Lockton Companies: Privacy & Cyber Risk, The Changing Landscape (June 2015)


Page 1

Lockton Companies

Privacy & Cyber Risk

The Changing Landscape, June 2015

Page 2

Agenda

1. Introductions

2. How secure is your network? Carl Filpo (CM Technology Group)

3. A Risk Manager’s perspective: Andrew Wait (Lockton)

4. Insurable cyber and privacy protection: Michael Ussher (DUAL)

5. Q&A

Page 3

How secure is your network?

Carl Filpo, CM Technology Group


Pages 4 to 10 contain no slide text.

A Risk Manager’s Perspective

Andrew Wait, Lockton Companies Australia

Page 11

Who is Lockton?

Lockton Companies Australia Pty Ltd is a corporate insurance broker providing clients with the comfort and security of a major international broker, together with the highest levels of service and client centricity that come from the service team being local owners of the business.

Our Mining industry practice offers clients a unique level of service from a highly experienced team. Specialist products give peace of mind for mining project risks such as:

- A comprehensive package covering exploration activities
- Professional exposures associated with raising finance
- Physical loss or damage in the construction phase, including advance loss of profits
- Physical loss or damage during the operational phase, including business interruption
- Comprehensive Contractors Plant & Equipment, including business interruption
- Public and Environmental liability
- Directors’ and Officers’ liability
- Employee All Risks Protection, including Expatriate Medical & Evacuation, Personal Accident and Tropical Disease Death Cover, Kidnap & Ransom
- Workers Compensation
- Aviation
- Cargo and Marine exposures, including Protection and Indemnity
- Political Risk, Terrorism, Riots, Strikes, Civil Commotion and Malicious Damage
- Bonding and Reclamation
- Cyber and Privacy Protection

Page 12

Beyond the Media Headlines

- Whitehaven Coal hoax wipes $300m off market value in minutes (Jan 2013)
- WestNet cyber attack could lead to 30,000 personal records stolen (Jun 2015). Potential cost estimate $4.35m.
- Bundestag (May 2015) & Stuxnet (Jun 2010) proved cyber viruses can lead to physical hardware damage and service interruption

Divided opinions of the real exposure: reality is very different

Page 13

2014: a year of far-reaching changes.

Recognised trends:

- Attackers are moving faster but defenses are not (e.g. zero-day vulnerabilities & watering holes).
- Malware used in mass attacks increases and quickly adapts.
- Digital extortion is on the rise (e.g. ransomware & CryptoLocker).
- Attackers leverage social networks and apps to find vulnerabilities.

(Source: Symantec, ISTR 20, April 2015)

The Only Constant is Change

“There are two types of companies, those who’ve been hacked and those who don’t know they’ve been hacked.” John Chambers, CEO, Cisco

Page 14

WARNING: gratuitous facts to follow …

Globally in 2014:

- 17% of all Android apps (more than 1 million) were actually malware in disguise.
- 1,000,000 new pieces of malware were released each day.
- 76% of scanned websites had vulnerabilities, 20% of which were critical.
- 496,657 web attacks were blocked per day.
- 60% of attacks were directed against small and medium-sized companies.

(Source: Symantec, ISTR 20, April 2015)

Page 15

By the Numbers

Australia in 2014:

- Average cost of a breach is $2.8m.
- 5 million Australians affected.
- Cost of $1.06 billion (what is the indirect cost?).
- Probability of a >10,000 personal record breach in the next 24 months is 18%; the chance of a fire is 0.5%.
- Average cost of a stolen laptop is $49,000, rising to $115,000 if undiscovered for more than a week.

(Source: Ponemon Institute, 2014 Cost of Data Breach Study: Australia, May 2014)

Page 16

By the Numbers

Employee breaches are the leading cause but receive the least attention. 59% of incidents in 2013 were from internal employees.

Focusing on the causes …

(Source: Symantec, ISTR 20, April 2015)

Page 17

Targeted Attacks

Ratio of Spear Phishing Email Attacks by Industry

Spear phishing targets individuals or companies to steal information for sale.

