
Executive Risk Monday September 21, 2015 Northern Ohio Association for Financial Professionals 2015 Idea Exchange Seminar Data Security/Privacy (Cyber)



Presentation transcript:

1 Executive Risk
Monday, September 21, 2015
Northern Ohio Association for Financial Professionals 2015 Idea Exchange Seminar
Data Security/Privacy (Cyber) 101

2 Nicholas J. Milanich, Vice President
Hylant Executive Risk
Phone # (216) 674-2413
nick.milanich@hylant.com
hylantexecutiverisk.com

3 AGENDA
The Risk
– Cyber Attacks
– Recent Data Breach Examples
– Loss Statistics
– Legislative Environment
– Emerging Risks
The Insurance
– 3rd Party Coverage
– 1st Party Coverage
– Coverage examples

4 CYBER ATTACKS
– Microsoft Xbox, Sony PlayStation (denial of service)
– US State Department (cyber vandalism)
– US Weather Station (satellite system)
– Sony Pictures (corporate information)
– VeriSign (internet security company)
– TD Waterhouse (unauthorized access)
– YouTube (website content)
– CareFirst of Maryland (website content)
– Authorize.net (denial of service attack)
– Six Apart, Ltd. (denial of service attack)
– PaineWebber (malicious code)

5 RECENT DATA BREACH EXAMPLES
Federal Government – Office of Personnel Management
– Up to 20 million individuals
– PII – names, addresses, DOBs, SS#s
– KeyPoint credentials compromised via zero-day malware (pre-patch)
Anthem
– 80 million current and former members' information
– Unencrypted data; employee password compromised; state-sponsored action
– Mostly PII: names, addresses, social security #'s, medical ID #'s, birth dates, salaries, email addresses
– Self-insured plans may have notice requirements
Home Depot
– 56 million credit card numbers
– Targeted attack at payment terminals
– Announced estimated costs so far of $62 million
– $27 million insurance recovery
– 44 lawsuits consolidated to two: consumer and financial institution
Target
– 110 million credit/debit card numbers
– Malware at POS
– $236 million direct data breach costs; half for software upgrades
– $90 million insurance recovery

6 HISTORICAL LARGE DATA BREACH EXAMPLES
Heartland Payment Systems
– 6th largest credit-card payment processor in the country
– 100 million card transactions each month, 250,000 businesses
– May–November 2008, spyware installed
– Unencrypted credit card data – 250 million records
– Magnetic strip & names
– More than 220 banks affected
Hannaford Brothers
– Grocery chain
– 4.2 million credit/debit card numbers
– 1,800 cases of identity theft
– 26 lawsuits
TJ Maxx
– 94 million individuals
– Criminals had access for 17 months
– 3-year credit monitoring / victim assistance
– Follow-on D&O, other litigation
– Total estimated cost over $1.3 billion

7 CYBER EXTORTION
– Avid Life Media – Ashley Madison (8/15): credit card info, names, addresses, email addresses; demanded that the site be taken down and an undisclosed amount of money
– Nokia (7/14): source code for operating system – "several million euros"
– Domino's (6/14): customer data in Europe – $40,000 demand
– Express Scripts (2/12): PHI – unknown demand

8 LOSS STATISTICS – FREQUENCY
Summary from Risk Based Security, Inc. – 2014
Number of breaches
– 3,014 in 2014 – up 33%
– 2,261 in 2013
Number of records exposed
– 1.1 billion in 2014 – up 34%
– 823 million in 2013
How records were exposed
– Outside (hackers) – 76%
– Inside, accidental – 9.5%
– Inside, malicious – 6%
– Inside, unknown – 4.5%
– Unknown – 4%

9 LOSS STATISTICS – FREQUENCY
Summary from Risk Based Security, Inc. – 2014

10 LOSS STATISTICS
Summary of Ponemon Institute's 2014 Annual Cost of a Data Breach Report:
– Average cost and per-record cost increased modestly to $5.8 million and $201, respectively.
– Direct costs are estimated at $66 per record (notification letters, credit monitoring, forensic IT, etc.).
Cost by industry class (per record):
– Average: $201
– Education: $294
– Retail: $105
– Healthcare: $359
– Financial Institutions: $206

11 LOSS STATISTICS
Summary of NetDiligence 2014 Cyber Claims Study:
– Insurance company database of actual claims between 2011 and 2013
– Average total cost was $733,109
– Only 12% of the claims resulted in follow-on litigation, only 5% in regulatory action and only 3% in PCI fines/penalties
Average cost by cost type:
– Forensics: $119,278
– Notification: $175,147
– Legal Guidance: $117,613
– Public Relations: $4,513
– Legal Defense: $698,797
– Legal Settlement: $558,520
– Regulatory Defense: $1,041,906
– Regulatory Settlement: $937,500
– PCI fines/penalties: $2,328,667

12 LOSS STATISTICS
Possible additional costs associated with a data breach:
– Defense costs and settlements associated with follow-on litigation
– Regulatory enforcement bodies (HHS, OCR, FTC, FCC, State Attorneys General)
– Private plaintiffs (common law privacy, breach of contract, emotional distress allegations)
– HIPAA fines/penalties ($5k–$50k per offense, up to $1.5m cap)
– FACTA fines/penalties ($1k–$2.5k per employee + punitive damages, fees)
– PCI compliance fines/penalties

