CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK. By: Andrew Serwin


Slide 1: CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK
By: Andrew Serwin
January 19, 2018

Slide 2: Overview
What are companies concerned about?
What information are we concerned about?
Cybersecurity
Who are the threat actors?
Steps to address a breach
Consequences of a breach
Examples of incidents
Steps to prepare and respond
Notice on a global basis
Litigation and enforcement
Morrison & Foerster LLP

Slide 3: Overview Continued
How concerned are Boards?
What are the relevant legal obligations for the Board?
How should the Board think about cyber?
Where should cyber be addressed at the Board?
What are the threats and challenges?
What should the Board do about cyber?
What should Management do about cyber?
What are emerging SEC issues regarding cyber?
Lessons learned and takeaways
What questions should you ask?

Slide 4: Top-Level Concerns
Controller v. processor
Data misuse (generally a first-party issue):
Failure to fully disclose data practices;
Failure to comply with applicable laws;
Marketing mistakes; and
Others.
Attacks (third-party focused). There are two primary types of attacks:
Theft of information (e.g., PI, trade secrets); and
Attacks on the grid (e.g., denial of service, attempts to shut down systems).

Slide 5: All Companies Have Information of Value
Companies create and process a significant amount of information:
Financial information;
Information regarding individuals (employees and customers);
Proprietary/confidential information:
IP;
Undisclosed M&A activity;
Business and marketing plans; and
Pricing;
Information regarding business processes, including process improvements;
Information regarding business trends;
Social data/user-generated content;
Machine data; and
Many other forms of information.

Slide 6: Understanding the Cyber Threat
YESTERDAY
Threat Actors: Isolated Criminals; Script Kiddies
Goals: Identity Theft; Self-promotion; Theft of Content or Services
TODAY
Threat Actors: Organized Criminals; Nation States; Hacktivists; Insiders
Goals: Intellectual Property; Financial Information; Strategic Access/Destruction; Terrorism; Embarrassment

Slide 7: Breaches are on the Rise
Security breaches are becoming more common and are reported on more frequently.

Slide 8: Have you Stopped Buying Based upon a Breach?
(Bar chart of Yes/No responses; the two values shown are 78% and 22%.)

Slide 9: You've Been Breached, Now What?
Investigate and stop the intrusion.
Determine notice obligations and comply with deadlines.
Evaluate whether a PR firm is needed.

Slide 10: Common Issues
Escalation
Privilege
Who is in charge?
The role of third-party vendors

Slide 11: Should You Hire a Vendor?
Vendors can investigate the breach and plug the infiltration.
You may also need third parties for notice-related issues, PR, and other services.

Slide 12: Tips & Suggestions Regarding Privilege in the U.S.
Copying a lawyer on an email does not necessarily make it privileged. To be privileged, the email must be seeking legal advice or contain legal advice.
Limit the distribution of documents containing legal advice to people who have a need to know.
Do not cc: or forward emails containing legal advice to any third party (e.g., government, other companies).
Stamp or add a legend to documents that are privileged to make them easy to identify. But simply stamping everything privileged can hurt more than it helps, so don't overuse the designation.

Slide 13: Privilege Quick-Reference Guide
Attorney-Client Privilege:
Only applies to communications with lawyers regarding legal advice
Is usually lost (waived) if shared outside the company
DO:
Consult with attorneys before hiring consultants to decide whether the engagement should be privileged
Ask an attorney before forwarding privileged email
DON'T:
Wait to consult an attorney before taking initial steps to stop an incident
Put heat-of-the-moment opinions or speculations in writing that could later embarrass the company
Forward privileged emails to people who do not have a need to know or who are outside the company

Slide 14: What are the Consequences of a Breach?
Impact on brand/trust;
Bad PR;
Corporate governance issues;
Significant costs and use of internal resources;
Enforcement by regulators on a global basis; and
Private litigation in the United States.

Slide 15: Incident Number 1: IP Theft
A publicly traded U.S. company has spent a significant amount of money creating a chemical compound that is critical to the manufacturing of solar panels, and it is protecting the compound via trade secret protection. A month before the company is getting ready to release the product, the General Counsel receives a call from the FBI informing her that there are indicators that a foreign state has penetrated the company's network and stolen a significant amount of data, including the proprietary formula for the solar panel compound, as well as other intellectual property.
What do you do?

Slide 16: Incident Number 2: PII Theft
A Fortune 50 retailer receives a call from a prominent member of the press informing the company that he is aware of a security breach involving the company and over 40,000,000 credit cards. He will be making the breach public in 24 hours and asks for a comment from the company.
What do you do?

