CYBER ATTACKS AFFECTING FINANCIAL INSTITUTIONS GUS SPRINGMANN, AON PAVEL STERNBERG, BEAZLEY

Transcription

1 CYBER ATTACKS AFFECTING FINANCIAL INSTITUTIONS GUS SPRINGMANN, AON PAVEL STERNBERG, BEAZLEY

2 Agenda Threat Landscape and Trends Breach Response Process Pitfalls and Critical Points BBR Services Breach Prevention 2

3 A Simplified Response Methodology Discovery of a Data Breach Evaluation of the Data Breach Managing the Short-Term Crisis Handling the Long-Term Consequences Theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable Forensic Investigation and Legal Review Notification and Credit Monitoring Crisis Management Class-Action Lawsuits Regulatory Fines, Penalties, and Consumer Redress Reputational Damage Income Loss

4 Decisions, Decisions, Decisions Is it a breach? Was hard copy or computerized data involved? Do you involve law enforcement? Do you hire a forensics company? Do you retain counsel? Do you involve regulatory agencies? Is crisis management necessary? Do you offer credit monitoring? 4

5 2016 Incidents: General vs. Financial 2016 Incidents by Cause All Industries 2016 Financial Incidents by Cause Unknown 6% Physical Loss/ Non Electronic Record 10% Other 3% Hack or Malware 32% Physical Loss/ Non Electronic Record 6% Unknown 6% Other 2% Hack or Malware 40% Unintended Disclosure 28% Unintended Disclosure 32% Portable Device 8% Insider 8% Payment Card Fraud 1% *Source: Beazley Portable Device 7% Payment Card Fraud 4% Insider 7% 5

6 Financial Incidents: 2015 vs Unintended Disclosure 24% 2015 Financial Incidents Unknown 3% Hack or Malware 27% 2016 Financial Incidents Physical Loss/ Non Electronic Record 6% Unknown 6% Other 2% Hack or Malware 38% Stationary Device 2% Portable Device 5% Insider 7% Unintended Disclosure 28% Physical Loss/ Non-Electronic Records 15% Payment Card Fraud 9% Other 8% *Source: Beazley Insider 7% Payment Card Fraud 4% Portable Device 7% 6

7 Pitfalls and Critical Points Initial Communication of Incident Breaking Down Silos/Pulling In Correct People Lack of Preparedness for Type of Incident Timing and Messaging Strategic Thinking 7

8 Incident Response Team The Incident Response Team (IRT) manages and coordinates the security event investigation, response, reporting and corrective action activities. The IRT should be activated upon learning of an event. The IRT should be authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. 8

9 Membership of the Incident Response Team IRT leader/coordinator Privacy officer Legal Risk management Others as appropriate Information security HR, employee relations, patient relations Public relations Fulfillment Vendor Beazley/Broker Outside legal counsel Crisis Management Firm 9

10 Messaging Goals and Risks Goals Comply with all applicable laws and regulations. Be thorough and descriptive without causing unnecessary concern. Provide reassurance without overpromising. Strive for openness and transparency without creating unnecessary risk. Complaints Risks Negligence, Invasion of Privacy Lawsuits Class Action Lawsuits Regulatory Action Damage to Brand and Trust 10

11 Using the Word Breach "Breach" has legal significance "Breach" suggests something bad happened or is going to happen Use Breach" too frequently and cutomers or regulators may think you are subject to numerous breaches Incident? Event? 11

12 Offer Credit Monitoring? Why Offer To mitigate harm or risk of identity theft Satisfy affected individuals expectations Satisfy regulators expectations Why Not to Offer Cannot address all forms of fraud May imply increased risk of fraud unnecessarily May impact litigation position 12

13 Breach Prevention Securing Your System Security Assessment Hardware Encryption and Passwords Employee Training Policies and Procedures Awareness Phishing Testing 13

14 Pavel Sternberg (415) Gus Springmann (312)