Evaluating Your Company's Data Protection & Recovery Plan

Evaluating Your Company's Data Protection & Recovery Plan
CBIA Cybersecurity Webinar Series, Part V, 11 AM to 12 PM
Presented by: Stewart Tosh, Charles Bellingrath
Date: December 7, 2017

Today's presenters
- Stewart Tosh, Key Insurance & Benefits Services, VP, Business Development
- Charles Bellingrath, ARC Excess & Surplus LLC, National Practice Leader

Insurance products offered are: not FDIC-insured; not a deposit in, obligation of, nor insured by any federal government agency; not guaranteed or underwritten by the bank; not a condition to the provisions or terms of any banking service or activity. Insurance services, benefits consulting services and insurance products are offered through Key Insurance & Benefits Services, Inc. ("KIB"), which is a licensed insurance broker and agent. Insurance policies are obligations of the insurers that issue the policies. Insurance products may not be available in all states. KIB and KeyBank are separate entities, and when you purchase risk management services, business consulting services or insurance products you are doing business with KIB, and not KeyBank. 2017 KeyCorp. 171115-320596

Evolving Liabilities of Cyber, Privacy & Security Risks
63% of organizations affected are privately owned (according to the 2016 BakerHostetler Incident Response Report).
- Personally Identifiable Information (PII)
- HIPAA Protected Health Information (PHI)
- Payment Card Information (PCI)
- Corporate Confidential Information

Types of Fraud and how they originate
Please note: this list is not comprehensive. Criminals are coming up with new and more efficient methods all of the time.
- Ransomware
- Business Email Compromise
- File sharing or Peer-to-Peer software
- Hacking/Malware
- Corrupt employees
- Spear Phishing, SMiShing, Vishing
- Social networking websites
- Account hijacking

Watch Out for Ransomware: WannaCry?
Sources:
- http://www.propertycasualty360.com/2016/04/12/what-arethe-leading-causes-of-data-security-breac
- https://en.wikipedia.org/wiki/wannacry_ransomware_attack

Breaches: By Whom and Where?
Who has unauthorized access?
- Hackers
- Employees, Faculty and Students
- Outsourcers and Third Party Vendors
What are they accessing?
- Laptops
- Computer Networks/Wireless Networks
- PDAs/Cell Phones
- Paper Files
- Websites
- Clouds

Latest Threat: CryptoLocker (Ransom Malware)
- Spreads via phishing (fake FedEx or UPS notices)
- Finds critical files, shares and USB devices on the victim's PC
- Encrypts the data with a proprietary key, making the data unavailable
- Sends the decryption key back to their command and control (C2) system (bad guys)
- A splash page tells the victim where to go to recover their encrypted files (for a price)
- Ransom payment is required (but not always honored)
Source: https://www.us-cert.gov/ncas/alerts/ta14-295a

Types of fraud: Social engineering
Typically excluded under your standard Crime Policy.
What it is: Social engineering is the practice of obtaining sensitive information by tricking people into breaking normal security procedures.
Account hijacking: one type of social engineering where an individual's email account, computer account or any other account associated with a computing device or service is stolen or hijacked by a hacker.
Examples of social engineering techniques: Fraudsters, impersonating a trusted party, may attempt to contact you via SMS text message (mobile), email (online), or telephone (in person).

Types of Social Engineering: Phishing
What it is: Phishing seeks to acquire a user's credentials by contacting an individual while falsely claiming to be a legitimate entity, to scam them into surrendering passwords, financial or personal information, or to infect the individual's computer with malware.
How it works:
- Fake notices that appear to be coming from banks, auction sites, e-pay systems, etc. are sent via email or SMS text messages (SMiShing).
- The recipient is encouraged to take an immediate action, like clicking a link to enter or update personal data.
- Messages usually carry an urgent tone, like threats to block accounts or lose access if the request is not completed.

Protect against Social Engineering
- Be suspicious of anyone requesting sensitive information.
- Never provide system credentials or any other personal information on an unsolicited inbound call.
- Always verify the identity of an unsolicited caller by insisting on calling him or her back at a trusted phone number listed for that company.
- Remember that Caller ID is not a foolproof way to verify a caller's identity.

Types of Phishing
(Slide shows two Dilbert comic strips, dated Friday, August 12, 2005 and Monday, May 19, 2014; used with permission.)

