Data Breach Incidents – A Risk Mitigation Snapshot │ April 2015 1
Data Breach Incidents
A Risk Mitigation Snapshot: 2014 into 2015
Contributing Authors: Jessica Flinn, James Sheehan, William J. McDonough
If not already on the enterprise risk radar screen, cyber risks are quickly becoming a central issue for the C-suite
and board members in a variety of industries. Today, mitigating cyber risk is a concern for a wide range of
organizations. The scale and impact of breach incidents, coupled with the vulnerability of various organizations
to such attacks, threaten businesses across all sectors. As cyber threats evolve, the network security and
privacy liability insurance market tries to keep pace. Here, we will briefly consider how issues encountered in
2014 may influence market realities in 2015.
For discussion purposes, we will treat data breaches as incidents in which an individual’s social security
number, driver’s license number, medical record or financial record (e.g., account number, credit or credit card
number) has been acquired either unlawfully or without authorization.
The Frequency and Severity of Breaches
Unfortunately, 2014 was a year in which we witnessed U.S. data breaches reach record levels. It was also the year when U.S. data breach incidents surpassed 5,000, with more than an estimated 675 million records implicated.[1] It is also important to note that many data breach incidents go unreported, as organizations do not want to incur the expense of notifying affected individuals or suffer the reputational harm resulting from a release or breach.[2]
On an industry basis, healthcare again topped the Identity Theft Resource Center's 2014 Breach List with 42.5 percent of the breaches identified in 2014. The general business sector ranked second with 33.0 percent of the data breach incidents, followed by the Government/Military sector at 11.7 percent, the Education sector at 7.3 percent and Banking/Credit/Financial at 5.5 percent.[3]
Among the larger breaches: Sony had 47,000 records stolen; J.P. Morgan had 83 million records stolen (affecting 76 million households and 7 million small businesses); Home Depot had 100 million records stolen (implicating 56 million credit cards and 53 million email addresses); and the eBay breach is estimated to involve the email addresses, physical addresses and login credentials of up to 145 million users.[4]
[1] Identity Theft Resource Center (2015, January 12). Identity Theft Resource Center Breach Report Hits Record High in 2014. Retrieved February 16, 2015, from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
[2] Ibid., 1.
[3] Ibid., 2.
[4] Collins, K. (2014, December 12). A Quick Guide to the Worst Corporate Hack Attacks of 2014. Retrieved January 21, 2015, from http://www.bloomberg.com/graphics/2014-data-breaches/
According to Ponemon Institute's "2014 Cost of Data Breach Study: Global Analysis," U.S. companies rank first in cost per compromised record at $201 per record (Figure 1) and have the largest number of exposed records per breach (Figure 2). The news for U.S. companies deteriorates further: the report detailed that the average total cost of a data breach increased 15% and the average per-record cost increased more than 9%.[5] The retail and healthcare sectors saw the largest increases in compromised systems, at 5% and 4% respectively.[6]
Figure 1. The average per capita cost of data breach over two years
(Measured in US$)
[5] Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
[6] Maginot Revisited: More Real-World Results from Real-World Tests. (2015, January 1). Retrieved January 21, 2015, from https://www2.fireeye.com/rs/fireye/images/rpt-maginot-revisited.pdf
Figure 2. The average number of breached records by country
Shown below are the number of exposed or compromised records for organizations in the ten countries represented in this
research. Organizations in the U.S., the Arabian region and India had the largest average number of records lost or stolen.
The Cost of Compromised Security to U.S. Companies
It is clear that the frequency and severity of data breach incidents caused U.S. companies considerable consternation in 2014 (see Figure 3 – 2014 Cyber Fast Facts). Of additional concern is the regulatory framework that allows multiple agencies to assess fines and penalties when data has been released. Increased participation by regulatory agencies necessarily results in increased costs attributed to a release. The Federal Communications Commission's (FCC) entry into the arena illustrates how a regulator's involvement can significantly increase the total cost of a release. Recently, the FCC proposed fines of $10 million against two companies for alleged data security breaches. The Office for Civil Rights (OCR) issued seven resolution agreements in 2014 as a result of HIPAA-related privacy issues. The fines ranged between $150,000 and $4.8 million. Such fines are in addition to those often levied by state attorneys general.
Figure 3. 2014 Cyber Fast Facts
New Tactics
It’s Not All About Data Anymore
No longer are cyber intrusions limited to searches for personally identifiable information and protected health information (PHI). Several hacking incidents in 2014 demonstrated how incursions into a company's network can have direct repercussions for the operations of an organization, with worldwide implications. Take, for instance, the attack on Sony. Aside from taking Sony's data, the hackers took actions that rendered the company's entire computer network and landline phones unusable. In a separate cyber intrusion, hackers gained access to a German iron plant's blast furnace and disrupted the plant's production capabilities. These incidents go beyond cyber extortion and illustrate how intrusions into a company's computer network can result in more than the soft expense associated with notification, data re-creation, remediation, etc. Hackers have now realized their ability to disrupt a business's delivery of its core services. This disruption has real-world, tangible consequences and manifests itself in loss of business and future opportunities.[7]
[7] King, R. (2014, December 18). Cyberattack on German Iron Plant Causes 'Widespread Damage'. Retrieved January 21, 2015, from http://blogs.wsj.com/digits/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/?mod=ST1
