Cyber Liability Insurance

Transcription

1 Cyber Liability Insurance John Buck Cyber Liability Specialist RP Ryan Insurance Inc N 40 th St. Suite 102 Phoenix, AZ Office: Cell: jbuck@rpryan.com

2 Cyber Liability What is Cyber Liability? Addresses the first- and third- party risks associated with the generation, storage or transmittal of digital information containing personally identifiable information (PII) or personal health records (PHI) as protected by various laws and regulations Does not cover Intellectual Property, Trademarks, Copyrights etc. that do not contain personal data protected by laws and regulations

3 What is Cyber Liability Insurance? (AKA Data Breach Insurance) Cyber Liability Insurance covers financial obligations due to the loss or theft of personal information from a first party information system Does not have to be the fault of the organization that the data is stolen from Can include fines and penalties assessed by government agencies Can include coverage for lawsuits brought by customers, clients, patients, employees, financial institutions and stockholders who are financially impacted by the breach of sensitive data

4 What Types of Companies Need Cyber Liability Insurance the Most? Health care providers Doctor office, Dentist office, Outpatient Clinics, Hospitals, Labs all generating and storing Personal Health Care Data protected by law

5 What Types of Companies Need Cyber Liability Insurance the Most? Retail Stores Stolen credit card numbers are the number one risk for retail stores One stolen credit card number can be sold and made into thousands of duplicate cards often sold on the Internet for as little as $5 each FBI, Banks and Merchant service providers have the software to trace stolen credit cards back to the source, thus holding the store liable

6 What Types of Companies Need Cyber Liability Insurance the Most? Telecommunications Service Providers Local and long-distance phone companies Internet service providers Cable and satellite television service providers Manufacturers Equipment used by service providers Some consumer devices Components

7 What Types of Companies Need Cyber Liability Insurance the Most? Software Prepackaged software Custom software Information Technology Services Consulting Programming services Data services (hosting, aggregation, etc.)

8 Types of cyber attacks that can lead to cyber breach penalties and lawsuits for your company POS System Attacks retail is highest risk Card Skimmers anyone who accepts credit cards for payment involving physical scanning of card Web Site Attacks anyone with a website Insider Misuse or Hacking anyone with employees, especially disgruntled ones Physical Theft/Loss employees and executives Miscellaneous Errors employees and executives Crimeware backdoors inserted by hackers Cyber Espionage inside and outside hackers from anywhere in the world

9 Typical Cyber Liability expenses that can be insured for Notification Expenses Customers must be notified of a breach of their sensitive information. May be voluntary or forced by laws and regulations Crisis Management/PR Expense Assuring your customers that you have taken steps to mitigate the breach Win back their confidence and/or loyalty Pay cyber extortion expense Million dollar extortion expenses have been paid to mitigate breach

10 Typical Cyber Liability expenses that can be insured for Continued from previous slide Payment of fines and penalties from government agencies Payment of awards from lawsuits from customers, patients, employees, stockholders as discussed in previous slide

11 Typical Retail Risk: POS Intrusions Point of Sale (POS) Intrusions: Remote attacks against the environments where retail transactions are conducted, specifically where card-present purchases are made, i.e., cards are physically scanned. POS Intrusions accounted for 14% of the cyber attacks reported in the Ponemon study. POS attacks are the greatest threat to retail establishments like department stores and restaurants but anyone accepting credit cards for payment is subject to attack e.g., ipad credit card scans

12 POS Intrusions Credit card transactions are regulated by PCI 3.0 Payment Card Industry Regulation which can impose heavy fines on any retail establishment whose customer credit card data is lost or stolen but government regulations will not prevent theft by hackers Lost or stolen credit card data is sold on the black market and is typically used to produce duplicate credit cards that can be sold and used all over the world Stolen customer data can be traced back to the source using forensic techniques by the FBI, Banks, and Credit Card Processors

13 Target Breach The cases against Target were consolidated in the US District Court for the District of Minnesota to consist of (as of May 2014, more to come): 81 class action suits brought by consumers 28 class action suits brought by financial institutions 4 shareholder derivative actions

14 Web Attacks on Your Website Web App Attacks any incident in which a web application was the target of the attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms Denial of Service Attacks (DoS) hackers take over thousands of PCs and use them to simultaneously request service from a targeted website. Legitimate customers can not access the website and the company loses revenue and credibility with their customers who may also sue the targeted company for loss of service during attack. Use of Website as a backdoor into the company network to steal data, plant viruses, etc.

