Data and its Perils October 2015 Presented by – Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP Vice...
Data and its Perils
October 2015
Presented by – Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP
Vice President, Insurance Operations & Technical Affairs
Dissecting the Cyber Liability Policy
I. Introduction and Overview
II. Data Breach Exposures
III. Regulations
IV. Coverage Gaps
V. Coverage Considerations
VI. What we need to know
Breach Activity
Think you can’t be hacked…. You might want to think again after reading these headlines….
~ “Federal Reserve confirms website hacked” (2012-2013)
~ “Hackers hit US Department of Energy” (2013)
~ “Cyber 9/11 may be on the horizon”
~ “Romanian arrested on Pentagon, NASA hacking charges” (2012)
~ “Hackers launched Cyber attack on US Public Utility”
…if they can, so can you and your clients!
Hackers broke into the company's server, taking 15 million people's names, addresses, Social Security numbers, birthdays and other identification numbers.
Data Breach Trends
2015 – first 6 months
1860 incidents exposing 228 million records
2014 record breaking 1.1 billion (3014 incidents) personal and sensitive records compromised
2014 - 22.3% increase in number of records and a 28.5% increase in number of breaches disclosed from 2013
Resource: Risk Based Security http://seclists.org/dataloss/2015/q1/134. March 2015. 2015-MidYearDataBreachQuickView.pdf
Resource: Data Breach QuickView sponsored by Risk Based Security Foundation. April 2014.
2015 Data Breach Trends
• 5 Hacking incidents alone exposed 181.3 million records (2014 – 4 incidents – 647 million incidents)
• A single act of Hacking exposed 78.8 million records (2014 – Fraud – 104 million records)
2015 Data Breach Trends
• The Business Sector accounted for 43.6% of reported incidents and 59.4% of records exposed.
• Phishing accounted for 17 incidents and the exposure of 1.4 million records
• Breaches involving US entities accounted for 37.6% of incidents and 55.3% of the exposed records (2014 - 44.5% of incidents and 47.9% of exposed records)
2015 Data Breach Trends
• Number of breaches caused by Hacking: 78.4%
• Hacking alone resulted in 95.5% of all exposed records
• 81.2% of incidents and 96.6% of the total exposed records are the result of outside activity
Resource: Risk Based Security http://seclists.org/dataloss/2015/q1/134. March 2015. RiskBasedSecurity.com 2015-MidYearDataBreachQuickView.pdf
2015 Data Breach Trends
Analysis of events showed most targeted data types:
Data type    2015 Mid Year    2014
Password     55.4%            62.6%
User Name    44.6%            50.5%
eMail        48.0%            49.2%
Name         26.5%            31.9%
Resource: Risk Based Security http://seclists.org/dataloss/2015/q1/134. March 2015. RiskBasedSecurity.com 2015-MidYearDataBreachQuickView.pdf
2015 US State – Top 9
2015 Incidents      2015 Exposed Records
California          Indiana
Florida             DC
Texas               Alaska
New York            California
Virginia            Washington
Illinois            Maryland
Pennsylvania        New York
Indiana             Colorado
Georgia             Alabama
Top Data Breaches of 2015
• Anthem - 80 million customers – names, social security numbers, medical ID’s, employment info and income data
• Premera Blue Cross – 11 million
• International Bank Hack - $1 billion in cash dispensed from ATMs without physical presence
Reference: identityforce.com
Top Data Breaches of 2015
• Equifax – several hundred credit reports sent to an individual
• Internal Revenue Service – suspected 100,000 tax returns stolen; now believe over 600,000 Americans affected
• Ashley Madison
• CVSphoto.com
Top Data Breaches of 2014
• Target – 110 million people’s personal info
• Sony Pictures – internal data (employee passwords and medical information stored, movie scripts, salaries)
• Ebay – 145 million users (email addresses and passwords)
• JP Morgan Chase – 76 million (bank customers and credit card data)
Resource: hotforsecurity.com “Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015”. By Alexandria Gheorghe, December 31, 2014
Top Data Breaches of 2014
• Home Depot – 56 million (email addresses using 3rd party vendor credentials)
• Snapchat – 4.6 million (user names and phone numbers)
• Community Health Systems – 4.5 million patients
• Michael’s – 1250 stores (point of sale devices to steal credit and debit card numbers and associated PIN numbers)
Resource: hotforsecurity.com “Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015”. By Alexandria Gheorghe, December 31, 2014