Card Issuers as Victims
In 2014 we witnessed the emergence of a new plaintiffs' class. The class consists of credit and debit card issuers who incur considerable expense in issuing replacement cards and refunding monies to customers as a result of a data breach. Take, for example, the Target case, wherein the card issuers survived dismissal of their claims for out-of-pocket costs. Essentially, the court found that the card issuers furnished a plausible argument that Target was responsible for damages (i.e., the expense associated with the issuance of replacement cards) caused by the hackers' intrusion into Target's network. The court's finding was somewhat novel in that there was no contractual relationship between Target and the card issuers. Allegations of negligence, it seems, may carry the day for banks and card issuers looking to recoup their costs from businesses that suffered an attack.
Plaintiffs' Bar Moving the Ball
The Target breach has also led to inroads for consumer plaintiffs' pursuit of class action status. Previously, the plaintiffs' bar had difficulty surviving motions to dismiss due to an inability to satisfy the damages element of a negligence claim. Causes of action sounding in negligence require plaintiffs to allege actual or imminent injury. To date, the plaintiffs' bar has been unable to show that parties affected by a release of data have, on that basis alone, suffered damages or are at imminent risk of injury. However, the Court in the Target case appears more receptive to this type of class action litigation at the motion to dismiss stage. Specifically, the Court refused an individualized assessment of standing, instead concluding the requirement was met because some plaintiffs alleged injuries of "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees."[8] This may significantly increase defense costs in the pre-class certification stage, as additional resources will be deployed in the discovery phase.
The Target court is not alone in moving the plaintiffs' bar closer to class certification. A recent California federal district court found that plaintiffs have standing to sue based on increased risk of future harm due to the alleged release of their personally identifiable information. It should be noted that this ruling is contrary to the more accepted line of reasoning, which finds that the increased risk of identity theft does not satisfy the concrete or imminent injury requirement for standing.
What Lies Ahead
The era of the data breach is upon us and it is unlikely to recede. A new global standard for credit card security, commonly referred to as 'chip and PIN' technology, may help insulate consumers from credit card fraud; however, hackers have turned their sights to the more lucrative fraud of identity theft. The misappropriation of an individual's identity, either by the procurement of personally identifiable information or protected health information, will allow the hacker to command a significantly higher per-record payment than credit card data alone.
Personal Data Notification & Protection Act
President Obama has proposed new legislation that would create a single country-wide data breach notification standard. The Act, as proposed, "clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard."[9] If passed, this Act will replace the current patchwork of notification requirements implemented by various governmental agencies and the individual states.
[8] In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (PAM/JJK) (D. Minn. Dec. 18, 2014).
[9] FACT SHEET: Safeguarding American Consumers & Families. (2015, January 12). Retrieved January 21, 2015, from http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families
The Healthcare Industry Will Likely Retain First Place
It comes as no surprise that the healthcare industry will remain squarely in hackers' sights. The personal information contained in health records will enable hackers to perpetrate a multitude of different follow-up attacks and various types of fraud, including financial exploitation and identity fraud. The FBI has warned the healthcare industry that its attempts at cyber security remain woefully insufficient.[10]
As noted, in 2014 healthcare organizations accounted for about 42 percent of all major data breaches reported, according to the Identity Theft Resource Center.[11] A Ponemon study estimates that the potential cost of healthcare industry breaches will reach $5.6 billion annually.[12] Not surprisingly, it is expected that healthcare breaches will increase as we continue a move towards electronic medical records and growing usage of mobile and wearable technologies (Figure 4).
Figure 4. Preparing for the Risks of Mobile and Wearable Technology[13]
[10] Weisman, S. (2014, December 20). Cyber predictions for 2015. Retrieved January 21, 2015, from http://www.usatoday.com/story/money/personalfinance/2014/12/20/cyber-hack-data-breach/20601043/
[11] 2014 Was Landmark Year for Health Data Breaches. (n.d.). Retrieved December 26, 2014, from http://www.healthdatamanagement.com/news/2014-Landmark-Year-for-Health-Data-Breaches-49505-1.html
[12] Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
[13] The Global State of Information Security Survey, 2015.
Mobile technology risk prevention initiatives - all industries (percent of all respondents):
Mobile security strategy: 53.96
Mobile device management software: 46.94
Ban of user-owned devices: 35.13
Corporate email and calendar …: 38.89
Strong device authentication: 39.07
Device encryption: 39.72
Use of geo-location, geo-fencing …: 22.64
Internal app store: 24.47
Corporate IP and Trade Secrets Are Valuable
The Sony hack sent shivers through every R&D department in the digital universe. Hackers not only exposed personal information and embarrassing internal communications, but also Sony's valuable intellectual property in the form of scripts, profits and budget projections. The intellectual property and trade secrets cultivated by companies appear to be fair game for hackers interested in extortion.[14]
Figure 5 – How Breaches Occur[15]
Cause of breach (percent of incidents):
Misconfigured system: 42%
End user error: 31%
Undetermined: 15%
Vulnerable code: 6%
Targeted attack: 6%
Note: Although preventable errors are often to blame for security incidents, it was impossible to identify the culprit in nearly 20 percent of the cases reviewed in the IBM Annual Report.
