Cyber Risk Management · Cyber Risk Management ... and minimizing the effects of risk. •4 Risk...

Cyber Risk Management

Privacy & Data Protection

•2

Agenda

► Introductions

►Risk Management 101

►Defining & Quantifying a Breach

►Prevention, Mitigation & Transfer Strategies

►Finance Strategy- Cyber Insurance

►Underwriting Criteria

►First Party vs. Third Party Coverages

►Case Studies

►Q&A


•3

What is Risk Management?

Engage

Assess

Plan

Implement

► Identify The Opportunities

► Organize & Categorize initiatives

► Quantify The Impact

► Prioritize The Initiatives

► Create a Strategic Plan

► Engage Team & Strategic Partners

► Continually Monitor Progress

Risk management is the continual process of identifying, measuring, and minimizing the effects of risk.

•4

Risk Management 101

Types of Risk

► Business

► Strategic

► Hazard

Risk Management Strategies

► Prevent

► Transfer

► Mitigate

► Assume

► Finance


•5

Defining a Breach

A data breach is an incident that involves the unauthorized or illegal viewing, access, or retrieval of data by an individual, application, or service. It is a type of security breach specifically designed to steal and/or publish data to an unsecured or illegal location.

Source: www.techopedia.com

•6

Quantifying a Breach

Average Number of Records Breached Per Incident: 28,765

Average Cost Per Breached Record: $192 - $240

Varying Factors

► Number of Records Breached

► Type of Breach (PCI, PHI, or PII)

► Class Action Lawsuit Filed?

Source: Ponemon Institute / Symantec Study


•7

Risk Management

Type of Risk | Risk Management Strategies

► Prevent?

► Mitigate?

► Transfer?

•8

My Password is…

https://www.youtube.com/watch?v=opRMrEfAIiI


•9

Finance Strategies

Cyber Liability Insurance -

A type of insurance designed to cover consumers of technology services or products (sometimes referred to as Privacy & Data Protection Insurance). More specifically, the policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network.

Most notably, but not exclusively, cyber and privacy policies cover a business' liability for a data breach (either in physical form, or via an electronic platform).

•10

Process of Financing

► Applications

► Underwriter Review

► Quote Review

► Purchase


•11

Application Process

►Technical Questions

►Operational Questions

►Addendum On Additional Information

•12

Underwriter Review

► Industry Classification

►Annual Revenue

►PII Quantity

►Minimum Controls

►Standard and Advanced Controls

►Red Flags


•13

Key Coverages

► 1st Party

► Notification

► Crisis Management

► Forensic Costs

► Public Relations

► Regulatory expenses

► Business Interruption

► 3rd Party Liability

•14

1st Party Coverages

Investigation Expense Coverage

► to determine the source or cause of the Data Privacy Wrongful Act or Network Security Wrongful Act.

Source: THDPNSLP


•15

1st Party Coverages

Notification and Credit Monitoring Expense Coverage

► Notify customers

► Credit monitoring services

► Voluntary Notifications

•16

1st Party Coverages

Business Interruption

► Income loss and extra expenses during the period of restoration

► Must result from a network attack

► A retention of 8-12 hours


•17

1st Party Coverages

Crisis Management Expense Coverage

► Public Relations firm

► Crisis Management Firm

► IdentityTheft 911

► Pre- and Post Breach Services

•18

3rd Party Coverages

Data Privacy Regulatory Expense Coverage

► Fines and Penalties levied against insureds

► PCI Fines and Penalties


•19

3rd Party Coverages

Privacy Liability

► the improper dissemination of Nonpublic Personal Information; or

► any breach or violation by the Insured of any Data Privacy Laws.

•20

3rd Party Coverages

Network Security Liability

► Unauthorized access, use of the computer system

► Inability of an authorized 3rd party to access

► Failure to prevent identity theft

► Transmission of malicious code

► Others…


•21

3rd Party Coverages

E-Media Liability

► Provides coverage for suits arising from content published in electronic media

► Libel, defamation, slander, copyright infringement…

•22

Crisis Management Services

Pre-approved vendors

► 1st party expenses

Risk Management Services/Resources

► Web portals

► Phone services


•23

Conditions

► Notification provisions

► Breach from 3rd party services

► Definition of PII

► Unencrypted portable devices exclusion

•24

Quote Evaluation

► Limits

► Sublimits

► Retentions


•25

Lab MD: Choosing Vendors Wisely And Fighting The FTC

► Medical testing company with policies in place

► "Good Samaritan" vendor finds private data and offers to resolve it for a fee

► FTC investigates

► $4.6MM-revenue LabMD goes bankrupt, letting go of 30 employees

► Vendor discovered to be the only entity that ever saw the data

•26

Outside the Dark Web

Image: Kaspersky Lab


•27

Outside the Dark Web

Image: SBR Money

•28

Phishing

Definition: a form of social engineering in which a message, typically an email, carrying a malicious attachment or link is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link

Top Industries

► ALL


•29

Phishing

How:

► Spear phishing: targeted attacks against specific individuals or organizations

► Phishing: mass communication sent to many recipients

► Clone phishing: a legitimate, previously delivered message is copied, its links or attachments swapped for malicious ones, and resent

► Whaling: targeted attacks on senior executives

Impact:

► Loss of money

► Malicious code intrusion

► Loss of Personally Identifiable Information

► Loss of internal information
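Clone phishing, as listed above, keeps a legitimate message's wording and swaps its links. The Python script below is an added example, not part of the presentation, showing two checks an analyst or mail filter can run on an HTML body: flag anchors whose visible text shows one host while the href points somewhere else, or whose href leaves the claimed sender's domain; and, when a known-good copy of the original message exists, list the links whose href changed in the resent copy. The sample messages and the domains example-bank.com, login-verify.net and evil-example.net are constructed for the demonstration.

```python
"""Detect the link tampering that clone phishing relies on.

Added example; the two sample messages below are constructed and the
domains in them are placeholders, not real senders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def _host(url):
    """Lower-cased host of a URL; '' for relative or malformed links."""
    return (urlparse(url).hostname or "").lower()


def _host_in_text(text):
    """If the visible anchor text itself looks like a URL or bare domain, return its host."""
    t = text.strip()
    if "://" in t:
        return _host(t)
    if "." in t and " " not in t:
        return _host("http://" + t)
    return ""


def suspicious_links(html, sender_domain):
    """Anchors whose href host disagrees with the host shown in the link text,
    or which point outside the claimed sender's domain. Returns (text, href, reason)."""
    findings = []
    for text, href in extract_links(html):
        href_host = _host(href)
        shown = _host_in_text(text)
        if shown and shown != href_host:
            findings.append((text, href, "visible URL differs from href"))
        elif href_host and not (href_host == sender_domain
                                or href_host.endswith("." + sender_domain)):
            findings.append((text, href, "href leaves sender domain"))
    return findings


def modified_links(original_html, resent_html):
    """Links with the same visible text but a changed href between a known-good
    message and a resent copy: the clone-phishing signature. Returns (text, old, new)."""
    orig = dict(extract_links(original_html))
    return [(t, orig[t], h) for t, h in extract_links(resent_html)
            if t in orig and orig[t] != h]


# Constructed sample: the legitimate notice and a cloned copy with swapped links.
ORIGINAL = (
    '<p>Your statement is ready.</p>'
    '<a href="https://www.example-bank.com/login">www.example-bank.com/login</a>'
)
CLONE = (
    '<p>Your statement is ready.</p>'
    '<a href="http://example-bank.com.login-verify.net/x">www.example-bank.com/login</a>'
    '<p><a href="https://tracking.evil-example.net/c">Click here</a> if the link above fails.</p>'
)

if __name__ == "__main__":
    for finding in suspicious_links(CLONE, "example-bank.com"):
        print("suspicious:", finding)
    for change in modified_links(ORIGINAL, CLONE):
        print("modified since original:", change)
```

The first check needs no reference copy and catches the classic "text says bank, href says somewhere else" pattern; the second is stronger but only applies when the organisation can retrieve the genuine message the clone was built from (for example from its own outbound mail archive).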

•30

“If you give a man a phish…”

https://www.phishtank.com/what_is_phishing.php


•31

“…you feed him for a day.”

•32

“If you teach a man to phish…”

http://lts.lehigh.edu/sites/lts.lehigh.edu/files/Phishing_20151209.JPG


•33

“…you might not get malware”

http://lts.lehigh.edu/sites/lts.lehigh.edu/files/Phishing_20151209.JPG

•34

Skimmer


•35

ICS/IOT Vulnerabilities

•36

ICS/IOT Vulnerabilities


•37

ICS/IOT Vulnerabilities

•38

Final Thoughts

► It's no longer a matter of "if", but "when"

► Risk management matters... education/awareness matters

► Cyber indications (preliminary, non-binding pricing from carriers) are easy to obtain for most industries

► No two cyber policies are created equally

► Assess the tools and resources made available by the insurance companies offering coverage

► Cheaper is not always better... but some protection is better than no protection

► Know the difference between cyber liability and crime insurance


Questions?