
INFORMATION SECURITY & PRIVACY OVERVIEW September 23, 2014.


1 INFORMATION SECURITY & PRIVACY OVERVIEW September 23, 2014

2 MARSH Agenda
– Information Security & Privacy Risk Exposures
– Information Security & Privacy Insurance Overview
– Information Security & Privacy Benchmarking & Cost Modeling Analysis
– Risk Transfer Solutions
1 May 16, 2015

3 Information Security & Privacy Risk Exposures

4 Data Privacy and Network Security: A Multi-Threat Environment
External
– Business Associates
– Vendors/Suppliers (contractors, outside counsel, cloud providers)
– Foreign and domestic organized crime
– Hackers/Hacktivists
Regulatory
– HHS, HIPAA & HIPAA HITECH
– Identity Theft Red Flags Rule
– SEC, FTC, state attorneys general
– State breach notification laws
– PCI Compliance
Internal
– Rogue employees
– Careless staff
– BYOD
Old School
– Laptop theft
– Dumpster diving
– Photocopier
Technology
– Viruses, SQL injection, DDoS attacks, etc.
– Structural vulnerability
– Social Media/Networking
– Phishing

5 What are the Risks?
– Legal liability to others for computer security breaches
– Legal liability to others for privacy breaches, including both personal and commercial confidential information
– Vicarious liability for acts of vendors/service providers
– Compliance with breach notification laws, including credit monitoring/identity restoration costs
– Regulatory actions and scrutiny
– Loss or damage to data/information
– Loss of revenue/extra expense due to a system outage, including an outage suffered or caused by a vendor/service provider
– Loss or damage to reputation
– Cyber-extortion
– Social Media

6 What types of information are at risk? Many people think that without credit cards or PHI, they don’t have a data breach risk. But can you think of any business without any of the below kinds of information?
Consumer Information
– Credit cards, debit cards, and other payment information
– Social Security Numbers, ITINs, and other taxpayer records
– Customer transaction information, like order history, account numbers, etc.
– Protected Health Information (PHI), including medical records, test results, appointment history
– Personally Identifiable Information (PII), like driver’s license and passport details
– Financial information, like account balances, loan history, and credit reports
– Non-PII, like email addresses, phone lists, and home addresses, that may not be independently sensitive but becomes more sensitive when combined with one or more of the above
Employee Information
– Employers have at least some of the above information on all of their employees
Business Partners
– Vendors and business partners may provide some of the above information, particularly for sub-contractors and independent contractors
– All of the above types of information may also be received from commercial clients as part of commercial transactions or services
– In addition, B2B exposures like projections, forecasts, M&A activity, attorney-client communication, litigation strategy and trade secrets

7 Business activities to keep in mind include…
Do you have:
– Interactive websites
– Business partners, contractors that touch personal data
– Social media sites (Facebook and Twitter) that collect and display private information
– Contracts with third parties to provide (or develop) services or products on your behalf
Do you do:
– Processing of credit card payments
– Data storage (online and traditional shipping of paper records or back-up tapes)
– Housing of private data on laptops
– Providing of online content or media
– Cloud computing and outsourced computing
– Development of software
– Performance of system integration services or software maintenance services
– Broadcasting or distribution of content

8 Information Security & Privacy Insurance Overview

9 Information Security & Privacy Coverage Overview
– Privacy Liability: Harm suffered by others due to the collection or disclosure of confidential information.
– Network Security Liability: Harm suffered by others from a failure of your network security.
– Media Liability: Harm suffered by others due to libel, slander, product disparagement, copyright infringement, trademark infringement or other advertising injury/personal injury.
– Cyber-Extortion: The cost of investigation and the extortion demand (limited cover for ransom & crisis consultant expenses).
– Regulatory Defense: Legal counsel for regulatory actions, including coverage for fines and penalties where permissible.
– Privacy Event/Breach Costs: The costs of complying with the various breach notification laws and regulations, including legal expense, call centers, credit monitoring and forensic investigation.
– Data Restoration: The cost to recreate data stolen, destroyed, or corrupted by a computer attack.
– Business Interruption: Business income that is interrupted by a computer attack or a failure of technology, including the extra expense.
– Professional Liability: Harm suffered by others due to negligence in rendering a service and/or a product’s failure to function as intended.
Coverage for Privacy Liability requires no negligence on the part of the insured and provides coverage for the intentional acts of the insured’s employees.

10 Simplified Data Breach Timeline
Stages: Discovery, First Response, External Issues, Long-Term Consequences
Discovery: Actual or alleged theft, loss, or unauthorized collection/disclosure of confidential information that is in the care, custody or control of the Insured, or of a 3rd party for whom the Insured is legally liable. Discovery can come about several ways:
– Self discovery: usually the best case
– Customer inquiry or vendor discovery
– Call from regulator or law enforcement
First Response: Forensic Investigation and Legal Review
– Forensic tells you what happened
– Legal sets out options/obligations
Later stages (External Issues and Long-Term Consequences):
– Notification
– Remedial Service Offering
– Public Relations
– Civil Litigation
– Regulatory Fines, Penalties, and Consumer Redress
– Damage to Brand or Reputation
– Income Loss

11 Information Security & Privacy Benchmarking & Cost Modeling Analysis

12 What would a Breach Cost?

Number of Records Compromised                      100,000      500,000     1,000,000
Number of Credit Card Numbers Compromised          100,000      500,000     1,000,000
Forensics, Legal & Advisory Costs                 $100,000     $100,000      $250,000
Notification Costs                                $200,000   $1,000,000    $1,000,000
Call Center Costs                                 $100,000     $500,000    $1,000,000
Credit Monitoring Costs                           $300,000   $1,500,000    $2,250,000
Identity Theft Repair Costs                       $375,000   $1,875,000    $3,750,000
Estimated First Party Costs                     $1,075,000   $4,975,000    $8,250,000
Credit Card Reissuance Costs                      $600,000   $3,000,000    $6,000,000
Consumer Redress Fund & Fines                     $600,000   $3,000,000    $6,000,000
Other Liability                                   $500,000   $2,500,000    $5,000,000
Defense Costs                                     $100,000     $500,000    $1,000,000
Estimated Third Party Liability (inc. defense)  $1,800,000   $9,000,000   $18,000,000
Estimated Privacy Event Insurable Cost          $2,875,000  $13,975,000   $26,250,000

Assumptions
– Per record notification cost: $2.00 (100,000 and 500,000 records), $1.00 (1,000,000 records)
– Call center participation rate: 20%
– Per call cost: $5.00
– Credit monitoring participation rate: 15%
– Credit monitoring per record cost: $20.00 (100,000 and 500,000 records), $15.00 (1,000,000 records)
– Identity theft rate of occurrence: 0.75%
– Identity theft per record cost: $500.00
– Credit card reissuance cost per card: $6.00
– Consumer Redress & Fines per record: $6.00
– Other liability experience rate: 1%
– Other liability cost per record: $500.00
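The cost model on this slide reduces to a handful of per-record rates, so it can be recomputed and stress-tested. The Python below is an added example, not code from the Marsh deck; it reads the slide's merged cells as forensics of $100,000/$100,000/$250,000 and notification of $200,000/$1,000,000/$1,000,000 (the only reading consistent with the printed subtotals) and assumes the $1-per-record defense cost the table implies but does not list.

```python
# Added example, not from the Marsh deck: a reimplementation of the slide's
# per-record breach cost model, so its three columns can be recomputed and
# the effect of changing any single assumption inspected.

# Assumptions printed on the slide that do not vary with breach size.
CALL_CENTER_RATE, CALL_COST = 0.20, 5.00
CREDIT_MONITORING_RATE = 0.15
ID_THEFT_RATE, ID_THEFT_COST = 0.0075, 500.00
CARD_REISSUE_PER_CARD = 6.00
REDRESS_AND_FINES_PER_RECORD = 6.00
OTHER_LIABILITY_RATE, OTHER_LIABILITY_COST = 0.01, 500.00
DEFENSE_PER_RECORD = 1.00  # assumption: not listed on the slide, implied by its Defense Costs row

# Size-dependent assumptions per slide scenario (one payment card per record).
SLIDE_SCENARIOS = {
    100_000:   dict(notify=2.00, monitor=20.00, forensics=100_000),
    500_000:   dict(notify=2.00, monitor=20.00, forensics=100_000),
    1_000_000: dict(notify=1.00, monitor=15.00, forensics=250_000),
}


def breach_cost_estimate(records, notify, monitor, forensics):
    """First-party, third-party and total insurable cost, in whole dollars."""
    first_party = {
        "forensics_legal_advisory": forensics,
        "notification": round(records * notify),
        "call_center": round(records * CALL_CENTER_RATE * CALL_COST),
        "credit_monitoring": round(records * CREDIT_MONITORING_RATE * monitor),
        "identity_theft_repair": round(records * ID_THEFT_RATE * ID_THEFT_COST),
    }
    third_party = {
        "card_reissuance": round(records * CARD_REISSUE_PER_CARD),
        "redress_fund_and_fines": round(records * REDRESS_AND_FINES_PER_RECORD),
        "other_liability": round(records * OTHER_LIABILITY_RATE * OTHER_LIABILITY_COST),
        "defense": round(records * DEFENSE_PER_RECORD),
    }
    fp, tp = sum(first_party.values()), sum(third_party.values())
    return {"first_party": fp, "third_party": tp, "total": fp + tp,
            "first_party_items": first_party, "third_party_items": third_party}


def slide_totals():
    """Recompute the slide's three 'Estimated Privacy Event Insurable Cost' figures."""
    return {n: breach_cost_estimate(n, **kw)["total"] for n, kw in SLIDE_SCENARIOS.items()}


if __name__ == "__main__":
    for n, kw in SLIDE_SCENARIOS.items():
        e = breach_cost_estimate(n, **kw)
        print(f"{n:>9,} records: first party ${e['first_party']:>11,}  "
              f"third party ${e['third_party']:>11,}  total ${e['total']:>11,}")
```

Changing one constant (for example the credit monitoring participation rate) and re-running shows which assumptions dominate the estimate; on this model, third-party liability is roughly two thirds of the total at every breach size.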

13 Privacy IDEAL – Frequency (EXAMPLE ANALYSIS)
– The likelihood of a data breach event is correlated with a company’s industry.
– Historical data shows that if a company has had prior data breach events, there is a greater likelihood it will have another data breach event in the future.
– Companies with lower data security face an increased risk of suffering a data breach event. Using the proprietary Marsh Cyber Self-Assessment, a client can achieve a better understanding of their level of data security. By default, the Privacy IDEAL model uses an average level of data security.
– Companies with higher revenue face a higher probability of a data breach event due to publicity and the perceived greater number of records.
What is the probability that Retail #2 will have a data breach event over the next 12 months? Probability of at least one Data Breach Event: 7.09%
*Note: This is an example analysis run on a fictional organization. With specific exposure detail we can execute the analysis for Marsh clients.

14 Privacy IDEAL – Range of Potential Outcomes (EXAMPLE ANALYSIS)

15 Privacy IDEAL – Cost Analysis (EXAMPLE ANALYSIS): First Party Costs and Third Party Costs. Note: Costs do not include business interruption due to its high degree of variability.

16 Risk Transfer Solutions

17 Underwriting Process for Information Security & Privacy Insurance
Application
– Security self-assessment: Marsh proprietary document based on ISO 27001/2; acceptable as a submission by markets
Approach to underwriting differs by insurer:
– Industry
– Business Interruption
– Revenue
– Record count
Principal Insurers:
– ACE
– AIG
– AWAC
– AXIS
– Beazley
– Chubb
– CNA
– Liberty
– Lloyds Markets
– Zurich

18 Considerations in Selecting an Insurer
– Overall Experience
– Program Cost
– Scope of Coverage
– Treatment of Privacy Event Costs: dollar limit vs. per-person limit?
– Sub-limits offered and erosion of policy limits
– Approach to selection of vendors: are you required to use the panel chosen by the Insurer?
  – Forensic Investigation
  – Privacy Law Firm
  – Identity Theft Monitoring/Call Center
  – Public Relations/Crisis Management Firm
– Pre- and post-loss service considerations:
  – Online resources: eRisk Hub, ePlace Solutions
  – On-site risk assessments
  – Claims expertise
  – Access to other resources: NetDiligence

19 Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman. This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended solely for the entity identified as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. Copyright © 2014 Marsh LLC All rights reserved.

