Personal Information Protection & Global Insurance Best Practices

Transcript of Personal Information Protection & Global Insurance Best Practices

Page 1: Personal Information Protection & Global Insurance Best ...cpoforum.or.kr/privacy2014/PDF/Keynote3.pdf · mobile wallet technology is exploding globally ... Cybersquatting Confidentiality

Personal Information Protection & Global Insurance Best Practices

Privacy Global Edge 2014

Murray Wood

Head of Financial Specialties

Aon Asia

Seoul

17 April 2014

Page 2: Research Conclusions: Risk Maturity & Performance

Page 3: Emerging Cyber Risks

Social Media

• Two distinct sources of risk: corporate and employee activity

• Network Security, Privacy, Social Engineering

• Defamation, product disparagement, IP infringement, harassment, and invasion of privacy.

International Laws and Regulations

• Telematics, device data collection, location tracking, GPS.

Big Data Analytics

South Korea Specific Laws (partial sample):

• Financial Services Commission: 2014 Enhanced Information Security Rules

• Personal Information Protection Act (Minister of Public Administration and Security)

• IT Network Protection Act

• Financial Supervisory Services financial institutions checklist and self-audit

• Act on Promotion of Information and Communications Network Utilization and Information Protection

Mobile Device Payment Apps

• Mobile payment hardware, software, and mobile wallet technology are exploding globally

• Juniper Research study predicts mobile transactions will hit $1.3 trillion worldwide by 2015

• PCI Council guidance addresses account data security and mobile devices: hardware, software, usage, and customer relationship

• How is risk affected for all participants in the payment value chain?

Cloud Computing

• What are the risk oversight and security controls of the cloud provider?

• Where will the data be stored, and will the provider make a contractual commitment to obey privacy laws?

• How is our data segregated from other data?

• How can I recover my data if disaster strikes?

• What if the provider goes out of business? How can I get my data back?

• How is liability allocated?

Page 4: What Happens if You Get Hacked

Risks by area:

1. Commerce: Access, E-commerce theft, Customer behaviour, Jurisdiction/law, Trust, Confidentiality and identity, Digital money, Non-traceability of transactions, Regulatory, Tax, Unfair trade practices, Customer awareness, Customer choice, Quality of data, Information protection, Failure to provide promised services, Security of data, Privacy, Consumer access, Legitimate use, Authenticity, Non-repudiation, Business practice disclosure, Transaction integrity/reliability, Fraud and identity theft, Business design, Technology obsolescence, Snooping, Corruption, Misuse of information, Personal threats, Errors and omissions

2. Content: Inappropriate content on company servers, Customer behaviour, Domain name hijacking, Trust, Cybersquatting, Confidentiality and identity, Security, Regulatory, Loss of trade secrets, Unfair trade practices, Customer awareness, Personal threats, Jurisdiction/law, Infringement of intellectual property, Privacy, Customer choice, Quality of data, Security of data, Consumer access, Linking and framing risk, Meta-tag abuse, Legitimate use, Information protection, Snooping, Identity theft, Corruption, Misuse of information, Errors and omissions, Customer information

3. Infrastructure: Access, Reliability, Performance, Jurisdiction/law, Trust, Security of data, Privacy, Regulatory, Defective hardware/software, Legitimate use, Business design, Technology obsolescence, Physical damage, Efficacy

Page 5: Cyber Insurance: Growth Correlated to Growth in Laws & Regulations

• 2014 International Compendium of Data Privacy Laws – Mandates? Compulsory? http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International-Compendium-of-Data-Privacy-Laws.pdf

[Timeline chart: 2005, 2009, 2010, 2011, 2012, 2013, 2014]

Annual non-life premiums are in excess of USD 167 Billion

On-going legislation across the region:

• Singapore
• Malaysia
• China
• Taiwan
• Philippines
• Hong Kong
• South Korea
• India
• Japan

Year   Gross Written Premium (USD)
2002   < 75 Million
2004   200 Million
2006   350 Million
2010   600 Million
2012   > 1 Billion (= 1/167 of P&C)

Page 6: Cyber Exposure Trends: Sample US Listed Company 10-K (ADR)

• We are increasingly dependent on information technology systems and infrastructure; system inadequacies, operating failures, or security breaches could harm our business. We rely to a large extent on sophisticated information technology systems and infrastructure. The size and complexity of these systems make them potentially vulnerable to breakdown, malicious intrusion, and random attack. Likewise, confidentiality or data privacy breaches by employees or others with permitted access to our systems may pose a risk that valuable trade secrets, personal information, or other sensitive data may be exposed to unauthorised persons or to the public. Such information security breaches may be very difficult to detect. To date, system breakdowns and, to the extent we have been made aware of them, security breaches, have been infrequent in occurrence and their aggregate impact on our operations and expenses has not been material. While we have invested heavily in the protection of data and information technology, there can be no assurance that our efforts will prevent breakdowns or breaches in our systems that could adversely and materially affect our business.

