Published by Loraine Watson. Modified over 8 years ago.
Slide 1
© 2011 The Magnes Group Inc.
CYBER LIABILITY AND SOCIAL ENGINEERING FRAUD RISK TRANSFER
Slide 2
AGENDA
■ What is Cyber Liability?
  – Privacy Breach / Network Security Breach
  – Causes of Breach and Threats to Privacy Information
  – Costs of a Breach
  – Can Breaches be Preventable?
  – Insurance as a Risk Transfer Tool
■ What is Social Engineering Fraud?
  – Definition
  – Examples of Social Engineering Schemes
  – Key Risk Management Considerations
  – Insurance as a Risk Transfer Tool
Slide 3
What is a Cyber Liability Breach?
A Privacy Breach occurs when there is “unauthorized access to or collection, use or disclosure of personal information”.
Common breaches happen when personal information of customers, patients, clients or employees is lost, stolen, or mistakenly disclosed.
– e.g. a computer containing private information is stolen; a USB key containing sensitive information is provided to an unauthorized person
Slide 4
What is a Cyber Liability Breach?
A Network Security Breach is an incident that results in unauthorized access to data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.
Example: a system security failure causes a virus to be transmitted from a supplier to their clients’ systems.
Slide 5
EXTRA, EXTRA – READ ALL ABOUT IT!
“Major [Bay St] law firms fall victim to cyber attacks” – Globe & Mail, April 6, 2011
“Elections Ontario Hit With Class Action Over Massive Privacy Breach” – www.huffingtonpost.ca, September 19, 2012
“Federal government faces third class-action lawsuit over privacy breach” – Global News, January 18, 2013
“Loss of mobile device by IIROC results in breach of 52,000 brokerage firm clients” – Globe & Mail, April 11, 2013
“Human Resources Canada faces 4 Lawsuits over lost data” – CBC News, January 22, 2013
“Nortel hit by suspected Chinese Cyber attacks for a decade” – CBC News, February 14, 2012
Slide 6
“There are only two types of companies: those that have been hacked and those that will be.”
– Robert Mueller, Director, Federal Bureau of Investigation
Slide 7
If sophisticated organizations such as these can have a breach:
▪ Amazon.com
▪ Wells Fargo
▪ AT&T
▪ Research in Motion
▪ Bell Canada
▪ Nortel
▪ Cisco Systems
▪ SONY
▪ Facebook
▪ IBM
Slide 8
Do you really think your IT security protocols make your organization untouchable?
Slide 9
Causes of a Breach
▪ Cyber Attack
▪ Disgruntled Employees
▪ Targeted, lost, stolen or mistakenly discarded:
  – Memory sticks
  – Smart phones
  – Laptops
  – Back-up tapes
  – Paper files
  – Photocopiers
Slide 10
Causes of a Breach (cont’d)
▪ Human intervention and errors:
  – “Wikileaks” and the insider threat
  – Employees doing dumb things
  – Contractors doing dumb things
▪ System errors:
  – New technology, such as Cloud Computing
  – Software glitches
Slide 11
Cost of a Breach
▪ Personnel Costs: staff time to research and collect information to measure the scope of the incident; executive time with legal counsel
▪ Post-incident Costs: media, investor relations, call centre, forensics, repairs, credit monitoring
▪ Legal Costs: regulators, liability assessment, defence, damages
▪ Lost Revenue: lost customers, lost opportunity costs
Slide 12
Can Breaches Be Preventable?
YES! A solid data security strategy and policy comes down to:
▪ Educational Awareness
▪ Effective Technological Protection
▪ Assertive Governance
Slide 13
Formulating a Data Security Strategy
▪ Develop a data breach protocol and ensure that it is updated periodically to reflect modern technologies and circumstances;
▪ Incorporate in the organization’s data breach protocol a step that requires a report to the relevant Privacy Commissioner of any serious data breach;
▪ Ensure that all third party service contracts explicitly require the third party contractor to immediately inform the organization of any possible or suspected breach;
Slide 14
Formulating a Data Security Strategy (cont’d)
▪ Revise the organization’s record retention and destruction policies and procedures, so that personal information is destroyed or “anonymized” once it is no longer required, in compliance with existing privacy law requirements;
▪ Ensure all employees/contractors of the corporation are aware of, and in compliance with, the organization’s policies and practices relating to third party personal information;
▪ Develop a comprehensive security program to protect the confidentiality, integrity and availability of all information, not just personal information;
Slide 15
Formulating a Data Security Strategy (cont’d)
Last But Not Least…
▪ Consider transferring some of the exposure to an insurance policy as a backstop
Slide 16
Privacy & Network Security Breach Response Insurance
▪ Network security & privacy is not covered well by existing insurance such as property and liability policies; insurers are amending those policies further to exclude this coverage
■ Insurers have now collected enough claims experience to evaluate the risk
■ A standalone liability policy that addresses both first party and third party exposures has been created
■ Intended for businesses that do transactions over the internet and/or store private and confidential customer or employee information on their systems or premises
Slide 17
Privacy & Network Security Breach Response Insurance (cont’d)
Mandatory Liability Coverage (Third Party)
▪ Covers the insured’s liability for injury as a result of a privacy and/or network security breach
Example 1: Individual customers’ credit card data is stolen from the insured’s system by a hacker. Suit ensues.
