Evaluating Your Company s Data Protection & Recovery Plan

Size: px

Start display at page:

Download "Evaluating Your Company s Data Protection & Recovery Plan"

Cora Bryan
5 years ago
Views:

1 Evaluating Your Company s Data Protection & Recovery Plan CBIA Cybersecurity Webinar Series 11AM 12PM Part V. Presented by: Stewart Tosh Charles Bellingrath Date: December 7, 2017

2 Today s presenters Stewart Tosh, Key Insurance & Benefits Services VP, Business Development Charles Bellingrath, ARC Excess & Surplus LLC National Practice Leader Insurance Products offered are: Not FDIC-insured; not a deposit in, obligation of, nor insured by any federal government agency; not guaranteed or underwritten by the bank; not a condition to the provisions or terms of any banking service or activity. Insurance services, benefits consulting services and insurance products are offered through Key Insurance & Benefits Services, Inc. ( KIB ), which is a licensed insurance broker and agent. Insurance policies are obligations of the insurers that issue the policies. Insurance products may not be available in all states. KIB and KeyBank are separate entities, and when you purchase risk management services, business consulting services or insurance products you are doing business with KIB, and not KeyBank KeyCorp

3 Evolving Liabilities of Cyber, Privacy & Security Risks 63 % of organizations affected are privately owned According to the 2016 BakerHostetler Incident Response Report Personal Identifiable Information (PII) HIPAA Protected Heath Information (PHI) Payment Card Information (PCI) Corporate Confidential Information

4 Types of Fraud and how they originate Please note: This list is not comprehensive. Criminals are coming up with new and more efficient methods all of the time. Ransomware Business Compromise File sharing or Peer-to-Peer software Hacking/Malware Corrupt employees Spear Phishing, SMiShing, Vishing Social networking websites Account hijacking

5 Watch Out for Ransomware WannaCry?

6 Breaches: By Whom and Where? Who has Unauthorized Access? - Hackers - Employees, Faculty and Students - Outsourcers and Third Party Vendors What are they accessing? - Laptops - Computer Networks/Wireless Networks - PDAs/Cell Phones - Paper Files - Websites - Clouds

7 Latest Threat CryptoLocker (Ransome Malware) Spreads via phishing (fake FedEx or UPS) Finds critical files, shares, USB devices on the victim s PC Encrypts the data with a proprietary key Making the data unavailable Sends the decryption key back to their command and control (C2) system (bad guys) Splash pages tells victim where to go to recovery their encrypted files (for a price) Ransom payment is required (but not always honored)

8 Types of fraud: Social engineering Typically excluded under your standard Crime Policy. What it is: Social engineering is the practice of obtaining sensitive information by tricking people into breaking normal security procedures. Account hijacking One type of social engineering where an individual s account, computer account or any other account associated with a computing device or service is stolen or hijacked by a hacker Examples of social engineering techniques: Fraudsters, impersonating a trusted party, may attempt to contact you via SMS text message (mobile), (online), or telephone (in person)

9 Types of Social Engineering: Phishing What it is: Phishing seeks to acquire a user s credentials by contacting an individual falsely claiming to be a legitimate entity to scam them into surrendering passwords, financial or personal information, or infecting the individual's computer with malware. How it works: Fake notices that appear to be coming from banks, auction sites, e-pay systems, etc. are sent via or SMS text messages (SMiShing) Recipient is encouraged to take an immediate action; like click a link to enter or update personal data. Messages usually contain an urgent tone; like threats to block accounts or lose access if request is not completed.

10 Protect against Social Engineering Be suspicious of anyone requesting sensitive information. Never provide system credentials or any other personal information on an unsolicited inbound call. Always verify the identity of an unsolicited caller by insisting on calling him or her back at a trusted phone number listed for that company. Remember that Caller ID is not a foolproof way to verify a caller's identity.

11 Types of Phishing Friday, August 12, 2005 Monday, May 19, 2014 Dilbert - Used with permission

12 Latest Threat How Does Traditional Insurance Respond? Insurance coverage for Cyber, Privacy & Security Risks How does traditional insurance respond? While markets are starting to be more consistent in coverages offered as they pertain to Cyber, there is still a very wide variety. - Property Policies? - CGL Insurance Policies? - Crime Insurance Policies? - Directors & Officers Liability? - Errors & Omissions Liability?

