1 RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015
2 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former employees exploit back-doors Theft of Intellectual Property Security compromise loss of sensitive client data Infrastructure downtime may lead to Dependent Business Interruption claim Intent is to disrupt and/or embarrass a target Motivations are fickle and unpredictable Massive DDoS attack Cloud or 3 rd party Compromise Hacktivists Malicious Insider Exposures that lead to a potential Data Breach Criminal Hackers Access controls and behavior monitoring insufficient to detect insider threats Negligent Insider Unwary insiders susceptible to attacks that exploit traditional security controls (e.g. spear phishing) Users who fail to embrace culture of security will find ways to circumvent inconvenient security controls Patience is a virtue. Tactics have evolved from hit and run to infiltrate and stay. Industrialization - Black markets exist for all types of personal information Proliferation of mobile platforms and BYOD policies creates new vectors
3 THREAT ENVIRONMENT Verizon 2015 Data Breach Investigation Report
4 INCIDENTS vs. BREACHES Verizon 2015 Data Breach Investigation Report
5 Frequency of Data Disclosures by Incident Patterns and Victim Industry Verizon 2015 Data Breach Investigation Report
6 CONDENSED DATA BREACH TIMELINE 1. Discovery 2. Initial Response and Evaluation After suffering an intrusion or breach, an entity may become aware of the situation through a number of different ways. Some are more preferable than others: Discovery: 1. Self Discovery 2. Customer Inquiry or Vendor Awareness 3. Notification and Communication from Law Enforcement or Regulators Upon becoming aware of the situation, the breached entity will put their internal incident response plan into action. The key individuals on the Internal Response Team will actively address their designated responsibilities in an attempt to mitigation negative consequences. Outside Legal and Forensics may be determined necessary: 1. Forensics to determine the extent of the event 2. Legal/Data Breach Coaching (Obligations/Options, etc.) 3. External Response Notification (Obligatory and/or Voluntary) Credit Monitoring and Identity Theft related offerings Public Relations and Media Facing 4. Continuing Ramifications Income Loss and Damage to Brand Reputation Regulatory Actions and Fines/ Penalties, PCI Fines & Penalties, Consumer Redress Civil Litigation
7 POTENTIAL COSTS OF A DATA BREACH Willis Estimated Data Breach Costs (based on number of affected individuals compromised) 1,000 10, , ,000 1,000,000 10,000, ,000,000 PRIVACY EXPENSES Privacy Expense (Forensics/Crisis) $35,000 $140,000 $270,000 $530,000 $1,050,000 $1,750,000 $3,500,000 Forensics Investigation $25,000 $100,000 $200,000 $400,000 $750,000 $1,000,000 $2,000,000 Data Breach Coach $10,000 $20,000 $30,000 $50,000 $100,000 $250,000 $500,000 Public Relations $0 $20,000 $40,000 $80,000 $200,000 $500,000 $1,000,000 Privacy Expense (Notice/Credit Monitoring) $8,500 $80,000 $800,000 $3,625,000 $4,800,000 $40,000,000 $325,000,000 Customer Notification $2,000 $15,000 $150,000 $625,000 $1,000,000 $9,000,000 $50,000,000 Call Center $1,000 $10,000 $100,000 $500,000 $800,000 $5,000,000 $20,000,000 Credit Monitoring $4,500 $45,000 $450,000 $2,250,000 $2,500,000 $25,000,000 $250,000,000 Identity Fraud Remediation $1,000 $10,000 $100,000 $250,000 $500,000 $1,000,000 $5,000,000 Privacy Expense Total: $43,500 $220,000 $1,070,000 $4,155,000 $5,850,000 $41,750,000 $328,500,000 (Privacy Expense Cost per record) $43.50 $22.00 $10.70 $8.31 $5.85 $4.18 $3.29 PRIVACY LIABILITY Regulatory Defense/Fines $0 $0 $350,000 $750,000 $1,500,000 $6,000,000 $15,000,000 State Regulatory (AG) $0 $0 $250,000 $250,000 $500,000 $1,000,000 $5,000,000 Federal Regulatory (FTC) $0 $0 $100,000 $500,000 $1,000,000 $5,000,000 $10,000,000 PCI Fines/Penalties $0 $10,000 $20,000 $100,000 $500,000 $1,000,000 $2,000,000 Civil Liability $9,000 $180,000 $900,000 $3,900,000 $7,000,000 $45,000,000 $330,000,000 Legal Defense/Damages/Class Actions $0 $100,000 $300,000 $900,000 $2,000,000 $5,000,000 $30,000,000 Card Reissuance Liability $9,000 $80,000 $600,000 $3,000,000 $5,000,000 $40,000,000 $300,000,000 Privacy Liabilty Total: $9,000 $190,000 $1,270,000 $4,750,000 $9,000,000 $52,000,000 $347,000,000 Total Data Breach Cost: $52,500 $410,000 $2,340,000 $8,905,000 $14,850,000 $93,750,000 $675,500,000 Per Record Cost: Retail $52.50 $41.00 $23.40 $17.81 $14.85 $9.38 $6.76 Assumptions: Credit Monitoring: $15 per individual (10%-15% take-up rate) Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)
8 CYBER INSURANCE COVERAGE Network Security Liability: Provides defense and liability coverage for claims resulting from the compromise of computer security ( -i.e. unauthorized access or use, denial of service attacks, receipt or transmission of malicious code) Privacy Liability: Provides defense and liability coverage for claims resulting from your failure to maintain the privacy of information entrusted to you. Examples of Sensitive Information: Protected Health Information; Personally Identifiable Information; or a Third Party s Confidential Corporate Information that you are required to keep confidential.