Policy Implications
The marketplace for cyber security and privacy liability insurance remains in its infancy and is struggling towards maturation. The standardization of coverage terms and claims handling is a distant dream. Policy terms and conditions differ from form to form, and market developments routinely result in mid-term revisions. Typically, policies contain a number of insuring clauses that speak to coverage for breach response costs and claims resulting from a cyber event. The forms may also provide coverage for extortion, network damage, public relations and crisis management, website media content and regulatory investigation costs arising out of a cyber event, as well as business interruption losses. Although provided, the sub-limits placed on these ancillary coverages likely leave many companies substantially exposed.
Regulatory sub-limits placed on policies create a lack of meaningful coverage for many insureds, particularly in the financial services and healthcare industries. With more regulators taking interest in cyber issues and data breaches implicating multiple states' statutes, it is anticipated that regulatory fines will continue to expand. This will likely require insureds to make payments out-of-pocket for a portion of the regulatory fines, particularly if more than one breach occurs in any given policy period.
[14] Troutman Sanders LLP. (2014, December 19). 5 Reasons Sony Pictures Will Be a Cybersecurity Inflection Point. Retrieved January 21, 2015, from http://www.informationintersection.com/2014/12/5-reasons-sony-pictures-will-be-a-cybersecurity-inflection-point/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-
[15] IBM Security Services Cyber Security Intelligence Index Report, 2014
In other instances the cyber policy may not provide coverage at all. For example, as evidenced by attacks on
Sony and J.P. Morgan, companies are vulnerable to hacking by nation states, criminal organizations or
terrorists. Many cyber policies have specific exclusions for acts of terrorism or acts of a nation state. Insureds
will need to keep a careful eye on the breadth of any such exclusion on their cyber policies.
Additionally, physical damage sustained by an insured as a result of a cyber-attack will likely be precluded from
coverage. Property insurers have been making it increasingly clear that they do not intend to provide insurance
for anything in the cyber realm. At this time, cyber insurance carriers have not shown an inclination to expand
coverage for this type of exposure. However, to ensure robust coverage, the insurance market will need to
adapt and create insuring clauses specifically geared towards addressing physical damage resulting from a
cyber incident.
Loss associated with an insured’s own intellectual property creates another vacuum in coverage. Today’s cyber
policies may provide coverage for the intellectual property of others, but do not extend to include first party
coverage. For instance, the loss Sony experienced relating to stolen screenplays and other valuable internal
intellectual property would not be covered under the typical cyber policy. Perhaps, with time, cyber insurers
can be convinced to add such coverage.
Concluding Thoughts
The cyber insurance market is in a constant state of flux. Carriers have been altering their policies to include loss prevention and risk mitigation tools, from breach response teams to risk analytics. As cyber incidents increase in frequency and severity, and evolve to keep pace with technological advances, the insurance industry will need to create new forms of cyber coverage to meet the needs of its clients. As we wait for the market to catch up, your insurance broker may be able to help with other suggestions to increase the breadth of coverage by, for example, minimizing any state actor, contractual liability or bodily injury exclusions, expanding the definition of computer network and backdating the prior acts date as far as possible.
Companies can also use collaboration to protect themselves. Information sharing platforms such as the Information Sharing and Analysis Centers (ISACs), industry associations, and government agencies are valuable risk-awareness tools. Sharing information should help companies improve their incident response through trusted collaboration, analysis and coordination, and should drive decision-making by policy makers on cybersecurity, incident response, and risk mitigation and financing for breaches.
About the Authors
Jessica Flinn is a vice president within Integro’s Management Risk practice. She provides professional lines
claims advocacy services, including detailed coverage analysis, contract interpretation, consultation and
negotiation. She specializes in employment practices, directors & officers and errors & omissions coverages.
James Sheehan is a principal of Integro Insurance Brokers, resident in the firm's Boston office. An executive liability and professional liability insurance broker by background, he specializes in the placement of executive liability programs for healthcare organizations and private equity firms.
William McDonough is a managing principal within Integro’s Healthcare practice. Bill counsels clients across
America on healthcare alternative risk financing vehicles, captive best practices, and loss prevention. He speaks
and writes regularly on patient safety, reporting systems, and strategic planning, among other topics, and is a
Fellow with the American Society for Healthcare Risk Management (ASHRM).
About Integro
Integro is an insurance brokerage and risk management firm. Clients credit Integro’s superior technical abilities
and creative, collaborative work style for securing superior program results and pricing. The firm's
acknowledged capabilities in brokerage, risk analytics and claims are rewriting industry standards for service
and quality. Launched in 2005, Integro and its family of specialty insurance and reinsurance companies, some
having served clients for more than 150 years, operate from offices in the United States, Canada, Bermuda and
the United Kingdom. Its U.S. headquarters office is located at 1 State Street Plaza, 9th Floor, New York, NY 10004. 877.688.8701. www.integrogroup.com
© Integro Ltd. 2015