Top Data Breaches of 2014
• AOL – 120 million registered accounts (user info including encrypted passwords, encrypted answers to security questions, postal addresses and address book contacts)
• Neiman Marcus – 1.1 million (backdoor software to steal customer email addresses, user names, credit card data and encrypted PINs)
• Staples – 1.16 million payment cards (115 retail stores affected with malware)
Resources: Hotforsecurity.com “Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015”. By Alexandria Gheorghe, December 31, 2014
SecurityWeek.com “Top Data Breaches of 2014”. By Brian Prince, December 29, 2014
Key Homeland Security official urges passage of cybersecurity bill
“A top Department of Homeland Security official on October 1, 2014 called on Congress to pass cyber security legislation, saying there is a ‘dire need’ to strengthen the department’s ability to defend against cyberattacks.”
Resource: Washington Post by Jerry Markon, October 1, 2014
Breach Activity
Resource: Carrier Management, October 21st, 2014 by Chris Strom http://www.carriermanagement.com/news/2014/10/21/130678.htm
Breach Activity
Small Business
It’s not just about the big guys!
• Cyber Extortion
• EFT Issues
And more!
“Breach Fatigue”
Are consumers becoming complacent due to the increase number of breach notifications?
Are consumers less likely to protect themselves thereby leaving companies assuming responsibility for increasing levels of fraud and identity theft?
Data at Risk
Exposures:
• Hacking
• Websites
• Fraud
• Email
• Skimming
• Viruses
• Lost/stolen laptops/USBs
• Improper Disposal
• Stolen Computers
• Cyber Extortion
From: Outside / Inside – Malicious / Inside – Accidental
Data at Risk
Electronic Data
• Databases
• Websites
• Electronic Security
Paper Files
• YES – PAPER Files
• Large amounts of Personal Data (PII and PHI)
• Physical Security (shredder operations)
Data at Risk
• Passwords
• Name
• Email
• User Name
• Address
• Social Security Number
• Phone Number
• Medical
• Credit Card
• Drivers License Number
Data at Risk
PII – Personal Identifiable Information
PHI – Protected Health Information*
PCI – Payment Card Industry
What you should be doing
• Encrypt devices
• Automate patch management
• Password protect
• Be alert to phishing
• Double check mailing details
• Identify risks, plan, practice and training
Resource: Beazley URMI Presentation
Regulations
Federal Laws
• Gramm-Leach-Bliley – personal financial information
• HIPAA – Health Insurance Portability & Accountability Act
• HITECH – Health Information Technology for Economic & Clinical Health
• PCI Security Standards Council – Payment Card Industry Data & Security Standards Compliance
At least 35 Federal Laws with Data Protection or Privacy Protection
Regulations
47 States, District of Columbia, Guam, Puerto Rico and the Virgin Islands have Data Breach laws
Residence of affected individuals determines applicable notice law
Traditional Policies
Traditional Property and Liability Insurance
• Damage to Tangible Property
• Loss of revenue or extra expenses resulting from damage to tangible property
• Liability for bodily injury and tangible property damage including loss of use of that property
• Loss of use of undamaged tangible property
Cyber Reality
• Damage to intangible property
• Loss of use of intangible property
• Third party liability for negligent use of intangible property
• First party legal costs to protect intangible property
Commercial Property
Coverage Issues
• Physical loss or damage to property to trigger both property damage and time element
• Non-physical events (eCommerce)
• Denial of Service (Non-physical event)
• Indemnity Period Provisions
• Computer Viruses
• Employee Dishonesty
• Valuation
CGL Coverage Gaps
• Definition of “Property Damage” – Physical damage to “Tangible Property”
• Limited Worldwide Territory
• No Advertising Injury if “in the business”
• No Advertising Injury if “Advertising Products/Services of Others”
• Professional Services
• No Patent coverage
• Limited Copyright/Trademark Coverage
• Fines and Penalties
Liability Coverage
Bodily Injury or Property Damage Liability
• Excludes “loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
• CG 04 37 04 13 – Electronic Data Liability Endorsement
– Modifies above exclusion to give this coverage back ONLY if a result of physical injury to tangible property
– Modifies definition of “property damage” to include “loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data resulting from physical injury to tangible property.”
