External hacker accessing data
  Internal Costs: Removal costs; Defence costs (Rating 1)
  External Costs: As above (Rating 1)
  Revenue Loss: As above (Rating 2)
  Brand / Reputation: As above (Rating 2)
  Third Parties: n/a

Category: Commercially Sensitive – client data
Event Type: Inadvertent release by employee
  Internal Costs: Notification costs – customers / regulators (Rating 1)
  External Costs: Professional fees – lawyers; Media / advertising; Regulatory Fine (Rating 1)
  Revenue Loss: Lost opportunity / competitive advantage / loss of customer (Rating 2)
  Brand / Reputation: Competitive Positioning; Relationship; Customer confidence (Rating 2)
  Third Parties: Financial loss – cost / brand / revenue (Rating 3)
Event Type: Disclosure to contractor / supplier subsequently breached via their systems
  Internal Costs: As above (Rating 1)
  External Costs: As above (Rating 1)
  Revenue Loss: As above (Rating 2)
  Brand / Reputation: As above (Rating 2)
  Third Parties: As above (Rating 3)
Event Type: External hacker accessing data
  Internal Costs: As above, plus Removal costs; Defence costs (Rating 1)
  External Costs: As above (Rating 1)
  Revenue Loss: As above (Rating 2)
  Brand / Reputation: As above (Rating 2)
  Third Parties: As above (Rating 3)
Aon’s Cyber Risk Profiling Solutions (slide 16)
Aon’s Cyber Risk Profiling Solutions (slides 17–18)
• Privacy and Security Liability: Any business that keeps sensitive data on customers or employees is liable for damages if that information is breached, regardless of the reason. If a breach happens and a third party sues, privacy and security liability insurance covers the business.
― Personal Data Liability
― Corporate Data Liability
― Outsourcing Liability
― Data Security Liability
• Data Administrative Procedures:
― Data Administrative Investigation
― Data Administrative Fines
• Data Breach Crisis Management: In the event of a data breach, a business needs to immediately hire a forensic team to find out what happened, plug the hole, and comply with federal and state notification requirements. Sub-limited coverage is available to address extortion threats for intentional computer attacks against the insured.
Cyber & Data Privacy Risk Insurance (slide 19)
• Business Interruption or Data Loss: If a hacker breaks into a company’s computer network and launches a virus or denial of service attack, data and software may be damaged and the system may need to be shut down to make repairs. Cyber coverage covers online events that destroy intangible property such as data or software applications.
• Internet Media Liability: As more companies rely on their websites and social media to advertise to consumers or other businesses, they may want coverage to protect against possible libel, plagiarism, defamation and false
• Brand Restoration: Enables the business to restore brand value through appropriate and effective public relations and public affairs crisis management
• Cyber Extortion Liability: Insurer reimburses monies paid by an Insured to terminate or end a security threat that might otherwise result in harm to the Insured
Cyber & Data Privacy Risk Insurance (slide 20)
Aon Cyber Specialists
Asia: Murray Wood, Head of Financial Specialties, Asia. Phone: +65-6645-0116. Email: [email protected]
Korea: Kevin (Kyoo Jung) Kim, Managing Director. Phone: +82-2-2260-2779. Email: [email protected]
Aon Cyber Diagnostic Tool: https://www.aoncyberdiagnostic.com
Aon Asia Cyber Exposures & Solutions Report: http://view.aon.com/Korea_cyber_report_2014
Cyber & Data Privacy Risk & Insurance / Resources (slide 22)
Aon.com
Aon Korea Inc., 20th Floor, Kukdong Bldg., 60-1, Chungmuro 3-ga, Jung-gu, Seoul, 100-705
www.aon.com
© Aon plc 2014. All rights reserved.
No part of this report may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.