Cyber Liability Insurance Why we have it & How it works

Presentation transcript:

Cyber Liability Insurance Why we have it & How it works Doug Selix, MBA, CISSP, CISM, PMP - DES Office of Risk Management April 9, 2015 SBCTC – IT Commission Meeting

Agenda
Cyber Liability Incidents
Cyber Liability Risks
Cyber Liability Risk Exposure
What Happens if “it” Happens?
Cyber Liability Insurance

Key Definitions
Cyber Security is defined as: “Measures taken to protect a computer or computer system (as on the Internet) and the data they contain against unauthorized access or attack.”
Cyber Risk is defined as: “The possibility that data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data.”
Doug’s Version: “What happens when Cyber Security measures are not effective in protecting an organization’s electronic data or computer systems from unauthorized access or attack.”

Key Definitions
Cyber Risk Loss Exposure is defined as: “Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.”
Doug’s Version: Costs arising from 1st party damages and 3rd party liabilities resulting from the use of your computer systems.

Switch Gears: Why We Need Cyber Liability Insurance
Stuff Happens! Not a matter of “if”, but a matter of “when”

Incidents - The Big Picture Significant Data Breach Events The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII). Source: www.InformationisBeautiful.com

Breaches in Academia Source: www.InformationisBeautiful.com

Incidents - Education
Instructional Data Breach Events
Maricopa Community Colleges – as of April 2013: 2.4 Million Student and Employee Records; $12 Million cost; IT Director fired for dereliction of duty; 2 Lawsuits
Administrator of the Courts – May 2013: 1 Million WDL and 160K SSN’s; Web site hacked
University of Washington – 2013: 90,000 patient records; email based attack
Eastern Washington University – 2009: 130,000 student records; Hack attack

Switch Gears: What Risks are Covered by Cyber Liability Insurance?

Cyber Liability Risks
Any condition that presents the possibility of financial loss as a consequence of using advanced technology.
Sample Adverse Impacts: Harm to Operations; Harm to Assets; Harm to Individuals; Harm to Other Organizations; Harm to the Nation
Source: NIST SP 800-30

Cyber Liability Risks
Cost to comply with Breach Notification Regulations: RCW 42.56.590, FERPA, HIPAA, PCI, IRS Publication 1075

Cyber Liability Insurance – Common Coverage Areas
Information Security & Privacy Liability
Privacy Notification Costs
Regulatory Defense and Penalties
Website Media Content Liability
Cyber Extortion
First Party Data Protection
First Party Network Business Interruption
See APIP Document

Cyber Risk – The Devil is in the Details
Source: NIST SP 800-30, NIST SP 800-39

Switch Gears: Cyber Risk Exposure
How Much Cyber Liability Insurance do you need?

Risk Exposure – Mostly About Data
Data that can cause financial harm to your agency “if” it is not kept secure, includes:
Personally identifiable information (RCW 42.56.590)
Electronic personal health information (HIPAA Security Rule)
Credit card information (PCI Data Security Standard)
Bank account information used to process electronic fund transfers or payments
IRS tax information (IRS 1075)
Student education information (FERPA)
Data protected by attorney client privilege
Criminal justice information (FBI CJIS standards)
Proprietary information (agreement, contract, or license)

Risk Exposure – Cost Factors
Example: Costs associated with breach notification
$3 per record minimum cost – EWU 2009 breach actual cost
~$107 – Estimated public sector cost per record in data breach (Ponemon Institute 2014 US Cost of a Data Security Breach Report)

ORM 2014 Data Survey Results – SBCTC & Community College View (as of 6/3/2014)

Estimating Your Cyber Risk Exposure
Compute Cyber Liability Risk Exposure
Need to Document Your Confidential Data
Use Risk Assessment Worksheet (See Handout No. 1)
Call Me, we can do this together.

Switch Gears: What Happens if “it” Happens?
Security Event Incident Response

Incident Response Team Follows the Plan
Follow Your Plan, Right?
Who’s Got The Plan?

“Good” Security is Planned
Use the NIST Cyber Security Framework: http://www.nist.gov/cyberframework/
Breach Response

Or Maybe Not: We can deal with whatever comes up…

“Good” Computer Security Incident Response is also Planned
NIST – Computer Security Incident Handling Guide (SP 800-61 R2)

The OCIO Has a Plan – IT Security Incident Communication Policy
Step 1. Agencies shall report all IT security incidents to the OCIO
Step 2. CTS Security shall investigate to determine degree of severity and assist with mitigation
Step 3. CTS Security shall notify the OCIO (if required)
Step 4. OCIO will convene a Security Incident Communication Team (if required)
Step 5. OCIO will authorize coordinated release of public notification with breached agency(s) (if required)

The OCIO Has a Plan – Step 3: CTS Security shall notify the OCIO (if required)
CTS Security will notify OCIO and AGG for OCIO.
At this time the CTS Security Officer, in conjunction with the Washington State Office of the Attorney General, will also provide the CISO with an informed opinion as to whether or not the severity of the incident’s impact warrants public notification as required by law.

Most IT/IR Guidance Stops Short
Focus tends to be on putting out the flame.

Fire is out, who cleans up the mess?
What we have so far:
Policy to prevent breaches by implementing security best practices
Resources (CTS Security) to react to the breach
State policy to manage public notification when breaches do occur

What we Don’t Have: A State level plan for dealing with the impact from a breach that includes:
Access to highly skilled legal and public relations resources to advise the OCIO, AGO, and agency leadership during a breach event
Access to risk financing resources to recover losses from the breach
Access to production capacity to do the work necessary to comply with breach notification regulations

Today: Who cleans up the mess? How will they do it?
The Affected Agency
Small breach – Deal with it internally
Big breach – Depends: May have Cyber Liability Insurance; May not – have to dip into reserves or ask for budget

Switch Gears: Cyber Liability Insurance? (Provides Response Resources)

Cyber Liability Insurance
Current Policy (APIP) - “Alliant Property Insurance Program”
Agency must be on the State Master Property Insurance Policy to have APIP Cyber Liability Insurance
Aggregate limits apply: $25M for APIP Pool; $2M for State of Washington

Warning: Not All Colleges and Universities have this policy

APIP Cyber Liability Insurance – Cyber Liability General Coverages ($100K Deductible)
$2M Information Security & Privacy Liability
$500K Privacy Notification Cost, $1M if carrier's preferred vendors are utilized
$2M Regulatory Defense and Penalties
$2M Website Media Content Liability
$2M Cyber Extortion Loss
$2M Data Protection Loss and Business Interruption Loss
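Worked example added here (not from the slides or the Office of Risk Management): the per-record exposure estimate from the "Risk Exposure – Cost Factors" and "Estimating Your Cyber Risk Exposure" slides, compared against the APIP deductible and notification sublimits above to show how much of a breach an agency would still pay itself. The per-record costs and policy figures are the slides' numbers; the record counts, the category-to-regulation mapping, and the assumption that the carrier pays costs above the deductible up to the sublimit are my own.

```python
# Added example, not from the slides: rough exposure estimate vs. APIP figures.
# Per-record costs and limits are the slides' numbers; record counts and the
# category-to-regulation mapping are constructed sample input.
COST_PER_RECORD_MIN = 3         # slide: EWU 2009 breach actual cost per record
COST_PER_RECORD_EST = 107       # slide: Ponemon 2014 public sector estimate
APIP_DEDUCTIBLE = 100_000                         # slide: $100K deductible
APIP_NOTIFICATION_SUBLIMIT = 500_000              # slide: $500K notification cost
APIP_NOTIFICATION_SUBLIMIT_PREFERRED = 1_000_000  # slide: $1M with preferred vendors

# Data categories from the "Risk Exposure" slide with the regime named there.
REGULATION_BY_CATEGORY = {
    "pii": "RCW 42.56.590",
    "ephi": "HIPAA Security Rule",
    "card_data": "PCI Data Security Standard",
    "tax_info": "IRS 1075",
    "student_records": "FERPA",
}

def estimate_exposure(record_counts):
    """Return (minimum, estimated) notification cost in dollars for a mapping
    of data category -> records held."""
    total = sum(record_counts.values())
    return total * COST_PER_RECORD_MIN, total * COST_PER_RECORD_EST

def retained_cost(exposure, preferred_vendors=False):
    """Dollars the agency pays itself. Assumption (not stated on the slide):
    the carrier pays costs above the deductible up to the notification sublimit."""
    sublimit = (APIP_NOTIFICATION_SUBLIMIT_PREFERRED if preferred_vendors
                else APIP_NOTIFICATION_SUBLIMIT)
    if exposure <= APIP_DEDUCTIBLE:
        return exposure
    return exposure - min(exposure - APIP_DEDUCTIBLE, sublimit)

def exposure_report(record_counts, preferred_vendors=False):
    """Exposure range, regulations triggered, and the uninsured share of each."""
    low, est = estimate_exposure(record_counts)
    return {
        "regulations": sorted({REGULATION_BY_CATEGORY[c] for c in record_counts}),
        "exposure_min": low,
        "exposure_est": est,
        "retained_min": retained_cost(low, preferred_vendors),
        "retained_est": retained_cost(est, preferred_vendors),
    }

if __name__ == "__main__":
    # Constructed sample: a college holding student records, employee PII, clinic ePHI.
    sample = {"student_records": 25_000, "pii": 2_000, "ephi": 3_000}
    for key, value in exposure_report(sample).items():
        print(f"{key}: {value}")
```

At the Ponemon estimate the constructed 30,000-record sample leaves roughly $2.7M uninsured under the $500K sublimit, which is the gap the "additional insurance" slides later in the deck are about.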

APIP Details: Sent to your Risk Manager and to you

Montana Lessons Learned – May 2014 HIPAA Breach
1.3 Million Dept. of Health Patient Records
APIP Cyber Liability Insurance Worked
Response Services Worked: Rapid Response Event Management; Forensic Analysis (Root Cause, Determine Data Exposure); Legal Services; Public Relations Services; Notification Production; Call Center Operation; Manage Internal Reporting (Gov)
Baker Hostetler

We have a Plan (See Handout No. 2)

How will APIP Work for you?
Based on the decision in Step 3 of the OCIO Incident Communication Plan, AGO will notify the Office of Risk Management if we need to file a claim with our Cyber Liability Insurance carrier.
Cyber Liability Insurance will provide resources to the Agency.

Is There State Level Cyber Liability Insurance?
No, APIP is all we have.
2014 – Decision Package for $30M CL Policy did not make it into Governor’s Budget. ASK ME “WHY”
OCIO IT Budget Requests Prioritized for FY 15-17

Academic Point
Insurance is about “Risk Finance”.
Risks can be Avoided, Reduced, Accepted, or Transferred.
Insurance is how we transfer Financial Risk Exposure.
Cyber Liability Insurance is not a Technology Topic, it is a Finance Topic.

Cyber Insurance Lumped With IT Proposals: Next to Last Priority

Switch Gears: Can Your Agency Buy More Cyber Liability Insurance?

Additional Cyber Liability Insurance is Available
Each Agency must decide how much is needed based on your Risk Exposure
Agency completes an application: Get application from Office of Risk Management (ORM); Return to ORM; ORM Submits to Broker; Broker will develop a quote
Advantages: No aggregate Limits; Lower retention possible; Sized to fit the agency risk exposure
Example: CWU AIG Quote ($3M for $33K, $5M for $44K)

Next Steps: We need to measure your Cyber Liability Risk Exposure
Send me your completed spreadsheets
IT Commission could recommend more Cyber Liability Insurance: Each College buys their own policy, or Buy one policy for all 34 Colleges
Call me if you need help telling this story to your management

Questions? Thank you!

Cyber Liability Program
Doug Selix, CISM, CISSP, PMP
Cyber Liability Program Manager
Department of Enterprise Services, Office of Risk Management
Office Phone: 360-407-8081
Email: doug.selix@des.wa.gov