Cyber Liability Insurance Why we have it & How it works


1 Cyber Liability Insurance Why we have it & How it works
Doug Selix, MBA, CISSP, CISM, PMP - DES Office of Risk Management April 9, 2015 SBCTC – IT Commission Meeting

2 Agenda
- Cyber Liability Incidents
- Cyber Liability Risks
- Cyber Liability Risk Exposure
- What Happens if “it” Happens?
- Cyber Liability Insurance

3 Key Definitions
Cyber Security is defined as: “Measures taken to protect a computer or computer system (as on the Internet) and the data they contain against unauthorized access or attack.”
Cyber Risk is defined as: “The possibility that data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data.”
Doug’s Version: “What happens when Cyber Security measures are not effective in protecting an organization’s electronic data or computer systems from unauthorized access or attack.”

4 Key Definitions
Cyber Risk Loss Exposure is defined as: “Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.”
Doug’s Version: Costs arising from 1st party damages and 3rd party liabilities resulting from the use of your computer systems.

5 Why We Need Cyber Liability Insurance
Switch Gears
Stuff Happens! Not a matter of “if”, but a matter of “when”.

6 Incidents - The Big Picture Significant Data Breach Events
The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII). Source:

7 Incidents - The Big Picture Significant Data Breach Events
The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).

8 Breaches in Academia Source:

9 Incidents - Education: Instructional Data Breach Events
- Maricopa Community Colleges – as of April 2013: 2.4 Million Student and Employee Records; $12 Million cost; IT Director fired for dereliction of duty; 2 Lawsuits
- Administrator of the Courts – May 2013: 1 Million WDL and 160K SSN’s; Web site hacked
- University of Washington – 2013: 90,000 patient records; based attack
- Eastern Washington University – 2009: 130,000 student records; Hack attack

10 What Risks are Covered by Cyber Liability Insurance?
Switch Gears

11 Cyber Liability Risks
Any condition that presents the possibility of financial loss as a consequence of using advanced technology.
Sample Adverse Impacts:
- Harm to Operations
- Harm to Assets
- Harm to Individuals
- Harm to Other Organizations
- Harm to the Nation
Source: NIST SP

12 Cyber Liability Risks
Cost to comply with Breach Notification Regulations:
- RCW
- FERPA
- HIPAA
- PCI
- IRS Publication 1075

13 Cyber Liability Insurance: Common Coverage Areas
- Information Security & Privacy Liability
- Privacy Notification Costs
- Regulatory Defense and Penalties
- Website Media Content Liability
- Cyber Extortion
- First Party Data Protection
- First Party Network Business Interruption
See APIP Document

14 Cyber Risk – Devils in the Detail
Source: NIST SP , NIST SP

15 Cyber Liability Insurance
Switch Gears
Cyber Risk Exposure: How Much Cyber Liability Insurance do you need?

16 Risk Exposure – Mostly About Data
Data that can cause financial harm to your agency “if” it is not kept secure includes:
- Personally identifiable information (RCW )
- Electronic personal health information (HIPAA Security Rule)
- Credit card information (PCI Data Security Standard)
- Bank account information used to process electronic fund transfers or payments
- IRS tax information (IRS 1075)
- Student education information (FERPA)
- Data protected by attorney client privilege
- Criminal justice information (FBI CJIS standards)
- Proprietary information (agreement, contract, or license)

17 Risk Exposure – Cost Factors
Example: Costs associated with breach notification
- $3 per record minimum cost – EWU 2009 breach actual cost
- ~$107 – Estimated public sector cost per record in a data breach (Ponemon Institute 2014 US Cost of a Data Security Breach Report)

18 ORM 2014 Data Survey Results?
SBCTC & Community College View As of 6/3/2014

19 Estimating Your Cyber Risk Exposure
Compute Cyber Liability Risk Exposure:
- Need to Document Your Confidential Data
- Use Risk Assessment Worksheet (See Handout No. 1)
- Call Me, we can do this together.

20 What Happens if “it” Happens? Security Event Incident Response
Switch Gears

21 Incident Response Team Follows the Plan
Follow Your Plan, Right? Who’s Got The Plan?

22 “Good” Security is Planned
Use the NIST Cyber Security Framework Breach Response

23 Or Maybe Not
We can deal with whatever comes up…

24 “Good” Computer Security Incident Response is also Planned
NIST – Computer Security Incident Handling Guide (SP R2)

25 The OCIO Has a Plan: IT Security Incident Communication Policy
1. Agencies shall report all IT security incidents to the OCIO
2. CTS Security shall investigate to determine degree of severity and assist with mitigation
3. CTS Security shall notify the OCIO (if required)
4. OCIO will convene a Security Incident Communication Team (if required)
5. OCIO will authorize coordinated release of public notification with breached agency(s) (if required)

26 The OCIO Has a Plan
Step 3 – CTS Security shall notify the OCIO (if required). CTS Security will notify OCIO and AGO for OCIO. At this time the CTS Security Officer, in conjunction with the Washington State Office of the Attorney General, will also provide the CISO with an informed opinion as to whether or not the severity of the incident’s impact warrants public notification as required by law.

