Greene Finney, LLP Client CPE Day
Cyber Exposed: Business Secured with HUB International.
Thursday May 3, 2018
Disclaimer
The material in this presentation does not cover all possible cyber threats that may exist, does not identify potential controls for those risks, and does not constitute legal advice. This material is not intended as advice to you or your insureds about specific risk control practices. Travelers disclaims all forms of warranties whatsoever, without limitation, and implementation of any risk control practices suggested by this presentation is at your insured’s sole discretion. The material in this presentation does not amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy provisions, and any applicable law. Availability of coverages referenced in this presentation may depend on state regulations. Also note: this presentation material is about coverages generally available in the marketplace, and is not based specifically on Travelers products.
Exposure Environment
Interconnectivity
Think of all the places your personal information resides and all the ways it can be shared or transferred.
The regulatory environment
State Data Breach Laws
Children’s Online Privacy Protection Act (COPPA)
Health Insurance Portability & Accountability Act (HIPAA)
Federal Information Security Management Act (FISMA)
EU Data Protection Directive
Health Information Technology for Economic & Clinical Health Act (HITECH Act)
Gramm-Leach-Bliley
Securities and Exchange Commission (SEC)
FDIC and FFIEC
Sarbanes-Oxley
Payment Card Industry Data Security Standard (PCI-DSS)
How breaches can occur
True or False: Good risk management can effectively eliminate cyber threats.
Ever heard these objections before?
“Only large organizations are targets.”
“We have state of the art systems.”
“We’ve never had an issue.”
“We’ve outsourced our data so we are okay.”
“We can handle the cost of a breach.”
“We are already covered for cyber events.”
“Only large organizations are targets.”
Breaches by number of employees
Small and mid-sized firms are just as exposed to data breaches as large firms.
[Chart: breaches by number of employees, by size band starting at 1 – 250 employees; figures not recovered]
Source: Symantec Internet Security Threat Report 2016
“We outsource our data, so we’re okay.”
Hosted Software, Mobile Applications, Online Accounts
Anything on mobile devices!
Hosted Software: ASP, ERP, CRM, HR, Accounting, Operational, etc.
Online Accounts: Banks, vendors, partners, paid data hosting & backup/recovery vendors
What do you outsource?
Vendors
Cloud suppliers
Payment processors
Payment services (PayPal, etc.)
The “data owner” is the company that originally had the data. The data owner has liability for privacy no matter where the data is compromised!
“We can handle the cost of a breach.”
Costs of data breach
Information losses cost U.S. businesses an average of:
Total cost: $7.01M
Per compromised record: $221
Source: Ponemon Institute 2016 Cost of Data Breach Study, for surveyed companies that experienced a breach which required the company to notify victims under state law.
Summary: Potential impact of a cyber event
COSTS
Costs of legal compliance
Forensics, legal consultants
Network damages and costs to repair or upgrade
Business interruption
Indemnify victims
Summary: Potential impact of a cyber event
COSTS …and more
Indemnify financial institutions
Defense costs
Injunctive relief
Damage to shareholders
Ticking time-bomb theory
CyberRisk Coverage
Broad coverage for multiple industries and all business sizes, from small to Fortune 500 companies
Offered as a standalone policy or part of a suite of other management liability coverages
Customers include: private companies, public companies, financial institutions, non-profit organizations
What does cyber insurance cover?
Coverage triggers:
Unauthorized access to or use of data
Virus transmission
Failure to provide access
Failure to notify
Website/social media liability
Covered data:
Insured’s systems
Data in transit
Non-electronic data
Data residing on others’ systems
Employees’ data
Corporate data
CyberRisk Third Party Coverages
Network and Information Security Liability: coverage for claims arising from unauthorized access to data, failure to provide notification of a data breach where required by law, transmission of a computer virus or failure to provide authorized users with access to the company website
Communications and Media Liability: coverage for claims arising from copyright infringement, plagiarism, defamation, libel and slander in electronic content
Regulatory Defense Expenses: coverage for governmental claims made as a result of network and information security liability or communications and media liability
CyberRisk First Party Coverages
Crisis Management Event Expenses: coverage for public relations services to mitigate negative publicity
Funds Transfer Fraud: coverage for loss of money or securities due to fraudulent transfer instructions to a financial institution
Security Breach Remediation & Notification Expenses: coverage for costs associated with notification of individuals breached, credit monitoring, fraud expense reimbursement and call center
Computer Fraud: coverage for loss of money, securities or other property due to unauthorized system access
E-Commerce Extortion: coverage for money paid as a result of threats made to fraudulently transfer funds, destroy data, introduce a virus, attack a system or disclose electronic customer info
Computer Program & Electronic Data Restoration Expenses: coverage for expenses to restore data lost from system damage due to computer virus or unauthorized access
Business Interruption & Expenses: coverage for loss of income and expenses to restore operations as a result of a computer system disruption caused by a virus or unauthorized computer attack
Cyber Coverage Examples
Disclaimer: the following examples are generic
Cyber insurance forms differ greatly between companies.
Examples are exploring general coverage “intent” to illustrate differences that may exist between various coverages.
Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.
Example: Lost paper records
BACKGROUND
Company profile: Manufacturer with 400 employees
The IRS discovered hundreds of fraudulent tax returns were filed on behalf of employees that work for the same manufacturing company. They notified the FBI and the FBI alerted the manufacturer. The manufacturer hired a forensic investigator to determine how the employees’ personally identifiable information was accessed.
