• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Sept 2012   data security & cyber liability

Sept 2012 data security & cyber liability






Total Views
Views on SlideShare
Embed Views



1 Embed 3

http://www.linkedin.com 3



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Sept 2012   data security & cyber liability Sept 2012 data security & cyber liability Document Transcript

    • Emerging Risk: Data Security & Cyber Liability Autumn 2012“For any business that accepts non-cash payments or has a payroll - there is some data at risk.”
    • By the Numbers...$210,000 Estimated cost of a small data breach involving 1,000 records 40% Surveyed businesses with <500 employees that have experienced a data breach100% Virtually every business handles at-risk data 2-6 days Number of days within which 25% of businesses will go bankrupt without internet access42% Breaches caused by factors which cannot be mitigated through IT security measures – rogue employee, theft, and business interruptionAbout UsMidSouth Assurance- on Main Street, for Main Street. We believe that businesses can best beserved by an insurance agency that understands the environment in which a particular businessoperates. Similarly, we represent insurance carriers with a similar philosophy. This, we believe,will result in the most effective insurance programs for our clients.Over fifty years of experience in large and small brokerages, as well as independent agencies,allows us to effectively serve new ventures and growth businesses in the Greater Richmond area.We advise clients on a breadth of risk management issues, and develop appropriate mitigationstrategies for them, including specialty insurance programs. Insurance • Risk Management
    • RelevanceWhich businesses have this risk?Virtually every business utilizes sensitive According to Accenture, a majority of businessesinformation, and virtually any business can incur have lost sensitive personal information, andliability from employee’s cyber activities. In fact, among these organizations, the biggest causes areany business which has payroll data or collects internal control failures. In fact, there were overnon-cash payments captures Personally eight million computers stolen in the past threeIdentifiable Information (PII), or that information years; and according to the FBI only 3% arewhich is protected under law. PII includes an recovered.2 According to Ponemon Institute, eachindividual’s name in combination with a week there are 10,000 laptop computers lost atcredit/debit card numbers, bank account the 36 largest airports in the U.S., with an averageinformation, social security numbers, and driver’s cost of $50,000 per laptop, including: replacement,license numbers. Other sensitive personal detection, forensics, data breach, lost IP rights, lostinformation includes: IP addresses, vehicle productivity, and legal and regulatory expenses.registration numbers, fingerprints and biometric Moreover, 40% of small businesses havedata, address, age, gender, name of school experienced a loss of sensitive information. 3attended, professional grade or salary, criminal According to NetDiligence, a significant share ofrecord, and health care records.1 Combinations of breaches are attributable to hacking attacks;these data elements are valuable to criminals who however 42% are caused by factors which are notuse the information for illegal purposes. mitigated through IT security measures – rogue p. 2
    • employees, theft or loss of a device, and place. The primary variables include, but are notinterruption of internet connectivity or electricity limited to: the definition of the type of data whichservice.4 Paradoxically, Tower Watson has found constitutes PII, requirements regarding thethat amongst businesses who had foregone risk notification timing, the state agencies which musttransfer through a liability policy 37% justified the be contacted in the event of a data breach,decision in the belief that their IT departments and applicability of the law to various entity forms,internal controls were sufficient.5 applicability to physical data (not electronic data), provisions for notifying aggrieved parties ofWhile the healthcare, finance, utilities, and recommendations regarding credit freeze or frauddefense sectors are particularly likely targets for alerts, provisions requiring notification to thecyber attacks due to the volume of valuable data, credit monitoring agencies, and safe harborindustry experts still predict that the highest stipulations around the loss of an encrypted mobilelikelihood of breaches will occur in small device. In the event of a data breach, complexitybusinesses, particularly in healthcare, given their can become unwieldy as it is the aggrieved party’ssmaller IT security budgets. McAfee recently home state which determines the applicable lawsidentified “industrial threats” first on its list of to which the breached business must adhere.2012 predictions, including the manipulation ordestruction of industrial controls. These risks are National regulation can increase the complexity ofparticularly relevant in the physical infrastructure navigating a breach event. Within certainsectors for transportation, energy and organizational contexts a range of regulations cantelecommunications. In 2009, the “Night Dragon” apply, these include: Sarbanes Oxley Act of 2002,coordinated attacks demonstrate the level of Gramm-Leach-Bliley Act (GLBA) on