The mining industry is the most targeted, with 44% (1 in 2.3) of companies affected.

African countries are often identified as both sources and targets, due to lower awareness and security and the ability to make larger amounts of money (Angola and Mozambique named).

(Source: Symantec, ISTR 20, April 2015)

Page 18

Security Breach

Understand the key risk drivers and consequences

3 Root Causes:

1. Failure of Internal Processes: accidental act of an employee
2. Malicious Insider Threat: acts of a disgruntled employee
3. Unauthorised Access (Cyber Attack): malicious internal or external threat

3 Potential Outcomes:

LEVEL 1: Damage to Digital Assets (software & data) - First Party Loss
LEVEL 2: Network Interruption (BI) (system outage) - First Party Loss
LEVEL 3: Privacy Breach - Stolen Data - First Party Loss and Third Party Liabilities

Page 19

Cyber Resilience

Cyber Resilience is the ability to prepare for, respond to, operate during and recover from an incident.

- The NIST Framework provides a process to build resilience.
- A risk-based methodology is applied proportionately to the business context.
- The outer ring of the framework diagram highlights the need to focus on external interactions and sources.
- The inner process of governance defines the process for building resilience.

(Source: ASIC Report 429, Cyber Resilience, Mar 2015)

“building resistance is the key as prevention is now impossible!”

Page 20

Practical Examples of Risk Control

Establish clear security standards. Areas of concern may include:

- file encryption
- password requirements & sharing
- hardware testing & installation
- hardware access ports
- software installation & updates
- data records management
- removable media
- credit card compliance (PCI DSS)
- Wi-Fi access & travelling
- mobile devices (personal use/company)

“building resistance is the key as prevention is now impossible!”

Page 21

Practical Examples of Risk Control

- Backup and restoration, reliable hardware usage and offsite storage (DRP)
- Monitor network incursion attempts and vulnerabilities
- Standards for internet access, social media, email, downloading/streaming
- Data breach response plans linked to BCPs & media communication plans
- Incident handling and response procedures
- Vendor assessments and relationship management
- Power supply controls
- Employee training, positive behaviour and culture development

“building resistance is the key as prevention is now impossible!”

Page 22

Privacy

Cyber is the primary mechanism for privacy breach.

Australian Privacy Principles (personally identifiable and sensitive information):

APP 11: security of personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

The Federal government is introducing a mandatory notification scheme for late 2015.

Need to consider:

1) the sensitivity;
2) the potential harm to individuals & organisations; and
3) how the company stores, processes and transmits personal information.

Page 23

What questions should you be asking yourself?

Develop a clear risk profile to build the best response plan

1. What types of data do you hold?
2. Where is this data stored?
3. Who has access to it?
4. What security is in place to protect it?
5. How will your business operate if you cannot access your data?
6. What steps are in place to restore lost data?
7. Does the continuity plan address cyber threat and data recovery?
8. What is the exposure? (financial, operational, legal & reputational)
9. How can you mitigate the impact? (financially, contractually & operationally)

Page 24

Who’s at risk?

In a nutshell, everyone!!

If the business …

1. has a key activity dependency on computer systems; e.g. electronic billing systems, documentation issuance (e.g. engineering reports), inventory management, remote control systems for mobile plant;
2. has a mobile workforce with laptops, tablets and phones storing sensitive data;
3. has a critical supplier dependency with computer-based systems;
4. collects, stores and transacts with customer credit card information;
5. collects, stores and uses personally identifiable information;
6. uses internet connections and especially cloud computing systems.

Page 25

Take-aways

4 Key Messages:

1. What matters most to your business (identify the exposure)?
2. Understand the threat and exposure (assess the risks).
3. Create an enduring framework (embed the processes).
4. Incident planning and preparation (prepare for the worst).

