
Data/Cyber Security: an Essential Part of Risk Management


1 Data/Cyber Security: an Essential Part of Risk Management
October 16, 2016
Presented by: Kim Ferenchak, Practice Leader, Executive Risk, Oswald Companies

2 Privacy/Cyber Agenda
Exposures Defined
Emerging Risks
Costs Defined
Cyber Myths/Insurance Solutions
Post Incident Response
Cyber Risk Management

3 What is Cyber Liability?
Liability arising out of the loss of, or unauthorized access to, private and/or confidential information in your care, custody and control

4 What is Private Information?
Personally Identifiable Information (non-public):
  Social Security Number
  Driver's License Number
  Debit/Credit Card Numbers
  Bank Account Numbers
  Passport Number
Confidential Information (business):
  Trade secrets
  Information subject to a confidentiality agreement
Protected Health Information (PHI)
First- and third-party information

5 Security & Privacy Exposures
Physical Loss: improper disposal of paper; stolen or lost portable device (laptop, smartphone, iPad, etc.); stolen or lost portable media (flash drives, portable hard drives, etc.)
Database/Server Breach: an unauthorized person accesses or hacks into a computer system

6 Security & Privacy Exposures
Stolen Data by Otherwise Authorized Users: employee misuse/theft, e.g. sending data to an unauthorized location
Third-Party Breach: a service provider that holds your data suffers a breach (the liability for your customers' data does not move with it)

7 Cloud Computing: What is it and why is it valuable?
What it is: a TPA providing infrastructure services, hardware resources, platform services, data storage or software services from a remote location, available through a public or private network
Business advantages:
  Cost savings
  Efficiency
  Outsourced expertise
Business disadvantages:
  Loss of control of data
  Mandatory data destruction requirements
  Security issues
  Prone to cyber attack
How would insurance respond to a suspected incident?

8 Cloud Considerations Review and negotiate your contracts. Consult an attorney. Cloud providers may be willing to indemnify customers for third-party claims related to breach of confidentiality obligations, although this indemnification is usually limited in some way (such as to negligence or intentional wrongful acts). Limitations of liability are standard, however, the total dollar limit is often negotiable. Require your Cloud Service Provider to have standard security and internal control certifications such as SSAE 16. Review for compliance with Gramm-Leach-Bliley Act Make sure you address post-termination transition of your data.

9 Emerging Risks
Ransomware
Social Engineering
Cybersecurity Information Sharing Act of 2015 (CISA) and Presidential Policy Directive PPD-41 (United States Cyber Incident Coordination): voluntary notification of incidents to the federal government

10 Exposure: Regulatory Climate
Inconsistent state laws relative to notice triggers:
  What counts as PII in the breached state
  Type of data: paper/electronic
  Timeliness of notification: the time allowed to notify keeps decreasing
  Notification content
  Notification of the Attorney General and other state agencies
  Removing encryption as a safe harbor
New items added to the definition of PII:
  Mother's maiden name
  Marriage certificate
  Medical information

11 Regulatory Outlook: Evolving Enforcement
Inconsistent state requirements
Global implications
Washington focused on fines and penalties:
  GLBA: civil penalties include fines of up to $100K per violation for the institution, and officers and directors may be fined up to $10K per violation
  HIPAA: maximum fine increased to $1.5MM (per calendar year for violations of an identical provision)
Fines and penalties can be viewed by regulators as a source of revenue
Increase in staffing/resources allocated to compliance/oversight anticipated

12 Things Regulators Dislike
Unencrypted backup tapes
Unencrypted portable devices
Slow incident detection and notification
Default configurations/passwords
Absence of appropriate policies
Insufficient employee training/awareness
Insufficient sanctions for employee(s) responsible for a breach
Insufficient dedicated security roles
Failure to address issues identified by risk assessments

13 Dispelling Detection Myths
How is a breach detected?
  31% of victims detect the breach internally
  69% of victims are notified by an external party (e.g., law enforcement, a partner or a customer)
How long does it take before companies become aware of a compromise?
  205: median number of days that threat groups were present on a victim's network before detection
Adapted from Mandiant's M-Trends "Beyond the Breach" 2015 threat report

14 Dispelling Privacy Insurance Myths
"Our firm isn't large enough to be a target for hackers and data thieves."
"We have an 'add-on' on our X insurance contract."
"We outsource our data storage, so the liability would ultimately fall to our third-party provider."
"Wouldn't that be covered under our General Liability or Professional Liability policy?"

