© 2011 The Magnes Group Inc. CYBER LIABILITY AND SOCIAL ENGINEERING FRAUD RISK TRANSFER.

AGENDA
■ What is Cyber Liability?
  – Privacy Breach / Network Security Breach
  – Causes of Breach and Threats to Privacy Information
  – Costs of a Breach
  – Can Breaches be Prevented?
  – Insurance as a Risk Transfer Tool
■ What is Social Engineering Fraud?
  – Definition
  – Examples of Social Engineering Schemes
  – Key Risk Management Considerations
  – Insurance as a Risk Transfer Tool

© 2011 The Magnes Group Inc. What is a Cyber Liability Breach?  A Privacy Breach occurs when there is “unauthorized access to or collection, use or disclosure of personal information”  Common breaches happen when personal information of customers, patients, clients or employees is lost, stolen, or mistakenly disclosed. –i.e. a computer containing private information is stolen; USB key containing sensitive information is provided to an unauthorized person

© 2011 The Magnes Group Inc. What is a Cyber Liability Breach?  A Network Security Breach is an incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms  Example: a system security failure causes a virus to be transmitted from a supplier to their clients’ systems

EXTRA, EXTRA – READ ALL ABOUT IT!
▪ "Major [Bay St] law firms fall victim to cyber attacks" (Globe & Mail, April 6, 2011)
▪ "Elections Ontario Hit With Class Action Over Massive Privacy Breach" (September 19, 2012)
▪ "Federal government faces third class-action lawsuit over privacy breach" (Global News, January 18, 2013)
▪ "Loss of mobile device by IIROC results in breach of 52,000 brokerage firm clients" (Globe & Mail, April 11, 2013)
▪ "Human Resources Canada faces 4 Lawsuits over lost data" (CBC News, January 22, 2013)
▪ "Nortel hit by suspected Chinese Cyber attacks for a decade" (CBC News, February 14, 2012)

"There are only two types of companies: those that have been hacked and those that will be."
– Robert Mueller, Director, Federal Bureau of Investigation

If sophisticated organizations such as these can have a breach:
▪ Amazon.com
▪ AT&T
▪ Bell Canada
▪ Cisco Systems
▪ Facebook
▪ Wells Fargo
▪ Research in Motion
▪ Nortel
▪ SONY
▪ IBM

Do you really think your IT security protocols make your organization untouchable?

© 2011 The Magnes Group Inc. Causes of a Breach  Cyber Attack  Disgruntled Employees  Targeted, lost, stolen or mistakenly discarded: –Memory sticks –Smart phones –Laptops –Back-up tapes –Paper files –Photocopiers

Causes of a Breach (cont'd)
▪ Human intervention and errors:
  – "Wikileaks" and the insider threat
  – Employee mistakes
  – Contractor mistakes
▪ System errors:
  – New technology, such as cloud computing
  – Software glitches

Cost of a Breach
▪ Personnel costs: staff time to research and collect information to measure the scope of the incident; executive time with legal counsel
▪ Post-incident costs: media, investor relations, call centre, forensics, repairs, credit monitoring
▪ Legal costs: regulators, liability assessment, defence, damages
▪ Lost revenue: lost customers, lost opportunity costs

Can Breaches Be Prevented?
Largely, yes. A solid data security strategy and policy comes down to:
▪ Educational awareness
▪ Effective technological protection
▪ Assertive governance

© 2011 The Magnes Group Inc. Formulating a Data Security Strategy  Develop a data breach protocol and ensure that it is updated periodically to reflect modern technologies and circumstances;  Incorporate in the organization’s data breach protocol a step that requires a report to the relevant Privacy Commissioner of any serious data breach;  Ensure that all third party service contracts explicitly require the third party contractor to immediately inform the organization of any possible or suspected breach;

© 2011 The Magnes Group Inc. Formulating a Data Security Strategy (Cont’d)  Revise the organization’s record retention and destruction policies and procedures, so that personal information is destroyed or “anonymized” once it is no longer required in compliance with existing privacy law requirements;  Ensure all employees/contractors of the corporation are aware of, and in compliance with, the organization’s policies and practice relating to third party personal information;  Develop a comprehensive security program to protect the confidentiality, integrity and availability of all information, not just personal information;

Formulating a Data Security Strategy (cont'd)
Last but not least:
▪ Consider transferring some of the exposure to an insurance policy as a backstop.

Privacy & Network Security Breach Response Insurance
▪ Network security and privacy exposures are not well covered by existing insurance such as property and liability policies, and insurers are amending those policies to exclude such coverage further.
▪ Insurers have now collected enough claims experience to evaluate the risk.
▪ A standalone liability policy that addresses both first-party and third-party exposures has been created.
▪ It is intended for businesses that transact over the internet and/or store private and confidential customer or employee information on their systems or premises.

Privacy & Network Security Breach Response Insurance (cont'd)
Mandatory Liability Coverage (Third Party)
▪ Covers the insured's liability for injury as a result of a privacy and/or network security breach.
▪ Example 1: Individual customers' credit card data is stolen from the insured's system by a hacker. Suit ensues.

Privacy & Network Security Breach Response Insurance (cont'd)
▪ Example 2: Medical records of thousands of patients are accidentally posted on the internet.
▪ Example 3: A disgruntled employee exceeds authorized access, customers cannot transact business with the insured in a timely fashion, and the customers suffer a financial loss as a result.

Privacy & Network Security Breach Response Insurance (cont'd)
Optional Additional Coverages:
▪ Privacy Notification Expense (First Party): provides the reasonable and necessary cost of notifying persons who may be directly affected by the potential or actual unauthorized access of a record, and can include resulting expenses such as, but not limited to:
  – Changing their account numbers, identity numbers and security codes
  – Providing them with credit monitoring or similar services to protect them against fraudulent use of their record for a stipulated period of time

Privacy & Network Security Breach Response Insurance (cont'd)
Optional Additional Coverages:
▪ Crisis Management (First Party): expenses incurred by the insured to obtain independent advice from outside counsel, forensic investigators or public relations consultants, or costs to conduct advertising or public relations activities.
▪ Business Interruption and Extra Expense (First Party): pays loss of revenue and additional expenses incurred by the insured during the Period of Recovery as a result of an actual impairment or denial of Operations resulting from Fraudulent Access or Transmission.

CYBER CRIME – SOCIAL ENGINEERING FRAUD

© 2011 The Magnes Group Inc. What is Social Engineering Fraud?  As businesses have become more increasingly dependent upon technology, criminals have shifted their focus from theft of physical assets to the theft of electronic information  Cyber crime can threaten various processes, such as and not limited to:  point of sale purchases debit/credit cards – retail  ATM transactions – banking  E-commerce and online sales  Electronic business communications

© 2011 The Magnes Group Inc. What is Social Engineering Fraud?  Technical security measures implemented in response to increased regulation make direct pure technological attacks more difficult and costly  As a result, cyber criminals have shifted their focus away from such pure technological attacks and instead have attacked employees through the use of “social engineering” – a collection of techniques used to manipulate people into performing actions or divulging confidential information  A social engineer is nothing but a con man who uses technology to swindle people and manipulate them into disclosing passwords or bank information or granting access to their computer

Examples of Social Engineering Schemes
▪ Social engineers prey on innate human emotions (e.g. fear, curiosity, the natural desire to help, the tendency to trust, complacency).
▪ The weakest link in the security chain of a business is the employee who accepts a person or scenario at face value; social engineers target this vulnerability.
▪ A few common examples:
  – Messages from apparently trustworthy sources
  – Phishing schemes
  – Baiting scenarios
  – Impersonating superiors

Guarding Against Social Engineering – Key Risk Management Considerations
▪ Risk assessment
▪ Policies and procedures (including out-of-band verification of any payment request or change to supplier bank details before funds move)
▪ Security incident management
▪ Training programs
▪ Transfer of risk to an insurance policy
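The "Impersonating Superiors" and "Messages from Trustworthy Sources" schemes on the previous slide, together with the policies-and-procedures control listed above, in working code. This is an added example and not material from the Magnes Group deck or from Chubb or AXIS. The corporate domain example-corp.com, the executive roster and the four sample messages are constructed for illustration; the keyword list, the homoglyph table and the edit-distance threshold of 2 are assumptions that a real deployment would tune against its own mail.

```python
"""Screening inbound mail for executive impersonation and funds-transfer requests.

Added example for this deck; not Magnes Group, Chubb or AXIS material. The
corporate domain, the executive roster and the sample messages are constructed.
"""
import email.utils
import re

# Assumed corporate domain and executive roster (hypothetical).
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "raj patel": "raj.patel@example-corp.com",
}

# Wording that typically accompanies a social-engineered payment request
# (urgency, secrecy, a new payee or new bank details). Assumed list; tune it.
TRANSFER_PATTERNS = re.compile(
    r"\b(wire|transfer|payment|bank details|account number|urgent|confidential)\b",
    re.IGNORECASE,
)

# Digits commonly substituted for letters in look-alike domain registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold common homoglyph tricks so 'examp1e-corp.com' reads as 'example-corp.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True when the sender domain imitates CORP_DOMAIN without being it."""
    domain = domain.lower()
    if domain == CORP_DOMAIN:
        return False
    return (
        normalize_domain(domain) == CORP_DOMAIN      # homoglyph swap
        or CORP_DOMAIN in domain                     # corp name embedded in another domain
        or edit_distance(domain, CORP_DOMAIN) <= 2   # short typo-squat (assumed threshold)
    )


def screen_message(from_header: str, body: str) -> list[str]:
    """Return the findings for one inbound message (empty list means nothing suspicious)."""
    findings = []
    display_name, address = email.utils.parseaddr(from_header)
    domain = address.rpartition("@")[2]
    name_key = " ".join(display_name.split()).lower()

    # 1. Display-name spoofing: a known executive's name on an address that is not theirs.
    if name_key in EXECUTIVES and address.lower() != EXECUTIVES[name_key]:
        findings.append("display-name-spoof")

    # 2. Look-alike sender domain.
    if is_lookalike_domain(domain):
        findings.append("lookalike-domain")

    # 3. The body reads like a payment or bank-detail request (two or more trigger phrases).
    if len(TRANSFER_PATTERNS.findall(body)) >= 2:
        findings.append("funds-transfer-request")
    return findings


def triage(findings: list[str]) -> str:
    """Map findings to the action required before anyone acts on the mail.

    quarantine: impersonated or look-alike sender; route to security, not to accounts payable.
    callback:   genuine-looking transfer request; confirm by phone to a number already on
                file (never one supplied in the message) before funds move.
    allow:      nothing to act on.
    """
    if "display-name-spoof" in findings or "lookalike-domain" in findings:
        return "quarantine"
    if "funds-transfer-request" in findings:
        return "callback"
    return "allow"


# Constructed sample messages (not real mail).
SAMPLES = [
    ("Jane Doe <jane.doe@example-corp.com>", "Attached are the Q3 board minutes."),
    ("Jane Doe <jane.doe.ceo@gmail.example>",
     "I need an urgent wire transfer to a new supplier today. Keep this confidential."),
    ("Accounts Payable <ap@examp1e-corp.com>",
     "Please update our bank details for the next payment."),
    ("Raj Patel <raj.patel@example-corp.com>",
     "Please process the payment to Acme and confirm the account number with them."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        findings = screen_message(sender, body)
        print(f"{sender:42} {triage(findings):10} {findings}")
```

The fourth sample is the important one for policy: the sender is genuine, so no technical check fires, yet the message still lands in "callback". A compromised executive mailbox looks exactly like this, which is why verification of payment instructions has to be procedural (a phone call to a number on file) rather than purely a mail-filtering decision.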

Traditional Crime Insurance May Not Cover Social Engineering
▪ Many businesses believe that traditional crime policies (or financial institution bonds) cover all cyber-related losses.
▪ Although most crime insurance policies today carry computer fraud and funds transfer insuring agreements, courts have generally held that incidents in which the insured voluntarily transfers funds, including where it was duped into doing so, are not covered.
▪ An insured seeking to cover the risk of loss from social engineering should consider insurance coverage tailored to address these risks.

Social Engineering Fraud Coverage
▪ As of fall 2015, some insurers offer the option of purchasing a sub-limit for social engineering fraud coverage as an add-on to an insured's existing crime insurance policy, subject to an additional premium.
▪ Most insurers currently sub-limit coverage for this exposure to a maximum of $250,000, subject to a deductible.
▪ Some insurers may also place restrictions on covered claims for this exposure (e.g. requirements that the insured verify supplier/customer payment instructions before acting on them).

Questions
Sources of Information/References:
▪ Chubb Insurance Company of Canada
▪ AXIS Reinsurance Company of Canada