DATA BREACH: hy you should care!

Transcription

1 DATA BREACH: hy you should care! Bob Gregg CEO 1

2 Overview Defining the cyber security and Data breach problem The threat source- surprising Potential business impact No one is immune Before/during & after a Data Breach strikes Cyber security insurance-the wild west! 2

3 Data Breaches are Big News 3.3 million victims 1 million victims 5 million victims 3

4 Data Breach Perfect Storm Hacker Sophistication Declining Economy Technology Advancement Increased Outsourcing Shrinking IT Budgets Realization of the Value of Data Government Regulations 4

5 Faces of Cybercrime 5 5

6 Cyber Threats 6

7 2011 Cyber Security Study Amazingly Found an inverse relationship between the amount spent to protect against cyber hacks and the loss of data! 7

8 The Threat Source Outside Intruder (Hacker) Well meaning insider Insider with mal-intent 3 rd party with your data 8

9 Data Breach Threat Sources (Not where you think?) PII Data Leakage Business with SENSITIVE PII DATA PII Data Leakage 9

10 Data Breaches in 2011 By the Numbers 855* 174,000,000* Estimated incidents (excluding healthcare) Number of affected individuals $33.7 billion** Estimated economic impact * Verizon 2012 Data Breach Investigations Report ** Derived from Ponemon Institute 2011 Cost of Data Breach Study, March

11 Data Breach Business Impact Average Cost $5.5 million Remediation Detection Reputation Damage Lost Business Shareholder Value Abnormal Churn Source: 2011 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC. 11

12 DATA BREACHES: No One is Immune Source: 2011 Annual Study: Cost of a Data Breach, Ponemon Institute, LLC. 12

13 Breach Management: Complete an Annual Risk Assessment Data Inventory Before a Breach Regulatory Assessment Technology Assessment Business Associate Assessment Consider the Reputational, Legal and Financial impacts of a breach Prepare a Data Breach Response Plan 13

14 Common Gaps Breach Management: Before a Breach Need to update Policies and Procedures, particularly for customer service personnel Need to update training and systems to monitor Need to improve technology Need to test your breach response plan Need to develop systems to systematically assess and document breach incidents 14

15 Breach Management: When a Breach Occurs Follow a prescribed approach, such as the ID Experts YourResponse Method (below) YourResponse Graphic and Method. Copyright ID Experts All Rights Reserved 15

16 Timely Notification Critical 16 16

17 Breach Management: During a Breach Determine what you know and don t know What are the facts of the incident? Who and how many involved? Privilege or not with forensics? Determine if the incident is a breach Analyze the facts What data? Was it exposed? Is there an exception (safe harbor) that applies? Is there a risk of harm? 17

18 Breach Management: During a Breach Pull out your plan and follow it Assemble the Incident Response Team (internal/external) Begin documenting your actions and why Put insurance carrier on notice 18

19 Breach Management: During a Breach Formulate a risk proportionate response What was the nature of the event Type of data lost Needs of breach population Sensitivity of organizational reputation Industry or stakeholder expectations Applicable laws and regulations Real and/or perceived risk of lawsuit 19

20 Breach Management: After a Breach Continue to manage the risk Monitor results of the response Monitor status of the affected group Take action to close existing gaps Assess your cyber liability coverage or the potential benefits of coverage Go after the root cause 20

21 Breach Management: After a Breach Be prepared for investigative inquiry Thoroughly document every decision Review/file most recent security/privacy risk assessment Maintain/file breach enrollment statistics and (if available) any identity theft cases 21

22 22 22

23 Cyber Liability Insurance- The Wild West

24 Public Relations Expenses Cyber Liability Policies: Crisis Management Consumer Notification Expenses Credit / Identity/Medical Monitoring / Restoration Investigative/Forensic Expenses Cyber Extortion Regulatory Claim Expenses Class Action Lawsuit Coverage 24

25 Cyber Liability Policies: Crisis Management Every Policy is Different What is/isn t covered? Watch for limits/sub-limits Flexibility in out-sourcing your response Covers the correct type of identity monitoring? Get references from someone who has had to use it. 25

26 Who is buying Cyber Liability Insurance? Financial Institutions Banks, Insurers, Investment, other financial services Technology Service providers Combining E&O / Cyber Healthcare MCOs, TPAs, hospitals, physicians, insurers Retail/Hospitality PII / privacy key issue Mfg/Wholesale/Distribution supply chain management Public Entities Data Availability vs. Privacy Universities Liability to alumni/endowment Media/TelCom Combining E&O and Cyber How Much Does It Cost?? 26

27 Summary Breaches are happening at an ever increasing rate The risk are growing rapidly, as is the cost No one is immune from this risk Execute your data breach plan When it comes to insurance, know exactly what is covered 27

28 Questions? Bob Gregg CEO ID Experts (800) www2.idexpertscorp.com 28