15 Overview of Cyber Insurance Solutions
First Party:
  Notification
  Credit Monitoring
  Business Interruption/Income/Extra Expense
  Extortion
  Crisis Management/PR
Third Party:
  Invasion of Privacy Rights
  Media
  Intellectual Property
  Failure to implement, maintain or enforce reasonable security policies
  Unfair, deceptive and unlawful business practices
  Regulatory Actions

16 First Party Privacy Insurance Coverage
First Party Coverages (losses/expenses incurred by the insured):
  Event Management Expense: coverage for notification costs, credit monitoring/restoration services, legal assistance, forensic investigation costs, and the cost of hiring a PR firm to minimize harm
  Cyber Extortion: costs incurred to investigate and terminate an extortion threat to commit an intentional computer attack against the insured
  Information Asset: covers replacement costs as a result of damage to or theft of the insured's information assets due to a covered computer attack (data restoration)
  Business Interruption: coverage for loss (costs and lost income) in the wake of a computer attack that interrupts or suspends your business

17 Third Party Privacy Insurance Coverage
Third Party Liability (economic damages suffered by others):
  Network Security Liability: coverage for damages and defense costs resulting from breaches of network security, e.g. computer virus, unauthorized access, denial of service, identity theft
  Privacy Liability: coverage for failure to protect, or wrongful disclosure of, PII or PHI, whether or not due to a failure of network security
  Privacy Regulatory Proceeding Coverage: covers costs resulting from civil, administrative or regulatory proceedings alleging violation of privacy laws
  Electronic (Website) Media Liability Coverage: coverage for content-based injuries such as libel, slander, defamation and copyright infringement

18 Post Incident Insurance Assistance
PR firm available to manage reputational consequences, internally and externally
Reputational risk
Contract and business income consequences
Notification and call centers
Credit monitoring/freezing/thawing
Fines and penalties
Data reconstruction

19 Breach Cost Leaders
Lost Business
Legal Defense
Business Income
Reputational Risk
Investigation & Forensics

20 Cyber Risk Management Plan
Treat cyber as an enterprise risk issue
Board oversight
Written Information Security Program (WISP)
Assemble an Incident Response Team
Draft an Incident Response Plan and test the plan:
  Identify regulatory requirements
  Roles and responsibilities, with alternates
  Escalation procedures
  Proper disposal procedures
  Plan tested quarterly or annually

21 Cyber Risk Management Plan
Building Your Incident Response Team:
  Legal
  IT
  Risk Management/Insurance
  HR
  Marketing
  Public Relations
  Compliance & Internal Audit
  Physical Security
  Other executives, as appropriate
  Third-party response services (e.g., forensics, privacy counsel, notification)
Organizations that embrace a cross-disciplinary, collaborative approach have more positive outcomes than those that do not

22 Cyber Risk Management Plan
Proper and ongoing training of employees on the company's data security program
Complete a data privacy review:
  Identify who has access to PII, CI and PHI
  Security policies and procedures: physical and electronic
  Vendor contracts
  Document retention
  Social media
  NIST Cybersecurity Framework
Explore coverage through a comprehensive privacy and security insurance policy

23 National Institute of Standards & Technology Cybersecurity Framework (nist.gov)
Identify – develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
Protect – develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
Detect – develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
Transfer – develop and implement an appropriate insurance program that deals with cyber and privacy events (the presenter's addition; the NIST Framework core itself has five functions, and risk transfer is not one of them)
Respond – develop and implement the appropriate activities to take action regarding a detected cybersecurity event
Recover – develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

24 We Have an Incident or Situation Now What??
Determine what actions need to be taken:
  Call your privacy attorney
  Call your insurance agent
  Engage the Incident Response Team and assign a leader
  Do not use the B…. word
  Act prudently but not prematurely: notification/credit monitoring
  Consider using a PR firm to manage reputational consequences, internally and externally, to provide consistent messaging
  What resources can insurance provide?

25 Information Resources

26 Q & A
Thank you for your time!
Kimberly K Ferenchak, Practice Leader, Vice President, Executive Risk
Oswald Companies, 1100 Superior Avenue, Suite 1500, Cleveland, OH 44114
The information displayed is for preliminary information purposes only; it is not intended to be a complete description of all exposures or potential insurance solutions. Any coverage afforded by potential policies described herein is subject to and governed by the terms and conditions of each policy issued. This presentation is not intended to give legal or regulatory advice.
