This document provides information about Brian D. Brown, a nationally recognized expert in network security, privacy, and cyber insurance. It discusses Brown's experience in the cyber field spanning over a decade, where he helped draft early cyber insurance products and taught the first classes on e-business risk and insurance. The document outlines Brown's expertise, involvement in industry organizations, published works, and background running the CyberSpecialist Group consulting firm in Atlanta, GA.
TechAssure Presentation
1. Network Security and Privacy (Cyber Coverage): Sales and Production
Brian D. Brown
CyberSpecialist Group
Brian@CyberSpecialistGroup.com
404 849 3004
http://lnkd.in/XXCFi7
This is for illustrative purposes only and is in no way complete or comprehensive. The use of and reliance on all information contained in this presentation is at the user's sole discretion. Any and all policy language shall be paramount in all cases.
2. Brian D. Brown
President – CyberSpecialists Group
3495 Waddeston Way, Suite 101C, Atlanta, Georgia 30319
brian@CyberSpecialistGroup.com
404 849 3004

Brian is a nationally recognized expert in Network Security and Privacy (Cyber) exposures and insurance. He has worked in the Cyber field for over a decade and had a hand in drafting the first Cyber products. He also developed and taught the first CIC classes on e-Business risk and insurance responses. Having worked with both national brokers and carriers, he brings a unique and broad perspective to the subject. In addition to Cyber expertise, Brian was an account executive at national brokers, so he has a broad range of knowledge and skills in all areas of property and casualty insurance. He has been instrumental, in his career, in developing successful, innovative, cutting-edge programs and products for both insurance carriers and brokers.

Brian is an active member of the PLUS Southeastern Chapter and a regular speaker for PLUS and RIMS events and seminars. He is also a published author in Property Casualty 360 and the American Bar Association magazine. In the last month he has had an article in the Texas magazine The Insurance Record (September 4, 2014) and another nationally in The Insurance Journal (September 22, 2014). In his spare time Brian is a freelance fine artist and a Dad to his three children, and he currently resides in Atlanta, GA.
3. Typical Sales Process
1. Discuss Data Privacy exposures
2. Determine the # of records at risk
3. Explain the costs of a Breach
4. Review causes of a Breach
   • Negligence
   • Rogue Employee
   • Business Assoc./Vendor
   • Hacker
5. Present Insurance solution
4. Your Experiences
5.
• Not Us
• Isn’t this already insured?
• “BULLETPROOF Security”
• I just don’t get this tech stuff
• Costs Too Much
• Apps. – Too Much Work
6. Not us?
State Security Breach Notification Laws: Forty-seven states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
http://www.digestiblelaw.com/files/upload/securitybreach.pdf
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) – Health Information Technology for Economic and Clinical Health (HITECH)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Gramm–Leach–Bliley Act (Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801–6809)
• The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.
7. Progress on Federal Notification Bill
National Data Breach Notification Bill Advances
Measure Would Pre-empt State Breach Notification Laws
By Eric Chabrow, April 15, 2015.
The House Energy and Commerce Committee approved on April 15 the Data Security and Breach Notification Act by a 29-20 vote, with only Republicans supporting the measure. Even its Democratic co-sponsor, Rep. Peter Welch of Vermont, voted against it.
http://www.databreachtoday.com/national-data-breach-notification-bill-advances-a-8109
8. Further Federal Intervention
House Panel Passes Cyberthreat Info Sharing Bill
Democratic Attempts to Limit Liability Safeguards Fail
By Eric Chabrow, April 14, 2015.
"If you abide by the provisions of this act," Cedric Richmond (D-LA) said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."
http://www.databreachtoday.com/house-panel-passes-cyberthreat-info-sharing-bill-a-8106
9. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
11. Isn’t This Already Insured?
ISO BUILDING AND PERSONAL PROPERTY CP-00-10
A. Coverage
2. Property Not Covered
Covered property does not include:
n. The following property, except as provided in the Coverage Extension for Electronic Media And Records and Valuable Papers And Records:
(1) Electronic media and records, meaning the following:
(a) Media, meaning disks, drives, CD-ROMs, tapes, cells or other computer software, or any media which are used with electronically controlled equipment. Software includes systems and applications software.
(b) Data, meaning information or facts stored on media described in (1)(a) above. Data includes valuable papers and records converted to data.
