CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Transcription

1 CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1

2 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become increasingly essential to safeguard data as well as to ensure compliance with global regulatory bodies. 5 Additionally, as of October of 2015, financial institutions that issue credit cards face a changing landscape with regards to the EMV technology liability shift. 2

3 CYBER INSURANCE/FINANCIAL INSTITUTIONS Financial institutions such as banks, independent broker/dealers, asset managers, insurance carriers, real estate companies and others are often in possession of and responsible for sensitive information in many forms. According to the 2015 Verizon Data Breach Investigations Report (Verizon DBIR), nearly half of the security incidents reported to Verizon that occurred in the financial services industry resulted in a confirmed data loss. This is the second highest percentage of any industry presented. 1 What is sensitive information? Technology advances like mobile app banking, information sharing via mobile devices, social media and big data analytics are transforming how financial institutions interact with their clients, business partners and regulators. However, these advances expose more sensitive data to the Internet, which increases information security risks. Additionally, according to the 2015 Verizon DBIR, finance companies are likely to be the victims of denial of service attacks. This was the cause of 184 incidents in the industry last year. 2 Sensitive information includes: Client credit card/debit card data Client financial account information, including account and PIN numbers Employee Personally Identifiable Information (PII), including Social Security Numbers and Personal Health Information (PHI) Corporate confidential information regarding transactions, mergers and acquisitions Individual names, addresses, addresses, passwords, telephone numbers and Social Security numbers Other non-public personal information as defined by regulatory frameworks including but not limited to the Payment Card Industry Data Security Standard (PCI DSS) and the Gramm Leach Bliley Act (GLBA), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data Why are financial insitutions a target? Financial institutions are in possession of large amounts of personal client information with high monetary value, as well as volumes of valuable corporate confidential data. Financial institutions face significant exposure from network intruders quietly remaining within corporate networks for longer periods of time. With such large sets of data stored and potentially vulnerable including client, employee and corporation data financial institutions of all sizes face the risk of a catastrophic breach. What are financial institutions exposures? ACE has vast knowledge in handling these types of security related incidents, with an experienced claims staff who have intimate knowledge of the intricacies of data incidents impacting financial institutions. According to ACE s proprietary claims data, the presence of hacking in the financial institutions industry is escalating rapidly: % of claims were hacks % of claims were hacks % of claims were hacks 2015 YTD % of claims were hacks Claims Triggers for Financial Institutions 4 3% 12% Network Hack - 38% Lost Laptop - 13% Human Error 12% Lost or Misplaced Tapes/ CDs - 8% Privacy Policy Violations - 7% Employee Error 7% Lost/Stolen Paper Documents/ Records 3% Other 12% 7% 7% 8% 12% 13% 38% 3

4 CYBER INSURANCE/FINANCIAL INSTITUTIONS Financial Institutions Claims Scenarios: Scenario #1: Phishing Attack On Employees A group of employees were the target of a phishing attack by a group of cyber criminals. The employees clicked on the links contained in the s, inadvertently providing their access credentials to the bank s network. This gave hackers access to 15,000 client records containing personally identifiable information, including bank account numbers, PIN numbers, names, addresses and Social Security Numbers. The company was alerted to the attack when customers were notified that their accounts had been accessed from unusual access points. Associated Costs: $265,000 for forensics, legal fees, notification and call center services Scenario #2: Third Party Contractor Error A financial institution hired a third party contractor to integrate its systems following a recent merger. An employee of the contractor accidentally uploaded the information of 20,000 employees and clients to a personal laptop, which was subsequently lost. Associated Costs: $1.1 million for forensics, legal fees, liability costs, notification and call center services The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year. 3 Scenario #3: Network Extortion Demand An individual gained access to a segment of a financial institution s network, which provided access to the bank account information and personally identifiable information of their high net worth clients. The individual alerted the bank of his position inside the company s network and made an extortion demand of $3.2 million, threatening to release the personal information if his demands were not met. Associated Costs: $3.2 million to satisfy the extortion demand to avoid the release of information 4