More Related Content

What's hot

JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
Divya Kothari
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
Don Grauel
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 feb
mharbpavia
 
State of Cyber Crime Safety and Security in Banking
State of Cyber Crime Safety and Security in BankingState of Cyber Crime Safety and Security in Banking
State of Cyber Crime Safety and Security in Banking
IJSRED
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada   It.Can May 1 2009Privacy Breaches In Canada   It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009
canadianlawyer
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van Symons
Clear Technologies
 

What's hot (19)

Eamonn O Raghallaigh Major Security Issues In E Commerce
Eamonn O Raghallaigh   Major Security Issues In E CommerceEamonn O Raghallaigh   Major Security Issues In E Commerce
Eamonn O Raghallaigh Major Security Issues In E Commerce
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
 
Online Identity Theft: Changing the Game
Online Identity Theft: Changing the GameOnline Identity Theft: Changing the Game
Online Identity Theft: Changing the Game
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 feb
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
 
Cyber Crime is Wreaking Havoc
Cyber Crime is Wreaking HavocCyber Crime is Wreaking Havoc
Cyber Crime is Wreaking Havoc
 
Cyber Claims: GDPR and business email compromise drive greater frequencies
Cyber Claims: GDPR and business email compromise drive greater frequenciesCyber Claims: GDPR and business email compromise drive greater frequencies
Cyber Claims: GDPR and business email compromise drive greater frequencies
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...
 