financialsophistication which has been achieved when transactions, Payment Card Industry (PCI) Dataattacking core infrastructure providers. Within this Security Standard, the Health Insurance Portabilityincident oil, energy and petrochemical firms were and Accountability Act of 1996 (HIPAA), Healthattacked through a combination of social Information Technology for Economic and Clinicalengineering, spear phishing, and remote Health (HITECH), the Fair and Accurate Creditadministration tools. The attacks are believed to Transactions Act (FACTA), Federal Informationhave originated from China, and were designed to Security Management Act (FISMA), the Geneticacquire confidential information regarding bidding Information Nondiscrimination Act of 2008 (GINA),and other project finance intelligence related to the Family Education Rights & Privacy Act (FERPA),large development projects.6 the FTC recommendations on protecting consumer privacy, especially section 5A on website dataRegulation usage, and the SEC Cyber Security guidance.9 It isWhat is required under law? important to note that in areas of conflictingRegulatory changes regarding data security and definitions or differing requirements, compliancecyber liability have developed at a rapid pace.7 A with the stricter law is generally required.compromise of confidential PII triggers arequirement under state laws to notify the Depending on the nationality of those for whomaggrieved parties. This notification is designed to data is held, and how the data is used,provide aggrieved parties information related to international law may apply. Several of the mostthe nature of the incident, the type of PII that was relevant, include: Canada’s Personal Informationcompromised, remedial actions the company took Protection and Electronic Documents Act, the UKto increase protection, a contact phone number for Data Protection Act of 1998, the U.S. Patriot Act,posing questions regarding the incident, and the U.S. – E.U. Safe Harbour Agreement, theinformation regarding credit monitoring. 8 European Union Data Protection Regulations,Requirements vary across the 47 states and three Malaysias Personal Data Protection Act 2010, andterritories which have data protection legislation in Indias IT Amendments Act.10 p. 3
    • Contributing Trends Causes of Loss Areas of Exposure Technological Perils Strategic Risk • Social Media & Web 2.0 • Cloud Computing Models • Mysterious • Business Model • Growth in Data Volume Disappearance or Obsolescence • Proliferation of Mobile Theft of Company • IT Vendor Negligence Devices Data • Sophisticated Attacks • Online Operational Risk Collaboration and • Data Breach Legal Social Media • Fraudulent Payment • Consumer Protection Postings • Defamatory Legislation • Phishing Tactics Communications Suit • Financial Transactions • Website • Unfair Trade Practices Suit Legislation Interference • Privacy Violations & Other • Industry Regulation • Unauthorized Employer Practices Liability • Judicial Precedent Network Access • Data Tracking Liability (e.g. Trojans, SQL Socio-Cultural Injections, Other Pure Risk • Increased Awareness of Malware) • Hacking Attacks Identity Theft • Social Activism • Physical Theft • Increased • Rogue Employees • Internet or Electrical Interconnectivity Service Interruption Figure 1: Data Security & Cyber Liability LandscapeScope of the RisksWhat does “Data Security & Cyber Liability” entail?Data security and cyber liability is a risk family that information that a business is bound to keepencompasses first-party and third-party liability confidential, such as intellectual property andresulting from the use of Information and trade secrets. 12 Regardless of the IT deliveryCommunication Technologies (ICT). Technological model, the firm as the “data owner” retainsand Regulatory trends have brought rise to a group responsibility for protection, even in the case of aof perils, from which the risks arise; and these risks data breach experienced by an outsourced partner.fall within three areas: (a) Strategic Risks; (b) It is also important to bear in mind that pure risks,Operational Risks; and (c) Pure Risks (see figure 1). such as an ICT service interruption or a hackingThe risks can result in first party losses, such as attack, increase the risk of data loss – highlightinginvestigations and remedial action following a data the inter-relatedness of the various risk elements.breach. Also, a number of third-party liabilities are Similarly, theft of mobile devices constitutespresent, and are based upon the principle that an another such risk, especially unencrypted dataindividual has a right to control the collection, use storage. Other relevant risks, include: (1)and disclosure of his/her personal information.11 Defamatory Communications, or social media postings, which held to the legal standards ofThe Risks: Operational risk is the largest commercial publications, are judged to becomponent – particularly Data Breach, or the misleading and/or guilty of libel or slander; (2)compromise of personally identifiable information Unfair Trade Practices, or the publication of social(PII) or other sensitive material – whether in media judged to include misleading endorsementselectronic form or represented in physical or disparagements; (3) Privacy Violations,documents. “Sensitive information” includes that Harassment and Discrimination, includes a range ofdata which is protected under the Health Insurance employment practices liabilities within the socialPortability and Accountability Act, Fair Credit media space – for example consideration of anReporting Act, criminal records, and other individual’s social media postings which include p. 4