5 CYBER INSURANCE/FINANCIAL INSTITUTIONS HOW CAN YOU PROTECT YOUR DATA? ACE introduced Loss Mitigation Services to help policyholders understand and gauge various areas of cyber security that are relevant to your business. Through early identification and remediation of cyber exposures, Loss Mitigation Services can help your organization reduce the likelihood and impact of a cyber incident. These services are available to all policyholders at any time as part of ACE s comprehensive cyber insurance solution. All ACE policyholders benefit from access to a variety of free services, including self-assessments, white papers and webinars. ACE s portal, a webbased prevention resource, houses these materials to help policyholders manage their privacy and network risk. Seasonal webinars are broadcast to bring the latest threat intelligence to the entire policyholder community. Loss Mitigation Services Available to Financial Institutions Additional Loss Mitigation Services were created based on ACE s claims handling experience and in-house cyber security expertise. Here are just a few that are designed to meet the needs of financial institutions: Information Governance Know Where and What Data to Protect A consultative service to help identify the privacy and protection considerations related to your organization s information, which guide how it should be managed from creation to deletion. All companies handle sensitive data to varying degrees, ranging from social security numbers to trade secrets and company confidential information. This offering is tailored to what your company does and your relative risk profile. PCI Compliance Assessment Comply with Credit Card Security Requirements A baseline assessment of your company s alignment with the compliance requirements of the Payment Card Industry Data Security Standard (PCI-DSS). This service is great for any business that accepts credit card payments from the major card brands. The report identifies major compliance gaps with PCI-DSS and what steps you need to take to obtain or maintain compliance with this standard. Security Awareness Elevate Employee Awareness for Protecting Information A simulated attack (i.e., phishing) is sent to a target subset of employees to see which employees click on the link. Online training is then provided for those who fail the simulation. The benefit? Ensuring your workforce can identify and respond accordingly to the most common types of cyber-attacks. Security Ratings for Data-Driven Risk Management Evaluate the Security Performance of Any Company This service includes security ratings that provide continuous cyber security performance measurements of your company and up to three of your peer and/or third party vendors. The data is gathered from publicly accessible sources; no information is needed from the rated companies. Having access to quantitative, objective metrics indicating how well the businesses of most interest to them are defending themselves against cyber threats and attacks can be beneficial to any company. Vendor Management Validate Your Contracts Address Privacy and Information Security Exposures Independent legal analysis and reporting of up to three agreements, identifying how well they address basic privacy policy and information security exposures. All companies benefit from this service, but especially those dealing with outside vendors for technology services, such as cloud applications, web hosting and external IT services. 5

6 Post-Breach Response: ACE s Data Breach Team Privacy and network security risks are constantly evolving, and each breach is unique. As a result, law firms, forensic companies and other service providers cannot single-handedly meet the unique challenges of each exposure. ACE s Data Breach Team, an integrated and complementary team of independent third-party specialists, bridges the gap between risk transfer and purchased loss control, creating a comprehensive risk management program for privacy, data breach and network security risk. ACE s Data Breach Team members specialize in their particular areas of expertise and seamlessly work with other team members to tailor an effective response to each incident. ACE s Privacy Protection policyholders have access to independent panel firms at pre-negotiated rates, including the following services: CONTACT ACE provides coverage capabilities and limit capacity targeted to financial institutions of various sizes, and we employ experts from a variety of fields to service the needs of our clients. From white hat hackers holding CISSP certification, to highly specialized underwriters experienced in personalizing coverage to meet policyholder needs, to experienced claim staff deftly skilled at handling complex claims - ACE s accomplished team is adept at managing the challenging exposures of financial institutions. For additional information, [email protected]. Legal Credit monitoring Computer forensics Fraud consultation Notification and call center Identity restoration Public relations Crisis communications Unless otherwise referenced, all data is derived from ACE s proprietary claims data as of July Verizon (April 2015) Verizon 2015 Data Breach Investigations Report. Retrieved from 2 Ibid. 3 PwC (September 2014), Global State of Information Security Survey Retrieved from 4 ACE North American Claims, Claims Data as of May PwC (September 2014), Global State of Information Security Survey Retrieved from The claim scenarios described here are hypothetical and are offered solely to illustrate the types of situations that may result in claims. These scenarios are not based on actual claims and should not be compared to an actual claim. The precise coverage afforded by any insurer is subject to the terms and conditions of the policies as issued. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law. Loss Mitigation Services are designed to help policyholders assess and improve the risks we insure. While we believe the information we provide or facilitate is gathered from reliable sources, we make no guaranty that losses will be fewer or less severe. We also assume no responsibility to implement any resulting recommendations. Loss Mitigation Services are available to purchase from the specific vendor for a fee. The vendors are not providers of insurance services and are not affiliated with ACE. ACE USA is the U.S.-based retail operating division of ACE Group. ACE Group is a global leader in insurance and reinsurance, serving a diverse group of clients. Not all products are available in all states. Surplus lines products are only written through licensed surplus lines brokers. Headed by ACE Limited (NYSE: ACE), a component of the S&P 500 stock index, ACE Group conducts its business on a worldwide basis, with operating subsidiaries in 54 countries ACE /2015