Ponemon institute: 2014 cost of a data breach
Ponemon institute: 2014   cost of a data breachPonemon institute: 2014   cost of a data breach
Ponemon institute: 2014 cost of a data breach
 
State of Cyber Crime Safety and Security in Banking
State of Cyber Crime Safety and Security in BankingState of Cyber Crime Safety and Security in Banking
State of Cyber Crime Safety and Security in Banking
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada   It.Can May 1 2009Privacy Breaches In Canada   It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009
 
INFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PIIINFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PII
 
Data Security for Nonprofits
Data Security for NonprofitsData Security for Nonprofits
Data Security for Nonprofits
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van Symons
 

Similar to Cyber Review_April 2015

Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattsson
Ulf Mattsson
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
Daniel Kapellmann Zafra
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
Numaan Huq
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
Numaan Huq
 
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxwww.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
ericbrooks84875
 
Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...
Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...
Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...
David J Rosenthal
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Ethan S. Burger
 

Similar to Cyber Review_April 2015 (20)

Cyber liability and public entities infographic
Cyber liability and public entities infographic Cyber liability and public entities infographic
Cyber liability and public entities infographic
 
IBM X-Force Threat Intelligence Report 2016
IBM X-Force Threat Intelligence Report 2016IBM X-Force Threat Intelligence Report 2016
IBM X-Force Threat Intelligence Report 2016
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattsson
 
Cyber liability and the growing threat to emergency services
Cyber liability and the growing threat to emergency servicesCyber liability and the growing threat to emergency services
Cyber liability and the growing threat to emergency services
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
2015 cost of data breach study
2015 cost of data breach study2015 cost of data breach study
2015 cost of data breach study
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
 
Data Breach Insurance - Optometric Protector Plan
Data Breach Insurance - Optometric Protector PlanData Breach Insurance - Optometric Protector Plan
Data Breach Insurance - Optometric Protector Plan
 
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxwww.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
 
Network Security and Privacy Liability - Four Reasons Why You need This Cove...
Network Security and Privacy Liability  - Four Reasons Why You need This Cove...Network Security and Privacy Liability  - Four Reasons Why You need This Cove...
Network Security and Privacy Liability - Four Reasons Why You need This Cove...
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Ict forensics and audit bb
Ict forensics and  audit bbIct forensics and  audit bb
Ict forensics and audit bb
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare Industry
 
National Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy AgendaNational Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy Agenda
 
Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...
Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...
Cost of Data Breach Study in 2015 - United States - Presented by IBM and Pono...
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 

Cyber Review_April 2015

Data Breach Incidents – A Risk Mitigation Snapshot │ April 2015 1

Data Breach Incidents
A Risk Mitigation Snapshot: 2014 into 2015
Contributing Authors: Jessica Flinn, James Sheehan, William J. McDonough

If not already on the enterprise risk radar screen, cyber risks are quickly becoming a central issue for the C-suite and board members in a variety of industries. Today, mitigating cyber risk is a concern for a wide range of organizations. The scale and impact of breach incidents, coupled with the vulnerability of various organizations to such attacks, threaten businesses across all sectors. As cyber threats evolve, the network security and privacy liability insurance market tries to keep pace. Here, we will briefly consider how issues encountered in 2014 may influence market realities in 2015.

For discussion purposes, we will treat data breaches as incidents in which an individual’s social security number, driver’s license number, medical record or financial record (e.g., account number, credit or credit card number) has been acquired either unlawfully or without authorization.

The Frequency and Severity of Breaches

Unfortunately, 2014 was a year in which we witnessed U.S. data breaches reach record levels. It was also the year when U.S. data breach incidents surpassed 5,000, with more than an estimated 675 million records implicated.1 It is also important to note that many data breach incidents go unreported, as organizations do not want to incur the expense of notifying affected individuals or suffer the reputational harm resulting from a release or breach.2

On an industry basis, healthcare again topped the Identity Theft Resource Center’s 2014 Breach List with 42.5 percent of the breaches identified in 2014. The general business sector ranked second with 33.0 percent of the data breach incidents, followed by the Government/Military sector at 11.7 percent, the Education sector at 7.3 percent and Banking/Credit/Financial at 5.5 percent.3

Among the larger breaches: Sony had 47,000 records stolen; J.P. Morgan had 83 million records stolen (affecting 76 million households and 7 million small businesses); Home Depot had 100 million records stolen (implicating 56 million credit cards and 53 million email addresses); and the eBay breach is estimated to involve the email addresses, physical addresses and login credentials of up to 145 million users.4