• Reliance on third-party relationships and outsourcing arrangements could adversely affect our business. We utilise third parties, including suppliers, alliances with other pharmaceutical and biotechnology companies, and third-party service providers, for selected aspects of product development, the manufacture and commercialisation of certain products, support for information technology systems, and certain financial transactional processes. Failure of these third parties to meet their contractual, regulatory, or other obligations to us could adversely affect our business.

Page 7: Cyber Exposure Trends: Changing Cost of an Average Data Breach

Year   Average Total Organisational Cost (Millions USD)   Average Cost Per Capita (USD)
2005   $4.54                                              $138
2006   $4.79                                              $182
2007   $6.36                                              $197
2008   $6.66                                              $202
2009   $6.75                                              $204
2010   $7.24                                              $214
2011   $5.50                                              $194
2012   $5.40                                              $188

• A portion of the “cost” in this study = abnormal churn post-breach = uninsurable in Cyber policies

• Study excludes data breaches in excess of 100,000 records

• The percentage of malicious attacks grew from 12% in 2008 to 41% in 2012

Source: Ponemon 2013 Cost Of A Data Breach Study

Page 8: Cyber Exposure Trends: Break Down of Data Breach Expenses

All values in USD (averages)

                         2011 Findings          2012 Findings          2013 Findings
                         (117 Claims Studied)   (137 Claims Studied)   (140 Claims Studied)
# of Records Exposed     1.7 Million            1.4 Million            2.3 Million
Cost Per Claim           $2,400,000             $3,700,000             $3,500,000
Legal Defense            $500,000               $600,000               $574,984
Legal Settlement         $1,000,000             $2,100,000             $258,099
Crisis Services          $800,000               $1,000,000             $737,473
  • Forensics            $170,000               $341,000               $104,740
  • Notification         $201,000               $180,000               $126,703
  • Call Centre          $15,000                $50,000                (not broken out)
  • Credit Monitoring    $253,000               $345,000               $55,865
  • Legal Counsel        $242,000               $66,000                $29,225

Source: NetDiligence Annual Cyber Liability & Data Breach Insurance Claims: A Study of Actual Claim Payouts

[Chart: Total Claim Payouts by Type of Cost: Regulatory Fines, Crisis Services, Legal Defence, Legal Settlement, PCI Fines]

Page 9: Cyber Risk Mitigation: Sustainability Risk Management

[Diagram: Risk Management at the centre, connected to Senior Management, Information Security, Broker / Insurer and Law Department]

• Understand the top risks to your company and communicate to management the risks that are and are not insurable. If not insurable, then identify alternative options.

• Know and meet regularly with your Information Security / IT Team. Understand incidents or “near misses”.

• Understand your contracts with your customers and vendors. What risks are your company assuming? What insurance are you required to maintain?

• Review your risks with your insurance broker and insurer continually. Insurance coverage is negotiable.

Page 10: Cyber Risk Mitigation

• Comprehensive Enterprise-wide Cyber Risk Mitigation Programme: Needs Management Support

• IT Security & Use policies are important, BUT IT IS MORE THAN AN IT ISSUE

• Engage inter-departmental coordination and cooperation

  – CPO, CIO, CISO, IT Security
  – Legal
  – Risk Management
  – Finance/Treasury
  – Human Resources
  – Compliance/Internal Audit

• Education on Legal Exposures: train & monitor employees & third parties

• Ensure Compliance with Organisation’s Privacy Policy regarding 3rd party Personally Identifiable Information

• Data Breach Management Policy – continuously update incident response plan

• Third Party Exposures

  – Vendor/Supplier Management
  – Contractual Considerations
  – Vendor/Supplier Audits

Integrate Vendor Management Process with Business Owners

Page 11: Cyber Risk Mitigation: 10 Sample Questions to Ask Your IT Expert

Question 1: Do you have an Information Security Policy?
Service: Most will say yes. If no, it would suggest a lack of awareness of the issues, and the organisation would therefore be unlikely to be ready for the product.

Question 2: Is it based on any Information Security Standard?
Service: The ideal answer would be ISO 27002, as this is well understood and recognised by the market.