Example: Lost paper records
THE STORY
The investigation determined the personnel files of 298 past and current employees had been accessed. A criminal gained access to a box of W2s as they were being transported to a storage facility. As a result the manufacturer incurred expenses for a forensic investigation, credit monitoring for the employees and legal costs. Additionally, the company hired a public relations firm after the local news picked up the story when affected employees contacted the media.
Example: Lost paper records
COSTS
Cost estimates according to the NetDiligence® Data Breach Cost Calculator*
Estimated incident investigation: $180,000
Estimated customer notification/crisis management: $29,000
Estimated fines and penalties: $6,000
ESTIMATED TOTAL COSTS: $215,000
* The NetDiligence® Data Breach Cost Calculator is available to insureds on the Travelers’ eRisk Hub®.
Example: Losing paper records
PRIVACY LEGISLATION
California Databreach Protection Act: applies if you have customers in the state
Example: Losing paper records
PRIVACY LEGISLATION
Today, 47 states, DC and Puerto Rico have enacted privacy legislation requiring notification of compromised personal information
Existing Federal laws, including FACTA, Gramm Leach Bliley, Sarbanes-Oxley
Obama’s 2013 Cyber Security Executive Order led to NIST Cyber Security Standards
2015 Obama Executive Order created additional information sharing of security threats
SEC – 2014 audits of Registered Investment Advisors
FDIC privacy audits, recommending cyber insurance
FTC privacy enforcement actions
Example: Lost paper records
RISK MANAGEMENT TIPS
An information retention policy should be established and include guidance on what types of information should be retained, how long it should be retained and procedures for destruction of unneeded data
New hire training and regularly scheduled refresher training courses should be established in order to instill the data security culture of your organization
Create, implement and test an incident response plan
Example: Lost laptop
BACKGROUND
Company profile: Not-for-profit hospital, $100M in annual revenue
An employed physician of the hospital accidentally left his hospital-issued laptop on a train. The laptop contained an unencrypted database of current patient records that included protected health information with name, SSN, credit card, insurance ID, and limited medical information of 550 patients. The data stored on that laptop was completely unsecured, as the laptop had no remote take-down capability and was not password protected.
Example: Lost laptop
THE STORY
Upon learning of the lost laptop, the hospital immediately contacted a privacy lawyer who advised the hospital to report the breach to the US Department of Health and Human Services as is required under HITECH guidelines. Next, the hospital notified the affected individuals, in compliance with HIPAA/HITECH guidelines as well as the individual state notification requirements for the seven states in which the affected individuals reside. Thereafter, the Office of Civil Rights launched an investigation and the hospital was fined as a result of a HIPAA violation, and credit monitoring had to be put in place for all affected individuals.
Example: Lost laptop
COSTS
Cost estimates according to the NetDiligence® Data Breach Cost Calculator*
Estimated incident investigation: $180,000
Estimated customer notification/crisis management: $34,000
Estimated fines and penalties: $167,000
ESTIMATED TOTAL COSTS: $381,000
* The NetDiligence® Data Breach Cost Calculator is available to insureds on the Travelers’ eRisk Hub®.
Example: Lost laptop
DETAIL: HIPAA and HITECH
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Example: Lost laptop
DETAIL
Four categories of violations that reflect increasing levels of responsibility:
Tier A: Violations without “Knowledge”
Tier B: “Reasonable Cause” Violations
Tier C: Willful Neglect with Timely Correction
Tier D: Willful Neglect without Timely Correction
Example: Lost laptop
RISK MANAGEMENT TIPS
Implement procedures for using effective passwords and mandate periodic changes
If protected health information (PHI) is stored on laptops, you should consider implementing security measures including encrypting the information and having remote disabling capabilities
Consider storing PHI on a central server and accessing it via a secure connection
Risk Assessment
Exposure evaluation
Whose sensitive information does your organization have? Customers? Employees? Other businesses or individuals?
How sensitive is this data? Financial, medical, intellectual property, personal
How is it collected, protected, used, shared, and destroyed? By you, by your partners & vendors, by others that host or have access to your data
Virus transmission exposure?
Failure to provide access?
Social media activities?
Exposure evaluation
Any data or systems your client’s operations depend on? Data centers (owned or non-owned)? Cloud vendors? Hosted, shared, or backed up?
Would customers leave permanently after a while?
How many records could be breached?
Would your client incur public-relations expenses after a breach?
Any data or systems that could be a target? Financially-minded hackers? Thrill-seeker hackers (schools, government, high-profile)? Politically-motivated hackers?
Management controls
Contractual risk transfer with vendors and customers: IT and physical security controls required by each party; define responsibilities and warranties; indemnification for others’ errors; insurance requirements
Intellectual property: IP clearance procedures similar to security policies; software copyrights (including open source)
Security policies and procedures: written IT policy and procedures; person or dept. in charge of corporate data security; monitoring & audits; backups and redundancies
Incident response plan: Who does what, when, how? What technologies, backups, or fail-safes will be relied upon?
True or False: Good risk management can effectively eliminate cyber threats.
Questions
FINAL CONCLUSIONS
Information security risks, data breaches and identity fraud are not disappearing trends
Attacks are becoming more complex in nature
Legislation and contractual requirements have added to the complexity of managing cyber threats
Insurance is one tool that businesses can use to manage risk