CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

Transcription

1 CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

2 How can you better prepare and respond to cyber risks? ACE developed Loss Mitigation Services to help policyholders understand and gauge various areas of cyber and privacy exposures that are relevant to your business. Loss Mitigation Services can help your organization reduce the likelihood and impact of a cyber or data privacy incident, including early detection and remediation of cyber exposures. These services were developed based on ACE s claims experience, in-house cyber security expertise and strategic partnerships with industryleading cyber security firms. Loss Mitigation Services are part of ACE s three-prong approach to a comprehensive cyber risk management program with incident response and risk transfer completing the program. Since many companies struggle with organizing cyber risk exposures, ACE structured Loss Mitigation Services into three mitigation strategies to help you choose the right services for your organization: CORE The Fundamentals of Securing and Protecting Your Networks And Information Information Governance: Know where and what data to protect Cyber Readiness: Compare your company against security standards Incident Response: Evaluate your incident response plan and capabilities TACTICAL More Targeted Services to Address Your Specific Industry or Risk Profile Business Impact Calculation: Determine how much outages actually cost PCI Compliance Assessment: Comply with credit card security requirements HIPAA Compliance Assessment: Comply with U.S. healthcare regulations CULTURAL Services that Impact the Enterprise Creating a Cyber and Data Privacy Awareness Culture Security Awareness: Elevate employee awareness for protecting information Cyber Threat Blueprint: Gain new insight on current cyber threats Security Performance: Ongoing security ratings of your company Vendor Management: Determine contractual privacy and security exposures 2

3 How can you take advantage of Loss Mitigation Services? It all starts with the ACE Cyber Experience ( where policyholders have access to white papers, webinars, articles and other information to better understand the changing cyber and data privacy threat environment. Policyholders can take loss mitigation to the next level through independent assessments and security solutions delivered by leading industry experts. Further, to make these services available to policyholders of all sizes, industries and program maturity, Loss Mitigation Services have been structured to be scalable to fit your needs: Complimentary Self-Assessments This level of service was developed for risk managers that are interested in learning the basics of cyber risk management for any industry segment, smaller organizations, and those organizations that are just getting started in assessing their cyber risk posture. Fixed Rate of Service For those organizations seeking an independent assessment to better identify their cyber and privacy related exposures, ACE has worked with each independent vendor to structure a flat $3,000 loss mitigation service. Comprehensive Solution Services can be scaled to meet the specific requirements of organizations requiring additional mitigation services. These custom solutions are built upon in-depth analysis and are available for all industries. 3

4 Core Loss Mitigation Services Core services are designed to address the fundamentals of securing and protecting your information. Organizations of all sizes, industries and geograpies will benefit from these services. Information Governance Know where and what data to protect A consultative service to help identify the privacy and protection considerations related to your organization s information, which guides how it should be managed from creation to deletion. All companies handle sensitive data to varying degrees, ranging from social security numbers to trade secrets and company confidential information. This offering is tailored to what your company does and your relative risk profile. The resulting report will provide a high-level summary of your information governance risks and opportunities, accompanied by prioritized recommendations to reduce your risk and protect your brand. Huron Consulting Group: Cyber Readiness Compare your company against security standards A 360 degree enterprise view of your organization s cyber security posture based upon how your company compares against cyber security standards in your industry. All companies can benefit from this service. It is beneficial for companies to benchmark themselves against the latest security standards. The resulting assessment report shows possible risk areas (weak spots) and ways to align closer to standards for protecting information. Individual suggestions and/or recommendations for improvement will be offered in cases where specific potential/ confirmed gaps are identified. NetDiligence: Incident Response Evaluate your incident response plan and capabilities An expert review of your Incident Response Plan, accompanied by recommendations on how to improve the plan and your ability to respond quickly to minimize the impact of an incident. All companies benefit from this service. Data shows that the ability to respond quickly can significantly reduce the overall financial and reputational impact if an incident occurs. It is more effective to identify and address gaps in incident response processes before an actual incident occurs. Proper response can minimize the impact an incident has on your business operations and sensitive data. 4 Fidelis Cybersecurity:

5 Tactical Loss Mitigation Services Tactical Loss Mitigation Services are more targeted than Core Loss Mitigation Services. These services are designed to address your specific risk profile. For example, these services are focused on industries with specific data privacy and regulatory responsibilities, such as retail, healthcare, and financial services. Business Impact Calculation Determine how much outages actually cost Model the probability of a business interruption caused by a cyber-attack to determine the estimated financial cost to your business. Companies with a significant online presence and/or online processes, such as retailers, payment processors, and cloud service providers. Determining the potential causes, effects and remedies, of business interruption events will help you sustain needed business functions and maintain your customer base. Navigant: PCI Compliance Assessment Comply with credit card security requirements A baseline assessment of your company s alignment with the compliance requirements of the Payment Card Industry Data Security Standard (PCI-DSS). Any business that accepts credit card payments from the major card brands. The report will identify major compliance gaps with PCI-DSS and what steps you need to take to obtain or maintain compliance with this standard. McGladrey: HIPAA Compliance Assessment Comply with U.S. healthcare regulations A baseline assessment of your company s alignment with the compliance requirements of the Healthcare Insurance Portability and Accountability Act (HIPAA). All companies that create, receive, maintain or transmit information that relates to physical or mental health, payment for health care, or identifying individual information. The report will identify major compliance gaps with HIPAA and what steps you need to take to obtain or maintain compliance with this regulation. Trustwave: 5

6 Cultural Loss Mitigation Services Implement cultural services designed to create a cyber-aware workforce both within your organization and with your third party vendors. Security Awareness Elevate employee awareness for protecting information A simulated attack (i.e., phishing) is sent to a target subset of employees to see which employees click on the link. Online training is then provided for those who fail the simulation. All companies can benefit from this service. It is critical to ensure that a company s workforce can identify and respond accordingly to the most common types of cyber-attacks. Individual behaviors are changed due to the interactive and engaging learning experience so employees are better prepared if a real phishing attack should occur. Wombat Security: Cyber Threat Blueprint Gain new insight on current cyber threats A customized technical seminar, personal meeting and assessment report for information security and technology professionals within your company based on the latest threat intelligence. Information security and technology specialists can leverage the assessment report to engage with industry leaders on specific threats related to their company. The seminar and report on threat intelligence will help information security and technology specialists develop better defense strategies against threat actors. FireEye: 6

7 Security Ratings for Data-Driven Risk Management Evaluate the security performance of any company Security ratings that provide continuous cyber security performance measurements of your company and up to three of your peer and/or third party vendors. Data is gathered from publicly accessible sources and no information is needed from the rated companies. All companies can benefit from this service. Having access to quantitative, objective metrics indicating how well the businesses of most interest to them are defending themselves against cyber threats and attacks can be beneficial to any company. A continuous monitoring solution for you and your vendors allows you to identify potential security issues throughout the duration of the relationship. It also provides insights to inform you of risks before entering into agreements and sharing your information. BitSight Technologies: Vendor Management Validate your contracts and address privacy and information security exposures Independent legal analysis and report of up to three agreements on how well they address basic privacy policy and information security exposures. All companies, but especially those dealing with outside vendors for technology services (e.g. cloud applications, web hosting, and external IT services). Having an ongoing monitoring solution for you and your vendors allows you to identify potential security issues before entering into agreements and sharing your information. Lewis Brisbois: 7

8 This brochure is intended as general information only. Loss Mitigation Services are designed to help policyholders assess and improve the risks we insure. While we believe the information we provide or facilitate is gathered from reliable sources, we make no guaranty that losses will be fewer or less severe. We also assume no responsibility to implement any resulting recommendations. Any loss mitigation inspection, assessment or audit purchased by a policyholder, and any report or recommendation resulting therefrom, will not constitute an undertaking at the behest of or for the benefit of ACE. All services may not be available in all jurisdictions. Product highlights are summaries only. Please see the actual policy for terms and conditions. Products may not be available in all locations, and remain subject to ACE Group s underwriting criteria. ACE USA is the U.S.-based retail operating division of ACE Group. ACE Group is a global leader in insurance and reinsurance, serving a diverse group of clients. Headed by ACE Limited (NYSE: ACE), a component of the S&P 500 stock index, ACE Group conducts its business on a worldwide basis, with operating subsidiaries in 54 countries. Additional information can be found at ACE /2015