Slide 17: Incident Number 3: A Grid Attack
A global financial services company sees an uptick in fraud and subsequently discovers that it has been attacked and 200,000,000 user credentials have been stolen from the company. The company hires a forensic expert who determines how the attackers have accessed the network and then takes steps to block the attackers from having continued access. As soon as the attackers are removed from the system, the company is hit with a sophisticated Distributed Denial of Service (DDoS) attack that causes its entire network to crash.
What do you do?

Slide 18: Incident Number 4: Public Embarrassment
A Fortune 100 health care company with a significant number of government contracts receives an email from a Hacktivist group demanding a number of concessions from the company, including terminating certain lines of business that the Hacktivists find objectionable, or the group will begin disseminating damaging information regarding the company. The company has 48 hours to respond, and it does not meet the group's demands. The Hacktivists respond by posting numerous emails on a Peer-to-Peer Network that reveal a pattern of inappropriate conduct by the CEO, and seem to indicate that there may be government fraud occurring. The company is given another 48 hours to meet the Hacktivists' demands.

Slide 19: What Can Companies Do to Prepare?
Pre-breach considerations include:
Identifying critical systems;
Identifying key legal and notice requirements;
Creating an incident response plan;
Identifying key internal and external stakeholders, including important customers and regulators who may require notice;
Identifying professionals to assist in the event of a breach;
Conducting a tabletop exercise;
Anomaly detection;
Establishing relationships with law enforcement and others in your industry to discuss sharing information; and
Conducting a security review.

Slide 20: What Should Companies do to Respond?
When a breach occurs:
Containment and recovery;
Advising on information sharing strategy (e.g., critical partners);
Document preservation, including forensic collection, if appropriate, with consideration of the application of the work-product doctrine;
Making the facts stand still;
Creating a PR plan based upon the nature and scope of the incident;
Assessing notice, disclosure, and other legal obligations;
Advising on engagement strategy with law enforcement; and
Conducting a lessons learned review.

Slide 21: Notice of Security Breach Legislation
Common issues:
When notice must be given;
The form of the notice;
Who notice must be given to;
The scope of federal preemption; and
The effect of existing security policies.

Slide 22: Data Breach Laws Vary by State in the U.S.
Most states have enacted data breach notification laws requiring businesses and other entities to notify affected individuals when a data breach involving their personally identifiable information occurs. The requirements of these laws vary and sometimes conflict.

Slide 23: There Are Federal Laws as Well
HIPAA is an emerging issue for many technology companies.

Slide 24: GDPR
GDPR attempts to harmonize European data protection rules, including implementing a European notice of security breach rule.

Slide 25: GDPR: What Is a Breach?
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

Slide 26: Notice Requirements
A Controller must notify the Individual of a Personal Data Breach, without undue delay, where that Personal Data Breach is likely to result in a high risk to the rights and freedoms of the Individual, in order to allow him or her to take the necessary precautions.
The Controller also must notify the DPA of a Personal Data Breach, unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of the Individual, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Exceptions.

Slide 27: Asia/South Asia: Data Security
Reasonable organizational, technical, and administrative measures to protect data.
More detailed rules in: India; Japan; Korea; Taiwan

Slide 28: Examples of Asian Countries with Breach Notification Laws or Voluntary Standards
Japan; Korea; Philippines; Singapore; Taiwan

Slide 29: Strategy for Compliance
Review and comply with the breach notification laws for each relevant country or state (i.e., those states where individuals whose personal information is held by the company reside, or where your data controller exists). Time is often of the essence.
Determine whether other entities need to be contacted (state attorney general, office of consumer affairs, FTC, consumer credit reporting agencies).

Slide 30: What If I Fail to Notify?
Failure to notify could result in enforcement action, penalties, or lawsuits brought by affected consumers.

Slide 31: The Different Legal Fronts
A high-profile nationwide breach may require the largest coordinated legal effort in a company's history.
Government investigations: State AGs; FTC; SEC; Functional regulators (e.g., FCC, HHS, federal banking agencies); Congress; International regulators (e.g., Canada OPC)
Litigation: Consumer class actions; Shareholder suits; Bank class actions

Slide 32: Class Action Risk for Data Breach
The class action bar has targeted companies that are victims of data breaches.
Multiple copycat class actions are filed across the country.
Brought on behalf of nationwide and state classes.

Slide 33: Legal Theories
Violation of state consumer protection laws
Negligence
Breach of contract
Invasion of privacy
Violations of state data security regulations (e.g., Mass. Data Security Reg.)
Violations of federal data compliance/security regulations (e.g., FCRA, ECPA, CFAA, etc.)
Civil RICO

Slide 34: How Concerned are Boards about Cyber?
According to a 2016 NACD survey, 46% of Boards were concerned about cyber, the fourth highest ranked concern of Boards for

Slide 35: Have You Stopped Buying Based upon a Breach?
Research by the Lares Institute.
(Bar chart of Yes/No responses; the two values shown are 78% and 22%.)

