Network Security & Privacy Risk: Are you prepared?
Wells Fargo Insurance
2015
Products and services are offered through Wells Fargo Insurance Services USA, Inc. and Wells Fargo Insurance Services of West Virginia, Inc., non-bank insurance agency affiliates of Wells Fargo & Company. Products and services are underwritten by unaffiliated insurance companies except crop and flood insurance, which may be underwritten by an affiliate, Rural Community Insurance Company. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other. ©2014 Wells Fargo Insurance Services USA, Inc. All rights reserved. Confidential. For discussion and general information purposes only.
What is a breach?
What is a privacy breach / security breach?
Privacy breach:
The theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third party corporate confidential information that is in the care, custody or control of the organization or an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the Organization.
Computer security breach:
The inability of a third party, who is authorized to do so, to gain access to an organization’s systems or services;
The failure to prevent unauthorized access to an organization’s computer systems that results in deletion, corruption or theft of data;
A denial of service attack against an organization’s internet sites or computer systems; or
The failure to prevent transmission of malicious code from an organization’s systems to a third party computers and/or systems.
How do data breaches occur?
Lost devices and inadvertent publication of data
Hackers and unsecured websites
Vendors and subcontractors
Disgruntled employees
(Diagram: breach sources plotted on two axes, accidental vs. intentional and internal vs. external)
The C-Suite: Balancing the Needs
(Diagram: legal & regulatory, business & financial, and technology (CIO / CTO) needs, balanced across the CLO / CRO, CFO / COO, and the CEO and Board)
Statistics
Verizon 2014 data breach investigations report
35% web app attacks
22% cyber espionage
9% card skimmers
14% POS intrusions
1,367 confirmed data breaches (up from 621 in 2013)
63,437 reported security incidents (up from 47,000 in 2013)
95 countries represented (up from 27 in 2013)
Verizon: 2014 Data Breach Investigations Report using 50 contributing global organizations.
By the numbers
Verizon 2014 data breach investigations report
(Charts: 1,367 confirmed breaches – top 3 industry classes; 63,437 incidents – how did they occur?; confirmed data breach by industry)
NetDiligence 2014 claims study
Data sample size: 120 insured claims
Preliminary findings
Company size: Micro/Nano-cap (under $300 million) organizations experienced the most incidents (47% combined). Mid-cap organizations ($2-$10 billion) lost the most records.
Data type: PII 41%, PHI 21%, PCI 19%
Cause of loss: Hackers 30%, Staff mistakes 14%, Malware/virus 12% (*In 2013, stolen laptops were #1)
Business sectors: Healthcare 23%, Financial services 22%, Retail 10%
NetDiligence 2014 claims study
Percentage of breaches by data type
Source: Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2014 Study (sample size = 120 insured claims)
NetDiligence 2014 claims study
Percentage of breaches by cause of loss
Source: Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2014 Study (sample size = 120 insured claims)
In the headlines…
AvMed Health, March 2014
“Recent Litigation Has Been More Favorable to the Plaintiff’s Bar”
Class action settlement for $3 million offered to 460,000 individuals whose personal information was contained on two stolen unencrypted laptops.
State of South Carolina, October 2012
Approximately 5.7 million Social Security numbers and 387,000 credit card numbers were compromised via a compromised server.
At last report, the state is earmarking $27 million for the event in total.
Texas Health and Human Services, November 2014
A vendor failed to return computer equipment as well as paper records of 2 million Medicaid recipients, putting the Department out of compliance with federal regulations and at risk of fines.
The department made notification to the individuals.
Concentra, April 2014
“Concentra, HCA Health Plan HIPAA Settlements Emphasize HHS’ Focus on Breach Risks Relating to Unencrypted Laptops”
$1.7 million fine plus $250,000 to resolve OCR investigation.
Events happen every day
April 2015: Damariscotta (ME) County Sheriff’s Department; extortion
April 2015: Grapevine Police Department (TX); hack to dashboard cam
November 2014: Texas Department of Health and Human Services; unsecured vendor hardware
November 2014: State Compensation Insurance Fund (CA); vendor data breach of Fund records
November 2014: US Weather System (DC); hack to satellite (China)
November 2014: US Postal Service (SC); hack to employee data (China); 800,000 employee records compromised
October 2014: Oregon Employment Department (OR); hack to employment records; 850,000 records compromised
October 2014: Georgia Department of Behavioral and Developmental Disabilities (GA); stolen employee laptop; 3,397 records compromised
October 2014: Department of Human Services Office of Behavioral Health of Denver (CO); postcards for survey included PHI; 15,000 records compromised
September 2014: Health and Human Services Agency (CA); lost thumb drive containing PHI
Current Regulatory and Legal Environment
Legal issues and the regulatory environment
Legally mandated:
47 states with privacy breach notification laws ‒ Recent federal executive orders – will federal legislation finally be passed? Will it preempt?
HIPAA/HITECH regulations
FTC ‒ Federal Trade Commission Act Section 5, Red Flags
State consumer protection laws ‒ California’s Song-Beverly Credit Card Act
Foreign laws and regulations ‒ EU Privacy Directive – broader than US laws
Other federal laws ‒ SEC Guidance, COPPA, FCRA, FACTA, etc.
