Business Secured with HUB International.


Cyber Exposed: Business Secured with HUB International. Greene Finney, LLP Client CPE Day, Thursday, May 3, 2018.

Disclaimer: The material in this presentation does not cover all possible cyber threats that may exist, does not identify potential controls for those risks, and does not constitute legal advice. This material is not intended as advice to you or your insureds about specific risk control practices. Travelers disclaims all forms of warranties whatsoever, without limitation, and implementation of any risk control practices suggested by this presentation is at your insured's sole discretion. The material in this presentation does not amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy provisions, and any applicable law. Availability of coverages referenced in this presentation may depend on state regulations. Also note: this presentation material is about coverages generally available in the marketplace and is not based specifically on Travelers products.

Exposure Environment

Interconnectivity Think of all the places your personal information resides and all the ways it can be shared or transferred

The regulatory environment
- State data breach laws
- Children's Online Privacy Protection Act (COPPA)
- Health Insurance Portability & Accountability Act (HIPAA)
- Federal Information Security Management Act (FISMA)
- EU Data Protection Directive
- Health Information Technology for Economic & Clinical Health Act (HITECH Act)
- Gramm-Leach-Bliley
- Securities and Exchange Commission (SEC)
- FDIC and FFIEC
- Sarbanes-Oxley
- Payment Card Industry Data Security Standard (PCI DSS)

How breaches can occur

True or False: Good risk management can effectively eliminate cyber threats.

Ever heard these objections before?
- "Only large organizations are targets."
- "We have state of the art systems."
- "We've never had an issue."
- "We've outsourced our data so we are okay."
- "We can handle the cost of a breach."
- "We are already covered for cyber events."

“Only large organizations are targets.”

Breaches by number of employees (chart with three bands: 1 - 250 employees, 251 - 2,500 employees, 2,500+ employees). Small and mid-sized firms are just as exposed to data breaches as large firms. Source: Symantec Internet Security Threat Report 2016.

“We outsource our data, so we’re okay.”

What do you outsource?
- Hosted software: ASP, ERP, CRM, HR, accounting, operational, etc.
- Mobile applications, and anything on mobile devices
- Online accounts: banks, vendors, partners, paid data hosting and backup/recovery vendors

What do you outsource?
- Vendors and cloud suppliers
- Payment processors and payment services (PayPal, etc.)
The "data owner" is the company that originally collected the data, and the data owner keeps the legal responsibility for privacy to the affected individuals and regulators no matter where the data is compromised. Outsourcing moves the data and some of the cost (through indemnification and insurance requirements in the contract), not the obligation.

“We can handle the cost of a breach.”

Costs of a data breach. Information losses cost U.S. businesses an average of $7.01M total cost per breach and $221 per compromised record. Source: Ponemon Institute 2016 Cost of Data Breach Study, for surveyed companies that experienced a breach which required the company to notify victims under state law.

Summary: Potential impact of a cyber event
- Costs of legal compliance
- Forensics, legal consultants
- Network damages and costs to repair or upgrade
- Business interruption
- Indemnify victims

Summary: Potential impact of a cyber event ...and more
- Indemnify financial institutions
- Defense costs
- Injunctive relief
- Damage to shareholders
- "Ticking time-bomb" theory (a breach discovered long after the intrusion, with costs accumulating in the meantime)

CyberRisk Coverage. Broad coverage for multiple industries and all business sizes, from small to Fortune 500 companies. Offered as a standalone policy or as part of a suite of other management liability coverages. Customers include private companies, public companies, financial institutions and non-profit organizations.

What does cyber insurance cover?
Coverage triggers:
- Unauthorized access to or use of data
- Virus transmission
- Failure to provide access
- Failure to notify
- Website/social media liability
Covered data:
- Insured's systems
- Data in transit
- Non-electronic data
- Data residing on others' systems
- Employees' data
- Corporate data

CyberRisk Third Party Coverages
- Network and Information Security Liability: coverage for claims arising from unauthorized access to data, failure to provide notification of a data breach where required by law, transmission of a computer virus, or failure to provide authorized users with access to the company website
- Communications and Media Liability: coverage for claims arising from copyright infringement, plagiarism, defamation, libel and slander in electronic content
- Regulatory Defense Expenses: coverage for governmental claims made as a result of network and information security liability or communications and media liability

CyberRisk First Party Coverages
- Crisis Management Event Expenses: coverage for public relations services to mitigate negative publicity
- Funds Transfer Fraud: coverage for loss of money or securities due to fraudulent transfer instructions to a financial institution
- Security Breach Remediation & Notification Expenses: coverage for costs associated with notification of breached individuals, credit monitoring, fraud expense reimbursement and call center
- Computer Fraud: coverage for loss of money, securities or other property due to unauthorized system access
- E-Commerce Extortion: coverage for money paid as a result of threats to fraudulently transfer funds, destroy data, introduce a virus, attack a system or disclose electronic customer information
- Computer Program & Electronic Data Restoration Expenses: coverage for expenses to restore data lost from system damage due to computer virus or unauthorized access
- Business Interruption & Expenses: coverage for loss of income and expenses to restore operations as a result of a computer system disruption caused by a virus or unauthorized computer attack

Cyber Coverage Examples

Disclaimer: The following examples are generic. Cyber insurance forms differ greatly between companies. The examples explore general coverage "intent" to illustrate differences that may exist between various coverages. Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.

Example: Lost paper records. BACKGROUND. Company profile: manufacturer with 400 employees. The IRS discovered that hundreds of fraudulent tax returns had been filed on behalf of employees who all work for the same manufacturing company. The IRS notified the FBI and the FBI alerted the manufacturer. The manufacturer hired a forensic investigator to determine how the employees' personally identifiable information had been accessed.

Example: Lost paper records. THE STORY. The investigation determined that the personnel files of 298 past and current employees had been accessed: a criminal gained access to a box of W-2s while they were being transported to a storage facility. As a result the manufacturer incurred expenses for a forensic investigation, credit monitoring for the employees and legal costs. Additionally, the company hired a public relations firm after the local news picked up the story when affected employees contacted the media.

Example: Lost paper records. COSTS. Cost estimates according to the NetDiligence Data Breach Cost Calculator*:
- Estimated incident investigation: $180,000
- Estimated customer notification / crisis management: $29,000
- Estimated fines and penalties: $6,000
- ESTIMATED TOTAL COSTS: $215,000
*The NetDiligence Data Breach Cost Calculator is available to insureds on the Travelers eRisk Hub.

Example: Losing paper records. PRIVACY LEGISLATION. California data breach law: applies to any business that holds California residents' personal information, wherever the business itself is located, so having customers in the state is enough to be in scope.

Example: Losing paper records. PRIVACY LEGISLATION
- State breach notification laws: the slide counts 47 states, DC and Puerto Rico as having enacted legislation requiring notification of compromised personal information; by the date of this presentation (May 2018) all 50 states had such a law, South Dakota and Alabama having enacted theirs in March 2018
- Existing federal laws, including FACTA, Gramm-Leach-Bliley and Sarbanes-Oxley
- Executive Order 13636 (2013) directed NIST to develop what became the NIST Cybersecurity Framework (2014)
- Executive Order 13691 (2015) promoted additional sharing of security threat information between the private sector and government
- SEC: 2014 cybersecurity examinations of registered investment advisers
- FDIC privacy audits, recommending cyber insurance
- FTC privacy enforcement actions

Example: Lost paper records. RISK MANAGEMENT TIPS
- Establish an information retention policy that includes guidance on what types of information should be retained, how long it should be retained, and procedures for destruction of unneeded data
- Establish new-hire training and regularly scheduled refresher courses to instill the data security culture of your organization
- Create, implement and test an incident response plan

Example: Lost laptop. BACKGROUND. Company profile: not-for-profit hospital, $100M in annual revenue. A physician employed by the hospital accidentally left his hospital-issued laptop on a train. The laptop contained an unencrypted database of current patient records that included protected health information (name, SSN, credit card, insurance ID, and limited medical information) for 550 patients. The data stored on that laptop was completely unsecured: the laptop had no remote disable/wipe capability and was not even password protected.

Example: Lost laptop. THE STORY. Upon learning of the lost laptop, the hospital immediately contacted a privacy lawyer, who advised the hospital to report the breach to the US Department of Health and Human Services as required under the HITECH breach notification rules (a breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery). Next, the hospital notified the affected individuals, in compliance with HIPAA/HITECH as well as the individual state notification requirements for the seven states in which the affected individuals reside. Thereafter, the HHS Office for Civil Rights (OCR) launched an investigation; the hospital was fined for a HIPAA violation and credit monitoring had to be put in place for all affected individuals.

Example: Lost laptop. COSTS. Cost estimates according to the NetDiligence Data Breach Cost Calculator*:
- Estimated incident investigation: $180,000
- Estimated customer notification / crisis management: $34,000
- Estimated fines and penalties: $167,000
- ESTIMATED TOTAL COSTS: $381,000
*The NetDiligence Data Breach Cost Calculator is available to insureds on the Travelers eRisk Hub.

Example: Lost laptop. HIPAA and HITECH DETAIL. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. A business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Example: Lost laptop. DETAIL. Four categories of violations that reflect increasing levels of responsibility (and increasing penalty ranges):
- Tier A: violations without "knowledge" (the entity did not know, and with reasonable diligence would not have known, of the violation)
- Tier B: "reasonable cause" violations
- Tier C: willful neglect with timely correction
- Tier D: willful neglect without timely correction

Example: Lost laptop. RISK MANAGEMENT TIPS
- Implement procedures for using effective passwords. Note two caveats: NIST SP 800-63B (2017) advises against forcing periodic password changes unless there is evidence of compromise, and a login password on its own does not protect data on a disk that is pulled out of a lost laptop
- If protected health information (PHI) is stored on laptops, encrypt it (full-disk encryption, with the key not stored on the device) and have remote disabling/wipe capability. This is the control that would have changed the outcome here: under the HHS breach notification guidance, PHI encrypted consistent with that guidance is not "unsecured PHI", so the loss of a properly encrypted laptop generally does not trigger the notification and reporting obligations described above
- Consider storing PHI on a central server accessed over a secure connection rather than on endpoints at all

Risk Assessment

Exposure evaluation
- Whose sensitive information does your organization have? Customers? Employees? Other businesses or individuals?
- How sensitive is this data? Financial, medical, intellectual property, personal
- How is it collected, protected, used, shared, and destroyed? By you; by your partners and vendors; by others that host or have access to your data
- Virus transmission exposure? Failure to provide access? Social media activities?

Exposure evaluation
- Any data or systems your client's operations depend on? Data centers (owned or non-owned)? Cloud vendors? Hosted, shared, or backed up?
- Any data or systems that could be a target? Financially-minded hackers; thrill-seeker hackers (schools, government, high-profile); politically-motivated hackers
- How many records could be breached?
- Would customers leave permanently after a while?
- Would your client incur public relations expenses after a breach?
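Two of the questions on these slides, whether PHI is sitting in plaintext on laptops (the lost-laptop tips) and how many records could be breached from a given device, can be answered with a sensitive-data discovery scan. The following is an added example written for this page; it is not code from the presentation or from HUB International, Travelers or NetDiligence. It assumes records live in text-like files (.txt, .csv, .log), that SSNs appear in the dashed 3-2-4 form, and that card numbers are 13 to 19 digits; the sample files it writes are constructed fake data. Structural checks (SSA never-issued ranges, the Luhn checksum) cut the false positives that a bare regex would produce.

```python
"""Sensitive-data discovery for an endpoint: find plaintext SSNs and payment
card numbers in files and count distinct identifiers, i.e. how many records
a lost device would expose. Added example for this page; it is not code from
the presentation or from HUB International or Travelers. Assumptions: records
sit in text-like files (.txt/.csv/.log); the sample files below are
constructed fake data, not real identifiers."""
import os
import re
import tempfile

# SSN in the dashed 3-2-4 form; the groups let us reject never-issued values.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (cuts random-digit false hits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return the distinct valid SSNs and card numbers (digits only) in a blob."""
    ssns = {m.group(0) for m in SSN_RE.finditer(text)
            if is_valid_ssn(*m.groups())}
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    return {"ssn": ssns, "card": cards}


def scan_tree(root: str, exts=(".txt", ".csv", ".log")) -> dict:
    """Walk root, scan text-like files, and return per-file counts plus the
    device-wide number of distinct identifiers (the 'records at risk' figure)."""
    per_file = {}
    overall = {"ssn": set(), "card": set()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue  # binary/other formats need their own extractor
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found["ssn"] or found["card"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                per_file[rel] = {k: len(v) for k, v in found.items()}
                for k in overall:
                    overall[k] |= found[k]
    return {"files": per_file, "total": {k: len(v) for k, v in overall.items()}}


def build_sample_tree() -> str:
    """Write constructed sample files (fake data) to a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="phi_scan_")
    os.makedirs(os.path.join(root, "hr"))
    samples = {
        # valid SSN + Luhn-valid card; two never-issued SSNs; a Luhn-invalid card
        "hr/payroll.csv": ("name,ssn,card\n"
                           "A. Sample,123-45-6789,4111 1111 1111 1111\n"
                           "B. Sample,000-12-3456,4111111111111112\n"
                           "C. Sample,987-65-4320,\n"),
        # one SSN in free text; the phone number and the date must not match
        "notes.txt": "Caller gave SSN 555-12-3456; callback 555-123-4567; opened 2018-05-03.\n",
        # skipped by the extension filter even though it holds a valid-looking SSN
        "README.md": "test record 321-54-9876\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for path, counts in sorted(report["files"].items()):
        print(f"{path}: {counts}")
    print("distinct identifiers on device:", report["total"])
```

Run it against a real home directory and the "total" figure is the number the notification and credit-monitoring costs above scale with; any non-zero count on a laptop that lacks full-disk encryption is a finding. The extension filter is deliberate: Office, PDF and database files need a format-aware extractor, so a clean result from this scan alone is not proof that a device is free of PHI.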

Management controls
- Contractual risk transfer with vendors and customers: IT and physical security controls required by each party; defined responsibilities and warranties; indemnification for the other party's errors; insurance requirements
- Intellectual property: IP clearance procedures similar to security policies; software copyrights (including open source)
- Security policies and procedures: written IT policy and procedures; a person or department in charge of corporate data security; monitoring and audits; backups and redundancies
- Incident response plan: who does what, when, and how? What technologies, backups, or fail-safes will be relied upon?

True or False: Good risk management can effectively eliminate cyber threats.

Questions

FINAL CONCLUSIONS
- Information security risks, data breaches and identity fraud are not disappearing trends
- Attacks are becoming more complex in nature
- Legislation and contractual requirements have added to the complexity of managing cyber threats
- Insurance is one tool that businesses can use to manage risk