GRC/Cyber Insurance. February 18, Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London. Join the conversation: #ISSAWebConf

Transcription

1 GRC/Cyber Insurance February 18, 2014 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London Join the conversation: 1

2 Generously sponsored by: 2

3 Welcome Conference Moderator Allan Wall ISSA Web Conference Committee, Session Moderator 3

4 Agenda Speakers JD Sherry Vice President, Technology and Solutions, Trend Micro, Inc. Michael Schmitt Assistant Vice President, Lockton Companies Simon Milner Partner, Financial Risks, JLTS Open Panel with Audience Q&A Closing Remarks 4

5 GRC/Cyber Insurance JD Sherry VP, Technology & Solutions Trend Micro, 5

6 70 6 6

7 Offense Informs Defense: Stages of Attack 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. C&C 6. Lateral Movement 7. Exfiltration 8. Maintenance 7

8 Today s Attacks: Social, Sophisticated, Stealthy! Gathers intelligence about organization and individuals Extracts data of interest can go undetected for months! Attackers $$$$ Targets individuals or public assets Establishes link to Command & Control server Moves laterally across network seeking valuable data 8 Employees/Assets Copyright 2014 Trend Micro Inc.

9 Enable a Complete Lifecycle Detect malware, communications and behavior invisible to standard defenses Analyze the risk and characteristics of the attack and attacker Adapt security automatically (IP black lists, custom signatures ) Respond using the insight needed to respond to your specific attackers Network-wide Detection Custom Sandboxes Threat Intelligence Advanced Threat Analysis Automated Security Updates Threat Services Custom Defense Threat intel Security 9 Copyright 2014 Trend Micro Inc. Network Admin

10 Incident Response Fundamentals Create & empower an incident response team Who are your 24/7 First Responders? Develop vendor and law enforcement relationships Create & document a plan-preferably manage it via SaaS Create a notification tree Create communication templates & scripts Develop on-call resources & remedies Employee training Regulatory & legal review Ongoing review Purchase cyber/data breach insurance 10

11 Risk Management-Prior to Applying Conduct a Risk Assessment Identify the types of data your business collects Are you collecting sensitive data? Are you encrypting data at rest or in motion? Learn what types of threats your business may be vulnerable to and the risk levels of your data Take proactive steps to secure your data and manage and mitigate risks 11

12 Question and Answer JD Sherry VP, Technology & Solutions Trend Micro, 27 12

13 Cyber Security/Cyber Liability/ Data Privacy: Insurance Option Michael Schmitt Assistant Vice President Lockton Companies 13

14 Motivation to Buy: Notification Requirements State Notification Laws Notification Costs IT Forensics Legal Guidance (Breach Coach) Credit / ID Monitoring HIPAA Notification Requirement 14

15 Motivation to Buy: Legal Trends Claridge v. RockYou, Inc., 785 F. Supp. 2d. 855 (N.D. Cal. 2011) Amnesty Int l USA v. Clapper, 638 F.3d 118 (2 nd Cir. 2011) Harris v. comscore, Inc., No. 11-C-5807 (N.D.Ill., Apr. 2, 2013) Low v LinkedIn, Corp., No. 11-CV LHK 2012 WL (N.D. Cal. July 12, 2012) Resnick v. AvMed, Inc., 693 F.3d 1317 (11 th Cir. 2012) 15

16 Motivation to Buy: Contractually Required CONTRACTUAL REQUIREMENTS Standard contract clause Limits Indemnification Length of Coverage 16

17 Coverage Features Definition of Privacy Injury Unauthorized Collection Violation of Own Privacy Policy Unfair Competition, Deceptive Trade, Consumer Fraud Contractual Coverage Vicarious Liability Regulatory Coverage Retroactive Date (first time buyers) 17

18 Developing Issues National Institute of Standards and Technology Cybersecurity Framework SEC Guidance Disclosure re: Cybersecurity Risks & Cyber Incidents 18

19 Question and Answer Michael Schmitt EVP Engineering and Products ThreatTrack Security Inc 27 19

20 Cyber Risks JLTS 2014 Simon Milner Partner Financial Risks JLTS 20

21 Cyber Risk JLTS 2014 Simon Milner Partner Financial Risks 21 Distinctive. Choice.

22 What coverage is available from Specialist Cyber Insurers? First Party Loss of Electronic Data & Software Resultant loss of business income Cyber Extortion Reputational Harm Brand Protection expenses Computer crime (including theft of intellectual property) Cyber terrorism Caused by: Virus, worms, logic bombs and Trojan Horses Unauthorised access to the computer system Unauthorised use when authorised access is permitted Seizure, destruction or damage to the computer system Denial of service attack Accidental damage Data entry or malfunction Ongoing maintenance Errors in software Theft of Intellectual Property 22

23 What coverage is available from Specialist Cyber Insurers? Third Party Professional Services (including miscellaneous services) Technology Professional services Multimedia Liability Security Liability Breach of Privacy including breach of privacy regulations Downstream virus Denial of access Causing: Unintentional breach of contract Defamation, product disparagement Libel and Slander Plagiarism Invasion of privacy Infringement of copyright and other Intellectual Property) Caused by: Failure to prevent unauthorised access Failure to allow authorised access Negligence Failure to prevent physical theft of hardware Theft of data including employee or customer data Unintentional breach of contract Failure to prevent transmission of virus to a third party network Breach of privacy regulations 23

24 Privacy Risks? Notification expenses Credit file monitoring expenses Forensic costs Public Relations costs Call Centre costs Legal cost (to defend a claim brought by a third party) Privacy Regulatory Legal Defence Privacy Regulatory Fines and Penalties 24

25 Can traditional Insurance protect you? No! (except Professional Indemnity) Damage to data is not physical damage and therefore not covered by property insurance Commercial crime money, property and securities General Liability / Public and Products requires BI/PD Professional Indemnity affords some cover 25

26 Who are the Lloyd s insurers in London? Ace Aegis ANV Ascent Aspen Barbican Beazley Brit Chubb Clickforcover (coverholder) Hiscox Navigators (Millennium coverholder) Novae Principia (coverholder) 26

27 Who are the non- Lloyd s insurers in London? AIG Allianz C N A Liberty QBE Swiss Re XL Zurich 27

28 Question and Answer Simon Milner Partner Financial Risks JLTS 28

29 Open Panel with Audience Q&A JD Sherry Vice President, Technology and Solutions, Trend Micro, Inc. Michael Schmitt Assistant Vice President, Lockton Companies Simon Milner Partner, Financial Risks, JLTS 29

30 Closing Remarks Thank you to our Sponsor Thank you to Citrix for donating this Webcast service Online Meetings Made Easy 30

31 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link: Web-Conference-GRC-Cyber-Insurance-February