Slide 36: Fiduciary Duties Generally
Fiduciary duties are state law specific. Generally, directors have:
Duty of Care
Duty of Loyalty
Duty of Oversight
The most relevant duties are the Duty of Care and Oversight.

Slide 37: Duty of Care
The Board must act on an informed basis after due consideration of relevant materials and proper deliberation.
Adequate procedure drives the court's inquiry. Did the Board:
have access to relevant information?
receive input from management and advisors?
consider alternatives?
follow a reasonable process?
adequately deliberate?
Directors may rely on the reports and advice of appropriate advisors, including officers and employees of the Company, counsel, and other professionals.

Slide 38: Business Judgment Rule
Ordinarily, a decision to take action, or a conscious decision not to act, is entitled to the protection of the business judgment rule, and a court will not substitute its judgment for that of the Board.
To be eligible for this protection, the Board's actions must be:
Based on material information available with reasonable diligence and inquiry
Made in good faith
Made in the honest belief that the action taken or not taken is in the best interest of the Company and its stockholders
Made without a conflict of interest
A person challenging the Board's decision has the burden to show the Board failed to satisfy its fiduciary duties.

Slide 39: Duty of Oversight
In re Caremark (Del. Ch. 1996), duty of oversight: A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.
Stone v. Ritter (Del. 2006): To establish a breach of oversight, it must be pleaded and proven that: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.

Slide 40: Understanding Cyber
Cyber is an asymmetric threat. This means that the attackers may know more about your vulnerabilities than management does. The Board will inherently know less about the vulnerabilities than management.
Ultimately, managing cyber risk is a governance issue; to appropriately manage this risk, the Board must understand the potential risks to the business.
Information Risk/Value: Information is an asset of the company, and the Board should ensure that it is appropriately protected, valued, and utilized for the benefit of the company.

Slide 41: The Costs of Cyber
Costs of not addressing cyber can include:
Financial;
Legal/compliance;
Reputational; and
Operational risks.
But there are costs to consider when addressing cyber:
Costs of remediation;
Customer friction;
Loss of productivity; and
Breaking systems.
Ultimately, management must balance all of these costs and determine what the appropriate risk governance strategy is.

Slide 42: What Is Your Cyber Risk Tolerance?
After examining the potential impact of a cyber event, management, with appropriate input from the Board, should determine what the company's risk tolerance is regarding cyber.
Ultimately, the Board needs to understand the earnings impact of the risk tolerance of the Company and ensure that it and management are aligned, and it must ensure, via its oversight responsibility, that Company management appropriately addresses cyber.

Slide 43: Where Should Cyber Sit at the Board?
Dodd-Frank requires certain financial institutions to have a Risk Committee at the Board. While it is not required for other companies, some Boards have created Risk Committees.
The Board should determine where cyber fits in any relevant committees of the Board, whether that is through Audit, Risk, or other committees.
While it is not a requirement, Boards should consider whether cyber should factor into other committees, including compensation, nominating and governance, as well as how it should fit into the Board Agenda.

Slide 44: All Companies Have Information of Value
Companies create and process a significant amount of information:
Financial information;
Information regarding individuals (employees and customers);
Proprietary/confidential information:
IP;
Undisclosed M&A activity;
Business and marketing plans; and
Pricing;
Information regarding business processes, including process improvements;
Information regarding business trends;
Social data/user-generated content;
Machine data; and
Many other forms of information.

Slide 45: Understanding the Cyber Threat
Threat Actors: Organized Criminals; Nation States; Hacktivists; Insiders
Goals: Intellectual Property; Financial Information; Strategic Access/Destruction; Terrorism; Embarrassment

Slide 46: Challenges
Threat actors have more time and more resources.
The threats are constantly changing.
Inadequate information sharing.
Chief Information Security Officers cite gaps in skill sets on their teams, lack of bandwidth, and inadequate budgets as some of the biggest issues.

Slide 47: Ramifications
Cyber can impact the Company in a number of ways:
Loss of trust/reputational harm;
Bad PR;
Impact on earnings due to:
Loss of customers (including for B-to-B Companies);
Increased costs that result from fines, response costs, investigative costs, litigation costs and settlements, remediation costs, as well as many others; and
Significant distraction for employees, management, and the Board.

Slide 48: What Should the Board Do?
Understand the cyber risk profile of the Company by discussing this with management, and any appropriate third parties;
As appropriate, engage with management to help set the risk tolerance for the company;
Make sure that management has appropriate processes and programs to engage in appropriate risk assessment, which include identifying, assessing, and mitigating risk;
Make sure that management appropriately communicates the risk;
Engage in appropriate oversight by:
making sure that cyber is appropriately addressed by the Board, including through relevant committees;
ensuring that risks are appropriately remediated; and
ensuring the cyber risk program is otherwise functioning appropriately; and
Do an appropriate, executive-level table-top exercise.