    • information that would be judged off-limits in an be weighed against cost, efficiency and scalabilityinterview setting; and (4) Data Tracking, or the benefits.collection of data related to consumer behavior,which is conducted unbeknownst to the individual The Causes: There are a range of factors whichor which is conducted in a manner which doesn’t cause these losses. The causes can range from theallow a consumer opt-out.13 straight-forward to the complex – employee communications, physical theft or mysteriousThere is an exposure related to cloud delivery disappearance of data sources (especially mobilemodels, and the use of outsourced IT providers, devices), skimming credit and debit card numberswith third party mistakes now accounting for 46% at a point of sale, phishing tactics to masqueradeof data loss.14 Most cloud providers simply cannot as a trustworthy entity to solicit sensitiveafford to indemnify all platform tenants;15 as such information (including counterfeit social mediait’s incumbent upon cloud service providers and web pages), website interference or defacement,data center operators to investigate risk transfer and complex network intrusions. Motives for boththrough technology errors & omissions coverage. negligent and malicious behavior can includeAs client businesses seek cost efficiencies and political and social activism, financial gain, ordeployment speed through cloud delivery models, employee retribution.18unique risks arise, such as: disruptive force (i.e.business model obsolescence), lack of Contributing Trends: These risks have emergedtransparency, reliability and performance issues, from a range of trends, including legislation tostrategic business model risks, vendor lock-in, and protect individuals – creating compliancesecurity concerns.16 Moreover, daisy chain effects requirements. The rise of social media and Webof liability have been documented – where the 2.0 collaboration, mobile data communications,primary company utilizes an outsourced IT explosive growth in data volumes, and cloudprovider, who in turn outsources some elements of architectures have all contributed to the growthdata storage or manipulation to another provider. the growth in data security and cyber liabilityThis chain of data handlers may extend to multiple risks.19 Furthermore, data security is becomingvendors, which increases loss-of-control and increasingly difficult. The advent of quantumoverall exposure.17 In short, an evaluation of cloud computing has been predicted to create anarchitecture and outsourced IT relationships ecosystem in which it will be impossible to keepshould include a thorough risk assessment of data secure for any length of time, and thatresultant cyber liabilities; and the liabilities should governments and large corporations won’t connect p. 5
    • to the “red internet.”20 FBI Director, Robert Muller, there have been 2,870 data breaches affecting 543stated, “But in the not too distant future, we million records. Furthermore, Privacy Rightsanticipate that the cyber threat will pose the Clearinghouse reported 535 breaches in 2011 thatnumber one threat to our country.”21 Data stores involved 30.4 million records.24 Historic statisticsare growing at an exponential rate,22 and the regarding data breach have been incomplete, withincreasing use of Bring-Your-Own device policies many going unreported. It is only in the pastare creating further security concerns and reducing several years that notifications have been madethe organization’s control over the data for which mandatory.it is legally responsible.23 Lastly, according to theFederal Trade Commission, 9 million Americans Severitybecome identity theft victims each year. As this How significant are the losses?victimization becomes more prevalent, public When considering statistics related to dataawareness of data breaches and confidentiality breaches and other cyber liabilities, it is importantissues is increasing. to remember that large breaches skew the average.25 That said the overall average cost of aFrequency breach involving personal data is $7.2 million.26 AHow often are losses experienced? recent study by Ponemon revealed that theData loss has been occurring since records have average cost from a data breach of PII is $214 perbeen taken; however the collection of statistics record. Consequently, for a small business whichregarding data loss is only in its infancy. Since experiences the theft of 1,000 records – we2005, frequency in data breaches has grown at an estimate damages of approximately $210,000.27average rate of 27%. In an Accenture survey, 40% Costs vary depending on the cause of the data loss,of small businesses with less than 500 employees and across a wide array of breach scenarios. Forexperienced a loss of sensitive information, while example, business interruption cost due to denialover half of those respondents with over 1,000 of internet or other technical services has been theemployees had experienced a loss. Since 2005, most severe type of loss.28 2 – 14 Days 2+ Years Assessment Short-term & Long-term Crisis Management • Privacy Counsel • Repairs and Upgrades to Impacted Systems • Containment • Credit Monitoring & Call Center Support Potential First • Forensic Data Investigation • Business Interruption Costs Party Losses • Crisis Management / • Legal Defence Reputation Risk Advisory • Fines • Notifications to Aggrieved Parties • Compensatory Damages for Lost Income • Loss of Funds – Fraudulent e-Payment Potential Third • Bodily Injury for Mental Anguish Party Losses • Content Injuries – Loss of IP, Trade Secret • Reputational Damages (i.e. libel, defamation) • Systems Injuries for Security Failures • Impaired Access Damages • Punitive Damages Figure 2: Data Security & Cyber Liability Exposures Response p. 6
