Cyber-Insurance: Fraud, Waste or Abuse?

SESSION ID: STR-F03
Cyber-Insurance: Fraud, Waste or Abuse?
David Nathans
Director of Security, SOCSoter, Inc.
@Zourick

Cyber Insurance overview
One Size Does Not Fit All

Our Research
- Reviewed many major policies and some not so major
- Spoke with insurance agencies
- Spoke with insurance agents
- Reviewed policies currently held by customers
- Got paid by insurance companies to perform incident response, forensics and breach analysis

Types of Insurance
- Loss of digital assets: Damage, alteration, corruption, distortion, theft, misuse, distortion (caused by damage or destruction, operational mistakes, computer crime such as malware, etc.) ** NOT RANSOMWARE
- Non-physical business interruption: Interruption, degradation in service (caused by damage or destruction, operational mistakes, computer crime such as malware, etc.)
- Cyber Extortion Threat: Must get express written consent to pay from the insurance company and contact authorities (FBI), all prior to paying any extortion money

Types of Insurance
- Security Event Costs / Crisis Management: Covers costs associated with resolving a breach, fines by government, regulatory or civil court. Other money for brand harm
- Network security and privacy: Covers claims against you for acts, errors & omissions made by you and your contractors that result in a breach. (Not your breach, this is for a breach you caused somewhere else)

Types of Insurance
- Employee Privacy Liability: Covers damages to employees resulting from a breach
- Electronic Media Liability: Covers plagiarism or copyright infringement on your website
- Cyber Terrorism: Covers system outage due to terrorism (government, political, ideological motivation)

Types of Insurance
- Identity theft: Covers the specific costs associated with notification of victims, credit monitoring, etc.
- Security breach remediation and notification: Covers the cost of incident response and legal notifications
- Funds transfer fraud: Covers loss resulting directly from the use of any computer to fraudulently transfer insured property from inside the insured's premises or bank's premises to a person or place outside of the insured's premises or bank's premises

Types of Insurance
- Network security: Covers a breach as a result of missing or misconfigured security services such as firewalls, intrusion detection systems or missing anti-virus
- Malware liability: Covers the cleanup and removal of viruses that infect external entities as a result of attackers using internal systems to spread infection via email or web
- Indirect cost coverage: Covers the cost of going out of business when a breach results in the loss of intellectual property that makes a company no longer competitive in the marketplace


Fraud?

Fraud?
Forced* PCI Compliance Fees
* Forced because they will waive the fee if you have a report of compliance from a registered PCI Qualified Security Assessor (QSA)

Fraud?
What do you get for these fees?
- Security Awareness Training: We partnered with security experts to give you easy to understand security awareness training. Consuming this content will help you protect your digital assets against common threats (such as phishing scams and keylogging malware attacks).
  Web based training
- Threat Prevention Tools: Cybercriminals value credit card data and target vulnerable businesses that accept it as a form of payment. Threat prevention tools simplify PCI compliance and raise your cyber-defenses, making it easier to meet PCI Data Security Standards and fight cybercrime.
  Vulnerability scan

Fraud?
What do you get for these fees?
- Card Data Breach Protection: With the rise of Advanced Persistent Threats (APTs), it is impossible to be 100% certain that your business will be safe from cybercrime. To give you peace of mind, your PCI service provides up to $50,000 in coverage for two large, unexpected expenses from a breach. Such as:
  - Forensic exams completed by QSA (Qualified Security Assessor)
  - Fines levied by card issuers (Visa, MasterCard, AMEX, and Discover)

Waste?
- According to AIG, insurance underwriters collected $1.6 billion in premium income in 2015.
- Allianz projects premium income to grow to $20 billion by 2025.

Waste?

Abuse?
Things to think about when looking at purchasing a policy
- Does the insurance broker you're working with have extensive cyber insurance experience?
- Is the policy you're considering the right one for your specific cyber and data risks and coverage needs?
- What types of breaches does the policy cover?
- What types of claims does the policy exclude?
- Does the insurance broker or cyber insurer offer any tools or resources to its policyholders?
- Can you name your own legal team, IT provider, Managed Security Service Provider?

Secrets
As a security practitioner, how do you use insurance to your advantage?
- Follow the policy requirements and evaluate exclusions
- Check the box!!!

Policy Requirements
- Firewall and firewall rule management
- Virus scans
- Named person responsible for security
- Data restrictions and controls
- Documented hiring process for employees
- No previous history of security issues (or higher premiums)

Policy Requirements
- Encryption at rest, in transit and for access via mobile devices; are devices encrypted?
- Understanding of types of data collected
- Written policies reviewed by an attorney and acknowledged by employees
- Network monitoring & intrusion detection
- Incident response procedures

Policy Requirements

Policy Requirements
- Documented data destruction policies
- Access and authorization controls for all users and contractors
- Performance of penetration testing and vulnerability scans of networks and devices

$$$
Average cost of yearly premiums for smaller businesses: $1,000 to $5,000
Depends on:
- Size of business in revenue
- Type of data
- Number of potential records
Average cost of yearly premiums for larger businesses: $30,000 to $500,000 (or more)
Depends on:
- All the above + customizations + amount of coverage

Take away
- Cybersecurity management company MUST be added by endorsement to the policy or you get what they give you.
- A knowledgeable person has to notify the insurance company of a loss in writing within 60 days, and the company must provide detailed proof of all circumstances leading to the loss event, including a description of the incident, list of equipment involved, logs, security logs, statements from outside experts and a description of the digital assets involved.
- Company must take reasonable steps to protect from further loss or damage, including ensuring all traces of malware have been removed.
- Must provide final statement of loss within 120 days after discovery of loss.

Take away
- Policies will not cover ANYTHING if an executive officer is aware of a condition that would reasonably be regarded as a basis for the claim (if they knew about vulnerabilities but did nothing about it and got breached).
- Will not cover if the claim is based on a wrongful act. Wrongful act = failure to prevent unauthorized access to or use of electronic or non-electronic data containing PII, failure to prevent the transmission of a virus to someone else, failure to provide notification of an actual or potential unauthorized access to PII.

Take away
Things to think about AFTER purchasing a policy
- How does insurance modify your Incident Response processes?
- Where are your security gaps that insurance does not cover?
- Where do you invest in cyber security?
- How do you train your staff to comply with your policy?

How to get a great policy?
Have a great insurance agent
- Who does not laugh when you say "Cyber"
- Who carries multiple products to choose from
- Who can help you fill out the application
- Who knows how to get customizations
- Who has access to cyber resources in your area

Final Thought
Insurance companies will begin to really help change the executive mindset of cyber security when premiums are based on the value scale.
Actually be secure or pay more for insurance.

Questions?