27 Most IT/IR Guidance Stops Short
Focus tends to be on putting out the flame.

28 Fire is out, who cleans up the mess?
What we have so far:
- Policy to prevent breaches by implementing security best practices
- Resources (CTS Security) to react to the breach
- State policy to manage public notification when breaches do occur

29 What we Don’t Have
A State level plan for dealing with the impact from a breach that includes:
- Access to highly skilled legal and public relations resources to advise the OCIO, AGO, and agency leadership during a breach event
- Access to risk financing resources to recover losses from the breach
- Access to production capacity to do the work necessary to comply with breach notification regulations

30 Today: Who cleans up the mess? How will they do it?
The Affected Agency:
- Small breach – Deal with it internally
- Big breach – Depends? May have Cyber Liability Insurance; may not – have to dip into reserves or ask for budget

31 Cyber Liability Insurance?
Switch Gears
Cyber Liability Insurance? (Provides Response Resources)

32 Cyber Liability Insurance
Current Policy (APIP) – “Alliant Property Insurance Program”
- Agency must be on the State Master Property Insurance Policy to have APIP Cyber Liability Insurance
- Aggregate limits apply: $25M for APIP Pool, $2M for State of Washington

33 Warning Not All Colleges and Universities have this policy

34 APIP Cyber Liability Insurance
Cyber Liability General Coverages ($100K Deductible):
- $2M Information Security & Privacy Liability
- $500K Privacy Notification Cost, $1M if carrier's preferred vendors are utilized
- $2M Regulatory Defense and Penalties
- $2M Website Media Content Liability
- $2M Cyber Extortion Loss
- $2M Data Protection Loss and Business Interruption Loss

35 APIP Details Sent Details to your Risk Manager And to You

36 Montana Lessons Learned – May 2014 HIPAA Breach
1.3 Million Dept. of Health Patient Records. Baker Hostetler.
APIP Cyber Liability Insurance Worked. Response Services Worked:
- Rapid Response Event Management
- Forensic Analysis: Root Cause, Determine Data Exposure
- Legal Services
- Public Relations Services
- Notification Production
- Call Center Operation
- Manage Internal Reporting (Gov)

37 We have a Plan See Handout No. 2

38 How will APIP Work for you?
- Based on decision in Step 3 of the OCIO Incident Communication Plan, AGO will notify the Office of Risk Management if we need to file a claim with our Cyber Liability Insurance carrier.
- Cyber Liability Insurance will provide resources to the Agency.

39 Is There State Level Cyber Liability Insurance?
No, APIP is all we have.
- 2014 – Decision Package for $30M CL Policy
- Did not make it into Governor’s Budget (ASK ME “WHY”)
- OCIO IT Budget Requests Prioritized for FY 15-17

40 Academic Point
Insurance is about “Risk Finance”:
- Risks can be Avoided, Reduced, Accepted, or Transferred.
- Insurance is how we transfer Financial Risk Exposure.
- Cyber Liability Insurance is not a Technology Topic, it is a Finance Topic.

41 Cyber Insurance Lumped With IT Proposals Next to Last Priority

42 Can Your Agency Buy More Cyber Liability Insurance?
Switch Gears

43 Additional Cyber Liability Insurance is Available
Each Agency must decide how much is needed based on your Risk Exposure.
- Agency completes an application (Get application from Office of Risk Management (ORM))
- Return to ORM; ORM Submits to Broker
- Broker will develop a quote
Advantages:
- No aggregate Limits
- Lower retention possible
- Sized to fit the agency risk exposure
Example: CWU AIG Quote ($3M for $33K, $5M for $44K)

44 We need to measure your Cyber Liability Risk Exposure
Next Steps:
- Send me your completed spreadsheets
- IT Commission could recommend more Cyber Liability Insurance: each College buy their own policy, or buy one policy for all 34 Colleges
- Call me if you need help telling this story to your management

45 Questions Thank you!

46 Cyber Liability Program
Doug Selix, CISM, CISSP, PMP Cyber Liability Program Manager Department of Enterprise Services Office of Risk Management Office Phone:
