Ironshore Data Privacy CE/CLE Seminar September 17, 2014 1.

Ironshore Data Privacy CE/CLE Seminar

September 17, 2014

1

Life Cycle of a Breach

Identification of the Threat or Security Incident What just happened?

Triggering the Incident Response Team Making sure the right people / partners are part of the team

Containment Have you stopped the “bleeding”?

Remediation Have you taken steps to prevent this type of event from occurring in

the future? Notification – and beyond

Overview

You are part of a company that operates retail stores throughout the United States. Payment-card and HR processing is handled by your corporate offices for all stores. The Company employees approximately 20,000 employees.

3

Cyber Attack!

4

ATTACK!

SQL Injection8/21/2014

Rafael Negron

SQL Demo

SQL Injection

What is SQL?

Web Application

Web Application

DatabaseDatabase

SQL

o SQL: Structured Query Language

o Used to store, edit, and retrieve database data

o Applications issue SQL commands that manage data

Change

sSQL

SQL Injection

Web Application

Web Application

o Malicious SQL statements are inserted into an entry field for execution

o Malicious SQL statements, are intended to do things, such as display,

“Username and Password”

Change

s

Insert Malicious Input

Insert Malicious Input

Database

Database

SQL Mini-Lesson

Table containing data

UserName

FirstName

LastName

Password

CJONES Cynthia Jones XXXXXX

BSMITH Bill Smith YYYYYY

SKING Susan King ZZZZZZZ

RSMITH Rob Smith AAAAA

Criteria rows must meet

"Users" Table

Query Results

Column data returnedSELECT UserName, Password

FROM Users

WHERE LastName = 'Smith'

Exploitation Methodology

Step 1 Scan

Step 1 Vulnerability Assessment

Step 3 Remote Exploitation

Step 3 Privilege Escalate

Windows Passwords

SQL Demonstration

Pass The Hash

Pass The Hash Demo

What Just Happened?

Your Company was the victim of a sql injection attack against a web application that provided information on customers who had purchased the Company’s services. The hacker appears to have gained access to a database that was serving the web application.

Question: What Do You Do?

19

Information Exposed

The initial investigation shows that the database contained

employees’ names, addresses, social security numbers, driver’s license numbers, position, and bank account information. The database has been operational for 5 years. The database appears to have stored cardholder information for repeat customers.

Question: Now what? Does this impact your initial plan of action?

20

Monkey Wrench #1

You just learned that Brian Krebs, an online reporter who is credited with breaking the story that Target had been breached, and is followed by thousands of other publications, posted a story on his blog that the Company appears to have been breached. The story mentions that the Company failed to return phone calls for two days.

21

Monkey Wrench #2

The CEO of the Company contacts you, and tells you that he just received an e-mail from an unknown e-mail address, informing him that this person has the personal information of the CEO and his daughter, provides his driver’s license as proof, and threatens to post it online unless the CEO pays a ransom.

22

Update From Investigation

The database contained a link to an application that was connected to the Company’s payment processing system, which is centrally located at the Company’s headquarters. The application automatically updated information for repeat customers, but also allowed the hacker to potentially access the payment card information of all customers, exposing over 2 million credit cards.

Monkey Wrench #3

The FBI has just showed up at your door, and wants access to your data center so it can image your computers and servers in order to investigate the cyber attack.

24

Money Wrench #4

In the midst of your investigation, you receive an Inquiry from regulatory agency requesting more information about the event, asking for policies and procedures, and seeking a meeting.

25

Summary

Responding Quickly, But Effectively Matters

Know Who Your “Team” Members Are Before You Have An Event - Internal And External

Training And Education Matters!

No Two Events Are Alike - Expect The Unexpected

26


September 17, 2014

27

CYBER RISKS THE BUCK STOPS WITH THE BOARD

Panelists:Anjali C. Das, Partner Wilson Elser, LLP

Ty R. Sagalow, President Innovation Insurance Group, LLC

William A. Boeck, SVP Lockton Companies

Lindsay B. Nickle, Partner Wilson Elser, LLP

Kristi Janicek, Ironshore

Brenda Barnat, Abernathy MacGregor Group

28


OVERVIEW

Corporate Exposures for a Data Breach Lack of Board Oversight for Data Privacy and

Security SEC Guidance and Enforcement Rise in Shareholder Litigation Against D&Os Corporate Governance and Cyber Risk

Management Cyber Insurance versus Other Insurance

29


DATA BREACHES IN THE NEWS

Target Neiman Marcus Advocate Healthcare Twitter Adobe Facebook Living Social Evernote Federal Reserve Bank

30


CORPORATE EXPOSURES FOR A DATA BREACH

31


Average Data Breach Response Costs

Avg. total organizational cost of breach ($5,403,644)

Avg. detection costs ($395,262) Avg. notification costs ($565,020) Avg. remediation costs ($1,412,548) Avg. lost business costs ($3,030,814) $200 a record

Note: Figures do not include mega breaches in excess of 100,000 breached records

Source: Ponemon Institute 2013 Cost of Data Breach Study32


Other Breach Related Costs

Litigation costsConsumer class actionsShareholder suitsGovernment investigations and proceedings

Impact on corporate financesCash flowLoan covenants and credit Shareholder valueReputational injury and loss of business

33


Adverse Impact on Target’s Corporate Financials

5.5% decrease in sales in 4Q 2013 “Meaningfully softer results” following news of

the breach 11% drop in stock price Reputational injury

34


Target Data Breach Related Costs

$88 million incurred for data breach response costs and related expenses to date

Amounts include internal investigation costs credit monitoring staffing call centers

$52 million in expected insurance recoveries $100 million in dedicated cyber liability insurance

35


Target Management Shake Up

CIO/CEO “resignations” CFO testifies before Congress Shareholder proxy advisor ISS recommends

ousting Board members Appointment of new Chief Information Security

Officer

36


LACK OF BOARD OVERSIGHT FOR DATA SECURITY

37


“Only a few executive officers understand security and the rest are clueless. . . . [T]his causes a big disconnect between the people performing information security to protect an organization’s data and the top-level executives at the organization.”

Source: Larry Ponemon, Founder of the Ponemon Institute

38


Many Boards are reassessing their skills in cyber risk management Experience in overseeing the growing threat of

cyber security risk is one of the key attributes Boards will consider when appointing new directors

IT expertise is now considered one of the top 5 attributes for today’s Board members

Only 11% of Boards are “very confident” of their ability to manage cyber risk

Source: NYSE 2014 Survey: What Directors Think

39


SEC GUIDANCE AND ENFORCEMENT FOR DATA

SECURITY AND PRIVACY

40


SEC Cyber Risk Disclosure Guidance

Discussion of aspects of business or operations that give rise to material cyber risks (costs and consequences)

Outsourced functions that may give rise to a cyber risk and how company manages that risk

Description of material cyber incidents to date (costs and consequences)

Risks related to cyber incidents that may remain undetected for an extended period

Description of relevant insurance coverage41


5/1/13 Letter from SEC Chair Mary Jo White to Senator Rockefeller highlights the SEC’s interest in cyber risk

Cybersecurity risks are an “increasing concern” for public companies and financial markets

Since 2012, the SEC has issued 50 comment letters to companies regarding their cyber risk disclosures

SEC continues to “prioritize” this issue SEC is evaluating the “efficacy” of its guidance Possibility that the SEC consider further action on

this topic

42


“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

SEC Commissioner Luis Aguilar speaking at the NYSE Conference:

Cyber Risks and the Boardroom (June 10, 2014)

43


SEC “Blueprint” of Cybersecurity Issuesfor Wall Street Firms

1. Inventory of information security assets2. Dedicated employees responsible for monitoring

and detecting cybersecurity threats3. Cyber liability insurance4. Security policies, practices, and internal controls5. Cybersecurity risks associated with third party

vendors, service providers, and business partners

44


D&O CYBER EXPOSURE:THE NEW FRONTIER FOR SHAREHOLDER SUITS

45


Securities Class ActionsWas there a stock drop following news of big

data breachDid the D&Os knowingly conceal a material

cyber risk (scienter)Were the stock losses caused by the bad news

or by a “corrective disclosure” (loss causation)Did company adequately disclose cyber risks in

its filings (per SEC guidance)

46


Derivative ActionsBreach of fiduciary duties and lack of oversight

by BoardWeak internal controls for cyber risk Damages to company resulting from data

breach or other cyber threat

47


Target Shareholder Suits Shareholder derivative suits against Target’s D&Os for

breach of fiduciary duty related to the 2013 data breach

Suits filed in Minnesota federal court Suits name CEO, CFO, CIO and Board of Directors D&Os allegedly failed to: (1) promptly notify

customers of the data breach, and (2) implement internal controls to detect and prevent a data breach

Complaints highlight Company’s Privacy Policy Company allegedly failed to use the PCI Data Security

Standard for large retail companies

48


Company’s Purported Damages

1. Reputational injury and loss of business2. Loss of revenue and profits3. Costs of defending and/or settling consumer

class actions4. Costs incurred in response to government

investigations5. Costs incurred from Company’s internal

investigation6. Data breach remediation costs

49


Corporate Governance and Cyber Risk Management Best Practices

50


SEC Recommendations to Boards to Manage Cyber Risk

1. Use the NIST Framework as Guidance 2. Retain Directors with technical and security

expertise 3. Companies should have skilled employees to

manage cyber risk on a day-to-day basis4. Boards should make sure that companies have a

tested data breach response and recovery plan in place

51


National Institute of Standards & Technology Framework

1) Identify critical IT and electronic data assets2) Protect these assets3) Detect cybersecurity threats4) Respond to cyber attacks (breach response plan)5) Recover lost, stolen, or impaired assets (recovery plan)

52


Privacy Policy Due Diligence

Who is responsible for Privacy Policy (i.e., Chief Privacy Officer) What PII does the Company collect From which states/countries is PII collected Who has access to the PII (both inside and outside the Company)

Drafting the Privacy Policy Does it provide notice of the Company’s collection of PII Does it provide consumers with opt-in/opt-out for use of their information Is PII being protected through appropriate (industry standard) security Is the Policy prominently located on the Company’s Website

Compliance/Auditing Are employees trained on protecting PII Does the Company employ effective security measures to protect PII Does the Company periodically audit compliance with its Privacy Policy

53


Contracts with Vendors/Business Associates

ID type of data to be stored or processed (PHI, PII, etc.) Where will data be stored, transferred, access Specify baseline security standards that Vendor must adhere to Does Vendor have its own Privacy Policy Definition of a reportable security breach Who will be responsible for notifying consumers (Company or Vendor) Data disposal and deletion requirements and time-frame Company’s right to audit Vendor for compliance with data

security/privacy Address Vendor’s use of Subcontractors Who has to comply with what laws, and who is financially responsible

(Company or Vendor, or both)

54


More Data Security Policies and Procedures

Training employees Restricting users and access to network resources Implementing a process for managing IT assets Adopting a security policy that addresses mobile media Maintaining controls to secure portable media Maintaining protection against DDoS attacks Maintaining a written data destruction policy Maintaining a written cybersecurity breach response plan Testing computer backup systems Using data encryption Conducting periodic audits to ensure compliance with security

policies55

Carnegie Mellon’s Corporate Governance Best Practices Checklist

for Cyber Risk

Establish a Board Cyber Risk Committee Recruit directors with IT and security expertise Conduct an annual audit of security and breach

response programs and controls Require management to give periodic reports on

privacy and security risks Require the Board to conduct an annual review of

budgets for privacy and security risk management Evaluate potential liabilities and losses for cyber risk Review the adequacy of cyber risk insurance

coverage

56


Privacy and Security Risk Disclosures Privacy concerns relating to our technology could damage

our reputation and deter current and potential users from using our products and services.