Question 3: What is the Governance Structure for managing IS Risk & Controls?
Service: Presence of a structure is an indicator of a mature organisation that understands and is looking to manage the risks.

Question 4: How do you maintain assurance of your internal IT controls?
Service: If there is an indication that a robust regime is in place, a free scan should be positioned as additional assurance. No evidence is an opportunity for a free scan, but may also indicate a high risk.

Question 5: Do you use third party suppliers?
Service: Need for the product is increased if yes; need to find out the scope of services. If critical, the need for cyber risk transfer is increased.

Question 6: Do you obtain assurance of their Data/Security Controls?
Service: The ideal answer is yes, via a recognised method, e.g. SSAE 16/SAS 70 or another auditing standard. These will be readily accepted as evidence.

Question 7: What is your approach to the management of mobile devices?
Service: Every client will have this issue; laptop and device encryption are key controls. Lack of an informed response is not a good indicator.

Question 8: What are your key controls to determine if you are being subjected to a cyber attack?
Service: This provides an insight into the monitoring capability of the organisation. Most have poor levels of control unless they have outsourced a service.

Question 9: Do you have a Cyber response team or plan?
Service: Key area for extra service sales. Most do not, and failure to respond quickly enough drives up the final incident cost.

Question 10: Have you ever needed to complete a forensic examination of your IT equipment?
Service: As above; often key evidence is destroyed through lack of awareness.

Page 12: The Case for Risk Management

Factors that decrease breach cost:

• Have an incident response plan: -$42
• Have a strong security posture: -$34
• Appoint a Chief Information Security Officer: -$53
• Outside consultant to contain/resolve breach: -$13

Factors that increase breach cost:

• Trust third party vendors with data without protections: +$43
• Notify customers ASAP: +$37
• Lose a laptop (or other device): +$10

Source: Ponemon 2013 Cost of a Data Breach Study

Page 13: Risk Mitigation: Cyber Risk Identification: Inventory All Vendors

• Risk Assessments

  – Identify, classify, qualify and quantify IT risks: prioritize (all vendors are not equal)

• Due Diligence and Selection of Service Providers

• Financial Condition

• Contract Provisions and Considerations

• Third-party reviews

• Third-party oversight

• Ongoing Monitoring requirements

• Business Continuity and Contingency Considerations

• Financial Statement Impact: Target Corporation = $200 MM+ damages

  • KT Mobile Data Breach 2014 and 2012
  • 130K customers of Citibank/Standard Chartered Seoul breached (Dec 2013)
  • MtGox faced 150,000 attacks per second before 2014 $500 MM breach
  • Korea Credit Bureau 20 MM customers/105 MM files breach (Jan 2014)
  • SK Communications operated social networking sites Nate and Cyworld / 35 million users’ personal information (July 2011)
  • Hyundai Capital 420,000 customer records stolen via hackers (April 2011)
  • SONY $280 MM+

Page 14: Gaps in Existing Coverage

[Coverage matrix: the per-cell markings (Coverage Provided / Coverage Possible / No Coverage) were not captured in this transcript]

Policy types (columns): Property, General Liability, Crime / Bond, Kidnap & Ransom, Errors & Omissions, Cyber / Data Protection

1st Party Privacy exposures (rows):

• Physical Damage to Data Only
• Virus / Hacker Damage to Data Only
• Denial of Service Attack
• BI Loss From Security Event
• Extortion Sabotage of Data Only
• Employee Sabotage of Data Only

3rd Party Privacy exposures (rows):

• Theft / Disclosure of Private Information
• Confidential Corporate Information Breach
• Technology E&O
• Media Liability (Electronic Content)
• Privacy Breach Expense / Notification
• Damage to 3rd Party Data Only
• Regulatory Privacy Defence / Fines
• Virus / Malicious Code Transmission

Legend: Coverage Provided / Coverage Possible / No Coverage

For discussion purposes only; policy language and facts of claims will require further analysis

Page 15: Cyber Insurance – Optimal Cyber Programme

[Diagram: factors feeding into the Optimal Programme]

• Insurable Risks
• Contractual Requirements
• Budget
• Risk Tolerance
• Maximum Probable Loss
• Peer Purchasing Data
• Scope of Coverage / Control
• Market Limitations

Page 16: Cyber Insurance – Purchasing Patterns

[Chart: Cyber Risk – Total Premiums by Industry, 2009–2013; vertical axis Millions USD, 0–10]

Financial Institutions have the largest amount of premium associated with cyber risks

Source: Aon Global Risk Insight Platform™

Page 17: Aon’s Cyber Risk Profiling Solutions

Exposure / Consequences matrix. Columns: Category, Source, Event Type, Internal Costs, External Costs, Revenue Loss, Brand / Reputation, Third Parties.