Liability Coverage
CG 00 65 Electronic Data Liability Coverage
• Claims-Made form
• Legal liability because of “loss of electronic data” from an “electronic incident”
• Exclusions
– Providing computer products or services
– Damage to your data
– Infringement of intellectual property rights, copyright or trademark
– Unauthorized use of electronic data by insureds and employees
– Criminal or Fraudulent Acts
Personal and Advertising Injury Liability
• Excludes “infringement of copyright, patent, trademark, trade secret or other intellectual property rights.”
• Excludes media and internet type business
• Excludes chat rooms or bulletin boards
ISO CGL
• May 1, 2014 – The day the Cyber Liability insurance world changed forever
• CG 21 06 – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability
• Mandatory endorsement on all CGL policies after May 1
Crime
Employee theft
• Theft committed by an employee, identified or not
Computer Fraud & Electronic Funds Transfer
• Using computers to fraudulently transfer property
• Fraudulently misdirecting transfer of funds (Money and securities)
• Only covers money, security and “other property”
• Key definitions: “electronic data”, “Computer programs”, “Fraudulent instruction”
Property Coverage
Direct – EDP Coverage
• Hardware
• Software
• Media
• Data Recovery
• Business interruption and extra expense
ISO E-Commerce Policy (EC 00 10)
Eight Insuring Agreements
1. Web Site Publishing Liability
2. Security Breach Liability
3. Programming Errors and Omissions Liability
4. Replacement or Restoration of Electronic Data
5. Extortion Threats
6. Business Income and Extra Expense
7. Public Relations Expense
8. Security Breach Expense
ISO E-Commerce Policy (EC 00 10)
Exclusions
• Natural causes of loss
• War
• Biological, chemical or nuclear
• Destruction of tangible property or bodily injury and property damage
• Insufficient capacity in computer systems
• Impairment of the internet
• Failure, reduction or surge of power
ISO E-Commerce Policy (EC 00 10)
Exclusions
• RICO losses
• Satellite failure
• Intentional damage by “insured”
• Publication of material with knowledge of falsity
• Contractual liability
• Patent or trade secret violations
• Pollution
ISO E-Commerce Policy (EC 00 10)
Exclusions
• Pending claims, suits or processed prior to “policy period”
• Employment practices
• “Loss” prior to retroactive date
• “Loss” reported under prior policies with the same insurer
• Criminal acts of “insured” alone or in collusion
ISO E-Commerce Policy (EC 00 10)
Exclusions
• “Loss” determination expenses
• Governmental action including seizure or destruction
• Computer upgrade expenses
• Insured v. insured
• “Electronic data” input errors
• Territory – Worldwide “wrongful acts”, US suits
ISO E-Commerce Policy (EC 00 10)
Endorsements
• Nonbinding Arbitration (EC 10 03)
• Binding Arbitration (EC 10 04)
• Supplemental Extended Reporting Period (EC 20 01)
• Include Specified Individuals as Employees (EC 20 02)
• Amend Territory Condition for Wrongful Acts or Suits (EC 20 03)
– Exclude scheduled territories
– Include scheduled territories
Professional Liability
Coverage limitations
Other Insurance Clause
Considerations
• Types of Coverage needed
• Terminology/Definitions
• Available Limits
• Coverage Provided
• Coverage Triggers
• Types of Data Covered
• Remediation Costs Covered
• Remediation Coverage Services
Coverage Comparison
Item | Carrier A | Carrier B | Carrier C
Aggregate Limit | $1,000,000 | $1,000,000 | $1,000,000
Retention | $5,000 | $5,000 | $10,000
Premium (not including policy fee or taxes) | $3,157 | $3,498 | $4,402
Privacy/Network Security Liability | $1m limit within the agg. | $1m limit within the agg. | $1m limit within the agg.