13 LEGISLATIVE ENVIRONMENT
Federal statutes
– Gramm-Leach-Bliley, HIPAA, GINA, FACTA
– Consumer Fraud & Abuse Act, Stored Communications Act, Electronic Communications Privacy Act
– Obama Personal Data Notification and Protection Act (pending): 30 days, likely to pre-empt state notification laws (below)
State notification laws (46 + D.C., Puerto Rico, V.I.)
– Mass. – requires written security policy, minimum standards
– CA – zip codes
– Ohio: Section 1349.19
  – Computer-related only
  – Encryption safe harbor
  – Notification ASAP, within 45 days
  – $1,000/day penalties, which escalate after 60/90 days
Common law allegations
– Invasion of privacy
– Negligence
– Breach of implied contract
– Right of publicity

14 ORC 2744 Ohio State Immunity
– Very little information regarding immunity and data breaches
– Expect to incur data breach expenses: notification, credit monitoring, forensic IT, etc.
– Contractual obligations: PCI DSS
– Federal statutes: HIPAA, HITECH, FACTA

15 EMERGING ISSUES
– NIST to become de facto standard?
– Supply chain data risk
– Chip & PIN (EMV) – retail merchants
– "Internet of Things" – open source, manufacturing
– Article III standing
– "Do not track" cases
– Persistent identifiers (user IDs, device identifiers, IP addresses)
– Terms of service
– Legal developments in cloud computing and BYOD

16 BASIC BEST PRACTICES
– Inventory your data: What kind? How much? Where is it? Who has access? How is it protected?
– Evaluate contracts with outside service providers – especially 3rd party IT, payment processors, data storage or data processing vendors
– Consider requiring certificates of insurance for both professional E&O and Data Security/Privacy (Cyber) coverage
– Continuous 3rd party security and vulnerability assessments of your organization
– Establish an incident response plan and team with experienced outside vendors
– Test your incident response plan
– Insurance is a "safety net", but not a substitute for internal and external safeguards

17 John Menefee, CyberRisk Underwriting Manager
Travelers
Phone # (216) 643-2429
jmenefee@travelers.com
travelers.com

18 Network/Privacy Insurance
Coverage triggers
– Virus transmission
– Failure to provide access
– Unauthorized access or use of data
– Failure to notify
– Website/social media liability
Covered data
– Insured's systems
– Data in transit
– Non-electronic data
– Data residing on others' systems
– Employees' data
– Corporate data

19 Network/Privacy Insurance – First Party Costs
Notification & crisis management expenses
– Breach coach
– Legal costs to determine applicability of breach laws
– Computer forensics
– Notification documents (preparing and sending)
– Call center for incoming and outgoing communications
– Payment card charge-backs
– Other fees to comply with requirements of breach laws
– Public relations expenses to respond to negative publicity and restore brand reputation
– ID fraud policies / credit monitoring for affected individuals

20 Network/Privacy Insurance – First Party Costs
Crime
– Computer fraud
– Funds transfer fraud
Cyber extortion
– Threat of release of information, damage to data or systems, introduction of a virus, or restriction of access to system resources
Fines/penalties
– PCI contract penalties
– Regulatory fines/penalties
Telecommunications theft
– Outgoing long distance phone calls
Network business income/extra expense
– Business interruption due to a network event – typically some form of denial of service
– Dependent business interruption (very limited market)

21 Limitations to watch for
Specific exclusions to watch for:
– "Reckless disregard"
– Unencrypted laptops / mobile devices
– Violating own policies & procedures
– Keeping IT security up to date
– Exclusions for known viruses / malicious software
– Coverage limited to electronic data only

22 Coverage Examples
– Employee Mistake
– Unauthorized Access
– Lost Laptop

23 Disclaimer:
These examples are generic. CGL, E&O, and Cyber Insurance forms differ greatly between companies. The examples explore general coverage "intent" to illustrate the differences that may exist between the various coverages. Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.

24 Scenario 1 – Employee Mistake
What happened: Your employee accidentally or deliberately publishes private customer information on your company's website or via e-mail. Your customer sues.
Coverage:
– Look for coverage under the personal injury section of the CGL: publication of material that violates a right of privacy. Check to see if your CGL excludes or limits this grant when the publication occurs in an electronic format.
– Look to a dedicated Cyber Liability policy.

25 Scenario 2 – Customer / Employee Info
What happened: A hacker gains unauthorized access to your network and steals personally identifiable information of employees and customers.
Coverage: Look for coverage in a Cyber Insurance policy.

26 Scenario 3 – Lost Laptop
What happened: An employee's laptop computer containing customer information is lost or stolen during travel.
Coverage:
– The cost to replace the physical property that was stolen may be covered under a property policy; however, additional costs associated with an information breach typically will not be.
– May find coverage under a Cyber Liability policy.
– Check policy wording for limitations regarding whether the laptop needs to be part of the "communications network."
– Check policy wording for limitations regarding encryption of data.

27 Thank you!