Slide 18
Privacy & Network Security Breach Response Insurance (cont’d)
Example 2: Medical records of thousands of patients are accidentally posted on the internet.
Example 3: A disgruntled employee exceeds authorized access and customers cannot transact business with the insured in a timely fashion, resulting in the customers suffering a financial loss.
Slide 19
Privacy & Network Security Breach Response Insurance (cont’d)
Optional Additional Coverages:
▪ Privacy Notification Expense (First Party): Provides reasonable and necessary cost of notifying Persons who may be directly affected by the potential or actual unauthorized access of a record, and can include costs to cover resulting expenses, such as but not limited to:
  – Changing their account numbers, identity numbers and security codes
  – Providing them with credit monitoring or similar services to protect them against fraudulent use of their Record for a stipulated period of time
Slide 20
Privacy & Network Security Breach Response Insurance (cont’d)
Optional Additional Coverages:
▪ Crisis Management (First Party): Expenses incurred by the Insured to obtain independent advice from outside counsel, forensic investigators, public relations consultants, or costs to conduct advertising or public relations activities
▪ Business Interruption and Extra Expense (First Party): Pays loss of revenue and additional expenses incurred by the insured during the Period of Recovery as a result of an actual impairment or denial of Operations resulting from Fraudulent Access or Transmission
Slide 21
CYBER CRIME – SOCIAL ENGINEERING FRAUD
Slide 22
What is Social Engineering Fraud?
As businesses have become increasingly dependent upon technology, criminals have shifted their focus from theft of physical assets to the theft of electronic information.
Cyber crime can threaten various processes, such as, but not limited to:
▪ Point of sale purchases
▪ Debit/credit cards – retail
▪ ATM transactions – banking
▪ E-commerce and online sales
▪ Electronic business communications
Slide 23
What is Social Engineering Fraud?
▪ Technical security measures implemented in response to increased regulation make direct, purely technological attacks more difficult and costly.
▪ As a result, cyber criminals have shifted their focus away from such purely technological attacks and instead have attacked employees through the use of “social engineering” – a collection of techniques used to manipulate people into performing actions or divulging confidential information.
▪ A social engineer is nothing but a con man who uses technology to swindle people and manipulate them into disclosing passwords or bank information, or granting access to their computer.
Slide 24
Examples of Social Engineering Schemes
▪ Social engineers prey on innate human emotions (i.e. fear, curiosity, the natural desire to help, the tendency to trust, complacency).
▪ The weakest link in the security chain of businesses is the employee who accepts a person or scenario at face value – social engineers target this vulnerability.
A few common examples:
▪ Messages from Trustworthy Sources
▪ Phishing Schemes
▪ Baiting Scenarios
▪ Impersonating Superiors
Slide 25
Guarding Against Social Engineering – Key Risk Management Considerations
▪ Risk Assessment
▪ Policies and Procedures
▪ Security Incident Management
▪ Training Programs
▪ Transfer of Risk to an Insurance Policy
Slide 26
Traditional Crime Insurance May Not Cover Social Engineering
▪ Many businesses believe that traditional crime policies (or financial institution bonds) cover all cyber-related losses.
▪ Although most crime insurance policies today carry computer fraud and funds transfer insuring agreements, courts have generally held that incidents where the insured voluntarily transfers funds, or is duped into transferring funds, are not covered.
▪ An insured seeking to cover the risk of loss from social engineering should consider insurance coverage tailored to address these risks.
Slide 27
Social Engineering Fraud Coverage
▪ As of fall 2015, some insurers are now offering the option of purchasing a sub-limit for social engineering fraud coverage as an add-on to an insured’s existing crime insurance policy, subject to an additional premium.
▪ More insurers are currently sub-limiting coverage for this exposure to a maximum limit of $250,000, subject to a deductible.
▪ Some insurers may also have restrictions in their coverage as it relates to covered claims for this exposure (i.e. supplier/customer verification requirements).
Slide 28
Questions
Sources of Information/References:
▪ Chubb Insurance Company of Canada
▪ AXIS Reinsurance Company of Canada