Industry standard:
PCI DSS compliance
‒ Required if storing, processing or transmitting payment card data
‒ Significant fines, penalties and costs assessed
Contractual obligations
‒ Increasingly included in insurance provisions of customer/vendor contracts
State regulations: notice
47 states and 4 U.S. jurisdictions require notice to customers after unauthorized access to PII
Follow timing requirements for notifying resident consumers ‒ “without unreasonable delay” but not later than 45 days
Notify State Attorneys General, law enforcement, consumer protection agencies and credit reporting agencies
Follow timing requirements for notifying regulators and credit reporting agencies ‒ 48 hours; fourteen days; before notice to residents
Lawsuits and actions
Banks
Subrogation / indemnity
PCI
Single plaintiff
Government action
Class action
Network Security & Privacy Insurance
Network security and privacy insurance
Continue to see insurers grow their loss prevention and loss mitigation services for midsize companies
Network security risk is not going away
For any market that has pulled capacity, or has been hesitant to enter, another has stepped in
Most organizations looking to transfer the risk to an insurance product
Network security and privacy GAP analysis
Property General Liability
Crime K&R E&O Network Security & Privacy
1st Party Privacy / Network Risks
Physical damage to data only x x
Virus/hacker damage to data only x x x
Denial of service (DOS) attack x x x
Business interruption loss from security event x x x x
Extortion or threat x x x x
Employee sabotage of data only x x x
3rd Party Privacy / Network Risks
Theft/disclosure of private information x x x
Confidential corporate information breach x x x
Technology E&O x x x x x
Media liability (electronic content) x x x
Privacy breach expense and notification x x x x
Damage to 3rd party’s data only x x
Regulatory privacy defense / fines x x x x
Virus/malicious code transmission x x x
x - No Coverage - Possible Coverage - Coverage
Network security and privacy liability
Different names depending on who you talk to…
Cyber Risk, Cyber Security, Data Security, Privacy Liability, Security Liability, Network Risk, etc.
They all essentially refer to the same thing.
Combines third party liability with first party reimbursement insurance, and first party business interruption and data asset loss.
30+ markets with primary policy forms – which carriers will be around 5 years from now?
Insurance solutions
Third party liability coverage:
Privacy liability
Network security
Media liability
Regulatory action* (sub-limit may apply)
First party reimbursement coverage:
Privacy notification costs
Crisis management expenses
Credit monitoring costs
Forensic investigation
Other first party reimbursement coverages:
Cyber extortion
Business interruption
Data restoration
Regulatory expenses, notification expenses, credit monitoring and other crisis management expenses are generally offered on a sub-limited basis, and the sub-limits vary by carrier.
Network security risk and directors and officers liability (D&O)
Recent shareholder actions have followed closely upon the heels of a disclosed data breach
In the context of a company failing to manage a business risk and then failing to properly disclose it: D&O 101
The D&O policy will respond just as it would had the event not been a “cyber” incident
Managing the risks
The digital shadow
Age
Plan ID
Assets schedule
Credit card number
Bank routing
DOB
SSN
City
Race
Can you answer the following questions:
1. What information is being captured?
2. Where is information being captured?
3. What is the value of our information set?
4. With whom is our information shared?
5. How do we protect it?
6. What do we do if it is compromised?
Where is the payroll file?
Dropbox
Thumb drives, external portable hard drives
Printer
System servers
Text messaging services
Laptops
Payroll
Cloud
Managing the risks
Response:
Discovery of data event / timing
Incident response plan
Facts
Law
Vendors
Regulatory investigation
Overreact or underreact?
Quick responders spend 54% more than slow responders, but response can factor into lawsuits and reputational harm!
Source: Ponemon Institute
Managing the risks
Limit online access to data storage servers
Destruction of hard drives to remove all PII
Mock breaches – aka “tabletop exercises”
Limit data maintained or made available
Encrypting laptops, smartphones, etc.
Education
Awareness of exposure of “internal” data
Handheld devices
BYOD
Policies not enough
Wells Fargo Insurance
Dena L. Magyar Tel: (704) 553-6002 Email: [email protected]
Lou Ann Dent Tel: (202) 416-2520 Email: [email protected]
Thank you
This material is provided for informational purposes only based on our understanding of applicable guidance in effect at the time of publication, and should not be construed as being legal advice or as establishing a privileged attorney-client relationship. Customers and other interested parties must consult and rely solely upon their own independent professional advisors regarding their particular situation and the concepts presented here. Although care has been taken in preparing and presenting this material accurately, Wells Fargo Insurance disclaims any express or implied warranty as to the accuracy of any material contained herein and any liability with respect to it, and any responsibility to update this material for subsequent developments. Products and services are offered through Wells Fargo Insurance Services USA, Inc. a non-bank insurance agency affiliate of Wells Fargo & Company. Products and services are underwritten by unaffiliated insurance companies except crop and flood insurance, which may be underwritten by an affiliate, Rural Community Insurance Company. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other. ©2014 Wells Fargo Insurance Services USA, Inc. All rights reserved. Confidential.