(c) Computer program, meaning a set of related electronic instructions which direct the operations and functions of a computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data.
12. Isn’t This Already Insured?
ISO COMMERCIAL GENERAL LIABILITY COVERAGE FORM CG-00-01 12 04 (Cov. A - BI & PD), Exclusion, Pg. 5 of 15
p. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
14. PROFESSIONAL LIABILITY POLICIES
HEALTH CARE ORGANIZATIONS AND PROVIDERS PROFESSIONAL LIABILITY, GENERAL LIABILITY AND EMPLOYEE BENEFIT LIABILITY POLICY - ONE BEACON - HPF-10002-02-13
(12)
(a) unauthorized, unlawful, or unintentional taking, obtaining, accessing, using, disclosing, distributing, disseminating, transmitting, gathering, collecting, acquiring, corrupting, damaging, destroying, deleting, or impairing of any information or data of any kind, including but not limited to any health care or other medical information or Personally Identifiable Health Information; provided, that this Exclusion (D)(12)(a) shall not apply to any Claim for a Professional Services Wrongful Act as defined in DEFINITION (OO)(3); “((3) any inadvertent: (a) publication)”
(b) failure or inability of any computer, computer component (including but not limited to any hardware, network, terminal device, data storage device, input and output device, or back up facility), application, program, software, code, or script of any kind (a “System”) to perform or function as planned or intended, including but not limited to any failure or inability of any System to prevent any hack, virus, contaminant, worm, trojan horse, logic bomb, or unauthorized or unintended accessing or use involving any System;
Be careful of exclusions disguised as sub-limits.
15. Automatic Sprinkler Analogy
“Jam Up and Jelly Tight”
BOTTOM LINE: There is always an incremental risk – It is unavoidable… AND IT IS PERFECTLY “OKAY”.
16. I Just Don’t Get This Tech Stuff
There is no need to get into extremely deep technical details. As with most insurance, one of the underwriting considerations is management concern (resources and focus).
Brief Network Security and Privacy Primer
• Architecture
• Concerns
  o Hardware
  o Software
  o People
  o Mobile
  o “Off network” risks
17. I Just Don’t Get This Tech Stuff: Realms of “Cyber” Exposures
• Wireless
• The Network
• Remote Users/Laptops
• Vendor
18. The Sales Process is Now Flipped
Traditional Cyber Cycle: Interest/Need → Complete Application → Obtain Quotes → Present → Bind
Flipped process (diagram steps): Interest/Need, Complete Application, Obtain Pricing, Present, Bind, Obtain Quotes
19. Sample Costs - $1M limit - $250k Sub-Limits: Matrix for Community Banks
Revenue Band        Option #1 Premium Range
$0 - $1M            $1,000
$1M - $2M           $1,000 - $1,450
$2M - $3M           $1,450 - $2,000
$3M - $4M           $2,000 - $2,350
$4M - $5M           $2,350 - $2,700
$5M - $7.5M         $2,700 - $3,500
$7.5M - $10M        $3,500 - $4,300
$10M - $20M         $4,300 - $8,150
20. Insurance Pricing: How it REALLY works.
It’s a very complex process. Insurance can’t be priced like most products, by supply and demand, because the money people pay for it is intended to help protect against the cost of unforeseen future happenings—for example, a fire, a burglary or an auto accident. While many factors are considered in rate making, rates basically are dependent on one major factor—the combined cost of all the losses or claims—known as the company’s loss experience.
http://www.pia.org/IRC/qs/qs_other/QS90360.pdf
21. Insurance Pricing: How it REALLY works.
'Underwriting Cycle'
At the beginning of the cycle, the underwriting business is soft due to increased competition and excess insurance capacity, as a result of which premiums are low. (leading to) lower insurance capacity … enabling insurers to raise premiums and post solid earnings growth. This robust underwriting environment attracts more competitors, which gradually leads to more capacity and lower premiums, setting the stage for a repetition of the underwriting cycle.
http://www.investopedia.com/terms/u/underwriting-cycle.asp
22. Bang for Your Buck
Nearly all States have a Safe Harbor provision included in their State Notification Law for Personally Identifiable Information which is encrypted.
TX – “Sensitive personal information” only applies to data items that are not encrypted.
Free Sites
https://www.gnupg.org/
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
And others.
23. Brian D. Brown
brian@CyberSpecialistGroup.com
404 849 3004
CyberSpecialistGroup.com