HEALTHCARE INDUSTRY SESSION CYBER IND 011


Speakers:
- Jody Westby, Chief Executive Officer, Global Cyber Risk
- René Siemens, Partner, Covington & Burling LLP
- Brent Rieth, Senior Vice President and Team Leader, Aon Risk Solutions
- Jeff Driver, Chief Executive Officer, The Risk Authority Stanford

Learning Objectives

At the end of this session, you will:
- Have an understanding of the cyber threats facing healthcare
- Be able to identify the most common drivers of cyber risk in healthcare
- Understand cyber insurance coverage, key coverage concerns, potential gaps and limitations
- Learn strategies for managing and mitigating healthcare cyber risk

Healthcare in Cybercrime Bullseye

- 100 million medical records breached in 2015, roughly 1/3 of the US population (Fox News)
- 81% of medical organizations targeted by cyber attack or malware (KPMG, 8/15)
- In 2014 the FBI issued a Private Industry Notification to the healthcare sector warning of attacks on electronic health care records and medical devices
- AHA 2015 Most Wired survey: weak areas are use of encryption, use of intrusion detection systems, and incident response planning
- In 2013, researchers Rios and McCorkle found that medical devices had the same types of software vulnerabilities as the other control systems manufactured by the same company
- Medical data is more valuable than PII: credit card numbers sell for $1-2 each, but medical data can bring $20+; a complete medical record combined with a SSN can go for $300; a Medicare number, $500
- Individuals can spend 200+ hours responding, at an average cost of $13,450 (Ponemon)

Healthcare Technology Assets at Risk

The healthcare sector utilizes many types of data, applications, networks, and devices:
- Corporate business systems
- Industrial control systems
- Medical devices, shared databases, interconnected networks

Data involved:
- Personally identifiable information (PII): SSN, driver's license, passport, permanent residence card, family information
- Personal health information (PHI): medical benefit plans, need for life support systems, physician statements, device data
- Debit and credit card data
- Confidential and proprietary data (bank account info, transactional data, payroll data, internal communications, strategic plans, R&D data, intellectual property)
- Privileged data (attorney-client privilege, attorney work product)
- Control system data

Cyber Threat Environment

Events involve:
- Targeted attacks and sophisticated malware
- Ransomware and cyber extortion
- Hacktivism and cyber espionage
- Nation states
- Insider actions

- Multi-pronged attacks signal a new era in cybercrime
- Cybercriminals cooperate with one another
- Many jurisdictions may be involved
- The objective is to mitigate; it is not possible to eliminate

Drivers of Cyber Risk in Healthcare

Today's operating environment:
- Globalization and 24/7 connectivity
- Dependence on IT to operate (pharmacy, lab data, patient info, medical testing, monitoring)
- Complex IT architectures, clouds, outsourcing, mobile, IoT
- Blending of personal/professional lives

- Management awareness lags behind threats
- Little understanding of the impact of cyber events
- No data on cyber risks and loss exposures
- Lack of governance structure or defined roles/responsibilities
- Lack of resources to develop adequate cybersecurity programs
- Terrorism on the rise
- Conflicting compliance requirements, inconsistent cybercrime laws
- Difficulties in attribution and prosecuting cybercrimes
- Inadequate security controls and incident response planning

Cybercrime Facilitating Factors

(Diagram: factors that connect criminals to victims)
- Data: PII, PHI, IP, confidential/proprietary
- Medical industrial control systems
- International cooperation: the MLAT or letters rogatory process may take months
- Senior management and board lack cyber governance
- Weak cybersecurity programs
- Medical devices lack security
- Cyberterrorism
- Conflicting or inconsistent laws and regulations

What are the Risks?

(Chart; source: 2015 Annual Cost of Cyber Crime Study, Ponemon Institute)

Severity of Risk

(Chart: Average Annualized Cost of Cyber Crime by Industry Segment, in millions; source: 2015 Annual Cost of Cyber Crime Study, Ponemon Institute)

Tangible Financial Cyber Loss Spectrum

1st party:
- Any major cyber event will result in PR, response, and continuity costs
- Immediate and extended revenue loss
- Restoration expenses
- Defense costs

3rd party:
- Third parties will seek to recover
- Civil penalties and awards
- Consequential revenue loss
- Restoration expenses

Physical damage is now possible:
- 1st party property damage
- 1st party bodily injury
- Physical damage may cascade to others
- 3rd party property damage
- 3rd party bodily injury

Coverage Overview

First Party Coverage (triggered by discovery of an incident):
- Privacy Event Expenses
- Cyber Extortion
- Business Interruption / Dependent Business Interruption / Systems Failure
- Digital Asset Protection / Extra Expense

Third Party Liability (triggered by a claim):
- Security Liability
- Privacy Liability
- Privacy Regulatory Proceedings
- Media Liability
- Payment Card Industry Data Security Standards (PCI-DSS)

Please note this is a summary of coverage. Actual policy language will expand upon this overview.

Who is Issuing Cyber Insurance Policies?

Cyber Insurance Market Trends

(Chart: Total Premiums Underwritten, 2005-2014, on a $0 to $3,000,000,000 scale, with yearly values labelled from $300,000,000 up to $2,750,000,000; source: The Betterly Report)

Cyber Insurance Key Coverage Concerns

- Lack of Standardization
- Complexity
- Coverage Limitations
- Coverage Gaps
- Claims Process

Cyber Insurance Common Limitations

- Covered Services / Breach Response Expenses
- Limits
- Prior Events / Retroactive Coverage

Other common limitations:
- Notice Provision
- Choice of Counsel
- Definition of Application
- Definition of Insured's Network
- Definition of Wrongful Act (Trigger of Coverage)
- Intentional Acts Exclusion / Rogue Employees
- Legacy Systems Exclusions (e.g. Unencrypted Devices)

Cyber Insurance Potential Gaps

- Terrorism
- Bodily Injury / Infrastructure Damage

Cyber Insurance Claims Process

- Subrogation
- Vendor Indemnities
- Covered Damages

Commercial Considerations

Contract certainty:
- Use your resources: broker, claims counsel, coverage counsel
- Engage with the underwriters
- Read your policy(ies) and ask questions
- Rinse and repeat

Test your strategy:
- Conduct table top exercises AND include your broker
- Secure breach response vendors and communicate with your insurer(s)

Cultivate relationships:
- Meet with your underwriters and their claims staff
- Ask about their experiences

What about Traditional Insurance? Will it apply?

- General Liability Insurance
- Property Insurance
- D&O Insurance
- Crime Insurance

The Risk Authority Stanford
Stanford University Medical Network

In the Headlines

- U.S. hospitals are getting hit by hackers: http://money.cnn.com/2016/03/23/technology/hospital-ransomware/index.html
- 24x7 Magazine: http://www.24x7mag.com/2016/03/st-joseph-health-7-5mpatient-data-dump/

It's not IF, it's WHEN

Top Health Care Cyber Attacks (individuals affected):

  Anthem                            78.8M
  Premera Blue Cross                11M
  Excellus Health Plan              10M
  UCLA Health                       4.5M
  Medical Informatics Engineering   3.9M
  CareFirst Blue Cross BlueShield   1.1M
  Beacon Health System              220K
  Advantage Dental                  151K
  Muhlenberg Community Hospital     84K

Source: http://hitconsultant.net/2016/01/05/healthcare-cyber-attacks-in-2015-infographic/ (accessed March 23, 2016)

An Enterprise View

Cyber is a risk to the entire enterprise. It is not an isolated information technology event.

(Diagram: a cyber incident touches operational, financial, clinical, reputational, legal/regulatory, and technology risk)

The CRO's Perspective

- Cyber is an immature risk, changing quickly
- The potential impact of an incident is not easily quantified
- Reputational costs can be greater than financial costs
- Auditors and rating agencies are beginning to include an organization's approach to cyber as part of their analysis
- Cyber risk needs more than the traditional downside risk management approach

Value-Driven Enterprise Risk Management

- Builds on the core of Traditional Risk Management and Enterprise Risk Management
- Value-focused
- Uses data and decision analysis to create actionable risk intelligence

Value-Driven Enterprise Risk Management: Decision Analysis Based Process

Value Protected & Value Created

Methodology (Value-Driven Enterprise Risk Management, Decision Analysis Based Process)

Statistical Data Analysis
- Description: Analyze historical data and construct a statistical model for making projections; produces probabilities and significance as outputs of the analysis
- Applications: Appropriate for a stable system and a statistically significant data set

Subjective Probability Assessment
- Description: Careful use of appropriate methods to assess subjective estimates for uncertainties; uses probabilities to describe the likelihood of either discrete events (a fire) or continuous ones (the number of patients next year)
- Applications: Most risks (competitor actions, capital project cost and schedule, economic variables, etc.)

The use of scenario analysis and subjective probability assessment for cyber is appropriate: cyber is an evolving risk, and historical events may not be a good representation of future events.

Value-Driven Enterprise Risk Management: Decision Analysis Based Process

(Diagram: a simple, decision analysis-based process of Identify, Assess, Evaluate, Mitigate Risk & Increase Value, and Monitor & React, spanning Value Protection and Value Creation, with the elements Value & Risk Maps, Quantified Risks and Uncertainties, Quantified Value Model, Key Value Drivers, Value at Risk, Value-based Risk Tolerance, and Components of Value)

Value-Driven Enterprise Risk Management: Identify

Identify what kinds of future events might prevent or slow the achievement of objectives.

(Risk map: risks plotted from Known to Unknown and from Not Severe to Severe, and classed as Insurable, Partially Insurable, or Uninsurable; examples include Batch Medical Malpractice, Earthquake, Regulatory, Cyber, Directors & Officers, Brand/Reputation, Financial, Workers Comp, and Nurse Strike)

Value-Driven Enterprise Risk Management: Assess

Determine which risks are most critical and how individual risks are related to each other.

(Diagram: known risks, which are insurable, versus unknown risks such as cyber)

Value-Driven Enterprise Risk Management: Evaluate

Evaluate outcomes and decide which risks to address.

Scenario 1: 1M Medical Records Breached
  Financial      $12.5M
  Legal          $1M
  Reputation     $100M
  Technology     $10M
  Operational    $1M
  Unknown        $12.5M
  Scenario 1 total: $137M

Online tools can help estimate data breach costs. Example: http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/
But they only help estimate the financial costs; other components, such as reputation, can be multiples of the financial loss, as seen above.

Value-Driven Enterprise Risk Management: Mitigate

Once risks are evaluated, identify opportunities to mitigate risk and increase value:
- Insurance/Captive
- Awareness/Training
- IT Controls and Compliance
- Policies and Procedures
- Network Infrastructure
- Leadership Alignment and Support

1. Review all options
2. Build a statistical model that tests all the options
3. Select the options that give the best return
4. Implement

Value-Driven Enterprise Risk Management: Scenario 1 Mitigation

Scenario 1: 1M Medical Records Breached
  Financial      $12.5M
  Legal          $1M
  Reputation     $100M
  Technology     $10M
  Operational    $1M
  Unknown        $12.5M
  Total estimate: $137M

Potential mitigation:
- Insurance / Captive
- Awareness / Training
- IT Security / Infrastructure
- Policies / Procedures and Leadership Support
- Ongoing Assessment and Monitoring
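The four mitigation steps (review all options, build a model that tests them, select the best return, implement) applied to Scenario 1, as an added Python example that is not from the slides: the scenario components are the slide's figures, while the 10% annual event probability, the option costs and their effect sizes are constructed assumptions, and the risk-appetite threshold shows how a tighter appetite changes which options get selected.

```python
from itertools import combinations

# Scenario 1 from the slides: 1M medical records breached, components in $M.
SCENARIO_1 = {
    "Financial": 12.5, "Legal": 1.0, "Reputation": 100.0,
    "Technology": 10.0, "Operational": 1.0, "Unknown": 12.5,
}

# Constructed, illustrative mitigation options (not figures from the slides):
# annual cost in $M, fraction by which the event probability is lowered, and
# fraction by which named impact components are lowered.
OPTIONS = {
    "Awareness/Training":  {"cost": 0.5, "prob": 0.20, "impact": {}},
    "IT Security/Infra":   {"cost": 3.0, "prob": 0.35, "impact": {"Technology": 0.5}},
    "Insurance/Captive":   {"cost": 2.0, "prob": 0.0,  "impact": {"Financial": 0.8, "Legal": 0.8}},
    "Policies/Leadership": {"cost": 0.3, "prob": 0.10, "impact": {"Unknown": 0.3}},
}

def scenario_total(components):
    """Sum of the impact components of a scenario ($M)."""
    return sum(components.values())

def expected_annual_loss(components, probability):
    """Subjective annual event probability times total impact ($M per year)."""
    return probability * scenario_total(components)

def apply_options(components, probability, chosen):
    """Residual (components, probability) after applying the chosen options;
    probability reductions compound multiplicatively, impact ones per component."""
    residual, p = dict(components), probability
    for name in chosen:
        p *= 1 - OPTIONS[name]["prob"]
        for comp, frac in OPTIONS[name]["impact"].items():
            residual[comp] *= 1 - frac
    return residual, p

def evaluate_portfolio(components, probability, chosen):
    """Step 2: expected loss, cost and net benefit of one set of options."""
    residual, p = apply_options(components, probability, chosen)
    baseline = expected_annual_loss(components, probability)
    loss = expected_annual_loss(residual, p)
    cost = sum(OPTIONS[n]["cost"] for n in chosen)
    return {"expected_loss": loss, "cost": cost, "net_benefit": baseline - loss - cost}

def best_portfolio(components, probability, appetite):
    """Steps 1-3: test every combination of options and pick the best return among
    those whose residual expected loss stays within the risk appetite ($M/year).
    Returns None when no combination satisfies the appetite (a violation)."""
    best = None
    for k in range(len(OPTIONS) + 1):
        for combo in combinations(OPTIONS, k):
            result = evaluate_portfolio(components, probability, combo)
            if result["expected_loss"] > appetite:
                continue
            if best is None or result["net_benefit"] > best[1]["net_benefit"]:
                best = (combo, result)
    return best
```

With the assumed 10% probability, an appetite of $7M/year selects training, IT security and policies, while an appetite of $6M/year forces the insurance/captive option in as well despite its lower net return.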

Outputs: Violation of Risk Appetite

Mitigating Cyber Risk

Three pillars: Leadership Alignment, Proactive Security Measures, Awareness and Training.

- Governance and support of the C-Suite and executives from IT, IT Security, Risk Management, General Counsel and Legal
- Two councils: Operational Privacy Governance and Executive Privacy Governance
- Co-chaired by the Privacy Officers of SHC/SCH and Stanford University
- Encryption for all computers, tablets, phones and USBs
- Mobile Device Management - AirWatch
- Robust process for all agreements that include any PHI and PII
- All vendor agreements are reviewed diligently for compliance with SHC/LPCH policies, including an IT security review for contracts with IT components
- Strong privacy and security compliance program with robust policies including:
  - Business Associate
  - Electronic Data Access and Transfer
  - Information Access Management
  - PHI Removal/Transport
  - Security Incident Monitoring, Detection and Response
  - Privacy-Related Complaints, Reporting and Breach Notification

Mitigating Cyber Risk: Captive Utilization

- Explore funding the cyber policy SIR within the captive
- Consider excess limits within the captive

Benefits:
- Improved, symmetrical enterprise approach to cyber liability
- Long-term cost smoothing for cyber liability risks
- Captive board oversight and support

Value-Driven Enterprise Risk Management: Monitor

Monitor the effectiveness of the outlined steps and mitigation opportunities to reduce risks and boost gains.

Value-Driven Enterprise Risk Management

- Helps to understand the correlation of risks
- Communicates cyber risk in actionable business terms
- Weaves an ongoing business process into the decision framework
- Connects with different areas of the organization to fully understand and integrate risk
- Utilizes internal and external data
- Evolves as the system and cyber risk change

Discussion and Questions