1. CYBERSECURITY INSURANCE SEMINAR
Can You Afford NOT To Have
Cybersecurity?
March 4, 2015
2. TODAY'S PRESENTERS
Reggie Dejean
Specialty Lines Manager
Lawley & Lawley Andolina Verdi
Mary Beth DiBacco
Specialty Insurance Manager
Chubb Insurance
Carl Cadregari
Executive Vice President and Practice Lead
Bonadio IT/IS Risk Management
5. HEADLINES EXPLAINED
Identities left exposed in Indiana salvage yards - items included medical records, bank statements, insurance cards, employee identification cards, car registrations, a signature, a child's name, dates of birth, and an application for welfare assistance.
Stolen Pioneer Bank laptop contained some customers' data
Pioneer Bank over the weekend alerted some of its customers that an employee's laptop stolen Jan. 26 contained "secured personal information of certain customers, including names, social security numbers, street addresses, and account and debit card numbers."
Harel Chiropractic Clinic notifies 3,000 patients of breach
6. HEADLINES EXPLAINED CONT.
St. Peter's Health Partners is warning of a possible data breach in its email system, following the theft of a manager's cellphone.
California Pacific Medical Center discovers employee was improperly accessing patient records for one year
Natural Grocers Investigating Card Breach - traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country
7. HEADLINES EXPLAINED CONT.
Data Breach Results in $4.8 Million HIPAA Settlements from New York and Presbyterian Hospital
A 214-bed Medical Center laptop stolen with data in an Excel spreadsheet - Medical Center says data is safe since the thief would have to know how to unhide columns in the Excel spreadsheet to read them
8. THREATS TO DATA
Internal Threats
External Threats
Have You Heard About Target?
Not just credit card information but also personally identifiable information (PII) is at risk
According to recent surveys:
Street Cost – Social Security Number: $1.00
Street Cost – Financial Record: $0.50
Lost Medical Record: $316.00
9. CSIRP
Computer Security Incident Response Plan
• What to do when you "think or know" you have had a disclosure
• The who, what, where and when to follow
• Step by step process
• May be required by some laws and regulations
10. CSIRP
You Need a Breach Notification Policy
1. NY State, HIPAA, PCI, GLBA require a documented policy that includes all factors of breach notification, including:
• When to alert persons whose data has been breached
• What you have to pay for
• When to send lost data information to the Attorney General and regulatory bodies
• When you are to place conspicuous notice on your website
• When you are to alert local media and television
11. CSIRP
You need a plan to follow that includes:
1. What constitutes a breach
2. Who is on the team
3. Who is allowed to talk to any external entity
4. When to involve external crisis management
5. When to trigger your liability policy
12. CSIRP
1. How to assess the risks (likelihood and severity)
2. Does the breach fall into pre-defined categories (and what are they)
3. What to do to investigate the breach
4. What to do to minimize the breach
5. What to do to report on the breach
6. What to do to never repeat the breach
7. How to close the incident
14. WHAT IS THE IMMEDIATE EXPENSE?
• Notification
  • Creating letter or other notification
  • Printing or design
  • Mailing or other transmission
• Public Relations
  • Call center operations
  • Credit monitoring or identity theft remediation
  • Advertising & press releases
• Forensics
  • Legal expenses for outside attorney
  • Cost of forensic examination
  • Cost to remediate discovered vulnerabilities
15. KEY COSTS TO A DATA BREACH
Cost categories: direct costs, victim costs, indirect costs ($134)
Cost per record: $201 (2014)
• Discovery
• Data Forensics
• Notification
• Call Center
• Identity Monitoring
• Identity Remediation
• Lawsuits
• Regulatory Fines
• Additional Security & Audit Requirements
• Reputational Damage/Lost Business
Source: Ponemon Institute, LLC and Symantec Corporation. 2014 Annual Study: U.S. Cost of a Data Breach. March 2014
16. DATA IS VULNERABLE
Data can escape your organization in many different ways
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches 2008-2013. www.privacyrights.org
[Chart: share of breaches by cause. Values and labels appear on the slide in this order: 4%, 6%, 12%, 12%, 18%, 23%, 25% for stationary device, unknown, physical, malicious insider, negligence, hacking, portable devices.]
17. COMPUTER SECURITY vs. INFORMATION SECURITY
COMPUTER SECURITY
This means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events.
INFORMATION SECURITY
This is the practice of defending
information from unauthorized access,
use, disclosure, disruption, modification,
perusal, inspection, recording or
destruction. It is a general term that can
be used regardless of the form the data
may take (electronic, physical, etc.).
18. INCIDENT RESPONSE PLAN
1. If a company does not have one they are playing with fire
2. Essential for a company to have in place in order to effectively respond to a security breach
3. IRPs should be tested at least on an annual basis using various breach scenarios
4. IRPs typically include:
   A. IRP Team (ideally Sr. Mgmt. in Info Tech, Customer Service, Legal, Privacy & PR)
   B. Clear guidelines categorizing a risk/threat level
   C. Documentation instructions
   D. Guidelines for getting third parties involved
   E. Notification process
-- One of the most important practices --
19. INFORMATION SECURITY POLICY
Sets the security foundation
First measure that must be taken to reduce the risk of unacceptable use of the company's information resources
Companies define which assets are critical and ways to protect them
Development and implementation of a security policy turns employees into active participants towards securing company information (helps prevent human factor)
Should be tested and reviewed on an annual basis
20. VIRUS PREVENTION, INTRUSION DETECTION & PENETRATION TESTING
Key factors to help a company protect their systems
Protection starts with firewalls as they protect resources on a private network
Anti-virus software can be used to prevent, detect & remove viruses
Intrusion detection software monitors the network for malicious activity or policy violations & reports back (should be reviewed monthly at a minimum)
Penetration tests look for vulnerable access points (preferred, but many small companies don't run them)
21. MOBILE DEVICE SECURITY
iPhones, BlackBerrys & laptops bring on challenges to protecting data
A mobile device security policy should prohibit the storage of confidential data on mobile devices
If data is stored on a mobile device, the security policy should mandate the use of data encryption (128-bit recommended)
Want to see power-up passwords, kill switches, and alerts in the internal system when PII is sent
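The encryption requirement above (128-bit recommended for any confidential data that does end up on a device) is easiest to understand with a concrete round trip. The Go program below is an added example and is not code from the presenters or from the original deck: it seals one PII record with AES-128-GCM (a 16-byte key is what "128-bit" means here), and shows the two failure modes a practitioner should expect, namely that a modified blob and a wrong key are both rejected rather than yielding garbage. The function names, the random key generator and the sample record are assumptions constructed for this illustration; on a real phone or laptop the key would be held by the platform keystore behind the power-up password the slide mentions, never stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 16 bytes, i.e. AES-128: the 128-bit key length the slide recommends.
const KeySize = 16

// NewDeviceKey generates a random 128-bit key (assumed helper for this example).
// A real device keeps this in a hardware-backed keystore, not in a file next to the data.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-128-GCM AEAD from the key, refusing any other key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes (AES-128), got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record and returns nonce || ciphertext || tag.
// A fresh random nonce per record keeps many records under one key safe.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. GCM's authentication tag makes it fail
// on a wrong key or on any modification of the stored blob.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample PII record for the demo; not real data.
	record := []byte("name=Jane Sample;dob=1970-01-01;ssn=000-00-0000")

	blob, err := EncryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device: %d bytes of ciphertext, no plaintext PII\n", len(blob))

	plain, err := DecryptRecord(key, blob)
	fmt.Printf("decrypt with device key: %q (err=%v)\n", plain, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptRecord(key, tampered)
	fmt.Printf("decrypt of modified blob: err=%v\n", err)

	other, _ := NewDeviceKey()
	_, err = DecryptRecord(other, blob)
	fmt.Printf("decrypt with wrong key: err=%v\n", err)
}
```

Run it with `go run` on a single file. The design point for a policy author: choosing an authenticated mode (GCM) rather than bare encryption means a stolen device that has had its storage edited yields an error, not silently corrupted records, which is what an incident response team wants to see in the forensic timeline.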
22. WHAT WE CAN PROVIDE IN PROTECTION & PREVENTION
CYBERSECURITY
23. THE PATH TO UNDERSTANDING
Exposure & Causes of Loss: "You hold private information"
Legal Issues: "You are obligated to protect it"
Costs of a Data Breach: "Breaches are costly and complicated"
BBR Key Features: "Coverage is available"
24. INFORMATION AT RISK
Consumer Information
Credit cards, debit cards, payment info
Social Security Numbers, ITINs, taxpayer records
Protected Healthcare Information (PHI), e.g. medical records, test results
Personally Identifiable Information (PII), e.g. driver's license / passport details
Non-PII, like email addresses, phone lists, addresses
Employee Information
Employers have at least some of the above information on all of their employees
Business Partners
Sub-contractors and Independent Contractors
Information received from commercial clients as a part of commercial transactions or services
B2B exposures like projections, forecasts, M&A activity, trade secrets
PII: Personally Identifiable Information
PHI: Personal Health Information
Many people think that without credit cards or PHI, they don't have a data breach risk. But can you think of any business without any of the above kinds of information?
25. WHAT IS A DATA BREACH?
Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:
May cause the person inconvenience or harm (financial/reputational)
- Personally Identifiable Information (PII)
- Protected Healthcare Information (PHI)
May cause your company inconvenience or harm (financial/reputational)
- Customer Data, Applicant Data
- Current/Former Employee Data, Applicant Data
- Corporate Information/Intellectual Property
Paper or Electronic
Potential Security Threats
- Compromises to the integrity, security or confidentiality of information
- Circumstances where a data breach may have happened or could happen in the future (e.g. lost flash drive with PII)
26. KEY CAUSES OF LOSS
• Lost/Stolen Portable Computers or Media
• Employee Misuse
• Negligent Release
• Improper Disposal of Paper Records
• Lost/Stolen Backup Tapes
• Computer Hacking
• Vendor Negligence
• Improper Disposal of Computer Equipment
Hackers make the headlines, but almost half of data breach incidents result from "insider negligence". (Ponemon Institute)
28. CAUSES OF LOSS
Malicious or Criminal Attack: 36%
System Glitch: 29%
Human Factor: 35%
• Hacking
• Virus, Malware
• Phishing
• Spear Phishing
• Network Intrusion
• Lost laptops
• Improper disposal of backup tapes
• Accidental release
• Broken business practices
• Un-shredded documents
• Negligent release
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2013
64% of breaches are accidental
29. TYPICAL COSTS
• Response costs – sending out notices, call center services, and the offer of
credit monitoring:
o Up to $30 per record
• Forensics, to determine the size and scope of the breach:
o $25,000 to more than $500,000
• Legal Costs:
o Very costly: $200,000 up to the millions
• A retailer with just 10 sales a day would pay $781,000 for a year’s worth of
breached records.
• An MRI facility conducting 15 scans a day would face expenses exceeding
$1 million for every year of patient records compromised.
30. "IT TAKES 20 YEARS TO BUILD A REPUTATION, AND FIVE MINUTES TO DESTROY IT."
-- Warren Buffett
31. Q&A
Reggie Dejean
Specialty Lines Manager
Lawley & Lawley Andolina Verdi
Mary Beth DiBacco
Specialty Insurance Manager
Chubb Insurance
Carl Cadregari
Executive Vice President and Practice Lead
Bonadio IT/IS Risk Management