Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Transcription

1 Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

2 Real life examples firm 1 Data security is an issue for firms regardless of size. Source: Maryland Injury Lawsuit Information Center 5

3 Real life examples firm 2 Cyber criminals attack domestically and internationally. Source: Bloomberg Business 6

4 Real life examples firm 3 If your firm was being hacked, would you know what to do? Source: PC Magazine 7

5 What information does your firm need to secure? Personal information > Personally Identifiable Information (PII) Key data elements describing an individual client, employee, or interested party: name, address, date-of-birth, telephone, address, Social Security number, ZIP code, biometric data (thumb prints, retina scans, etc.) > Protected Health Information (PHI) Healthcare-based treatment information, medical history, health insurance information, including many elements of PII included in such records Corporate information > Intellectual property > Business strategy > Merger and acquisition (M&A) documents > Blueprints > Contracts 9

6 What information does your firm need to secure? (cont.) Payment Cardholder Information (PCI) > Credit/debit card data Includes account numbers, expire dates, security codes, etc., insurance account information, etc. Cyber-based data > Web browser history > Cookie information > Meta data > IP addresses 10

7 Insuring against data breaches Cyber risk is increasingly prevalent and costly and cannot be completely eliminated through policies, procedures, and technology. > Several dozen insurers now offer cyber insurance specifically tailored for law firms > As competition has increased, coverage has broadened and prices have come down > Purchasers of cyber insurance need to read the policies carefully or get assistance from their broker There is little consistency between cyber policies and great variability in breach prevention/response services offered 11

8 Insuring against data breaches (cont.) > Too often firms believe they can self-insure, but consider all the possible exposures: First party: Loss of data, loss of income, forensic expenses, PR costs, notification, credit monitoring, reputational damage, extortion expenses Third party: Regulatory investigations, penalties, civil fines, legal expenses, judgments/settlements arising from data breaches cause by a firms failure of security 12

9 Insuring against data breaches (cont.) Which of my insurance policies will respond to a cyber loss? 13

10 Coverage enhancements Aim to secure the following coverage enhancements: > Choice of Panel Counsel > Coordinated Retention Endorsements (use Cyber Policy Retention on Mixed LPL/Cyber Policy claims) > Amend Other Insurance clause to coordinate with professional liability insurance and any other relevant policies > Prior Acts coverage > Privacy regulatory fines/penalties (not included under all standard forms) 14

11 Coverage enhancements (cont.) Aim to secure the following coverage enhancements (cont.): > 1 st Party Business Interruption (not standard under all forms) > 1 st Party coverage for insured s negligence that cause system interruption resulting in loss of income Sometime termed system failure > Cyber Terrorism Coverage and carve back to war exclusion > Tight control group (management committee, CFO, GC) around intentional acts exclusion to ensure rogue employees are covered > A few insurers provide coverage for reputational harm, to include reimbursement of lost revenue resulting from a client deciding to no longer use the firm after a breach/cyber incident 15

12 Coverage limitations Coverage limitations to avoid: > Narrow definition of confidential information > Narrow definition of Personally Identifiable Information Does it just cover name, DOB, and SSN? Or, other such as Driver s IS, credit or bank information, passwords, PINs, unique biometric data, etc.? > Encryption exclusion Laptops, mobile devices, data in transit, etc. > Limitation on coverage for data outside of an insured s network or premises (cloud providers or other outsource vendors) > Limitations on voluntary notification (i.e. only where required by law) or credit monitoring costs > Lack of coverage for physical theft of hardware from insured s premises > No coverage for breaches caused by rouge employees 16

13 Best practices Getting Secure - Where To Start? > Perform a penetration test against your firm External versus internal testing > Choose and adopt a security framework National Institute of Standards and Technology (NIST) Control Objectives for Information and Related Technology (COBIT) International Organization for Standardization (ISO) 17

14 Best practices (cont.) Getting Secure - Where To Start? > Perform a risk assessment (gap analysis) against security framework > Prioritize remediation of gaps Consider criticality of data (where are your firm s crown jewels stored?) > Third party vendor assessment > Review controls over disbursement of funds Consider various ways that funds leave your firm 18

15 Best practices (cont.) Security Low Hanging Fruit > Firm Policies: Information Security Policy Acceptable Use of Technology Policy > Information Security Training Who gets trained?» Lawyers» Support staff > Physical Security Secure your firm (lock doors, etc.) Physical files 19

16 Best practices (cont.) Cybersecurity Top Network security 2. Wireless security 3. Mobile device security 4. Vendors / Contractors 5. Data encryption 6. People / Training 7. Identity management controls 8. Disaster recovery (data backup, restore plans) 9. Incident response plans 10. Logging and monitoring 20

17 Disclosures The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International Baker Tilly Virchow Krause, LLP. 22