Breach Response Costs/Notification Costs | 100,000 notified individuals; cost is separate from and in addition to the aggregate limit. | 250,000 notified individuals; cost is separate from and in addition to the aggregate limit. | $250k included within the agg. ($5k retention)
Business Interruption | Aggregate $1m limit; $250,000 hourly | $1m limit; $250,000 hourly | $250k included within the agg.
Privacy Regulatory Defense and Penalties | $1m limit within the agg. | $1m limit within the agg. | $500k included within the agg.
PCI Fines and Costs | $500,000 limit within the agg. | $500,000 limit within the agg. | Unclear; no specific mention
Cyber Extortion | $1m limit within the agg. | $1m limit within the agg. | $250k included within the agg. ($5k retention)
Media Liability | $1m limit within the agg. Covers media on insured's website and media created by insured on a third party website. | $1m limit within the agg. Covers media on insured's website and media created by insured on a third party website. | $1m limit within the agg.
Credit Monitoring | Included | Included | Included
 | $1m included within the agg. | $1m included within the agg. | $250k included within the agg. ($5k retention)
Crisis Management | $250k included within the agg. | $250k included within the agg. | $250k included within the agg. ($5k retention)
Funds Transfer Fraud | N/A | N/A | $250k included within the agg. ($5k retention)
Computer Forensic Costs | $250k included within the agg. | $250k included within the agg. | Included within notification costs limit
Loss Prevention and Risk Management Services | Yes - Policyholders are enrolled in NoDataBreach.com for pre claim risk management services; in-house claims team that assist along with selected vendors post claim. | Yes - Policyholders are enrolled in NoDataBreach.com for pre claim risk management services; in-house claims team that assist along with selected vendors post claim. | Yes - Insured has access to a third party vendor to provide guidance pre claim and post claim.
Minimum Earned Premium | | |
What we need to Know
• Applications
• First party Coverage
• Third Party Coverage
• Business Income
• Risk Management
• Claims Services
• How to Handle Objections
Applications
• Application interpretations
• Application is a warranty
• Information requested:
– General information
– Revenue Information
– Management of Privacy Exposures
– Computer System Controls
– Content Controls
– Prior Insurance
– Prior Claims or complaints
Coverage Overview
• First Party Coverage (differs greatly among carriers)
• Third Party Coverage
• Risk & Crisis Management Services (not all carriers)
First Party Coverage
Direct loss to your organization. Can Include:
• Forensic analysis and remediation of breach
• Damage to computer systems and networks
• Notification Expenses (including VOLUNTARY Notification)
• Data Restoration
• Business Income (eCommerce)
• Contingent Business Income
• Regulatory Fines and Penalties
• PCI Fines and Penalties
• Cyber Extortion
• Crisis Management – Legal, Public Relations
• Credit Monitoring
• Intellectual Property – Copyright, Trademarks, other
Third Party Coverage
Liability imposed due to negligence
• Breach or Privacy Liability
• Advertising Injury/Personal Injury
• Professional Liability – “in the business of”
– Software development
– Network maintenance
– Security Services
Cyber Risk Insurance – Coverage Options
Media Liability
All media activities or just online media (including social media)
• Facebook
• Twitter
• Blogs
• YouTube
Intellectual Property liability coverage:
• Copyright infringement – can be included
• Trade or Service Mark infringement – can be included
• Patent infringement – cannot be included in most forms
Additional concerns
• Application interpretations
• Application is a warranty
• Coverage trigger – suspected or confirmed breach?
