Cyber Risks

1. CYBER RISKS: Cyber Security, Privacy and the Regulatory Environment

2. What is cyber?
  • "Cyber" refers to the use of computers, the internet, computer networks and electronic information databases.

3. What creates cyber/privacy risk?
  • Internet connectivity
  • E-commerce
  • Business websites and internet advertising
  • Customer forums and support/message boards
  • Credit card processing/online payment
  • Data storage, ISP and website design services
  • Providing media content
  • Paper documents

4. What is a data/privacy breach?
  • A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), corporate trade secrets or intellectual property.
  • Street values: $50 per medical identity vs. $1 per SSN*
  • *Source: American Health Information Management Association

5. What is 1st party and 3rd party?
  • The cyber risks to which an organization is exposed fall into two general categories, and insurance coverage is available for both:
  • 1) Losses suffered by the organization itself (1st party losses): extortion, employee theft, system failure, etc.
  • 2) The organization's liability to third parties (3rd party losses): hacker theft of data, intellectual property infringement, etc.

6. Foundations of Cyber Risk
  • The focus is on data about the person, not on the person (contrast the traditional privacy torts)
  • Information technology and the internet magnify the risk
  • Multi-jurisdictional exposure
  • Data security vs. data privacy

7. Data Security Risks
  • Protection risks (information security): failure to implement adequate measures to protect private information from theft by others or from disclosure to unauthorized persons
  • Failure-to-warn risks: failure to warn of actual or suspected unauthorized access to personally identifiable information (PII), e.g. as required by breach notice laws

8. Data Privacy Risks
  • Collection risk: intrusively or secretly collecting PII without the consent of the individual
  • Disclosure and mishandling risk: mishandling PII, disclosing PII in a fraudulent manner, or providing PII to bad actors without consent
  • Choice/consent risks: failure to give the person a choice in how their PII is collected and handled, including failure to provide opt-in/opt-out
  • Notice risks: failure to provide notice of PII handling practices, or provision of inadequate or fraudulent notice
  • Accuracy/integrity risks: disseminating inaccurate PII or failing to correct PII
  • Access risks: failure to provide access to the PII collected
  • Lack of a privacy policy, or an inadequate privacy policy
9. Regulatory Environment
  • Florida law (as of 9/6/2011): Fla. Stat. 817.5681 (effective 7/1/2005)
  • Triggering event: unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information (PI), unless an investigation finds that misuse of the PI has not occurred or is not reasonably likely to occur (documentation of that finding must be retained for 5 years)
  • Civil or criminal penalties: yes (government agencies are exempt)
  • Pre-breach measures required: no
  • Timing of notification: without unreasonable delay, but no later than 45 days, unless an investigation finds that misuse of the PI has not occurred or is not reasonably likely to occur (documentation must be retained for 5 years)
  • Other parties to notify: consumer reporting agencies, if more than 1,000 persons are being notified

10. Regulatory Environment
  • Information security laws
  • Control requirements:
    • HIPAA
    • FACTA Identity Theft Red Flags Rule
    • Data disposal laws (e.g. Colo. Rev. Stat. Ann. § 6-1-713)
    • Encryption laws (Massachusetts and Nevada)
    • State "reasonable security" laws (e.g. Cal. AB 1950)
    • Gramm-Leach-Bliley Act (GLBA, financial industry)
    • Written Information Security Program requirement (Massachusetts)
    • International laws (EU Data Protection Directive)
  • Failure-to-warn laws:
    • "Breach notice laws" in about 46 states
    • HITECH Act (amending HIPAA): 2011 Annual Report to Congress statistics
11. The Value of Your Data
  • Information and intellectual property are an organization's most valuable assets today
  • No longer a "bricks and mortar" world
  • The impact of a data breach on an organization is huge:
    • Financial
    • Business distraction
    • Loss of customers
    • Damage to reputation
  • Cyber coverage, once "the next product", is becoming a standard product

12. Other Coverage
  • The cyber risks to which a corporation is exposed fall into two general categories, and insurance coverage is available for both:
  • 1) Losses suffered by the insured (1st party losses)
  • 2) The insured's liability to third parties (3rd party losses)
  • Standard property, liability or crime policies traditionally do not cover damage to or loss of intangible assets (data and systems), so a significant coverage gap exists, both because of the exposure itself and because of the ever greater dependency on technology to be able to do business.
  • Traditional property/casualty programs do not meet the need!