1 Identity Theft Resource Center (2015, January 12). Identity Theft Resource Center Breach Report Hits Record High in 2014. Retrieved February 16, 2015, from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
2 Ibid., 1.
3 Ibid., 2.
4 Collins, K. (2014, December 12). A Quick Guide to the Worst Corporate Hack Attacks of 2014. Retrieved January 21, 2015, from http://www.bloomberg.com/graphics/2014-data-breaches/
According to Ponemon Institute’s “2014 Cost of Data Breach Study: Global Analysis,” U.S. companies rank first in the cost per compromised record, at $201 per record (Figure 1), and have the largest number of exposed records per breach (Figure 2). The news for U.S. companies deteriorates further: the report detailed that the average total cost of a data breach increased 15% and the average per-record cost increased more than 9%.5 The retail and healthcare sectors saw the largest increases in compromised systems, at 5% and 4%, respectively.6

Figure 1. The average per capita cost of data breach over two years (Measured in US$)

5 Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
6 Maginot Revisited: More Real-World Results from Real-World Tests. (2015, January 1). Retrieved January 21, 2015, from https://www2.fireeye.com/rs/fireye/images/rpt-maginot-revisited.pdf
Figure 2. The average number of breached records by country
Shown below are the numbers of exposed or compromised records for organizations in the ten countries represented in this research. Organizations in the U.S., the Arabian region and India had the largest average number of records lost or stolen.

The Cost of Compromised Security to U.S. Companies

It is clear that the frequency and severity of data breach incidents caused U.S. companies considerable consternation in 2014 (see Figure 3 – 2014 Cyber Fast Facts). Of additional concern is the regulatory framework that allows multiple agencies to assess fines and penalties when data has been released. Increased participation by regulatory agencies necessarily results in increased costs attributed to a release. The Federal Communications Commission’s (FCC) entry into the arena illustrates how a regulator’s involvement can significantly increase the total cost of a release. Recently, the FCC proposed fines of $10 million to two companies for alleged data security breaches. The Office for Civil Rights (OCR) issued seven resolution agreements in 2014 as a result of HIPAA-related privacy issues. The fines ranged between $150,000 and $4.8 million. Such fines are in addition to those often levied by state attorneys general.
Figure 3. 2014 Cyber Fast Facts

New Tactics

It’s Not All About Data Anymore

No longer are cyber intrusions limited to searches for personally identifiable information and protected health information (PHI). Several hacking incidents in 2014 demonstrated how incursions into a company’s network can have direct repercussions on the operations of an organization, with worldwide implications. Take, for instance, the attack on Sony. Aside from taking Sony’s data, the hackers took actions that rendered the company’s entire computer network and landline phones unusable. In a separate cyber intrusion, hackers gained access to a German iron plant’s blast furnace and disrupted the plant’s production capabilities. These incidents go beyond cyber extortion and illustrate how intrusions into a company’s computer network can result in more than the soft expense associated with notification, data re-creation, remediation, etc. Hackers have now realized their ability to disrupt a business’s delivery of its core services. This disruption has real-world, tangible consequences and manifests itself in loss of business and future opportunities.7

Card Issuers as Victims

In 2014 we witnessed the emergence of a new plaintiffs’ class. The class consists of credit and debit card issuers, who incur considerable expense in issuing replacement cards and refunding monies to customers as a result of a data breach. Take, for example, the Target case, wherein the card issuers survived dismissal of their claims for out-of-pocket costs. Essentially, the court found that the card issuers furnished a plausible argument that Target was responsible for damages (i.e., the expense associated with the issuance of replacement cards) caused by the hackers’ intrusion into Target’s network. The court’s finding was somewhat novel, in that there was no contractual relationship between Target and the card issuers. Allegations of negligence, it seems, may carry the day for banks and card issuers looking to recoup their costs from businesses that suffered an attack.

Plaintiffs’ Bar Moving the Ball

The Target breach has also led to inroads for consumer plaintiffs’ pursuit of class action status. Previously, the plaintiffs’ bar had difficulty surviving motions to dismiss due to an inability to satisfy the damages element of a negligence claim. Causes of action sounding in negligence require plaintiffs to allege actual or imminent injury. To date, the plaintiffs’ bar has been unable to show that parties affected by a release of data, on its own, have suffered damages or are at imminent risk of injury. However, the Court in the Target case appears more receptive to this type of class action litigation at the motion-to-dismiss stage. Specifically, the Court refused an individualized assessment of standing, instead concluding the requirement was met because some plaintiffs alleged injuries of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”8 This may significantly increase defense costs in the pre-class certification stage, as additional resources will be deployed in the discovery phase. The Target court is not alone in moving the plaintiffs’ bar closer to class certification. A recent California federal district court found plaintiffs have standing to sue based on increased risk of future harm due to the alleged release of their personally identifiable information. It should be noted that this ruling is contrary to the more accepted line of reasoning, which finds that the increased risk of identity theft does not satisfy the concrete or imminent injury requirement for standing.