Slide 49: What Should Management Do?
Conduct an appropriate enterprise cyber risk assessment;
Determine what your most critical systems and information are;
Assist the Board with determining the Company's risk tolerance;
Create an appropriate, cross-functional risk governance structure that continually assesses and improves cyber risk. This includes organizational, behavioral, and technical changes;
Keep the Board appropriately informed of the Company's cyber risks;
Align incentives for employees with the risk tolerance of the Company;
Make sure escalation criteria are clear; and
Engage in appropriate business continuity planning.

Slide 50: What Should Management Do?
Appropriately manage the company's cyber risks, via an appropriate cyber risk mitigation program, including appropriately remediating known cyber issues;
Have a third party evaluate your company (under privilege);
Test and train employees, as appropriate, on common attack vectors such as phishing;
Make sure escalation criteria are clear;
Appropriately plan for any foreseeable business disruption due to cyber;
Engage in appropriate information sharing;
Develop appropriate relationships with law enforcement; and
Practice responding to a security incident.

Slide 51: SEC Issues
Risk Factors need to be reviewed
When to Disclose a Breach
Enforcement (Coordination with DOJ)
Pre-Breach Questions
Post-Breach Questions

Slide 52: Lessons Learned from Breaches
Unclear decision making paths
Unclear escalation criteria
Lack of practice on incident response plan
Lack of business continuity planning

Slide 53: Board Dos and Don'ts
Ask the right questions
Ask if the right experts have been retained
Engage in appropriate oversight

Slide 54: What Should the Board Be Asking?
Is our actual cyber risk consistent with our intended cyber risk?
Have we considered appropriate risk shifting devices, such as insurance?
Is the Board appropriately engaged regarding cyber, and does it have the appropriate organizational structures, including committees, to meet its oversight obligations? This includes assessing how often, and where, cyber is reported on to the Board.
What organizational structures at the management level exist to measure, govern, and assess data and information risk, and how are threat assessments managed and reported?
Does management appropriately report on cyber risk to the Board?
Does management consider cyber risk, as appropriate, when it makes decisions regarding new products or services?

Slide 55: What Should the Board Be Asking?
Has management reviewed and de-conflicted these cyber organizational structures with the organizational structures for other risks, i.e., is your cyber risk management consistent in approach with the management of other risks?
Have the company's security processes and systems been reviewed by a third-party assessor? Third-party review of cybersecurity readiness can be a crucial factor in defending the company after a security incident, as well as helping a company to take reasonable steps to prepare for and defend against a cyberattack.
Has internal audit been appropriately engaged?
Does the company have an incident response plan, and are the appropriate business leaders identified in it? Is it cross-functional? Have you tested it through a tabletop?

Slide 56: What Should the Board Be Asking?
Has the level of penetration testing (internal and external), software patching, and other similar activities been reviewed by a third party to ensure it is adequate for your company?
Has the company benchmarked its cybersecurity risk posture against those of other similar businesses?
Has management determined what the company's information sharing strategy is?
Has management allocated responsibility for protecting the Company's information assets appropriately?
Has management completed a high-level data inventory of the company's information assets so that it has an understanding of what information the Company has and generally where it is located?

Slide 57: What Should the Board Be Asking?
Has management done a thorough review of policies and procedures to ensure that they comply with the relevant data security laws and are consistent with industry best practice?
Has management done appropriate resiliency planning for a cyber attack?


Determining Whether You Are a Business Associate

Determining Whether You Are a Business Associate The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information

More information

Designing Privacy Policies and Identifying Privacy Risks for Financial Institutions. June 2016

Designing Privacy Policies and Identifying Privacy Risks for Financial Institutions. June 2016 Designing Privacy Policies and Identifying Privacy Risks for Financial Institutions June 2016 Program Overview Regulatory Environment Who Needs a Privacy Program and Common Questions Components of a Comprehensive

More information

Trade Secret Theft: Protecting the Crown Jewels March 25, 2015

Trade Secret Theft: Protecting the Crown Jewels March 25, 2015 Trade Secret Theft: Protecting the Crown Jewels March 25, 2015 Presented by: Dan Rubinstein Today s elunch Presenter Dan Rubinstein Litigation Chicago, Los Angeles drubinstein@winston.com 2 Trade Secret

More information

Cyber Risk Mitigation

Cyber Risk Mitigation Cyber Risk Mitigation Eide Bailly Howalt + McDowell Insurance Introduction Meet your presenters Eric Pulse Risk Advisory Director 20 years in the public accounting and consulting industry providing information

