Cyber Risks & Cyber Insurance

Terry Quested, Executive Director, Associated Risk Managers of Ohio
Darren Faye, Vice President, Leonard Insurance / Assured Partners
Legal Disclaimer

The views, information and content expressed herein are those of the authors and presenters and do not necessarily represent the views of any insurance company, insurance broker or risk manager. This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of an insurance policy as issued. The precise coverage afforded is subject to the terms and conditions of the policies as issued. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel.
Today's Agenda

Part One: What Is Cyber Risk?
Part Two: Security Breaches & Privacy
Part Three: Security Breaches & Theft of Funds
Part Four: Security Breaches & Business Interruption
Part Five: Other Cyber Risks
Part Six: Concluding Thoughts
Part I: What Is Cyber Risk - And, Cyber Insurance?
Different Risks to Different People

- Retailer: loss of customer information (e.g. credit card numbers).
- Bank: loss of customers' funds (e.g. cash from accounts).
- Electric Utility: interruption of the system and loss of revenue.
Cyber Insurance Policies

Expense Coverage
- Crisis Management Expense: notification expenses, credit monitoring expenses; related legal & forensic expenses.
- Business Interruption & Extra Expense.
- Extortion.
- Vandalism.

Liability Coverage
- Failure to keep data secure.
- Failure to keep network secure from malicious interruption.
- Intellectual property infringement.
- Libel/slander through on-line activities.
Part Two: Security Breaches & Privacy
A Few Statistics

Between January 10th, 2005 and January 7th, 2015, there were 4,478 Data Breaches, allowing unauthorized access to 932,729,111 Records.
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches, February 2nd, 2015.
Data Breach Causes 2005-2014

- Hacking or Malware: 26%
- Portable Device: 25%
- Unintended Disclosure: 18%
- Insider: 13%
- Physical Loss: 8%
- Stationary Device: 6%
- Unknown: 3%
- Payment Card Fraud: 1%

Source: Privacy Rights Clearinghouse; www.privacyrights.org/databreach/new
Dumps For Sale!
What Is Data?

"Data," when used in the context of a data breach, generally means a person's name in conjunction with:
- A Social Security Number;
- A Driver's License Number or State ID Number;
- A Financial Account Number, in conjunction with the security code, password or other mechanism needed to access the account; or
- Medical Information, when such information is not encrypted or redacted.

But different States may define it differently!
State Breach Notification Statutes

- California was the first state to enact security breach notification legislation, effective July 1, 2003 [SB 1386].
- Currently, 46 additional states have enacted some type of security breach notification legislation, plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands.
The Reach Of The Laws
The Breach Response Cycle

- Breach Coach Consultation
- Forensic Analysis
- Breach Coach Consultation
- Notification Design & Mailing
- Public Relations
- Credit/Fraud Monitoring
- Call Center Operations
Notification, If Not Done Correctly, May Invite Notification Litigation
Litigation - Various Types

Civil Litigation
- Brought by affected natural persons, individually or as a class.
- Brought by affected organizations (e.g. banks), individually or as a class.

Regulatory Actions, brought by:
- Federal Trade Commission;
- Other Federal or State Regulators (e.g. HHS);
- State Consumer Protection Departments; and/or
- State Attorneys General.
Part Three: Security Breaches & Theft of Funds
Account Takeover - A significant and growing threat for banks and their BUSINESS CUSTOMERS.

A. Crooks target small to medium size businesses.
B. Utilizing increasingly sophisticated types of malware or phishing techniques, they either take control of the victim's computer or obtain the victim's online banking information.
C. Once they have control of the computer, or they have the necessary log-in information, they loot the victim's demand deposit account by sending wire or ACH instructions to the bank.
Who's Responsible - The Business Customer... Or, the Bank?
Alternative Policies May Apply

- For the Bank: Electronic Computer Crime Policy.
- For the Customer: Commercial Crime Policy.
Part Four: Security Breaches & Business Interruption
Principal Causes of E-Business Interruption

- An employee, or someone with authorized access, corrupts, deletes or destroys Data, or otherwise impairs the operation of the System.
- A hacker corrupts, deletes or destroys Data, or otherwise impairs the operation of the System.
- Distributed Denial of Service [DDoS] Attacks.
Part Five: Other Cyber Risks
The hackers who stole millions of credit and debit card numbers from Target may have used a Pittsburgh-area heating and refrigeration business as the back door to get in. Fazio Mechanical Services Inc., a contractor that does business with Target, issued a statement Thursday saying it was the victim of a "sophisticated cyberattack operation," just like Target. It said it is cooperating with the Secret Service and Target to figure out what happened.
Part Six: Concluding Thoughts
What Do You Do?
Incident Response Plans

- Critical for an effective and efficient response to an intrusion or data breach;
- Should be tested using tabletop exercises; and
- Should be updated to reflect any changes in the organization.
And, Please Consider Insurance - Risk:

- Identify
- Assess
- Control
- Transfer
Are There Any -