USEFUL RESOURCES:

1. Symantec, Internet Security Threat Report (ISTR 20), April 2015
2. ASIC Report 429, Cyber Resilience: Health Check, March 2015
3. Office of the Australian Information Commissioner, Data Breach Notification Guide, August 2014
4. Office of the Australian Information Commissioner, Privacy Regulatory Action Policy, March 2014
5. LMI Group, Cyber Security and Insurance, 2014

Page 26

Insurable Risks

Cyber Liability & Privacy Protection

Michael Ussher, DUAL Australia

Page 27

Agenda

o The opportunity
o 3 simple reasons to buy
o Everyone has an exposure
o What’s covered
o Scary Facts
o Claims Scenarios
o Cyber Offer

http://www.youtube.com/watch?v=jSpvmMrCkAo

Page 28

Cyber: The Opportunity

o $2bn market in the USA (was $800m in 2012)
o The opportunity in Australia
o New product = new revenue
o <1% take-up
o Every client has an exposure!!

Page 29

3 Simple Reasons to Buy

1. New Privacy Act: fines & penalties up to $1.7M for a company, $340k for individuals
2. Miami Gold Coast Medical Centre: Russian hackers
3. Lost iPad/laptop: we’ve all done it!

Page 30

What is insurable on a Cyber Policy?

Security Breach … A Risk Manager’s Perspective

3 Root Causes:

1. Failure of Internal Processes: accidental act of an employee
2. Malicious Insider Threat: acts of a disgruntled employee
3. Unauthorised Access (Cyber Attack): malicious internal or external threat

3 Potential Outcomes, with the insurable costs under each:

LEVEL 1: Damage to Digital Assets (software & data) - First Party Loss
- Data Restoration (internal & external costs)
- Software Restoration (purchase of new licenses)
- Crisis Management (internal & external costs)
- Forensic Costs
- Network Security Restoration

LEVEL 2: Network Interruption (BI) (system outage) - First Party Loss
- Gross Profits
- Crisis Management (internal & external costs)
- Forensic Costs

LEVEL 3: Privacy Breach - Stolen Data - First Party Loss and Third Party Liabilities
- Private Data Liability / Regulations
- Media Content Liability
- Crisis Management (internal & external costs)
- Forensic Costs
- Defence Costs
- Notification Costs
- Credit Monitoring
- PCI DSS Liability
- Contractual obligations
- Cyber Extortion Costs

Page 31

Security Breach … A Risk Manager’s Perspective

3 Root Causes:

1. Failure of Internal Processes: accidental act of an employee
2. Malicious Insider Threat: acts of a disgruntled employee
3. Unauthorised Access (Cyber Attack): malicious internal or external threat

3 Potential Outcomes:

LEVEL 1: Damage to Digital Assets (software & data) - First Party Loss
LEVEL 2: Network Interruption (BI) (system outage) - First Party Loss
LEVEL 3: Privacy Breach - Stolen Data - First Party Loss and Third Party Liabilities

Other insurance responses:

- Tangible Property - ISR COVER
- Personal Injury or Death - WC COVER
- Arising from employment practices - EML COVER
- Arising from a claim against a Director or Officer - D&O COVER
- Hardware failure from manufacturer fault - NO COVER
- Arising from a betterment of the system - NO COVER
- Violation of sanctions or fraudulent acts - NO COVER
- Arising out of disruption from utility, telecommunications, satellites or external services not under the direct control of the Insured - 3RD PARTY RECOVERY

Page 32

Everyone Has an Exposure

Not “online” = no risk
Electronic files / records: every business uses a computer or network.

Only big businesses at risk
SMEs are easy targets; they lack the security measures of larger businesses.

Simple mistakes
Ever left your company phone, memory stick or laptop out at a bar or in a cab?

Unanticipated breaches
Did you know photocopiers contain a chip that records scanned and printed data?

Page 33

What’s Covered: Third Party Claims

o Includes cover for:
- Claims for compensation
- Investigations
- Fines & Penalties (New Privacy Act)
- Defence Costs
- Legal Representation Expenses

o Common claim:
You lose your iPad containing confidential client information. The client sues you for breach of privacy, and the Privacy Commissioner launches an investigation and issues a fine.