More information

JAMES GRAY SPECIAL GUEST 6/7/2017. Underwriter, London UK Specialty Treaty Beazley Group

JAMES GRAY SPECIAL GUEST 6/7/2017. Underwriter, London UK Specialty Treaty Beazley Group SPECIAL GUEST JAMES GRAY Underwriter, London UK Specialty Treaty Beazley Group All 6 Beazley Lloyd's Syndicates are rated A (Excellent) by A.M. Best Admitted Carrier in the US Beazley Ins Co rated A (Excellent)

More information

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES PROPOSED 23 NYCRR 500 CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES PROPOSED 23 NYCRR 500 CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES PROPOSED 23 NYCRR 500 CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES I, Maria T. Vullo, Superintendent of Financial Services, pursuant to the

More information

Compliance With the Red Flags Rules

Compliance With the Red Flags Rules For Audio Participation, Please Call 1.866.281.4322, *1382742* Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321

More information

DATA PROTECTION ADDENDUM

DATA PROTECTION ADDENDUM DATA PROTECTION ADDENDUM In the event an agreement ( Underlying Agreement ) entered into by and between (i) either Sunovion Pharmaceuticals Inc. or its subsidiary, Sunovion Pharmaceuticals Europe Ltd.

More information

DATA PROCESSING AGREEMENT/ADDENDUM

DATA PROCESSING AGREEMENT/ADDENDUM DATA PROCESSING AGREEMENT/ADDENDUM This Data Processing Agreement ( DPA ) is made and entered into as of this day of, 2018 forms part of our Terms and Conditions (available at www.storemaven.com/terms-of-service)

More information

Enhanced Cyber Risk Management Standards. Advance Notice of Proposed Rulemaking

Enhanced Cyber Risk Management Standards. Advance Notice of Proposed Rulemaking Draft 11/29/16 Enhanced Cyber Risk Management Standards Advance Notice of Proposed Rulemaking The left column in the table below sets forth the general concepts that the federal banking agencies are considering

More information

South Carolina General Assembly 122nd Session,

South Carolina General Assembly 122nd Session, South Carolina General Assembly 122nd Session, 2017-2018 R184, H4655 STATUS INFORMATION General Bill Sponsors: Reps. Sandifer and Spires Document Path: l:\council\bills\nbd\11202cz18.docx Companion/Similar

More information

2016 Risk Practices Survey

2016 Risk Practices Survey Strong Board. Strong Bank. 2016 Risk Practices Survey MAR 2016 RESEARCH Sponsored by: 2 2016 RISK PRACTICES SURVEY TABLE OF CONTENTS Executive Summary 3 Risk Governance & Oversight 4 Risk Culture & Infrastructure

More information

HOW TO INSURE CYBER RISKS? Oulu Industry Summit

HOW TO INSURE CYBER RISKS? Oulu Industry Summit HOW TO INSURE CYBER RISKS? Oulu Industry Summit 2017 6.10.2017 Panu Peltomäki Liability and Financial Lines Practice Leader Marsh Oy Marsh A Leader in Quality, Scope, and Scale GLOBAL RISKS OF CONCERN

More information

Aligning Risk Management with CU Business Strategy

Aligning Risk Management with CU Business Strategy Aligning Risk Management with CU Business Strategy Managing your most pressing risks CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited 2016 CUNA Mutual Group, All Rights

More information

We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber

We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber We re Under Cyberattack Now What?! John Mullen, Partner/Co-founder, Mullen Coughlin Jason Bucher, Senior Underwriting Manager, Schinnerer Cyber Protection Data Creates Duties What data do you access, and

More information

Whistleblower Update MAPI LAW COUNCIL MEETING FALL Miriam Fisher Eric Swibel November 9, 2017

Whistleblower Update MAPI LAW COUNCIL MEETING FALL Miriam Fisher Eric Swibel November 9, 2017 MAPI LAW COUNCIL MEETING FALL 2017 Whistleblower Update Miriam Fisher Eric Swibel November 9, 2017 Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the

More information

Best Practices Trump Regulatory Compliance

Best Practices Trump Regulatory Compliance Best Practices Trump Regulatory Compliance Brian Hamburger, JD, CRCP President and CEO February 16, 2017 T3 Advisor Conference T3 Advisor Conference Cybersecurity Recruiting Equity Plan Design Succession

More information

The Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage

The Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage The Wild West Meets the Future: Key Tips for Maximizing Your Cyber and Privacy Insurance Coverage James P. Bobotek james.bobotek@pillsburylaw.com (202) 663-8930 Pillsbury Winthrop Shaw Pittman LLP DOCUMENT

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

The Cost of Identity Theft to Business What Business Owners Must Know Now

The Cost of Identity Theft to Business What Business Owners Must Know Now The Cost of Identity Theft to Business What Business Owners Must Know Now An Introduction to the Fair and Accurate Credit Reporting Act (FACTA): What Business Owners Must Know Now It often seems that there