15 Insider and Privilege Misuse to Guard Against in Your Business Any unapproved or malicious use of your organizational resources Too many people in your company have access to too much data Limit access and change passwords frequently to help mitigate insider threats

16 Miscellaneous Errors by Your Employees Incidents where unintentional actions directly compromised a security attribute of an information asset-e.g., phishing to get passwords from unsuspecting and/or untrained employees Target breach was due to air conditioning vendor gaining access to privileged information and planting a back door into the system for later retrieval of customer data took several months to get the data There are now huge networks of hackers working in teams to gain access to high value systems- anyone can buy hacking software on the Internet and make a good living from their grandmother s basement (aka script kiddies mostly having fun) but most big jobs are for big financial payoffs from Russia and places where the FBI can t operate until it s too late

17 Crimeware Any malware incident that did not fit other patterns like espionage or POS (Point of Sale) attacks Covers a wide variety of incidents involving malware of various types and purposes

18 Payment Card Skimmers Involves POS skimming devices physically placed on or near devices that read credit card magnetic strips to accept payment ATMs, gas pumps, POS terminals are big sources of hidden (implanted) credit card magnetic strip readers Placed by someone like a maintenance worker, employee or hacker and usually removed at a later date to avoid detection Hackers walk around stores like Walmart or sit in restaurants with skimmers that work when they are there and are not found by anyone making a search

19 Cyber-Espionage Defined as unauthorized network or system access linked to stateaffiliated hackers and/or exhibiting the motive of espionage Usually hard core criminal organizations operating in Russia and East Europe where the FBI can t get at them They target corporations, governments, NGO s, etc., but also small to medium businesses as well to steal personal data, trade secrets, government secrets, etc.

20 Physical Theft and Loss Missing assets containing sensitive data Laptops, ipads, thumb drives left in unlocked cars, restaurants, etc. Can include paper assets left in cars, boxes of paper data in storage lockers, etc.

21 Key Questions for all owners and C-suite personnel who must manage financial risk How much personal data do you store on employees, customers, clients, etc.? What is your plan for minimizing your risk of losing sensitive data? How much can you afford to spend on penalties and lawsuits in the event of a data breach that gets traced back to your company?

22 Key Questions cont. What would happen if customer and employee private information is stolen from your company? How many paper and electronic records containing sensitive information do you have stored (file cabinets, storage sheds, PCs) Do you have written agreements (contract liability) concerning privacy and protection of data with outside vendors? Document storage and destruction, janitorial, air conditioning, etc., etc.

23 Key Questions cont. What type of social media is your business using? Are their restrictions to its administration? Risks include invasion of privacy, copyright and trademark liability, defamation and slander-usually covered by other liability insurance policies Are you aware of the exclusions in your existing P&C and GL policies? Most cyber liability claims such as social media liabilities, electronic data and cost to recreate, outages caused by viruses or hackers will not be covered under existing policies Are you aware of the most recent privacy and data breaches in your industry for evaluation of your potential risks? Good sources of information pertinent to your industry can be found on Google or privacyrights.org (an excellent database of actual breaches)

24 Key Questions cont. Are you aware that the average 1 st party cost for a data breach claim is $206 per record Costs include notification and credit monitoring for customers as well as public relations and call centers Are you familiar with all state regulations that you do business in (not just your home state) for notification in the event of a privacy breach? Look on for state regulations

25 Key Questions cont. Do any of your employees access your system from a mobile device? The Ponemon study shows that 81% of employees have access to PII (Personally Identifiable Information) on ipads, smart phones and employee laptops the is referred to as the BYOD (Bring your own device) problem Have you considered the Third-Party costs to your business in the event of a Privacy Breach? Intellectual property infringement, reputation injury, customer s systems being unavailable and the cost to defend your business against numerous lawsuits 50% of small to medium businesses shut down after a major breach if they can t cover the expense (Target is self insured are you?)