How Does Traditional Insurance Respond?
Insurance coverage for Cyber, Privacy & Security Risks. While markets are starting to be more consistent in the coverages offered as they pertain to Cyber, there is still a very wide variety.
- Property Policies?
- CGL Insurance Policies?
- Crime Insurance Policies?
- Directors & Officers Liability?
- Errors & Omissions Liability?

Wording
- Coverage Trigger
- Definition of Breach
- Definition of Claim
- System Damage
- Minimum Standards
- Encryption
- Paper Records
- Defense Counsel
- Attorney Client Privilege
- Preservation of Evidence

Exclusions
- Fraud/Dishonesty
- Failure to Disclose
- Unencrypted Devices (Cell Phones/Laptops)
- Wireless Network
- Call Back Verification
- Errors and Omissions of Third Parties
- Terrorism

Understanding the Breach and Your Loss
There are two types of losses. The first is First Party Loss:
- Cost to hire a breach coach/legal services
- Cost to hire a computer security/forensic expert
- Cost to notify the affected individuals
- Cost to provide credit monitoring to affected individuals
- Cost to hire a public relations/crisis management firm to help remediate reputational harm resulting from the breach
- Cyber Business Income & Extra Expense, including Data Restoration
- Cyber Extortion / Ransomware Payments

Understanding the Breach and Your Loss
The second is Third Party Loss: coverage for liability to other entities when a breach occurs (defense and covered damages).
- Failure to implement and maintain reasonable security measures
- Negligence
- Unfair, deceptive and unlawful business practices
- Violation of privacy
- Invasion of the customer's right to privacy
- Breach of contract and violation of Consumer Fraud Act
- Defense and damages
- Media/Intellectual property
- Regulatory actions including fines and penalties
- PCI fines, penalties and assessments

Dealing With A Security Breach
- 47 states now have breach notification requirements.
- A Data Breach Team and Incident Response Plan need to be in place.
- Compliance with breach notification laws (local, federal, foreign).
- Give notice to all potentially applicable insurance.
- The benefits of a dedicated Cyber Insurance Policy (risk transfer, access to breach coaches, forensic experts, etc.).
Click the link below to see your state's notification requirements:
https://www.beazley.com/usa/specialty_lines/professional_liability/technology_media_and_business_services/beazley_breach_response/security_breach_notification_laws.html

Connecticut Rules
90 days: The disclosure shall be made without unreasonable delay, but not later than ninety days after the discovery of the breach.
Persons covered by statute: Any person, business or agency that conducts business in CT and who, in the ordinary course of such Entity's business, owns, licenses, or maintains computerized data that includes PI. The provision governing maintenance of PI that the Entity does not own appears applicable to any Entity maintaining information on CT residents, whether or not the Entity conducts business in CT.
Remember there are 47 states with breach notification rules, and you will have to follow each depending on where your customers reside.

Typical Costs
- Notification costs: $1 to $2 per individual
- Credit monitoring: $15 to $25 per person; 10% to 15% acceptance rate
- Average total cost of breach response: $665,000**
- Average breach cost for large companies: $5.97MM**
- Average cost to defend a claim: $434,345*
- Average claim settlement: $880,836*
* Source: 2015 NetDiligence Claims Study
** Source: 2016 NetDiligence Claims Study

Survey (Advisen, October 2017): Has your organization made changes to its cybersecurity controls as a result of recent cyber events? (Chart labels: Yes, No, Don't Know; values shown: 23%, 24%, 53%.)
The Unfortunate Reality
- Not if but when
- The costs of a data breach event may be significant
- Costs generally not covered by traditional insurance
- Information security and privacy liability insurance is available as a specialty coverage

Best Practices
In addition to speaking with your insurance agent about fraud prevention solutions:
- Always be aware and keep informed on trends in the industry
- Monitor your accounts frequently
- Evaluate your policies
- Verify your employee access rights and credentials regularly
- Review your payment types and methods
- Utilize dual controls and ensure separation of duties
- Implement fraud prevention and mitigation solutions
- Educate and train your employees
- Create an environment where employees are empowered
- Implement a Bring Your Own Device (BYOD) policy for your organization
- Use strong password protections and data encryption

Questions