More information

RIMS Cyber Presentation

RIMS Cyber Presentation RIMS Cyber Presentation Forrest Pace Cyber & Strategic Risk Leader South Zone AIG Property Casualty Forrest.Pace@aig.com 1 Bio Forrest Pace is the Cyber and Strategic Risk Leader for the South Zone, coordinating

More information

Cyber Risk & Insurance

Cyber Risk & Insurance Cyber Risk & Insurance Digitalization in Insurance a Threat or an Opportunity Beirut, 3 & 4 May 2017 Alexander Blom - AIG 1 Today s Cyber Presentation Cyber risks insights from an insurance perspective

More information

2/13/2013 MANAGING A COMPLIANCE CRISIS: BE PREPARED! THE CASE FOR COMPLIANCE:

2/13/2013 MANAGING A COMPLIANCE CRISIS: BE PREPARED! THE CASE FOR COMPLIANCE: SCCE UTILITIES & ENERGY COMPLIANCE & ETHICS CONFERENCE February 26, 2013 Houston, TX MANAGING A COMPLIANCE CRISIS: BE PREPARED! BART SCHWARTZ, GUIDEPOST SOLUTIONS LLC. THE CASE FOR COMPLIANCE: Not all

More information

Cyber Security Liability:

Cyber Security Liability: www.mcgrathinsurance.com Cyber Security Liability: How to protect your business from a cyber security threat or breach. 01001101011000110100011101110010011000010111010001101000001000000100100101101110011100110111

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

Frequently Asked Questions

Frequently Asked Questions Frequently Asked Questions How do you protect my identity? We use our proprietary software to proactively monitor various sources. Through PrivacyArmor, you will also have the power to create thresholds

More information

Risk Associated with Meetings

Risk Associated with Meetings Risk Associated with Meetings Risks Associated with Meetings & Events: No Company is Exempt Meetings and events remain a necessary way for people and organizations to communicate information, build relationships,

More information

Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches. April 3, 2009

Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches. April 3, 2009 Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches April 3, 2009 Jon A. Neiditz Cynthia B. Hutto Ross E. Sallade Eli A. Poliakoff Nelson Mullins Healthcare Information

More information

Largest Risk for Public Pension Plans (Other Than Funding) Cybersecurity

Largest Risk for Public Pension Plans (Other Than Funding) Cybersecurity Largest Risk for Public Pension Plans (Other Than Funding) Cybersecurity 2017 Public Safety Employees Pension & Benefits Conference Ronald A. King (517) 318-3015 rking@ I am convinced that there are only

More information

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15) Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent

More information

DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses)

DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses) DATA PROCESSING AGREEMENT (GDPR, Privacy Shield, and Standard Contractual Clauses) This Data Processing Agreement ("DPA") forms part of the Master Services and Subscription Agreement between Customer and

More information

Cyber & Privacy Liability and Technology E&0

Cyber & Privacy Liability and Technology E&0 Cyber & Privacy Liability and Technology E&0 Risks and Coverage Geoff Kinsella Partner http://map.norsecorp.com http://www.youtube.com/watch?v=f7pyhn9ic9i Presentation Overview 1. The Cyber Evolution 2.

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the Master Purchase Agreement, Customer Agreement, Channel Partner Agreement, End User License Agreement or other written agreement

More information

Information Security and Third-Party Service Provider Agreements

Information Security and Third-Party Service Provider Agreements The Iowa State Bar Association s ecommerce & Intellectual Property Law Sections presents 2016 Intellectual Property Law & ecommerce Seminar Information Security and Third-Party Service Provider Agreements

More information

Cyber Risk Management

Cyber Risk Management Cyber Risk Management Agenda Asset Inventory and Baselines Vendor Management Incident Response Planning Resilience Insurance Considerations All. Together. Certain. 2 1 Asset Inventory and Baselines All.

More information

The Risk-based Approach to Data Breach Response Meeting mounting expectations for effective, relevant solutions

The Risk-based Approach to Data Breach Response Meeting mounting expectations for effective, relevant solutions The Risk-based Approach to Data Breach Response Meeting mounting expectations for effective, relevant solutions Our Speakers Mark Melodia is Partner and Co-Head of the Global Data Security, Privacy & Management

More information

FIDUCIARY DUTIES OF THE BOARD OF DIRECTORS

FIDUCIARY DUTIES OF THE BOARD OF DIRECTORS FIDUCIARY DUTIES OF THE BOARD OF DIRECTORS Jenifer R. Smith, Partner September 21, 2017 www.dlapiper.com September 2017 0 Introduction Every director owes fiduciary duties to the corporation and its shareholders.

