CUNA Mutual Group Proprietary. Reproduction, Adaptation or Distribution Prohibited. © 2014 CUNA Mutual Group, All Rights Reserved.
Data Breaches and Cyber Risks

Presentation transcript:

1 Data Breaches and Cyber Risks
KCUA & NCUL Annual Meeting
Presented by: Ken Otsuka, Credit Union Protection Risk Management, CUNA Mutual Group

2 Data Breaches – How do they Happen?
- Network hackers
- Malware
- Employee negligence / theft
- Lost / stolen laptops, backup tapes / disks and other data-bearing mobile devices
- Vendor leaks

3 Agenda
- Data breach studies by the Ponemon Institute, Verizon and Mandiant
- Data breach insurance claims study – NetDiligence
- Best practices for securing members’ confidential data
- Mobile devices
- Incident response planning
- NIST’s Cybersecurity Framework

4 Ponemon Institute – Is Your Company Ready for a Big Data Breach?
- 43% of the organizations experienced a data breach involving a theft of more than 1,000 records
- 60% of the organizations experienced more than one data breach during the last two years
Source: Ponemon Institute’s 2014 study, Is Your Company Ready for a Big Data Breach?

5 Ponemon Institute – Is Your Company Ready for a Big Data Breach?
The Good
- 73% of the organizations have an incident response plan in place, compared to 61% in last year’s study
The Bad
- 78% of the organizations say they don’t review and update their incident response plan or have no set timeframe for doing so
- Only 30% of the respondents say their organizations are effective or very effective in developing and executing their incident response plan
- 68% of the organizations feel they are unprepared to deal with negative publicity following a breach
Source: Ponemon Institute’s 2014 study, Is Your Company Ready for a Big Data Breach?

6 Ponemon Institute – Is Your Company Ready for a Big Data Breach?
The Bad
- 56% of the organizations do not perform a risk assessment on their information systems to identify vulnerabilities
- Only 41% provide for continuous monitoring (20%) or daily monitoring (21%) of their information systems for suspicious/anomalous traffic
  – 44% say they never monitor their information systems (28%) or are unsure if monitoring takes place (16%)
- Only 54% of the organizations have training and security awareness programs
  – Only 34% of the organizations train customer service representatives on how to respond to questions in the event a breach occurs
Source: Ponemon Institute’s 2014 study, Is Your Company Ready for a Big Data Breach?

7 Verizon 2015 Data Breach Investigations Report
External threats far exceed internal threats and partner threats.
Source: Verizon 2015 Data Breach Investigations Report

8 Mandiant’s 2015 M-Trends Report
Source: Mandiant 2015 M-Trends Report

9 NetDiligence 2014 Cyber Liability & Data Breach Insurance Claims Study
Per breach costs
  – Average payout: $733,109; Median payout: $144,000
  – Claim range: $1,000 to $13.7 million
  – Typical claim: $30,000 to $400,000
Per record costs
  – Average cost per record: $956.21; Median cost per record: $19.84
  – Average records lost: 2.4 million; Median records lost: 3,500
Crisis service costs
  – Average cost of crisis services: $366,484; Median cost of crisis services: $110,594
  – Crisis services include the cost of forensics, legal counsel guidance, notification and credit monitoring
Legal costs
  – Average cost of legal defense: $698,797; Median cost of legal defense: $283,300
  – Average cost of settlement: $558,520; Median cost of settlement: $150,000
Source: NetDiligence 2014 Cyber Liability & Data Breach Claims Study

10 Why the Problem?
- The Internet is an open network
- Credit unions collect, store and share a vast amount of member confidential data
- Websites are porous and need constant care
  – Hardening and patching
- Lack of encryption
- Intrusion detection and network monitoring are weak
- Cyber thieves take advantage of human error
  – Unchanged default settings
  – Failing to install patches
  – Failing to protect laptops
  – Improper disposal of paper records
  – Weak passwords
Source: Imperva – Consumer Password Worst Practices

11 Best Practices
- Encryption
  – Data residing on the network (servers, workstation hard drives and laptops)
  – Data residing on mobile devices
  – Backup tapes/disks
  – Data transmitted over the Internet and in e-mails
- Endpoint security
  – Protects the endpoints (devices) connected to the credit union network
  – Includes typical protections such as a firewall and antivirus/antimalware software
- Intrusion detection system (IDS) / intrusion prevention system (IPS)
- Install operating system patches when made available
Protect data wherever it is located: at rest, in motion, in use

12 Best Practices
- Vulnerability assessments
- Penetration testing
- Monitor system logs
- Disable / lock down workstation USB ports and CD-ROM drives
  – Helps prevent insider theft of confidential member data
- Data loss prevention (DLP) solutions
  – Identify, monitor and protect data at rest, in motion and in use
  – DLP tools allow credit unions to see which databases, file servers, desktops and laptops hold sensitive data
  – Identify when someone is transmitting data via e-mail or downloading it to external storage devices
- Third-party reviews of network security
- Secure paper records
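A content-inspection check of the kind the DLP bullets above describe (spotting confidential member data as it is e-mailed or copied to external storage), added here as an illustration; it is not code from the presentation or from any DLP product. It assumes a hypothetical member account-number format of `CU` followed by eight digits, uses the published SSN structure rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial) to cut false positives, and runs over constructed sample documents that mirror the accidental e-mail and spreadsheet incidents discussed later in the deck.

```python
"""Minimal content-inspection DLP check: scan outbound documents for
confidential member data and return an allow / log / block decision."""
import re
from dataclasses import dataclass, field

# SSN structure rules: area 001-899 excluding 666, group 01-99, serial 0001-9999,
# separators optional. Written for this example, not taken from a vendor rule set.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b"
)

# Hypothetical member account-number format for this example: "CU" + 8 digits.
ACCT_RE = re.compile(r"\bCU(\d{8})\b")


@dataclass
class ScanResult:
    doc_name: str
    ssn_hits: list = field(default_factory=list)   # redacted, e.g. "***-**-6789"
    acct_hits: list = field(default_factory=list)  # redacted, e.g. "CU****2345"


def scan_document(doc_name: str, text: str) -> ScanResult:
    """Find SSNs and account numbers; store only redacted values so the
    DLP log itself does not become a second copy of the sensitive data."""
    result = ScanResult(doc_name)
    for m in SSN_RE.finditer(text):
        result.ssn_hits.append(f"***-**-{m.group(3)}")
    for m in ACCT_RE.finditer(text):
        result.acct_hits.append(f"CU****{m.group(1)[-4:]}")
    return result


def outbound_decision(result: ScanResult, bulk_threshold: int = 3) -> str:
    """Policy: any SSN blocks the transfer; a bulk list of account numbers
    (at least bulk_threshold) blocks; a single account number is allowed
    but logged for review. Thresholds are an assumption for this example."""
    if result.ssn_hits:
        return "block"
    if len(result.acct_hits) >= bulk_threshold:
        return "block"
    if result.acct_hits:
        return "allow-and-log"
    return "allow"


# Constructed sample documents; no real member data.
SAMPLE_DOCS = {
    "reply_to_member.eml": "Hi Pat, your loan application is approved. "
                           "Applicant SSN on file: 123-45-6789.",
    "member_export.csv": "name,account\nA. Member,CU00012345\nB. Member,CU00023456\n"
                         "C. Member,CU00034567\nD. Member,CU00045678\n",
    "branch_memo.txt": "Fax number corrected to 608-555-0123 on 2015-09-22. "
                       "Test ID 900-12-3456 is not a valid SSN.",
}


def scan_all(docs=SAMPLE_DOCS) -> dict:
    """Decision per document name."""
    return {name: outbound_decision(scan_document(name, text))
            for name, text in docs.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        r = scan_document(name, text)
        print(f"{name}: {outbound_decision(r)} ssn={r.ssn_hits} acct={r.acct_hits}")
```

The memo with a phone number, a date and a 9xx "SSN" passes, the single-SSN e-mail and the four-row account export are blocked, which is the behaviour a DLP policy needs before it can be trusted to sit inline on outbound e-mail or removable-media writes. Real products add file-type parsing, fingerprinting of known databases and user-specific exceptions on top of this pattern layer.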

13 Best Practices
- Accessing network/systems remotely
  – Telecommuters working from home
  – Third-party vendors
Remote Access Best Practices
- Establish a virtual private network (VPN)
  – A VPN is a network that uses the Internet to provide remote employees with secure access to the credit union’s network
- Require multifactor authentication – not just usernames and passwords
  – One-time-password tokens
  – Plug-in tokens
- Prohibit remote employees from using home computers to access the network
- Prohibit employees from using unsecured wireless networks (public Wi-Fi) to access the network

14 Mobile Devices: Laptops / Tablets / Smartphones
- Credit union issued versus employee use of personal devices (BYOD)
  – Both should be secured
- Secure the business side of the device (sandboxing)
  – Good Technology
  – MaaS360
Mobile Devices Used for Business Purposes
- Antivirus software
- Password protect the device / time-out feature to lock the device
- Remote wipe capability
- Prohibit employees from storing confidential member data on the device
  – If it is necessary to store such data on the device, the data should be encrypted
- Encrypt confidential member data transmitted in e-mails

15 Data Breaches – Employee Negligence
- Credit union discovered malware on at least 24 workstation PCs
  – Malware captures screen shots
  – Social Security numbers, account information and transaction records for 115,000 accountholders (members) may have been compromised
- Credit union employee accidentally published a file on the credit union’s public-facing website
  – File contained member names, addresses, Social Security numbers, account numbers and account passwords
- Credit union employee accidentally e-mailed a spreadsheet to a member
  – Spreadsheet contained member names and account numbers
- Credit union’s website listed an incorrect fax number for members to fax loan applications
  – Loan applications faxed to someone in a western state
  – Credit union located in Midwest
Source: CUMIS Insurance Society, Inc.

16 Data Breaches – Vendor Negligence
- Credit union uses third-party vendor to mail monthly account statements
  – Members received their correct statements plus a portion of statements belonging to other members
- Credit union downloaded confidential member data to a thumb drive for their outside auditor
  – Auditor lost the thumb drive in a public park while watching son’s football game
  – 14,500 members impacted
Source: CUMIS Insurance Society, Inc.

17 Planning and Responding
Written incident response plan to address incidents of unauthorized access to member information
- Required by NCUA (Rules and Regulations Part 748, Appendix B)
- Minimum requirements include:
  – Assess nature and scope of incident
  – Identify which member information systems and what member information were breached
  – Take appropriate action to contain and control the incident to prevent further unauthorized access to or use of member information
  – Notify NCUA Regional Director or appropriate state supervisory authority
  – File Suspicious Activity Report, if needed
  – Notify appropriate law enforcement agency
  – Notify impacted members
Incident Response Plan Suggested Practices
- Activate incident response team
- Contain the breach
- Analyze the breach
  – Record all information relevant to the breach: who, what, when and how
  – Forensics*
- Contact breach coach / legal counsel specializing in privacy issues (can be done immediately after discovery)
- Notify your cyber liability insurance provider of potential loss
- Notify regulator
- File Suspicious Activity Report, if needed
- Analyze legal implications
  – Identify federal, state and local laws / regulations impacted
  – State data breach notification and timing requirements
* Have a pre-determined list of IT forensics firms available
Train employees and test the plan annually

18 Security Awareness Training
- Must be addressed in the credit union’s information security program
- All employees should receive training on at least an annual basis
- The goal is to change employee behavior to reinforce good data security practices

19 The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)

20 NIST’s Cybersecurity Framework – Background
- President Obama issued Executive Order (Improving Critical Infrastructure Cybersecurity) in 2013
  – Directed the National Institute of Standards and Technology (NIST) to spearhead the development of a framework to reduce cyber risks to “critical infrastructure”
- NIST published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) in 2014
- Critical Infrastructure is defined in Presidential Policy Directive 21 (Critical Infrastructure Security and Resilience) to include the following sectors:
Industry Sectors
- Chemical
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials and waste
- Transportation systems
- Water and wastewater systems

21 NIST’s Cybersecurity Framework – What is it?
- Collection of best practices, procedures and guidelines developed in partnership by the government and private sector to manage cyber risk
- Relies on industry standards and best practices
- Intended to be used by organizations of all sizes to evaluate, maintain and improve security over information systems
- Not a “one-size-fits-all” approach
- Enables credit unions to understand how their cybersecurity risk management processes stack up against the ideal standards addressed in the Cybersecurity Framework
- Promotes participation in information sharing groups, such as FS-ISAC
- Participation is voluntary – CUNA Mutual Group highly recommends participating
Risk of Not Participating
The Cybersecurity Framework could potentially set cybersecurity standards for future legal rulings. For example, if a lawsuit is initiated against a credit union alleging violation of privacy laws due to a data breach, the credit union’s cybersecurity practices could be questioned. The court could identify NIST’s Cybersecurity Framework as a baseline for what is considered commercially reasonable cybersecurity standards.

22 NIST’s Cybersecurity Framework – What is it?
- Is not industry-specific
- Organizations must adapt it to the regulatory requirements/guidelines for their specific industry
- Credit unions would refer to:
  – Appendix A to NCUA §748 (Guidelines for Safeguarding Member Information)
  – NCUA Letter No. 06-CU-07 (IT Security Compliance Guide)
  – Appendix B to NCUA §748 (Guidance on Response Programs)

23 NIST’s Cybersecurity Framework – Three Components
1 Framework Core
- A set of cybersecurity activities, desired outcomes and informative references
- Organized by 5 continuous Functions (pillars): Identify, Protect, Detect, Respond and Recover
- Identifies underlying Categories and Subcategories for each Function and matches them against example Informative References (industry standard best practices)
2 Framework Implementation Tiers
- Describes the level of sophistication a credit union employs in applying its cybersecurity practices
- Tiers range from Partial (Tier 1) to Adaptive (Tier 4)
- Allows credit unions to see how their current cybersecurity risk management practices stack up against the ideal standards in the Framework Core
- NIST recommends organizations strive for Tier 3 or 4
3 Framework Profile
- Alignment of Functions, Categories and Subcategories with business needs, risk tolerance and resources
- Enables credit unions to establish a roadmap for reducing cybersecurity risk

24 NIST’s Cybersecurity Framework – Information Sharing
- Participation in FS-ISAC is strongly recommended by NIST
  – The FFIEC also recommends participating in FS-ISAC
- Organizations participating in information sharing forums (e.g., FS-ISAC) are far better prepared to identify vulnerabilities and attack methods and have successfully mitigated cyber-attacks on their systems
- CUNA Mutual Group has negotiated with FS-ISAC to offer discounted membership fees for credit unions that have a cyber insurance policy through CUNA Mutual Group
  – Learn more at

25 Session Summary
- Information theft is one of today’s most common forms of fraud
- Given the financial, legal and reputational risks of a data breach, failing to prepare can be a disaster
- Take proactive steps to prevent incidents from occurring in the first place
Protection Resource

26 Questions & Answers
Ken Otsuka, CPA
Senior Consultant – Risk Management
CUNA Mutual Group

27 Disclaimer
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond.

Credit Union Loss Scenarios – Case Studies
The credit union loss scenario claim study examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language.

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.

This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. CUP ©CUNA Mutual Group, 2015 All Rights Reserved
