Evaluating Your Company's Data Protection & Recovery Plan. CBIA Cybersecurity Webinar Series, Part V (11AM to 12PM). Presented by: Stewart Tosh and Charles Bellingrath. Date: December 7, 2017
Today's presenters: Stewart Tosh, Key Insurance & Benefits Services, VP, Business Development; Charles Bellingrath, ARC Excess & Surplus LLC, National Practice Leader. Insurance products offered are: not FDIC-insured; not a deposit in, obligation of, nor insured by any federal government agency; not guaranteed or underwritten by the bank; not a condition to the provisions or terms of any banking service or activity. Insurance services, benefits consulting services and insurance products are offered through Key Insurance & Benefits Services, Inc. (KIB), which is a licensed insurance broker and agent. Insurance policies are obligations of the insurers that issue the policies. Insurance products may not be available in all states. KIB and KeyBank are separate entities, and when you purchase risk management services, business consulting services or insurance products you are doing business with KIB, and not KeyBank. 2017 KeyCorp. 171115-320596
Evolving Liabilities of Cyber, Privacy & Security Risks. 63% of organizations affected are privately owned, according to the 2016 BakerHostetler Incident Response Report. Data at risk: Personally Identifiable Information (PII); HIPAA Protected Health Information (PHI); Payment Card Information (PCI); Corporate Confidential Information.
Types of Fraud and how they originate. Please note: this list is not comprehensive; criminals come up with new and more efficient methods all the time. - Ransomware - Business Email Compromise - File sharing or peer-to-peer software - Hacking/Malware - Corrupt employees - Spear phishing, SMiShing, vishing - Social networking websites - Account hijacking
Watch Out for Ransomware: WannaCry. Sources: http://www.propertycasualty360.com/2016/04/12/what-arethe-leading-causes-of-data-security-breac and https://en.wikipedia.org/wiki/wannacry_ransomware_attack
Breaches: By Whom and Where? Who has unauthorized access? - Hackers - Employees, faculty and students - Outsourcers and third-party vendors. What are they accessing? - Laptops - Computer networks/wireless networks - PDAs/cell phones - Paper files - Websites - Cloud services
Latest Threat: CryptoLocker (ransom malware). - Spreads via phishing (fake FedEx or UPS delivery notices). - Finds critical files, network shares and USB devices attached to the victim's PC. - Encrypts the data with a key the attackers control, making the data unavailable. - The key needed to decrypt is held on the attackers' command and control (C2) system, so the victim cannot recover the files on their own. - A splash page tells the victim where to go to recover their encrypted files (for a price). - Ransom payment is demanded (but paying does not guarantee recovery). Reference: https://www.us-cert.gov/ncas/alerts/ta14-295a
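The behaviour the slide describes (one process walking local folders, shares and USB media and rewriting every document) is also what makes this family detectable before the ransom page appears. The following is an added example written for this page, not CryptoLocker itself and not code from the webinar: a small detector over file-activity events of the kind an EDR agent or file-audit log produces. The event format, the watched path prefixes (E: as the USB drive letter), the thresholds and the decoy "canary" document are all assumptions, and the sample telemetry is constructed.

```python
"""Heuristic detector for ransomware-style bulk encryption, driven by file
activity events. Added example for this page, not CryptoLocker itself; the
event format, thresholds and paths are assumptions, and the sample telemetry
is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since some epoch
    pid: int                        # acting process
    op: str                         # "write" or "rename"
    path: str                       # file written, or old name for a rename
    new_path: Optional[str] = None  # new name for a rename


# Where CryptoLocker-style malware hunts: user profiles, UNC shares, removable media.
# Assumption: E: is the USB drive letter in this environment.
WATCHED_PREFIXES = ("C:\\Users\\", "\\\\", "E:\\")
# A decoy document that no legitimate process should ever modify (assumed path).
CANARY = "C:\\Users\\alice\\Documents\\~canary_do_not_open.docx"


def _join(d, name):
    return d + "\\" + name


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=60.0, min_files=20, min_dirs=3):
    """Return {pid: reason} for processes whose activity looks like bulk encryption:
    many distinct files, across several directories, all ending up with one new
    extension inside a short window; or any touch of the canary file."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.path.startswith(WATCHED_PREFIXES):
            by_pid[e.pid].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        if any(e.path == CANARY for e in evs):
            alerts[pid] = "canary file modified"
            continue
        start = 0
        for end in range(len(evs)):          # sliding time window over this process's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            targets = {e.new_path or e.path for e in win}
            dirs = {t.rsplit("\\", 1)[0] for t in targets}
            exts = {_ext(t) for t in targets}
            if len(targets) >= min_files and len(dirs) >= min_dirs and len(exts) == 1 and "" not in exts:
                alerts[pid] = (f"{len(targets)} files in {len(dirs)} directories rewritten "
                               f"to .{next(iter(exts))} within {window:.0f}s")
                break
    return alerts


def make_sample_events():
    """Constructed sample telemetry, not real data."""
    evs = []
    # Benign: Word saving one report a few times over several minutes
    for k in range(3):
        evs.append(FileEvent(10.0 + 120 * k, 1001, "write",
                             _join("C:\\Users\\alice\\Documents", "report.docx")))
    # Benign: backup agent copying many mixed-type files to USB in one burst
    subdirs, exts = ["photos", "docs", "pdfs", "misc"], ["jpg", "docx", "pdf"]
    for k in range(30):
        d = _join("E:\\backup", subdirs[k % 4])
        evs.append(FileEvent(200.0 + k, 2002, "write", _join(d, f"item{k}.{exts[k % 3]}")))
    # Malicious: one process renaming documents on local disk, a share and USB to one new extension
    dirs = ["C:\\Users\\alice\\Documents", "C:\\Users\\alice\\Pictures",
            "\\\\fileserver\\finance", "E:\\backup\\docs"]
    for k in range(24):
        d = dirs[k % 4]
        evs.append(FileEvent(500.0 + k, 4242, "rename",
                             _join(d, f"file{k}.docx"), _join(d, f"file{k}.docx.encrypted")))
    # Malicious: something rewrote the decoy document
    evs.append(FileEvent(900.0, 5555, "write", CANARY))
    return evs


if __name__ == "__main__":
    for pid, why in detect(make_sample_events()).items():
        print(pid, why)
```

The backup agent in the sample touches more files than the threshold, but across mixed extensions, so it is not flagged; the encryptor is caught on the twentieth file, long before it finishes, and the canary rule fires on a single write regardless of volume. Thresholds need tuning per environment, and the registrable-extension check is deliberately simple: real families also vary extensions or keep the original name.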
Types of fraud: Social engineering. Typically excluded under your standard Crime Policy. What it is: social engineering is the practice of obtaining sensitive information by tricking people into breaking normal security procedures. Account hijacking is one type of social engineering, where an individual's email account, computer account or any other account associated with a computing device or service is stolen or hijacked by an attacker. Examples of social engineering techniques: fraudsters impersonating a trusted party may attempt to contact you via SMS text message (mobile), email (online), or telephone (voice).
Types of Social Engineering: Phishing. What it is: phishing seeks to acquire a user's credentials by contacting an individual while falsely claiming to be a legitimate entity, in order to scam them into surrendering passwords, financial or personal information, or to infect the individual's computer with malware. How it works: fake notices that appear to come from banks, auction sites, e-pay systems, etc. are sent via email or SMS text message (SMiShing). The recipient is encouraged to take immediate action, such as clicking a link to enter or update personal data. Messages usually carry an urgent tone, such as threats that the account will be blocked or access lost if the request is not completed.
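The three tells in the paragraph above (a sender posing as a known institution, a link whose visible text does not match where it really goes, and pressure to act now) can each be checked mechanically before a user ever sees the message. The following is an added example written for this page, not code from the webinar or from any mail-filtering product: it parses a message's From header and HTML body with the Python standard library and reports those traits. The brand-to-domain table, the urgency word list and both sample messages are constructed assumptions.

```python
"""Flag the phishing traits described above in a message: a display name that
impersonates a brand while the address domain does not match, link text that
shows one host while the href goes to another (or to a raw IP), and urgency
language. Added example; brand table and sample messages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand keyword -> the domain that brand legitimately sends from.
BRAND_DOMAINS = {"keybank": "key.com"}
URGENCY = ("immediately", "within 24 hours", "suspended", "blocked",
           "verify your account", "lose access")
_DOMAIN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive 'registrable domain': the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def score(from_header, subject, html_body):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    # 1. Display name claims a brand, but the address domain is not that brand's.
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    display, addr = (m.group(1).strip(), m.group(2)) if m else ("", from_header.strip())
    sender_domain = addr.rsplit("@", 1)[-1]
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) != legit:
            findings.append(f"display name '{display}' but sender domain is {sender_domain}")
    # 2. Link text shows one host, the href goes somewhere else (or to a bare IP).
    parser = _Anchors()
    parser.feed(html_body)
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = _DOMAIN_TEXT.fullmatch(text)
        if _IPV4.fullmatch(real_host):
            findings.append(f"link to raw IP address {href}")
        elif shown and registrable(shown.group(1)) != registrable(real_host):
            findings.append(f"link text '{text}' but real host is {real_host}")
    # 3. Urgency language in subject or body text.
    plain = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    hits = [w for w in URGENCY if w in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
PHISH = (
    '"KeyBank Security" <alerts@keybank-secure-login.com>',
    "Action required: your account will be suspended",
    '<p>Dear customer, please verify your account immediately.</p>'
    '<p><a href="http://203.0.113.10/login">www.key.com/login</a></p>',
)
LEGIT = (
    '"KeyBank" <alerts@key.com>',
    "Your monthly statement is available",
    '<p>Your statement is ready.</p>'
    '<p><a href="https://www.key.com/statements">View statement</a></p>',
)

if __name__ == "__main__":
    for f in score(*PHISH):
        print("PHISH:", f)
    print("LEGIT findings:", score(*LEGIT))
```

The constructed phishing sample trips all three checks; the legitimate sample trips none. Two caveats a practitioner would add in production: the two-label "registrable domain" shortcut misclassifies country-code suffixes such as co.uk (use a public-suffix list), and none of these checks replaces the callback verification the next slide recommends, since a well-crafted message can pass all of them.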
Protect against Social Engineering. Be suspicious of anyone requesting sensitive information. Never provide system credentials or any other personal information on an unsolicited inbound call. Always verify the identity of an unsolicited caller by insisting on calling him or her back at a trusted phone number listed for that company, not at a number the caller supplies. Remember that Caller ID is not a foolproof way to verify a caller's identity; it can be spoofed.
Types of Phishing. [Two Dilbert comic strips, dated Friday, August 12, 2005 and Monday, May 19, 2014; used with permission]
Insurance coverage for Cyber, Privacy & Security Risks: how does traditional insurance respond? While markets are starting to be more consistent in the coverages offered for cyber risk, there is still a very wide variety. - Property policies? - CGL insurance policies? - Crime insurance policies? - Directors & Officers liability? - Errors & Omissions liability?
Wording to review: - Coverage trigger - Definition of breach - Definition of claim - System damage - Minimum standards - Encryption - Paper records - Defense counsel - Attorney-client privilege - Preservation of evidence
Exclusions to watch for: - Fraud/dishonesty - Failure to disclose - Unencrypted devices (cell phones/laptops) - Wireless network - Call-back verification - Errors and omissions of third parties - Terrorism
Understanding the Breach and Your Loss. There are two types of losses. The first is first-party loss: the costs your own organization incurs when a breach occurs. - Cost to hire a breach coach/legal services - Cost to hire a computer security/forensic expert - Cost to notify the affected individuals - Cost to provide credit monitoring to affected individuals - Cost to hire a public relations/crisis management firm to help remediate reputational harm resulting from the breach - Cyber business income and extra expense, including data restoration - Cyber extortion/ransomware payments
Understanding the Breach and Your Loss. The second is third-party loss: coverage for liability to other entities when a breach occurs (defense and covered damages). - Failure to implement and maintain reasonable security measures - Negligence - Unfair, deceptive and unlawful business practices - Violation of privacy - Invasion of the customer's right to privacy - Breach of contract and violation of the Consumer Fraud Act - Defense and damages - Media/intellectual property - Regulatory actions, including fines and penalties - PCI fines, penalties and assessments
Dealing With A Security Breach. 47 states now have breach notification requirements. A data breach team and incident response plan need to be in place. Comply with breach notification laws (state, federal, foreign). Give notice to all potentially applicable insurers. The benefits of a dedicated cyber insurance policy: risk transfer, access to breach coaches, forensic experts, etc. Click the link below to see your state's notification requirements: https://www.beazley.com/usa/specialty_lines/professional_liability/technology_media_and_business_services/beazley_breach_response/security_breach_notification_laws.html
Connecticut Rules: 90 days. The disclosure shall be made without unreasonable delay, but not later than ninety days after the discovery of the breach. Persons covered by the statute: any person, business or agency that conducts business in CT and, in the ordinary course of such entity's business, owns, licenses or maintains computerized data that includes PI. The provision governing maintenance of PI that the entity does not own appears applicable to any entity maintaining information on CT residents, whether or not the entity conducts business in CT. Remember there are 47 states with breach notification laws, and you will have to follow each depending on where your customers reside.
Typical Costs. Notification costs: $1 to $2 per individual. Credit monitoring: $15 to $25 per person, with a 10% to 15% take-up rate. Average total cost of breach response: $665,000**. Average breach cost for large companies: $5.97MM**. Average cost to defend a claim: $434,345*. Average claim settlement: $880,836*. (* Source: 2015 NetDiligence Claims Study; ** Source: 2016 NetDiligence Claims Study)
Has your organization made changes to its cybersecurity controls as a result of recent cyber events? [Chart of responses: Yes / No / Don't know, with values 23%, 24% and 53%; source: Advisen, October 2017] The unfortunate reality: it is not if but when. The costs of a data breach event may be significant, and are generally not covered by traditional insurance. Information security and privacy liability insurance is available as a specialty coverage.
Best Practices. In addition to speaking with your insurance agent about fraud prevention solutions: - Always be aware and keep informed on trends in the industry - Monitor your accounts frequently - Evaluate your policies - Verify your employees' access rights and credentials regularly - Review your payment types and methods - Use dual controls and ensure separation of duties - Implement fraud prevention and mitigation solutions - Educate and train your employees - Create an environment where employees are empowered to question unusual requests - Implement a Bring Your Own Device (BYOD) policy for your organization - Use strong password protections and data encryption
Questions