CYBER RISK INFORMATION
CFO Division, Office of Risk Services
November 2010
UNIVERSITY OF CALIFORNIA

Slide 1: The Art of Insurance: IT Meets Insurance
Slide 2: The Threat
The Pentagon's second-in-command, Deputy Secretary William J. Lynn III, asserted that the threat to the intellectual property of businesses, universities and the government may be "the most significant cyberthreat" facing the country.
Source: Ellen Nakashima, Washington Post Staff Writer, Thursday, September 16, 2010
Slide 3: The Risks
498 breaches were reported in 2009, down from the 656 breaches reported in 2008 but up from the 446 breaches reported in [year not given in source]:
- 16% of all reported breaches occurred in the educational sector
- 13% of breaches occurred in the healthcare and medical sectors
Since 2001, 20% of reported breaches involve the educational sector and 13% involve the healthcare/medical sector. [2]
The average direct cost of a data breach in 2009 was $6.8 million, about $204 per name, an increase of 48% over [year not given in source]. This cost includes [breakdown not preserved in the source text]. The largest increase in this cost is related to increased legal costs associated with the ex post response. The size of the breaches experienced by the companies surveyed ranged from approximately 5,000 to approximately 101,000 compromised records, with a cost range of approximately $750,000 up to nearly $31 million.
Sources:
1. Identity Theft Resource Center, US Department of Justice, 2009 Data Breach Stats
2. Open Security Foundation/DataLossDB Reports
3. Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC
Slide 4: Impact of Data Breach
Direct Costs:
- Discovery / data forensics
- Notification costs
- Identity monitoring costs
- Real-time crisis management costs
- Additional security measures, remediation
- Defense costs / settlements
- Regulatory fines
- Call center management
- Civil suits
Indirect Costs:
- Loss of student/faculty confidence
- Executive management distraction from core objectives
- Loss of employee productivity
- Alumni impact, giving, etc.
- Impact on enrollment
- Loss of management credibility
Slide 5: Data Breaches at UC Campuses, [start year not given in source] to present
From Privacy Rights Clearinghouse (PrivacyRights.org)

Location   # of Records Compromised   # of Incidents
UCSD                 6,800                   2
UCB                256,893                   3
UCSF                74,355                   7
UCD                  2,220                   2
UCLA               800,900                   2
UCI                  7,287                   2
TOTAL            1,148,455*                 18*

* Does not include an unconfirmed breach at UCSF of an additional 6,313 records.

At the current average direct cost of $204 per record, the total cost of these breaches would be $234,284,820 (1,148,455 records x $204).
Slide 6: Known Costs of Regents Cyber Events
Claim costs currently covered under the GL Program:
- Smith (UCSF): Indemnity reserve $1M; Defense reserve $858K; Paid $685K
- Powell (UCSD): Indemnity reserve $500K; Defense reserve $1.5M; Paid $387K
By exception, extended defense coverage was provided under the self-insured retention.
A coverage opinion is pending from the excess carrier on potential breach fees of $1,000 per record, which could total $230M.
Recent Uninsured Events:
- The UCLA data breach in 2008 incurred approximately $500K in related costs.
- The Berkeley/UHS cyber breach incurred approximately $430K in related costs.
Slide 7: Recent Higher Education / Med Center High Profile Events
- October 2010: A University of Hawaii faculty member inadvertently uploaded files to an unprotected server, exposing the names, academic performance, disabilities and other sensitive information of 40,101 students who attended the Manoa campus from 1990 to 1998 and in [year not given in source].
- June 2010: The University of Louisville alerted roughly 700 patients in the university's dialysis program that personal information, including names and Social Security numbers, was briefly accessible outside the program. The information was not password protected and was leaked onto the public internet.
- March 2010: University of Calgary Clinic. Patients were cautioned that their personal medical history may have been revealed to hackers after a virus infected a computer that stored medical data.
- January 2010: Eastern Washington University notified present and former students of a massive data breach of its systems that could affect up to 130,000 people. The data involved dates back to 1987 and includes names, Social Security numbers and birth dates.
Slide 8: Additional Costs Relating to Privacy Breach
HIPAA: Breaches of patient information may also result in HIPAA fines, which can range from $100 to $50,000 per violation, up to a $1.5 million maximum. The HHS Office for Civil Rights (OCR) reports that over 50,000 complaints have been filed since HIPAA enforcement began in [year not given in source]. Approximately 21% of complaints that fell within OCR's jurisdiction resulted in some corrective action by a covered entity.
FERPA: Breaches of student records may result in penalties including a cutoff of federal funding to the institution, including grants and financial aid.
Slide 9: Best Practices: Protecting UC's Brand and Integrity
- Protecting against cyber risks should be an organizational commitment (ERM).
- Insurance is becoming more available, but should be the last line of defense.
- Traditional underwriting was not an option for UC.
- The CRO/broker approached the insurance markets regarding a new solution: the reverse underwriting concept.
"Reverse Underwriting":
- Underwrite to standards rather than to existing conditions
- Provide CIOs with a tool to drive improved behavior around cyber risk
- Provides first-dollar insurance coverage for those that meet UC's policies, rewarding best practices
- Provides a secondary savings through consolidation of systems (utility cost, space, maintenance, IT redundancy)
- Supports improved post-loss risk response
Slide 10: Security & Privacy Insurance Policy Coverage Overview
[The original slide is a table with columns Risks, Coverage, Existing Insurance Policies and Improved Insurance Policies; the coverage-level symbols in the last two columns did not survive extraction. The remaining two columns are listed below.]
Risks:
- Legal liability to others for privacy breaches
- Legal liability to others for computer security breaches
- Loss or damage to data/information
- Loss of revenue due to a computer attack
- Extra expense to recover from / respond to a computer attack
- Loss or damage to reputation
Coverage:
- Privacy Liability: Harm suffered by others due to the disclosure of confidential information
- Network Security Liability: Harm suffered by others from a failure of your network security
- Property Loss: The value of data stolen, destroyed, or corrupted by a computer attack
- Loss of Revenue: Business income that is interrupted by a computer attack
- Cyber Extortion: The cost of investigation and the extortion demand
- Identity Theft: Expenses resulting from identity theft
- Privacy Notification Requirements: Cost to comply with privacy breach notification statutes
- Regulatory Actions: Legal defense for regulatory actions
Legend: No coverage / Limited coverage / Full coverage
Slide 11: Cyber Insurance Coverage Limits
- Property: $5 Billion limits, $7.5 Million deductible. Covers physical loss or damage to hardware and software.
- Liability: $275 Million limits, $2.5 Million deductible. Covers negligent acts or omissions.
- Cyber/Privacy Breach: $2 Million aggregate, $1 Million deductible. Covers damages and expenses caused by a privacy, confidentiality or security breach.
First-dollar coverage for campuses within the self-insurance program.