13 Wording Coverage Trigger Definition of Breach Definition of Claim System Damage Minimum Standards Encryptions Paper Records Defense Counsel Attorney Client Privilege Preservation of Evidence

14 Exclusions Fraud/Dishonesty Failure to Disclose Unencrypted Devices Cell Phones/Laptops Wireless Network Call Back Verification Errors and Omissions of Third Parties Terrorism

15 Understanding the Breach and Your Loss There are two types of losses the first is Coverage for liability to other entities when a breach occurs defense and covered damages First Party Loss - Cost to hire a breach coach/legal services - Cost to hire a computer security/forensic expert - Cost to notify the affected individuals - Cost to provide credit monitoring to affected individuals - Cost to hire a public relations/crisis management firm to help remediate reputational harm resulting from the breach Cyber Business Income & Extra Expense including Data Restoration Cyber Extortion / Ransomware Payments

16 Understanding the Breach and Your Loss The second is Coverage for liability to other entities when a breach occurs defense and covered damages Third Party Loss - Failure to implement and maintain reasonable security measures - Negligence - Unfair, deceptive and unlawful business practices - Violation of privacy - Invasion of the customer s right to privacy - Breach of contract and violation of Consumer Fraud Act - Defense and damges - Media/Intellectual property - Regulatory actions including fines and penalties - PCI fines, penalties and assessments

17 Latest Threat Dealing With A Security Breach 47 States now have Breach Notification Requirements Data Breach Team and Incident Response Plan need to be in place. Compliance with Breach Notification Laws (local, federal, foreign) Notice all potentially applicable insurance The benefits of a dedicated Cyber Insurance Policy (risk transfer, access to breach coaches, forensic experts, etc.) Click the link below to see your states notification requirements: usiness_services/beazley_breach_response/security_breach_notification_laws.html

18 Latest Threat Connecticut Rules 90 days The discloser shall be made without unreasonable delay, but not later than ninety days after the discovery of the breach. Persons Covered by Statute Any persons, business or agency that conducts business in CT, and who, in the ordinary course of such Entity s business, owns, license, or maintains computerized data that includes PI. The provision governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on CT residents, whether or not the Entity conducts business in CT. Remember there are 47 States with breach rulings and you will have to follow each depending on where your customers reside.

Latest Threat Typical Costs Notification Costs: $1 to $2 per individual Credit Monitoring: $15 to $25 per person; 10% to 15% acceptable rate Average total cost of breach response: $665,000** Average

19 Latest Threat Typical Costs Notification Costs: $1 to $2 per individual Credit Monitoring: $15 to $25 per person; 10% to 15% acceptable rate Average total cost of breach response: $665,000** Average breach cost for large companies is $5.97MM** Average cost to defend a claim is $434,345* Average claim settlement is $880,836* * = Source 2015 netdiligence Claims Study ** = Source 2016 netdiligence Claims Study

20 Has your organization made changes to its cybersecurity controls as a result of recent cyber events? 23% 24% 53% Yes No Don't Know The Unfortunate Reality Not if but when The Costs of a data breach event may be significant Costs generally not covered by traditional insurance Information security and privacy liability insurance is available as a specialty coverage Advisen October 2017

Best Practices In addition to speaking with your insurance agent about fraud prevention solutions: Always be aware and keep informed on trends in the industry Monitor your accounts frequently

21 Best Practices In addition to speaking with your insurance agent about fraud prevention solutions: Always be aware and keep informed on trends in the industry Monitor your accounts frequently Evaluate your policies Verify your employee access rights and credentials regularly Review your payment types and methods Utilize dual controls and ensure separation of duties Implement fraud prevention and mitigation solutions Educate and train your employees Create an environment where employees are empowered Implement a Bring Your Own Device (BYOD) policy for your organization Use strong password protections and data encryption

22 Questions Questions Questions Questions Questions Questions Questions Questions

CYBER LIABILITY INSURANCE OVERVIEW FOR. Prepared by: Evan Taylor NFP

CYBER LIABILITY INSURANCE OVERVIEW FOR Prepared by: Evan Taylor NFP Targeted Industries Business Sector Financial Services 10% Non-Profit 11% Retail 10% Other 37% Other 18% Type of Data PII 40% Professional