• Does it cover social media?
• Is defense inside or outside the limit?
• Sublimit reduction of aggregate?
• First Party – expenses included?
• Voluntary notification (not just minimum legal requirements)
Additional concerns
• Encryption requirements
• Transmission of computer viruses
• Third party – i.e.: the cloud
• Contractual Liability
• Intentional acts
• Other than electronic data (paper)
• Package or a la carte
• Pricing
• Capacity
Carrier & Coverage Trends
• Notification on number of records breached vs. dollar limit (aggregate issues)
• Notification expenses separate from limit of liability
• Sublimits part of the aggregate
• Liability for loss of personally identifiable information
• Not just electronic, but all types of data, including paper
• Corporate information, not just individuals
• All types of data, not just financial
• Some cover loss of data when in the possession of a 3rd party such as a vendor
Carrier & Coverage Trends
Risk Management Services
More carriers are entering the market including mutual insurers and small regionals – often backed by an established cyber liability insurers
Risk & Crisis Management
Web based training and risk assessment tools
Vulnerability analysis
Cyber Coach
Claims management
Post Claim Risk & Crisis Management Services
1. Notification of affected individuals
2. Credit monitoring if required
3. Call center if needed
4. Forensic experts to determine the cause of the breach as well as help identify financial loss (Business Income, Data Loss)
5. Assistance with data and system restoration
6. Public relations to help manage reputational risk
7. Legal Assistance
Underwriting and Pricing Considerations
Underwriting Considerations
• Type of data stored
• Types of controls in place
– Firewalls
– Encryptions
– Detection Systems
– Risk Management Plans
– Vendors
• Type of exposure (retail, public entity, medical, financial, etc.)
• Type of web presence (interactive vs. informational)
• Claims History
Underwriting and Pricing Considerations
Primary Rating and Premium Factors
• Industry
• Revenue
• Number of records stored
• Limits purchased
• Retention
Main Reasons for NOT Purchasing Cyber Insurance
52% Premiums too expensive
44% Too many exclusions, restrictions & uninsurable risks
38% Property & Casualty Policies are sufficient
26% Unable to get insurance underwritten because of current risk profile
26% Coverage is inadequate based on exposure
9% Risk does not warrant insurance
6% Executive management does not see the value of this insurance
Resource: Ponemon Institute, August 2013 (Respondents were asked to choose top two reasons)
Overcoming Objections
• Not if but when
• National Small Business Association
• Fire insurance even though you take precautions
• Claims that hit home
• Educate the business owner
• Applications
Resources
• The Betterley Report – Cyber/Privacy Insurance Market Survey – 2014: “Maybe Next Year” Turns into “I need it Now” http://www.irmi.com/online/betterley-report-free/cyber-privacy-media-liability-summary.pdf
• IRMI – Whitepaper – What Every Insurance Professional Should Know about Network Security and Privacy Liability http://www.irmi.com/online/privacy-liability/network-security-and-privacy-liability.pdf
• Ponemon Institute http://www.ponemon.org/index.php
• IRMI “Analyzing Nonstandard Cyber and Privacy Insurance Policies” http://www.irmi.com/expert/articles/2014/austin10-commercial-property-insurance.aspx?cmd=print
• Verizon 2014 Data Breach Investigations Report www.verizonenterprise.com/DBIR/2014
Resources
• Experian Data Breach Report 2014 http://www.experian.com/data-breach/data-breach-industry-forecast.html
• Advisen Cyber Risk Network http://www.cyberrisknetwork.com/data/
• Symantec Internet Security Threat Report 2014 http://www.techrepublic.com/resource-library/whitepapers/symantec-internet-security-threat-report-copy1/
Resources
• Insurance Information Institute – Cyberliability: The Growing Threat http://www.iii.org/white-paper/cyber-risks-the-growing-threat
• Net Diligence http://netdiligence.com/services.php
Resources
• Legis.sd.gov 22-40-8 Identity Theft – Felony
• Atg.sd.gov - Identity Theft
Questions?