Category / Source: Commercial Sensitive – client data

Event Type: Inadvertent release by employee
  Internal Costs: n/a
  External Costs: Professional fees – lawyers; Media / advertising; Regulatory Fine (Rating – 1)
  Revenue Loss: Lost opportunity / competitive advantage (Rating – 2)
  Brand / Reputation: Competitive Positioning; Relationship (Rating – 2)
  Third Parties: n/a

Event Type: Disclosure to contractor / supplier subsequently breached via their systems
  Internal Costs: n/a
  External Costs: As above (Rating – 1)
  Revenue Loss: As above (Rating – 2)
  Brand / Reputation: As above (Rating – 2)
  Third Parties: n/a

Event Type: External hacker accessing data
  Internal Costs: Removal costs; Defence costs (Rating – 1)
  External Costs: As above (Rating – 1)
  Revenue Loss: As above (Rating – 2)
  Brand / Reputation: As above (Rating – 2)
  Third Parties: n/a

Category / Source: Commercially Sensitive – client data

Event Type: Inadvertent release by employee
  Internal Costs: Notification costs – customers / regulators (Rating – 1)
  External Costs: Professional fees – lawyers; Media / advertising; Regulatory Fine (Rating – 1)
  Revenue Loss: Lost opportunity / competitive advantage / loss of customer (Rating – 2)
  Brand / Reputation: Competitive Positioning; Relationship; Customer confidence (Rating – 2)
  Third Parties: Financial loss – cost / brand / revenue (Rating – 3)

Event Type: Disclosure to contractor / supplier subsequently breached via their systems
  Internal Costs: As above (Rating – 1)
  External Costs: As above (Rating – 1)
  Revenue Loss: As above (Rating – 2)
  Brand / Reputation: As above (Rating – 2)
  Third Parties: As above (Rating – 3)

Event Type: External hacker accessing data
  Internal Costs: As above, plus Removal costs; Defence costs (Rating – 1)
  External Costs: As above (Rating – 1)
  Revenue Loss: As above (Rating – 2)
  Brand / Reputation: As above (Rating – 2)
  Third Parties: As above (Rating – 3)

Page 18: Aon’s Cyber Risk Profiling Solutions (continued)

Page 20: Cyber & Data Privacy Risk Insurance

• Privacy and Security Liability: Any business that keeps sensitive data on customers or employees is liable for damages if that information is breached, regardless of the reason. If a breach happens and a third party sues, privacy and security liability insurance covers the business.

  ― Personal Data Liability
  ― Corporate Data Liability
  ― Outsourcing Liability
  ― Data Security Liability

• Data Administrative Procedures:

  ― Data Administrative Investigation
  ― Data Administrative Fines

• Data Breach Crisis Management: In the event of a data breach, a business needs to immediately hire a forensic team to find out what happened, plug the hole, and comply with federal and state notification requirements. Sub-limited coverage is available to address extortion threats for intentional computer attacks against the insured.

Page 21: Cyber & Data Privacy Risk Insurance (continued)

• Business Interruption or Data Loss: If a hacker breaks into a company’s computer network and launches a virus or denial of service attack, data and software may be damaged and the system may need to be shut down to make repairs. Cyber coverage covers online events that destroy intangible property such as data or software applications.

• Internet Media Liability: As more companies rely on their websites and social media to advertise to consumers or other businesses, they may want coverage to protect against possible libel, plagiarism, defamation and false

• Brand Restoration: Enables the business to restore brand value through appropriate and effective public relations and public affairs crisis management

• Cyber Extortion Liability: The insurer pays monies paid by an Insured to terminate or end a security threat that might otherwise result in harm to the Insured

Page 22: Cyber & Data Privacy Risk & Insurance / Resources

Aon Cyber Specialists

Aon Cyber Diagnostic Tool: https://www.aoncyberdiagnostic.com

Aon Asia Cyber Exposures & Solutions Report: http://view.aon.com/Korea_cyber_report_2014

Asia
Murray Wood, Head of Financial Specialties, Asia
Phone: +65-6645-0116
Email: [email protected]

Korea
Kevin (Kyoo Jung) Kim, Managing Director
Phone: +82-2-2260-2779
Email: [email protected]

Aon.com

Page 23

Aon Korea Inc., 20th Floor, Kukdong Bldg., 60-1, Chungmuro 3-ga, Jung-gu, Seoul, 100-705

www.aon.com

© Aon plc 2014. All rights reserved.

No part of this report may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.