    • In many instances, especially regarding network correlated to the complexity of the IT architectureintrusions, the hacker has had access for an and sophistication of pre-existing securityextended period.29 However, it is the moment of measures (not the number of breached files). Theawareness of a potential data loss which triggers cost of a forensic examination is typicallythe crisis response. The costs associated with this $50,000.31 Dependent upon the nature of theinitial period, which we estimate at 2 days to 2 breach, ten to thirty hours of crisis managementweeks, is incurred through efforts to stop and services may be undertaken by a reputational riskcontain an intrusion or other attack including advisory firm or a public relations consultant.32 Atsecurity upgrades or other remediation efforts. the end of this period notifications are distributedAwareness of a potential data loss should set in to aggrieved parties in order to comply withmotion a precise response methodology. The statutory obligations, and with costs estimated attimeline in figure 2 provides a high-level view of $10 - $15 per record.33the process the firm will undergo. Within the first2 days to 2 weeks, a crisis assessment exercise is For the subsequent two years (or more) a range ofundertaken – preferably under the guidance of a further first party costs are incurred, includingprivacy attorney well positioned to provide legal further remediation such as physical securityoversight, to limit exposure, and to control the measures and technical changes. Thesecirculation of communications regarding the augmentations may include data restoration,incident. The attorney is generally required for 10 software upgrades, and hardware replacement; or– 30 hours of service. 30 Also, in the case of may be as extensive as fundamental changes in:suspected electronic data loss, a forensic outsourcing relationships and service levelexamination is required to confirm whether a ag reem ents, dat a models, inf rast ructurebreach has occurred, and if so, it’s extent. The architecture, and security-related policy andscope and cost of this examination is most governance protocols. In some instances p. 7
    • re-certification with PCI standards may be professional negligence.36 Also, relating to othernecessitated.34 Also, the ongoing operation of a call risks there are potential third party liabilitiescenter may be required to meet compliance arising from fraudulent electronic payments,requirements. There may also be costs related to damages arising from an unfair trade practices suitbusiness interruption, especially in relation to due to employee social media postings, anddenial of data access, website outage, or other liabilities arising from invasion of privacy, especiallyservice outage. Lastly, legal defense costs and in relation to data tracking. Lastly, there is also aregulatory fines of up to $1.5 million may be risk of compensatory damages for employmentincurred. One primary exposure, outside data practices liabilities, data breach incidents, orbreach scenarios, typically concerns the liability defamatory social media postings. These damagesassociated with third-party damages.35 As figure 2 can include loss of income, mental anguish, andillustrates, there are a range of potential liabilities punitive damages.37related to Data Security and Cyber Liability. Thereare potential claims against the data owner from Recommended Approachemployees, potential employees, customers, What should be done to mitigate the risks?suppliers and competitors. Depending upon the Enterprise Risk Management (ERM)has become anature of the cyber event third party liabilities can sophisticated discipline of coordinated activities toinclude: investigation, mitigation and remediation mitigate the negative impacts of uncertainty,costs relating to a data breach; costs for including the use of complex regression analysescompliance with various laws and regulations after and probabilistic models.39 Data Security & Cybera breach; class action lawsuits alleging disclosure of Liability, as a risk family, should be consideredPII; business partners alleging breach of contract, within an organization’s ERM efforts, and withinnegligence or demands for indemnification; or each segment of the ERM framework. Figure 3 What extreme events could happen, and how is a cyber loss related to other risk areas? Do we have sensitive information? What actions can we To what extent are we take to better defend willing to accept the risk against cyber loss? of a data loss? How effective are we at preventing Have we implemented data loss and cyber policies, and defending against assigned accountability attacks? for data crisis response? Do we track the right security Have we determined the scale and information regarding data in use, scope of potential breach scenarios? data transfer and data storage? Figure 3: Risk Management Framework Applied to Data Security & Cyber Liability38 p. 8