In addition, as nearly all of our products and services are web-based, the amount of data we store for our users on our servers (including personal information) has been increasing. Any systems failure or compromise of our security that results in the release of our users’ data could seriously limit the adoption of our products and services, as well as harm our reputation and brand and, therefore, our business. We expect to continue to expend significant resources to protect against security breaches. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of web-based products and services we offer, and operate in more countries.(Source: Google Form 10-Q 7/24/14)

57


Privacy and Security Risk Disclosures We experienced a significant data security breach in the fourth

quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

We are currently subject to a number of governmental investigations and private litigation and other claims relating to the Data Breach, and in the future we may be subject to additional investigations and claims of this sort. These investigations and claims could have a material adverse impact on our results of operations or profitability.

Finally, we believe that the greatest risk to our business arising out of the Data Breach is the negative impact on our reputation and loss of confidence of our guests, as well as the possibility of decreased participation in our REDcards Rewards loyalty program which our internal analysis has indicated drives meaningful incremental sales. (Source: Target Form 10-K 3/14/14)

58


Don’t Count on Traditional Insurance to Respond to Cyber Exposures

CGL Coverage

D&O Insurance

Cyber Liability Insurance

59


CGL Policy

Coverage A: Bodily Injury or Property Damage Property damage means physical injury to

tangible property, including loss of use of property

Is electronic data physical or tangible property? Evolution of ISO standard form CGL Policies

Pre-2001: No exclusion for electronic data Post-2001: Electronic data excluded Post-2004: Exclusion for damages arising out of the loss of,

damage to, corruption of, or inability to access electronic data60


CGL Policy

Coverage B: Personal and Advertising Injury Includes “oral or written publication of material

that violates a person’s right to privacy” Coverage B might apply to theft of consumer data

or misuse of customer information Post-2001 ISO standard form CGL policy exclude

coverage for Internet-related activities

61


New ISO Exclusion for CGL Policies

1). Arising out of any access or disclosure of any person’s or organization’s confidential or personal information; OR2). Arising out of the loss of, damage to, corruption of, or inability to access or manipulate electronic data

62


Public Company D&O Policy

Coverage for shareholder suits Limited coverage for investigations Entity coverage limited to Securities Claims No specific cyber exclusions Bodily injury and property damage exclusion Personal injury exclusion Other insurance provision

63


Private Company D&O Policy

Duty to defend Broad entity coverage Could include claims for negligence for failure to reasonably

safeguard customer information Bodily injury / property damage exclusion that applies to

injury to physical or tangible property Personal injury exclusion that applies to claims for “invasion

of privacy” Courts have held that loss or theft of PII pursuant to a data

breach does not give rise to a typical tort claim for invasion of privacy

64


Cyber Liability Policy

1. First Party Coverage, including: Breach notification costs Forensic investigation Credit monitoring or identity theft Public relations / crisis management Call centers

2. Business Interruption Coverage3. Cyber Extortion Coverage4. Third Party Claims against Insureds5. Regulatory Investigations

65


D&O and Corporate Cyber Exposure Takeaways

The buck stops with the Board No companies are immune to a data breach If the Target shareholder suits gain traction, more

may follow Companies should have adequate cyber risk

management policies and procedures Boards should be well-informed of cyber risks Duty to disclose material cyber risks Boards should consider how insurance responds to

cyber-related claims

66


HYPOTHETICAL DATA BREACH SCENARIO

&

MOCK EMERGENCY BOARD MEETING

67


September 17, 2014

68

Imagine someone trying to break into your house. Now

imagine it 60,000 times a day.

http://www.ibm.com/smarterplanet/ie/en/business_resilience_management/overview/index.html?re=spf

69

Agenda

From a forensic, legal, and insurance perspective:

Bring Your Own Device (BYOD)

Vendor and Supply Chain Risks

What Data Do I Collect, Where Is My Data, Who Has Access To My Data

The Insider Threat

70

Thank You For Attending

Company Panel Participants:

71

Ironshore Data Privacy CE/CLE Seminar September 17, 2014 1.

Documents

Transcript of Ironshore Data Privacy CE/CLE Seminar September 17, 2014 1.