What Lies Ahead

The era of the data breach is upon us and it is unlikely to recede. A new global standard for credit card security, commonly referred to as ‘chip and pin’ technology, may help insulate consumers from credit card fraud; however, hackers have turned their sights to the more lucrative fraud of identity theft. The misappropriation of an individual’s identity, either by the procurement of personally identifiable information or protected health information, will allow the hacker to command a significantly higher per-record payment than credit card data alone.

Personal Data Notification & Protection Act

President Obama has proposed new legislation that would create a single country-wide data breach notification standard. The Act, as proposed, “clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard.”9 If passed, this Act will replace the current patchwork of notification requirements implemented by various governmental agencies and the individual states.

7 King, R. (2014, December 18). Cyberattack on German Iron Plant Causes 'Widespread Damage'. Retrieved January 21, 2015, from http://blogs.wsj.com/digits/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/?mod=ST1
8 In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (PAM/JJK) (D. Minn. Dec. 18, 2014).
9 FACT SHEET: Safeguarding American Consumers & Families. (2015, January 12). Retrieved January 21, 2015, from http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families
The Healthcare Industry Will Likely Retain First Place

It comes as no surprise that the healthcare industry will remain squarely in hackers’ sights. The personal information contained in health records enables hackers to perpetrate a multitude of follow-up attacks and various types of fraud, including financial exploitation and identity fraud. The FBI has warned the healthcare industry that its attempts at cyber security remain woefully insufficient.10 As noted, in 2014 healthcare organizations accounted for about 42 percent of all major data breaches reported, according to the Identity Theft Resource Center.11 A Ponemon study estimates that the potential cost of healthcare industry breaches will reach $5.6 billion annually.12 Not surprisingly, healthcare breaches are expected to increase as the industry continues its move towards electronic medical records and growing usage of mobile and wearable technologies (Figure 4).

Figure 4. Preparing for the Risks of Mobile and Wearable Technology13
Chart: Mobile Technology Risk Prevention Initiatives - All Industries (percent of all respondents). Initiatives shown: mobile security strategy; mobile device management software; ban of user-owned devices; corporate email and calendar…; strong device authentication; device encryption; use of geo-location, geo-fencing…; internal app store. Values shown: 53.96, 46.94, 35.13, 38.89, 39.07, 39.72, 22.64, 24.47.

10 Weisman, S. (2014, December 20). Cyber predictions for 2015. Retrieved January 21, 2015, from http://www.usatoday.com/story/money/personalfinance/2014/12/20/cyber-hack-data-breach/20601043/
11 2014 Was Landmark Year for Health Data Breaches. (n.d.). Retrieved December 26, 2014, from http://www.healthdatamanagement.com/news/2014-Landmark-Year-for-Health-Data-Breaches-49505-1.html
12 Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
13 The Global State of Information Security Survey, 2015.
Corporate IP and Trade Secrets Are Valuable

The Sony hack sent shivers through every R&D department in the digital universe. Hackers not only exposed personal information and embarrassing internal communications, but also Sony’s valuable intellectual property in the form of scripts, profits and budget projections. The intellectual property and trade secrets cultivated by companies appear fair game for hackers interested in extortion.14

Figure 5 – How Breaches Occur15
Cause of breach: Misconfigured System 42%; End User Error 31%; Undetermined 15%; Vulnerable Code 6%; Targeted Attack 6%.
Note: Although preventable errors are often to blame for security incidents, it was impossible to identify the culprit in nearly 20 percent of the cases reviewed in the IBM Annual Report.

Policy Implications

The marketplace for cyber security and privacy liability insurance remains in its infancy and is struggling towards maturation. The standardization of coverage terms and claims handling is a distant dream. Policy terms and conditions differ from form to form, and market developments routinely result in mid-term revisions. Typically, policies contain a number of insuring clauses that speak to coverage for breach response costs and claims resulting from a cyber event. The forms may also provide coverage for extortion, network damage, public relations and crisis management, website media content and regulatory investigation costs arising out of a cyber event, as well as business interruption losses. Although provided, the sub-limits placed on these ancillary coverages likely leave many companies substantially exposed. Regulatory sub-limits placed on policies create a lack of meaningful coverage for many insureds, particularly in the financial services and healthcare industries. With more regulators taking interest in cyber issues and data breaches implicating multiple states’ statutes, it is anticipated that regulatory fines will continue to expand. This will likely require insureds to pay a portion of the regulatory fines out of pocket, particularly if more than one breach occurs in any given policy period.