    • provides several illustrative questions the risk A strong response to data security and cybermanagement professional should consider when liability results in effective internal controls toincorporating Data Privacy and Cyber Liability mitigate risk; a plan for a crisis event (pre- andwithin an ERM program. post-claim); and robust risk transfer through insurance designed to address the risks. Like allOur approach to Data Security and Cyber Liability risk management efforts, the challenge is in theapplies the breadth of the ERM Framework, while details. Businessowners Policies (BOPs) andgrounding action within traditional project Commercial Package Policies generally excludemanagement methodology. For example, within potential exposures. Endorsements may bethe first tranche of work firms should focus efforts available, but are typically limited in their scope ofon identifying all relevant risks, including sources coverage given the nature of these risks. The savvyof the risk, areas of impact, estimates of frequency firm will seek effective risk transfer throughand severity and preliminary findings on appropriate policies designed to cover theirinterdependencies. By surfacing all relevant data specific risk exposures. The most effective plan forsecurity and cyber liability risks, the firm is well managing the risk and related response will bepositioned to conduct a robust analysis, covering: specifically tailored to the firm, and companies thatfactors that affect the likelihood of realization, combine a contingency plan and an appropriatelyexisting controls, interdependencies, and crafted policy are best positioned to survive thesensitivities. risks. Objective Effectively Manage Data Security & Cyber Liability Risks Project Management & Communications Activities Risk Risk Risk Risk Identification Analysis Evaluation Treatment A B C D Milestone A Milestone B Milestone C Milestone D • Existing risk • IT security • Compliance • Risk evaluations framework, measures requirements • Existing insurance communications, • Related Human • Risk criteria policies Inputs and context Resources policies • Risk analysis • Existing disaster documentation • Cyber risk log outcomes recovery plans • Industry • Industry data on intelligence retained risks • Exhaustive log of all • Frequency and • Prioritization of • Pre- and post-claim relevant risks and severity mapping required response plan Outputs Objective risks discounted • Sensitivities, treatments • Enhanced insurance • Existing treatments scenarios and • Outcomes of risk coverage dependencies technique decisions • Implemented risk Figure 4: Our Approach to Data Privacy & Cyber Liability controls Figure 4: Approach to Data Security & Cyber Liability p. 9
    • Endnotes1. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008. See also: Sophos. (2010). Protecting Personally IdentifiableInformation: What data is at risk and what you can do about it. Boston: Stinger, J. Retrieved from:http://www.sophos.com/sophos/docs/eng/dst/sophos-protecting-pii-wpna.pdf2. Brigadoon Security Group. Retrieved September 10, 2012, from: http://www.pcphonehome.com/3. Accenture. (2009). How Global Organizations Approach the Challenge of Protecting Personal Data. Retrieved from:http://www.accenture.com/nl-en/Documents/PDF/Accenture_Data_privacy_reportLD.pdf Note: The included survey defines small businesses asthose with less than 500 employees, p. 14.4. NetDiligence. (2011, June). Cyber Liability & Data Breach Claims.5. Towers Watson. (2011). Risk and Finance Manager Survey – Full Report. Retrieved from:http://www.towerswatson.com/assets/pdf/4481/Towers-Watson-Risk-Financial-Manager-Survey-Report.pdf6. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.7. Gartner. (2011). Gartner Says Half of all Organizations Will Revise Their Privacy Policies by End-2012. Retrieved September 10, 2012, from:http://www.gartner.com/it/page.jsp?id=17614148. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008.9. Federal Trade Commission. (2012, March). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business andPolicymakers. Retrieved September 10, 2012, from: http://ftc.gov/os/2012/03/120326privacyreport.pdf See also: U.S. Securities & ExchangeCommission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from:http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm See also: Property Casualty 360⁰. (2012, February 2). After ‘Year of theData Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from:http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca10. Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from:http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/ See also: Committee of SponsoringOrganizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E.and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf11. Information & Privacy Commissioner. (2010, April). Privacy Risk Management. Ontario, Canada: Cavoukian, A. Retrieved September 10, 2012,from: http://www.ipc.on.ca/images/Resources/pbd-priv-risk-mgmt.pdf12. Godes, S. (2012, March 19). Surprising Sources of Coverage. Business Insurance, 46(12), p. 10.13. Property & Casualty 360⁰. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich InsuranceGroup. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches14. Property Casualty 360⁰. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker,M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca15. Zurich Insurance Group. (2012). Cyber Risk in 2012: Get Your Head in the Cloud. New Salem, Massachusetts: DeWitt, J. Retrieved September10, 2012, from: http://img.sbmedia.com/Perm/LH/PC360/Zurich/Cloud.pdf16. Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, CroweHorwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from:http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf See also: Capgemini. (2010, March 16). Putting Cloud Securityin Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/17. Property & Casualty 360⁰. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich InsuranceGroup. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches18. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4. See also: U.S.Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. RetrievedSeptember 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm19. Property Casualty 360⁰. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker,M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca20. The Futures Company. (2012). Public Worlds: How Digital Technology Will Transform Identity, Work and the City. London: Galgey, W.Retrieved September 10, 2012, from:http://www.marketingpower.com/ResourceLibrary/Documents/Content%20Partner%20Documents/The%20Futures%20Company/2012/future-perspectives-public-worlds.pdf21. Hoffman, M. (2012, March 19). Cyber Crime is Now a National Threat. Business Insurance, 46(12), p. 8.22. IDC. (2009, May). As the Economy Contracts, the Digital Universe Expands. Framingham, Massachusetts: Grantz, J. and Reinsel, D. RetrievedSeptember 10, 2012, from: http://www.emc.com/collateral/leadership/digital-universe/2009DU_final.pdf See also: Deloitte. (2011).Technology, Media and Telecommunications Predictions 2012. Retrieved September 10, 2012, from: http://www.deloitte.com/assets/Dcom-Australia/Local%20Assets/Documents/Industries/TMT/Deloitte_TMT_Predictions_2012.pdf23. Capgemini. (2011, October 17). Bring Your Own. Gillam, R. Retrieved September 10, 2012, from:http://www.at.capgemini.com/insights/publikationen/bring-your-own/ p. 10
    • 24. Property Casualty 360⁰. (2012, March 4). What’s Driving the Rise in Data Breaches? Kam, R. and Henley, J. Retrieved September 10, 2012,from: http://www.propertycasualty360.com/2012/03/14/whats-driving-the-rise-in-data-breaches#.T2zn3hJnP5g.email25. Ricardo, A. Beazley. (personal communication, September 6, 2012).26. Anonymous (2012, March 19). Cyber Risks 2012. Business Insurance, 46(12), pp. 16 - 17. See also: Property Casualty 360⁰. (2012, February 2).After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from:http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca27. Ponemon Institute. (2010, January). 2009 Annual Study: Cost of a Data Breach. Traverse City, Michigan. Retrieved September 10, 2012, from:http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf28. Ponemon Institute. (2011, August). Second Annual Cost of Cyber Crime Study. Traverse City, Michigan. Retrieved September 10, 2012, from:http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf29. Property & Casualty 360⁰. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich InsuranceGroup. Retrieved September 10, 2012 from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches30. Ricardo, A. Beazley. (personal communication, September 6, 2012).31. Ibid32. Ibid33. Ibid34. Ibid35. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.36. Property Casualty 360⁰. (2012, February 2). A Lawyer’s Advice for Evaluating Your Cyber Coverage, Godes, S. Retrieved September 10, 2012,from: http://www.propertycasualty360.com/2012/02/02/a-lawyers-advice-for-evaluating-your-cyber-coverag#.TzlYfgGr-8s.email37. Cyber Liability: Data, Privacy and the Perils of Social Networking. Available through Professional Liability Attorney Network. See:http://www.planattorney.org/38. Note: Figure 3 illustrate some of the questions to be posed across the Enterprise Risk Management Framework, as the segments apply to DataSecurity and Cyber Liability. See: http://www.rmahq.org/risk-management/enterprise-risk39. International Organization for Standardization. (2009, November 15). Risk Management – Principles and Guidelines (ISO 31000:2009). Geneva.Retrieved September 10, 2012, from: http://www.imeny.comyr.com/file/pdf/ISO-31000.pdf Disclaimer This document is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. It is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations. This document is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage. p. 11
    • ContactFor more information about our Data Security & Cyber Liability Services, please contact :Max KoehlerPrincipal(804) 477-3073mkoehler@midsouthassurance.comDale FickettDirector – Risk Advisory(805) 335-7198dfickett@midsouthassurance.com Copyright © 2012 Midsouth About MidSouth Assurance Assurance, LLC. All rights reserved. Midsouth Assurance is a broker of commercial Midsouth Assurance and its logo insurance and an advisor in Risk Management. are trademarks of Midsouth Businesses are best served by an agency that Assurance. understands the local business environment, and that leverages strong industry points of view. Through our focus on small to medium enterprises in the Greater Richmond area, we collaborate to address client risks and provide the appropriate insurance. By being responsive to our clients’ needs, we build lasting relationships. Visit us at: www.midsouthassurance.com