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

CYBER LIABILITY REINSURANCE SOLUTIONS

CYBER LIABILITY REINSURANCE SOLUTIONS CYBER LIABILITY REINSURANCE SOLUTIONS CYBER STRONG. CYBER STRONG. State-of-the-Art Protection for Growing Cyber Risks Businesses of all sizes and in every industry are experiencing an increase in cyber

More information

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements

More information

Cyber Liability State of the Insurance Market & Risk Update Sept 8, ISACA North Texas

Cyber Liability State of the Insurance Market & Risk Update Sept 8, ISACA North Texas Cyber Liability State of the Insurance Market & Risk Update Sept 8, 2016 ISACA North Texas Agenda Introduction Cyber Liability Overview State of Insurance Regulatory Update Questions and Discussion 2 Speakers

More information

How to Cut Down on Security Risks:

How to Cut Down on Security Risks: How to Cut Down on Security Risks: What You Don t Know About HIPAA Security October 29, 2015 2015 Epstein Becker & Green, P.C. All Rights Reserved. ebglaw.com Presented by Adam Solander Member of the Firm

More information

1.5 This policy meets the guidance provided by the ICO on data security breach management.

1.5 This policy meets the guidance provided by the ICO on data security breach management. William Austin Junior School Data Breach Policy Introduction 1.1 The Data Protection Act 2018 (DPA) is based around six principles of good information handling. These give people specific rights in relation

More information

Cybersecurity Curveballs in Vendor Risk Management Programs

Cybersecurity Curveballs in Vendor Risk Management Programs Cybersecurity Curveballs in Vendor Programs 2016 SoCal Cybersecurity, & Data Protection Retreat November 7, 2016 2016 Reed Smith LLP. All rights reserved. The contents of this presentation are for informational

More information

Your defence toolkit. How to combat the cyber threat

Your defence toolkit. How to combat the cyber threat Your defence toolkit How to combat the cyber threat Contents The threat of cyber crime 4 How UK businesses are targeted 6 Case studies 8 Why cyber security is so important to manufacturers now 10 The

More information

SECURITY POLICY 1. Security of Services. 2. Subscriber Security Administration. User Clearance User Authorization User Access Limitations

SECURITY POLICY 1. Security of Services. 2. Subscriber Security Administration. User Clearance User Authorization User Access Limitations ! SECURITY POLICY This Security Policy ( Policy ) applies to all Services provided by Collective Medical Technologies, Inc. ( CMT ) pursuant to a Master Subscription Agreement ( Underlying Agreement )

More information

Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises

Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises By David Zetoony Partner, Bryan Cave LLP Courtney Stout Counsel, Davis Wright Tremaine LLP With Contributions By Suzanne Gladle,

More information

New legislation brings changes to how data is handled

New legislation brings changes to how data is handled New legislation brings changes to how data is handled April 2018 Lockton Companies New European Union (EU) data protection rules may require changes to how businesses handle personal data even if the businesses

More information

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability

More information

DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY

DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY Coverage under this endorsement is subject to the following: PART 1 RESPONSE

More information

MEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT

MEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT MEASURING & PRICING THE COST DRIVERS OF A CYBER SECURITY RISK EVENT IOWA ACTUARIES CLUB 2/25/16 EDUCATION DAY PRESENTED BY KEITH BURKHARDT, V.P. KRAUS-ANDERSON INSURANCE Overview I. Why are cyber security

More information

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile

More information

RISK MANAGEMENT FRAMEWORK OVERVIEW

RISK MANAGEMENT FRAMEWORK OVERVIEW Perpetual Limited RISK MANAGEMENT FRAMEWORK OVERVIEW September 2017 Classification: Public Page 1 of 6 COMMITMENT TO RISK MANAGEMENT As a publicly listed company and provider of financial products and

More information

HOW TO EXECUTE THIS DPA:

HOW TO EXECUTE THIS DPA: DATA PROCESSING ADDENDUM (GDPR, and EU Standard Contractual Clauses) (Rev. April 20, 2018) This Data Processing Addendum ( DPA ) forms part of the Master Subscription Agreement or other written or electronic

More information

CYBER CLAIMS BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIMS & LEGAL GROUP

CYBER CLAIMS BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIMS & LEGAL GROUP www.willis.com July 2015 CYBER CLAIMS BRIEF A SEMI-ANNUAL PUBLICATION FROM YOUR WNA FINEX CLAIMS & LEGAL GROUP INSIDE THIS EDITION... CYBER CLAIMS LANDSCAPE A SAMPLING OF LARGE CYBER SETTLEMENTS LEGAL

More information

The Impact of Technology on Nonprofit Governance (and its Regulation)