9 CYBER INSURANCE COVERAGE Online Media Liability: Provides coverage for claims resulting from advertising and other on-line media content disseminated by the insured (i.e. copyright infringement, commercial misappropriation of another s name, persona or likeness, defamation, libel, slander, trade libel or product disparagement.) Regulatory Defense Fines and Penalties: Provides coverage for proceedings brought by a government agency for an alleged violation of privacy regulations resulting from a breach of personal information. Coverage includes, defense, consumer redress, fines and penalties (where allowable by law).
10 CYBER INSURANCE COVERAGE Breach Event Costs: Provides coverage for costs incurred due to a breach of individuals personally identifiable information or protected health information for: public relations; notification (Voluntary notification available from some carriers) of individuals; credit monitoring; call centers; obtaining legal counsel; and forensic experts to determine what information was breached and for any other expenses approved by the insurer, to respond to a breach. PCI Fines and Penalties: Provides coverage for a monetary assessment of a fine or penalty by a Card Association or Acquiring Bank due to insured s non-compliance with a PCI Data Security Standard, resulting from a breach.
11 CYBER INSURANCE COVERAGE Cyber Extortion: Coverage for Costs to Investigate and terminate a threat to commit an intentional attack against your Computer System. Network Business Interruption: Covers Business Income Loss and Extra Expense coverage resulting from a Material Interruption of your network, caused by unauthorized use or access to your systems. Broad System Failure trigger is available with select carriers.
12 CYBER INSURANCE COVERAGE Data Restoration: Coverage for Costs of Restoration of Electronic Data that is damaged or lost due to a virus, malicious code or other failure of computer security. Technology Errors and Omissions: Covers liability triggered by negligence in the performance of covered technology professional services.
13 Privacy/Network Security Risk Gaps in Traditional Insurance Property General Liability Crime/Bond E&O Privacy/ Network 1 st Party Privacy/Network Risks Physical damage to Data Virus/Hacker damage to Data Denial of Service attack B.I. Loss from security event Extortion or Threat Employee sabotage 3 rd Party Privacy/Network Risks Theft/disclosure of private info Confidential Corporate Info breach Technology E&O Media Liability (electronic content) Privacy breach expense/notification Damage to 3 rd party s data Regulatory Privacy Defense/Fines Virus/malicious code transmission Coverage Provided Limited Coverage No Coverage
14 CYBER MARKET UPDATE Pricing* Market is firming and in some cases, is hard Most companies, including the Education sector, will experience a premium increase of 5% or greater. Healthcare and Retailers should expect the greatest premium increases and limits may be difficult to obtain. Markets For certain industries, some insurers have exited the market London Market is expanding its offerings in tough classes of business. Certain carriers have very stringent underwriting processes. Coverage How coverage/ limits are purchased managed services vs. no panel requirements Increased sublimits System Failure Coverage Resulting BI/PD exposures Manufacturers First Party Business Interruption Issues Frequency of losses POS Risk Encryption in transit and at rest Third Party Exposures *Based on favorable claims experience and not material changes in exposure
15 CYBER CONCERNS FOR EDUCATION Privacy Student and Guardian Records PII PHI Minors Credit Card Exposures Response Planning Incident Response Plan (Internal) Vendor Identification Budgeting
16 CONTACT INFORMATION John O Donnell, Vice President WILLIS FINEX North America Cyber and E&O Direct: Web: