Cyber Risk Management

Size: px

Start display at page:

Download "Cyber Risk Management"

Maud Robinson
5 years ago
Views:

1 Cyber Risk Management Privacy & Data Protection Agenda 2 Introductions Risk Management 101 Defining & Quantifying a Breach Prevention, Mitigation & Transfer Strategies Finance Strategy- Cyber Insurance Underwriting Criteria First Party vs. Third Party Coverages Case Studies Q&A 1

2 What is Risk Management? Risk management is the continual process of identifying, measuring, and minimizing the effects of risk. Engage Assess Implement Plan Identify The Opportunities Organize & Categorize initiatives Quantify The Impact Prioritize The Initiatives Create a Strategic Plan Engage Team & Strategic Partners Continually Monitor Progress 3 Risk Management 101 Types of Risk Business Strategic Hazard Risk Management Strategies Prevent Transfer Mitigate Assume Finance 4 2

3 Defining a Breach A data breach is an incident that involves the unauthorized or illegal viewing, access, or retrieval of data by an individual, application, or service. It is a type of security breach specifically designed to steal and/or publish data to an unsecured or illegal location. 5 Source: Quantifying a Breach Average Number of Records Breached Per Incident: 28,765 Average Cost Per Breached Record: $192 - $240 Varying Factors Number of Records Breached Type of Breach (PCI, PHI, or PII) Class Action Lawsuit Filed? 6 Source: Ponemon Institute / Symantec Study 3

4 Risk Management Type of Risk Risk Management Strategies Prevent? Mitigate? Transfer? 7 My Password is 8 4

5 Finance Strategies Cyber Liability Insurance - A type of insurance designed to cover consumers of technology services or products (sometimes referred to Privacy & Data Protection Insurance). More specifically, the policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network. Most notably, but not exclusively, cyber and privacy policies cover a business liability for a data breach (either in physical form, or via an electronic platform). 9 Process of Financing Applications Underwriter Review Quote Review Purchase 10 5

6 Application Process Technical Questions Operational Questions Addendum On Additional Information 11 Underwriter Review Industry Classification Annual Revenue PII Quantity Minimum Controls Standard and Advanced Controls Red Flags 12 6

7 Key Coverages 1 st Party Notification Crisis Management Forensic Costs Public Relations Regulatory expenses Business Interruption 3 rd Party Liability 13 1 st Party Coverages Investigation Expense Coverage to determine the source or cause of the Data Privacy Wrongful Act or Network Security Wrongful Act. 14 Source: THDPNSLP 7

8 1 st Party Coverages Notification and Credit Monitoring Expense Coverage Notify customers Credit monitoring services Voluntary Notifications 15 1 st Party Coverages Business Interruption Income loss and extra expenses during the period of restoration Must result from a network attack A retention of 8-12 hours 16 8

9 1 st Party Coverages Crisis Management Expense Coverage Public Relations firm Crisis Management Firm IdentityTheft 911 Pre- and Post Breach Services 17 3 rd Party Coverages Data Privacy Regulatory Expense Coverage Fines and Penalties levied against insureds PCI Fines and Penalties 18 9

10 3 rd Party Coverages Privacy Liability the improper dissemination of Nonpublic Personal Information; or any breach or violation by the Insured of any Data Privacy Laws rd Party Coverages Network Security Liability Unauthorized access, use of the computer system Inability of an authorized 3 rd party to access Failure to prevent identity theft Transmission of malicious code Others 20 10

11 3 rd Party Coverages E-Media Liability Provides cover for suits from electronic media Libel, defamation, slander, copyright infringement 21 Crisis Management Services Pre-approved vendors 1 st party expenses Risk Management Services/Resources Web portals Phone services 22 11

12 Conditions Notification provisions Breach from 3 rd party services Definition of PII Unencrypted portable devises exclusion 23 Quote Evaluation Limits Sublimits Retentions 24 12

Lab MD: Choosing Vendors Wisely And Fighting The FTC Medical Testing Co with policies in place Good Samaritan vendor finds private data and offers to resolve for a fee GTC

13 Lab MD: Choosing Vendors Wisely And Fighting The FTC Medical Testing Co with policies in place Good Samaritan vendor finds private data and offers to resolve for a fee GTC Investigates $4.6MM revenue LabMD goes bankrupt; letting go of 30 employees Vendor discovered as only entity to see data 25 Outside the Dark Web Image: Kaspersky Lab 26 13

Outside the Dark Web Image: SBR Money 27

sent to a victim with the intent of tricking

14 Outside the Dark Web Image: SBR Money 27 Phishing Definition: a form of social engineering in which a message, typically an , with a malicious attachment of link I sent to a victim with the intent of tricking the recipient to open an attachment Top Industries ALL 28 14

Phishing How: Spear fishing: targeted attacks Phishing: mass communication Clone phishing: using legit content with modified links and resent Whaling: targeted attacks of senior executives

15 Phishing How: Spear fishing: targeted attacks Phishing: mass communication Clone phishing: using legit content with modified links and resent Whaling: targeted attacks of senior executives Impact: Loss of money Malicious code intrusion Loss of Personally Identifiable Information Loss of internal information 29 If you give a man a phish

16 you feed him for a day. 31 If you teach a man to phish

17 you might not get malware 33 Skimmer 34 17

18 ICS/IOT Vulnerabilities 35 ICS/IOT Vulnerabilities 36 18

19 ICS/IOT Vulnerabilities 37 Final Thoughts It s no longer a matter of if, but when Risk management matters...education/awareness matters Cyber indications are easy to obtain for most industries No two cyber policies are created equally Assess tools and resources available by the insurance companies offering coverage Cheaper is not always better but some protection is better than no protection Know the difference between cyber liability and crime insurance 38 19

20 Questions? 20

ChicagoLand RIMS Cyber Insurance Coverage Pitfalls and How to Avoid Them

ChicagoLand RIMS Cyber Insurance Coverage Pitfalls and How to Avoid Them PROVIDED BY HUB INTERNATIONAL October 25th, 2016 W W W. C H I C A G O L A N D R I S K F O R U M. O R G AGENDA 1. The evolution of