13. Typical Agreements/Capabilities
  • Third party liabilities:
    • Technology E&O
    • Employee privacy
    • Intellectual property (electronic media)
    • Network/privacy liability
    • Denial of service
    • Transmission of malicious code
  • First party losses:
    • Unauthorized access
    • Cyber extortion and cyber terrorism
    • Unauthorized use
    • Loss of digital assets
    • Business interruption (non-CGL)
    • Security event costs

14. First Party Causes of Loss (may include)
  • Accidental damage or destruction
    • Physical damage to data, so that it is no longer machine-readable
    • Failure of a power supply that is under your direct control
  • Administrative or operational mistakes
    • Erroneous entry or modification of your data
  • Computer crime and computer attacks
    • Malicious code introduction; unauthorized access; unauthorized use; denial of service attack

15. Non-Physical Business Interruption
  • Covers the losses and expenses of an interruption that involves no physical damage:
    • Lost profits (net income)
    • Fixed operating expenses incurred during the period of restoration
    • Extra expenses incurred to avoid or minimize suspension of business
    • Costs of outside consultants and service providers

16. Network Security and Privacy Liability
  • Damages and claim expenses arising from an alleged security breach or privacy breach
  • 3rd party suits seeking damages
  • Typically includes errors or omissions by outside service providers for whom you are legally liable

17. Cyber Extortion Threat
  • Extortion expenses and extortion monies resulting directly from a credible threat made during the policy period
  • Typically requires that every reasonable attempt be made to consult with law enforcement (the FBI) before any extortion monies are paid

18. Electronic Media Liability
  • Publishing liability for content on your internet or intranet site:
    • Defamation, libel, slander
    • Invasion of privacy
    • Plagiarism, misappropriation
    • Copyright or domain name infringement
    • Excludes any patent infringement
19. A Cyber Event Occurs: Now What?

20. Cyber/Privacy Insurance
  • Family Planning Council of Philadelphia, April 9th: an employee stole a computer storage device (a flash drive kept in another employee's desk) containing the personal and medical records of about 70,000 patients. There was no indication that the missing patient data had been inappropriately used.
  • Gucci, April 6th: a network engineer who had been terminated by the company used his expertise and insider access to delete documents and emails and to shut down Gucci's server for more than 24 hours.
  • New York Yankees, April 28th: an employee mistakenly sent an email with a spreadsheet attachment containing the personal information of 17,000 season ticket holders to other season ticket holders.

21. Cyber/Privacy Insurance
  • Family Planning Council of Philadelphia, April 9th: an employee stole a computer storage device (a flash drive kept in another employee's desk) containing the personal and medical records of about 70,000 patients. There was no indication that the missing patient data had been inappropriately used.
  • Needs relating to this event:
    - Investigation/forensics (network security team?)
    - Defense and coverage counsel expenses
    - Determining compliance with all relevant state and federal privacy laws
    - Notification and credit monitoring where necessary
    - Public relations
    - Possible recovery of the data
    - Monitoring of the data and investigation assistance
    - Financial impact

22. Cyber/Privacy Insurance
  • Gucci, April 6th: a network engineer who had been terminated by the company used his expertise and insider access to delete documents and emails and to shut down Gucci's server for more than 24 hours.
  • Needs relating to this cyber event:
    - Investigation/forensics (network security team)
    - Defense and coverage counsel expenses
    - Determining compliance with all relevant state and federal privacy laws
    - Notification and credit monitoring where necessary
    - Public relations
    - Recovery/correction of data
    - Business interruption costs (email access was cut for the entire country)

23. Cyber/Privacy Insurance
  • New York Yankees, April 28th: an employee mistakenly sent an email with a spreadsheet attachment containing the personal information (specifically the names, addresses, phone numbers, email addresses and seat numbers) of 'several hundred'* season ticket holders to other season ticket holders.
  • Needs relating to this cyber event:
    - Investigation/forensics (network security team?)
    - Defense and coverage counsel expenses
    - Determining compliance with all relevant state and federal privacy laws
    - Notification and credit monitoring where necessary
    - Public relations

24. Cyber/Privacy Insurance
  • Professionals involved in handling a cyber claim:
    - Breach notice and defense counsel (privacy attorneys)
    - Computer forensics companies
    - Breach investigation
    - Public relations firms
    - Credit monitoring firms
    - Breach notification and call center vendors:
      - data breach incident response planning
      - address list management
      - direct mail capability (prep, print and mail)
      - call center
      - returned mail management

25. Cyber/Privacy Insurance
  • Top 10 trends for 2011*
    1. More small-scale data breaches in the news
    2. "Low-tech" theft will increase
    3. Lost devices will continue to dominate
    4. Data minimization will increasingly be seen as essential
    5. Increased data exchange and collaboration will increase risk
    6. More social networking policies implemented
    7. Data encryption = golden ticket
    8. Business associates
    9. Privacy awareness training
    10. An overarching federal law?
  • *Source: Kroll Fraud Solutions, Top Ten Data Trends for 2011