The Impact of Technology on Nonprofit Governance (and its Regulation) The Impact of Technology on Nonprofit Governance (and its Regulation) Presented to: 2017 NAAG/NASCO Annual Conference October 2, 2017 Washington, D.C. Michael W. Peregrine McDermott Will & Emery LLP MPeregrine@mwe.com

More information

GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers

GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers Area 1 Security, Inc. 142 Stambaugh Street Redwood City, CA 94063 EU GDPR DPA GDPR Data Processing Addendum (DPA) Instructions for Area 1 Security Customers Who should execute this DPA: If you qualify

More information

Governing Body Responsibilities for Implementing Effective Compliance and Ethics Programs

Governing Body Responsibilities for Implementing Effective Compliance and Ethics Programs Governing Body Responsibilities for Implementing Effective Compliance and Ethics Programs Tim Timmons Corporate Integrity Officer Greater Oregon Behavioral Health, Inc. #NatCon14 What We ll Cover Today

More information

Outside the Courtroom Auditing Under Legal Privilege. Houston IIA Conference

Outside the Courtroom Auditing Under Legal Privilege. Houston IIA Conference Outside the Courtroom Auditing Under Legal Privilege Houston IIA Conference Some Interesting Statistics Around 25% of frauds are uncovered due to employee tips, while 19% are uncovered through internal

More information

Summary Comparison of Current Senate Data Security and Breach Notification Bills

Summary Comparison of Current Senate Data Security and Breach Notification Bills Data Security reasonable Standards measures Specific Data Security Requirements Personal Information Definition None (a) First name or (b) first initial and last name, in combination with one of the following

More information

Cyberinsurance: Necessary, Expensive and Confusing as Hell. Presenters: Sharon Nelson and Judy Selby

Cyberinsurance: Necessary, Expensive and Confusing as Hell. Presenters: Sharon Nelson and Judy Selby Cyberinsurance: Necessary, Expensive and Confusing as Hell Presenters: Sharon Nelson and Judy Selby Setting the stage 2018 report from PwC one-third of US businesses have some form of cyberinsurance PwC

More information

Solving Cyber Risk. Security Metrics and Insurance. Jason Christopher March 2017

Solving Cyber Risk. Security Metrics and Insurance. Jason Christopher March 2017 Solving Cyber Risk Security Metrics and Insurance Jason Christopher March 2017 How We Try to Address Cyber Risk What is Cyber Risk? Definitions Who should be concerned? Key categories of cyber risk Cyber

More information

How to mitigate risks, liabilities and costs of data breach of health information by third parties

How to mitigate risks, liabilities and costs of data breach of health information by third parties How to mitigate risks, liabilities and costs of data breach of health information by third parties April 17, 2012 ID Experts Webinar www.idexpertscorp.com Rick Kam President and Co-Founder richard.kam@idexpertscorp.com

More information

Sponsored by. Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment

Sponsored by. Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment Sponsored by Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment Table of Contents Welcome 3 Executive Summary 4 Introduction and Methodology 6 Preparation and Readiness 8 - Client Awareness

More information

Tech and Cyber Claims Services

Tech and Cyber Claims Services Tech and Cyber Claims Services Insurance Tech, Cyber Claims and our Breach Response Service The technology industry is a significant area of expertise for the Firm where we advise on contentious and non-contentious

More information

Insuring your online world, even when you re offline. Masterpiece Cyber Protection

Insuring your online world, even when you re offline. Masterpiece Cyber Protection Insuring your online world, even when you re offline Masterpiece Cyber Protection Protect your online information from being an open network 97% of Chubb clients who had a claim paid were highly satisfied

More information

LIABILITY INTERRUPTION OF ACTIVITIES CYBER CRIMINALITY OWN DAMAGE AND COSTS OPTION: LEGAL ASSISTANCE

LIABILITY INTERRUPTION OF ACTIVITIES CYBER CRIMINALITY OWN DAMAGE AND COSTS OPTION: LEGAL ASSISTANCE I N S U R A N C E a g a i n s t c y b e r r i s k s After "prevention", risk covering is always the next step. Good insurance policies have the substantial merit allowing people to progress, even choosing

More information

SECURITY SAFEGUARD BREACH GUIDE

SECURITY SAFEGUARD BREACH GUIDE SECURITY SAFEGUARD BREACH GUIDE On November 1, 2018, new regulations will come into force that will require all organizations, including insurance brokers, to report breaches of security safeguards that

More information

Cyber Security & Insurance Solution Karachi, Pakistan

Cyber Security & Insurance Solution Karachi, Pakistan March 2017 Cyber Security & Insurance Solution Karachi, Pakistan Ram Garg CFA, MBA Financial & Casualty Line J B Boda & Co (Singapore) Pte Ltd Karachi Insurance Institute Agenda Cyber Risk - Background

More information