26 Questions from a typical Cyber Liability Questionnaire for an insurance quote 1. Do you control who has access to your computer network? 2. Do you have a firewall between your information system and the Internet? 3. Do you have firewall protections on each of your individual workstations? 4. Do you have a virus protection program in place? 5. Do you outsource any part of your internal networking/computer system or Internet access to others? 6. Do you have a person responsible for IT security?

27 Typical quote questions cont. 7. Does your hiring process include criminal background checks? 8. Do you have a written security policy that covers both physical (premise) and information security? 9. Do you test your policy s security or privacy controls? 10. Have you ever experienced a privacy or data breach? 11. Do you allow employees to download personal client information or other confidential information onto laptops or other data files? (If yes, is the data encrypted?)

28 Typical quote questions cont. 12. What personal client or employee information is held in your company s information system or employee devices? Social Security Numbers Driver s License Numbers Financial Account Numbers Credit Card Numbers Personal Health Information Customer Information Other (please specify) don t hide anything so that you get a realistic quote that represents your real risk 13. Have you ever filed a Privacy/Data Breach claim? (If yes, please note date of incident and provide brief explanation)

29 Why Get a Quote (or several quotes)? It doesn t cost anything to have a qualified insurance agent prepare a quote for your cyber liability insurance needs By getting quotes from several insurance carriers you will get the expertise of several underwriters who can help you navigate the complex waters of cyber liability insurance, which is still in its early phase of development Before or after you get a quote for cyber liability insurance have a qualified outside security expert do an evaluation of your physical and network security system and provide a written report that can be passed on to the insurance agent and his underwriters for proper evaluation of your premium and coverage requirements

30 10 Reasons to buy Cyber Liability Insurance 1. High cost of breach notification in the event of a breach 2. Loss of third-party (your customers and employees) data results in class action lawsuits that can put you out of business if you aren t protected by cyber liability insurance 3. The data in your network is not covered by standard commercial property & casualty policies yet it is the most valuable asset you have (how much to replace lost or stolen data versus the cost to replace a computer network?) 4. Information Systems (IT systems) are critical to operating your day to day business but their downtime is not usually covered by standard business policies-check your current policy

31 10 Reasons to Buy cont. 5. Cyber crime is the fastest growing crime in the world, but most attacks are not covered by standard commercial insurance policies 6. Retailers face severe penalties if they lose their customer credit card data Global credit card crime is worth over $7.5billion and this risk is increasingly being transferred from the credit card service providers to the business owners Retailers can be held liable for forensic investigation costs, credit card reissuance costs and the actual fraud (purchases) conducted on stolen cards Cyber liability insurance can offset many of these costs

32 10 Reasons to Buy cont. 7. Your reputation is your number one asset, so why not insure it? Cyber liability insurance can insure your reputation in the event of a cyber security breach It can pay for costs of engaging a PR firm to help restore your reputation, but also for the loss of future sales that arise as a direct result of customers switching to your competitors You can t claim that a cyber breach is not your fault and therefore you should not have to bear the expense you are the one your customers and government agencies will hold liable no matter the cause of the breach 8. Social media usage is at an all time high and claims are on the rise Cyber liability insurance can help provide coverage for claims arising from leaked information, defamatory statements or copyright infringements

33 10 Reasons to Buy cont. 9. Portable devices increase the risk of loss or theft of information Cyber liability insurance can cover the costs associated with a data breach should a portable device be lost, stolen or fall victim to a virus 10. It s not just big businesses being targeted by hackers, but lots of small ones too, often part of a massive hack attack Hackers often practice on many small businesses to learn the techniques and pathways into the larger businesses. The small businesses suffer the same damage as the large ones A third of global cyber attacks were aimed at businesses with less than 250 employees

34 Cyber Liability Risk Applies to all sectors of the e-commerce and Internet world e-professionals those who provide traditional services over the Internet Information Technology (Internet) Professionals website developers, systems/computer consultants, etc. E-Commerce Companies companies existing only on the net, clicks & mortar companies, and content providers such as portals, search engines and specialty providers of content Internet Advertisers traditional organizations utilizing the Internet for marketing

35 Examples of Cyber Liability Claims Extortion 1 Entire database of publicly traded corporation was encrypted by a disgruntle employee Ransom note demanded $1 million for the password to unlock the data The company paid the ransom!!

36 Examples of Cyber Liability Claims Extortion-2 Accounting firm upgrades their computers and scrubs old hard drives before tossing them out Hacker gets ahold of discarded hard drives and restored the data which included financial records of clients Firm bought back the hard drives for $1 million

37 Examples of Cyber Liability Claims Mischievous Hacking Repeated Denial of Service attacks by a hacker have virtually shut down a state s Public Access Network Computer This is an example of mischievous behavior that shuts down an system but there is no ransom involved Hacker typically brags to his friends of his accomplishment

38 Examples of Cyber Liability Claims Mischievous Hacking An Internet Service Provider (ISP) was hacked The hacker planted swastikas and racist messages on web pages while masquerading as the provider s administrator, erased data on two computers and shut down the system The ISP was shut down for 12 hours and files created in the several days prior to the attack were lost

39 Examples of Cyber Liability Claims Loss of Data A personal laptop computer was stolen from a data processing center The laptop contained the account numbers for over 300,000 credit card customers

40 Examples of Cyber Liability Claims Loss of Data A technical instruments manufacturer had a disgruntled employee delete their entire database It cost the company $7.8 million in lost revenues and $3.2 million to replace the lost data

41 Statistics of Cyber Liability Losses 24% of data breaches occur in retail environments and restaurants The average total cost of a cyber security breach is estimated at $5.4 million 50% of small businesses who must bear the cost of a breach are out of business within 6 months There are 46 different state laws and another set of federal laws and regulations governing the collection and storage of data and the prevention and reporting of a breach From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

42 Reduction of Cyber Security Losses It takes a team of cyber security consultants, IT experts, insurance, security and law firms to deal with the extensive and increasing cyber threat to US businesses Cyber security concerns are now part of doing business, and general counsel and C-Suite executives must be ready to guide their companies through these complex issues Prevention is the first step to minimizing cyber security liability From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

43 Reduction of Cyber Security Losses The following steps can help minimize the cost and likelihood of security breaches: Security measures before a breach Have an incident response plan Establish a strong security infrastructure Appoint a Chief Information Security Officer Cyber-security audits Businesses should conduct regular cyber-security audits and limit access to sensitive data by third parties and employees From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

44 Reduction of Cyber Security Losses Cyber-security insurance Businesses should review insurance policies to determine whether and to what extent they are covered for cyber-security threats Encryption If a data breach occurs, encryption can help minimize liability From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

45 Notification in the Event of a Breach Health Insurance Portability and Accountability Act (HIPPA) and Health Information Technology for Economic and Clinical Health Act (HITECH) requires covered entities to protect against reasonably anticipated threats or hazards to security The HITECH Act requires covered entities and business associates to notify the individuals whose protected health information was accessed no later than 60 days after the breach was discovered From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

46 Notification in the Event of a Breach If the breach affects more than 500 individuals, the law also requires notification within 60 days after the breach was discovered to the US Department of Health and Human Services and the media From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

47 Notification in the Event of a Breach Gramm-Leach-Bliley Act requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect consumer information Related guidelines require covered financial institutions to notify customers whose personal information has been subject to unauthorized access or use if misuse of the customer s information has occurred or is reasonably possible, unless law enforcement determines that notification will interfere with a criminal investigation From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

48 Notification in the Event of a Breach Securities & Exchange Commission (SEC) has issued guidance stating that publicly traded companies should report certain cyber instances State Law Currently 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

49 Potential Litigation Potential claims by private parties and the government include: State-law claims filed under individual states consumer protection laws, tort and contract law, fiduciary requirements, and other cyber security rules FTC Safeguards Rule the FTC has brought numerous enforcement actions to address whether businesses security systems are reasonable and appropriate to protect consumer information From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

50 Potential Litigation SEC Enforcement Actions. The SEC s Division of Corporate Finance has taken the position that public companies should disclose their risk of cyber incidents Failure to disclose cyber security breaches or risks could lead to actions on security anti-fraud provisions like Rule 10b-5 or books and records violations under Rule 13b2-2 From Don t be a Cyber-Thief s Next Victim by Leon Silver and Gabe Zorogastua of the Polsinelli Law Firm, Phoenix, AZ

51 Do You Really Need Cyber Liability Insurance? LinkedIn, eharmony, DropBox, Paypal and Yahoo have all been hacked and millions of customer records have been lost This list does not even include the big retailers like Target and Home Depot that have been hacked with hundreds of thousands of credit card data lost Liability for loss of customer data or employee data is not typically covered under normal corporate insurance policies From Do You Really Need Cyber Liability Insurance?, white paper from ManageEngine

52 Do You Really Need Cyber Liability Insurance? Be careful when evaluating your existing business insurance policy since some policies that offer general liability coverage and directors and officers liability may provide some limited cyber liability coverage but may not provide all that is required Analyze your existing policy in detail with the help of experts before you have a cyber breach because after the breach it is too late A recent survey by the Chubb Group of Insurance Companies found that 65% of public companies forego cyber insurance even though they consider cyber risk as their number one concern From Do You Really Need Cyber Liability Insurance?, white paper from ManageEngine

53 Do You Really Need Cyber Liability Insurance? 25% of those companies surveyed are expecting a cyber breach in the coming year and 71% have cyber breach response plans in place but only 35% have cyber liability insurance It is not only high-profile and high-risk companies that are at risk of cyber breaches Small to medium sized companies are at equal risk of cyber breaches 72% of all data breaches occurred in Small to Medium (SMB) businesses according to studies by the Secret Service and Verizon Communications Inc. From Do You Really Need Cyber Liability Insurance?, white paper from ManageEngine

54 Do You Really Need Cyber Liability Insurance? So why do only 35% of companies invest in cyber liability insurance? For one, many executives don t know it exists, and even if they do they probably don t think an attack will happen to them, or they are not overly worried about the potential fallout of such a breach Premiums are still high since so few companies are buying cyber liability insurance and the payouts can be in the millions of dollars The premiums for e-commerce companies are high because these companies are considered high risk since they acquire and store large amounts of credit card data for purchases from their site From Do You Really Need Cyber Liability Insurance?, white paper from ManageEngine

55 Do You Really Need Cyber Liability Insurance? The other high risk companies are medical related institutions hosting data, such as date of birth information, social security numbers and medical records You can reduce your cyber liability premiums by reinforcing your security practices before you apply-like a good driver discount In other words, having a lower risk factor for data breaches lowers your insurance premium One easy way to lower your risk of a data breach is to have strong password protection on your system by using encryption and changing passwords regularly From Do You Really Need Cyber Liability Insurance?, white paper from ManageEngine

56 Do You Really Need Cyber Liability Insurance? When your system consists of multiple units of servers, apps, cloud services, databases, tablets and laptops you can purchase affordable password management solutions to help offset the cost of cyber liability premiums Other actions that can reduce the cost of cyber liability premiums are: Regular risk assessments by outside cyber security analysts A written cyber security policy that identifies and lists critical assets and defines policies for physical security, account management, and backup and recovery of critical data among other areas Leverage firewalls, virtual private networks, anti-virus and anti-spam software and secure mobile solutions to secure network access and mobile devices From Do You Really Need Cyber Liability Insurance?, white paper from ManageEngine

57 Types of Commercial Liability Insurance Don t Expect Your Existing Commercial General Liability Insurance to Cover Cyber Liability Losses! Commercial General Liability (GL) Coverage Exclusions (aka, will not pay!): Personal and Advertising Injury Electronic Data applies to damages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data Illegal Distribution applies to telemarketing and anti-spam laws

58 Now that you know the potential threat to your business due to cyber attacks it s time to take action!! Click the Quote Request Button and let me get you several quotes from reputable insurance companies to protect you from extensive financial losses due to cyber attacks on your company. The cyber liability policy can be standalone or combined with the rest of your business insurance. John Buck, Cyber Liability Insurance Specialist RP Ryan Insurance Inc N 40 th St Suite 102 Phoenix AZ Phone: x 252 Cell: jbuck@rpryan.com