In other instances the cyber policy may not provide coverage at all. For example, as evidenced by the attacks on Sony and J.P. Morgan, companies are vulnerable to hacking by nation states, criminal organizations or terrorists. Many cyber policies have specific exclusions for acts of terrorism or acts of a nation state. Insureds will need to keep a careful eye on the breadth of any such exclusion on their cyber policies. Additionally, physical damage sustained by an insured as a result of a cyber-attack will likely be precluded from coverage. Property insurers have been making it increasingly clear that they do not intend to provide insurance for anything in the cyber realm. At this time, cyber insurance carriers have not shown an inclination to expand coverage for this type of exposure. However, to ensure robust coverage, the insurance market will need to adapt and create insuring clauses specifically geared towards addressing physical damage resulting from a cyber incident.

Loss associated with an insured’s own intellectual property creates another vacuum in coverage. Today’s cyber policies may provide coverage for the intellectual property of others, but do not extend to include first-party coverage. For instance, the loss Sony experienced relating to stolen screenplays and other valuable internal intellectual property would not be covered under the typical cyber policy. Perhaps, with time, cyber insurers can be convinced to add such coverage.

14 Troutman Sanders LLP. (2014, December 19). 5 Reasons Sony Pictures Will Be a Cybersecurity Inflection Point. Retrieved January 21, 2015, from http://www.informationintersection.com/2014/12/5-reasons-sony-pictures-will-be-a-cybersecurity-inflection-point/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-
15 IBM Security Services Cyber Security Intelligence Index Report, 2014
Concluding Thoughts

The cyber insurance market is in a constant state of fluidity. Carriers have been altering their policies to include loss prevention and risk mitigation tools, from breach response teams to risk analytics. As cyber incidents increase in frequency and severity, and evolve to keep pace with technological advances, the insurance industry will need to create new forms of cyber coverage to meet the needs of its clients. As we wait for the market to catch up, your insurance broker may be able to help with other suggestions to increase the breadth of coverage by, for example, minimizing any state actor, contractual liability or bodily injury exclusions, expanding the definition of computer network and backdating the prior acts date as far as possible.

Companies can also use collaboration to protect themselves. Information sharing platforms such as the Information Sharing and Analysis Centers (ISACs), industry associations, and government agencies are valuable risk-awareness tools. Sharing information should help companies improve their incident response through trusted collaboration, analysis and coordination, and should help drive decision-making by policy makers on cybersecurity, incident response, and the mitigation and financing of breach risk.
About the Authors

Jessica Flinn is a vice president within Integro’s Management Risk practice. She provides professional lines claims advocacy services, including detailed coverage analysis, contract interpretation, consultation and negotiation. She specializes in employment practices, directors & officers and errors & omissions coverages.

James Sheehan is a principal of Integro Insurance Brokers, resident in the firm’s Boston office. An executive liability and professional liability insurance broker by background, he specializes in the placement of executive liability programs for healthcare organizations and private equity firms.

William McDonough is a managing principal within Integro’s Healthcare practice. Bill counsels clients across America on healthcare alternative risk financing vehicles, captive best practices, and loss prevention. He speaks and writes regularly on patient safety, reporting systems, and strategic planning, among other topics, and is a Fellow with the American Society for Healthcare Risk Management (ASHRM).

About Integro

Integro is an insurance brokerage and risk management firm. Clients credit Integro’s superior technical abilities and creative, collaborative work style for securing superior program results and pricing. The firm's acknowledged capabilities in brokerage, risk analytics and claims are rewriting industry standards for service and quality. Launched in 2005, Integro and its family of specialty insurance and reinsurance companies, some having served clients for more than 150 years, operate from offices in the United States, Canada, Bermuda and the United Kingdom. Its U.S. headquarters office is located at 1 State Street Plaza, 9th Floor, New York, NY 10004. 877.688.8701. www.integrogroup.com

© Integro Ltd. 2015