Page 34

What’s Covered: First Party Cover

o The Insured’s own costs, including:
- Credit Monitoring Costs
- Cyber Extortion Costs
- Data Restoration Costs
- Forensic Consultant Costs
- Notification Costs
- Public Relations Costs
- Legal Representation Expenses

o Common claim:
Your systems are hacked and client credit card data is stolen. We will pay:
- Reimbursement of ransom payment to a hacker
- Costs to notify all affected clients, and monitor their credit cards
- Costs to repair your systems

Page 35

What’s Covered: Business Interruption

o Reimbursement for lost profits, and
o Necessary expenses to maintain business operations

Common claim:

o An online retailer’s systems are hacked and the business is unable to trade. We will cover:
- Lost profits from the interruption
- Additional expenses, such as additional call centre staff to handle telephone enquiries from clients trying to buy online

Page 36

Stand Alone v. Policy Extension

Page 37

Scary Facts

o $2.8m average cost of a Data Breach (Ponemon Institute Report 2014)
o 56% of Australian businesses experienced Cyber Crime in 2013 (CERT survey)
o 48% increase in reported Cyber Security incidents (2013 PwC information security survey)
o 59% of businesses were unaware of the Privacy Act changes (McAfee Survey)
o $145 average cost of each lost or stolen record (Ponemon Institute Report 2014)

Page 38

Privacy Legislation

The new Privacy Act: what’s changed?

A new set of privacy principles that covers the handling of personal information by businesses has been introduced.

Enhanced powers for the Privacy Commissioner:

- More power to conduct compliance audits of private organisations;
- Can apply to the Federal Court or Federal Magistrates Court to compel an entity to comply with an undertaking or to pay compensation for breach of undertakings;
- New civil penalties of up to $340,000 for individuals and $1.7 million for companies.

Page 39

The Privacy Commissioner

Since then…

Privacy breach: Medical records kept in garden shed (Tuesday, 15 July 2014)

The Australian Privacy Commissioner, Timothy Pilgrim, has found a medical centre in Melbourne in breach of the Privacy Act 1988 by failing to take reasonable steps to secure sensitive medical records.

Privacy breach: 254,000 Australian online dating profiles hacked (Wednesday, 25 June 2014)

The Australian Privacy Commissioner, Timothy Pilgrim, has found that Cupid Media Pty Ltd (Cupid) breached the Privacy Act 1988 by failing to take reasonable steps to secure the personal information held on its dating websites.

Page 40

Claims Scenario: Charity

Profile: $18M turnover / 80 staff

Background:
The Insured was targeted with a denial of service (DoS) attack in the last few days of a fundraising campaign. Donors were unable to make donations for a day while the website was down.

What’s a DoS attack?
A hacker floods a targeted system with incoming web traffic until it is virtually crippled.

Outcome:
$1,500,000 paid
- Lost donations
- Rectifying damage to website

Page 41

Claims Scenario: Online Retailer

Profile: $5M turnover / 15 staff

Background:
The Insured’s website was defaced and included a link to a competing retailer’s website, after hackers gained access to personal information of their customers and took over their website.

Outcome:
$800,000 paid
- Loss of income
- Costs to repair website
- Defence costs for regulatory actions by the Privacy Commissioner
- Cost of notifying the affected individuals & credit monitoring services

Page 42

Claims Scenario: Law Firm

Profile: $2M turnover / 8 staff

Background:
Server and client records were locked by ransomware. The Insured was only able to get the files released after paying a ransom of $50,000 to the hackers.

Outcome:
$150,000 paid
- Loss of income
- Ransom demand & consultants’ costs to handle & negotiate the ransom
- Costs to restore the network, as the hackers refused to release the files despite the ransom payment

Page 43


Questions

Page 44

Our Mission

To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management

Our Goal

To be the best place to do business and to work

www.lockton.com

© 2014 Lockton, Inc. All rights reserved.

Images © 2014 Thinkstock. All rights reserved.