CYBER-LIABILITY COVERAGE: The $ 45 Million Dollar Exposure

Transcription

1

2 CYBER-LIABILITY COVERAGE: The $ 45 Million Dollar Exposure

3 CYBER-LIABILITY COVERAGE: The $ 45Million Dollar Exposure Today s Presenters: Mark J. Camillo, MBA, BS Head of Network Security and Privacy Products AIG Jill Haynes Gidge, CPCU, CIC, CISR, CRIS, AAI, AAM, AIT, CPIW, AIS, BSN, RN Independent Insurance Education Consultant /Trainer Insure-Ed Brad Vatrt, BA, JD Complex Claim Director for Network Security/Media/Technology Group AIG

4 DATA BREACH * Number of Breaches 825+ and rising Number of People Exposed 13,498,996+ and rising Location of Breaches Educational facilities Banking, credit / financial Government / military Healthcare facilities and companies Data / information companies Utilities / hospitality / retail * Federal Trade Commission Are you and your clients protected?

5 DATA BREACH (2) Average cost per data breach loss $ 203,000- $ 591,000 (42% increase)* 30-40% growth in overall data breach / cyber security claims Cyber-liability no longer a back burner issue 17% of firms had Enterprise-wide risk approach in % of firms have Enterprise-wide risk approach in 2012 *Ponemon Institute Research Report 2012

6 WHAT CONSTITUTES A DATA BREACH? The intentional or unintentional release of secure information (data leak, data spill) to an unsecure or non-trustworthy environment "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so * * Wikipedia

7 Overview of Key Federal & State Laws Impacting Data Breach/Cyber-Liability Health Insurance and Accountability Act Drivers Privacy Protection Act Fair Credit Reporting Act Gramm-Leach-Bliley Cyberspace Electronic Security Act USA Patriot Act Cyber Security Enhancement Act Standards for Safeguarding Customer Information Fair and Accurate Credit Transaction Act Red Flags File Transfer Compliance Massachusetts 201 CMR 17

8 Health Insurance & Accountability Act Health Insurance & Accountability Act Protections for individuals Use, disclosure and transmission PHI Privacy Rule Protect confidentiality Security Rule Safeguards to protect the confidentiality, integrity and availability

9 Drivers Privacy Protection Act DMV & MVRs Personal Information Photograph Social security # Name Address Telephone number Medical / disability information PFI

10 Fair Credit Reporting Act Individuals only Protect privacy & assure accuracy Collection & dissemination of information, redress More PFI

11 Gramm-Leach-Bliley: Financial Services Modernization Act Protection of consumer s non-public personal financial information Includes information utilized by agents and brokers Compliance mandatory!

12 Cyberspace Electronic Security Act Protection Standards set for Privacy Security Safety Encryption Symmetric key Asymmetric key

13 USA Patriot Act Investigation of Terrorism Ensure domestic security Surveillance Money Laundering Increase of Power 4 th amendment

14 Cyber-Security Enhancement Act of 2002 Set sentencing Guidelines Relative to certain computer crimes

15 Regulation 173 Standards for Safeguarding Customer Information Risk assessment required Manage and control cyber-risk Oversee service provider arrangements Evaluate, monitor and adjust the program

16 Fair and Accurate Credit Transaction Act Free credit reports annually from each reporting agency without harm to credit score Fraud alerts Ability to opt-out of affiliate marketing Protection against unauthorized access Requirement to exercise due diligence

17 Red Flags Written Identity Theft Prevention Program Detects warning signs ( red flags ) of ID theft Step 1: Identifying relevant red flags Step 2: Detecting red flags Step 3: Responding to red flags Step 4: Administering the Program

18 File Transfer Compliance 201 CMR 17 Establishes a minimum standard for the protection of Massachusetts residents personal information (PFI and PHI) both in electronic and paper form Written security program required Other states may follow!

19 Who Has A Cyber-Liability Exposure? Any person or business with web site Size is immaterial here! Can be subject to claims for Damage caused to another computer when interfacing or downloading Damage to data or software Remember: Electronic data is not tangible property (ISO forms)

20 Where Is Cyber-Liability Coverage Available If At All? ISO Commercial General Liability Coverage Form CG Definitions 17. Property Damage Damage to, loss of, destruction of tangible physical property including its loss of use electronic data is NOT tangible property Exclusions j. Damage to property o. Personal & advertising injury p. Electronic Data

21 Where Is Cyber-Liability Coverage Available If At All? (2) Coverage B Personal and Advertising Injury Liability (ISO CGL) Definitions 14. Personal and advertising injury 17. Property damage Exclusions Especially i and j Chatrooms, bulletin boards, web hosts, webmasters, etc.

22 Where Is Cyber-Liability Coverage Available If At All? (3) ISO Electronic Data Liability Endorsement CG Buy back liability coverage (for negligence in data damage, etc.) Loss of electronic data now a category of property damage (direct damage) C. Definitions Data STILL not tangible property

23 Where Is Cyber-Liability Coverage Available If At All? (4) ISO Electronic Data Liability Coverage Form CG Broader coverage Actual loss of data covered No need for physical injury to tangible property Claims made format!!!! Covers loss caused by electronic data incident

24 Where Is Cyber-Liability Coverage Available If At All? (5) ISO Businessowners Policy Electronic Data Liability Limited Coverage Endorsement BP Similar to CGL version for direct damage to data of others due to insured s negligence Electronic Data Liability Broad Coverage Endorsement BP Similar to ISO Electronic Data Liability Coverage Form, but as an endorsement

25 Where Is Cyber-Liability Coverage Available If At All? (6) Cyber-Liability Insurance First & third party risks Privacy Infringement of intellectual property Virus transmission E-business, internet, networks Who needs it??

26 Where Is Cyber-Liability Coverage Available If At All? (7) Network Risk Insurance Private and Public companies Exposures covered vary What does it do? Protection against unauthorized access to data Theft of data (crime) Computer viruses (direct damage, loss of use) Distributed Denial of Service (DDoS) attacks Loss/Corruption of Data

27 Where Is Cyber-Liability Coverage Available If At All? (8) Network Risk Insurance ( cont d) Protection against unauthorized access to data (cont d) Business Interruption Liability Cyber-Extortion Public Relations Criminal Rewards Cyber-Terrorism Identity Theft

28 Cyber-Liability 2013 Most Common Internal Security Threats Mark Camillo Most Common Reasons for Data Breach Litigation Brad Vatrt OMG!

29 Cyber-Liability 2013 (2) Costs of cyber-risk Approaches to cyber-risk Carrier perspectives

30 Cyber-Liability Risk Management Physical security Privacy policies Established procedures Employee training Encryption Firewalls Passwords Anti-virus, anti-spyware software Cyber-hygiene function Copyright review

31 Cyber-Liability Risk Management (2) Shred! (cross-cut best) Awareness of operations / activities involving data Be proactive prevent / reduce risk potential before loss happens Duplication and segregation of data (Cloud, recovery and storage vendors, etc.) Question what s done, why Assess risk On a personal note: Know your score

32 Cyber-Liability Risk Management (3) Password expirations Password history Password length (8-11 characters) Password composition (upper, case, lower case, symbols, numbers)

33 It s A Wrap! Thank you for attending our presentation! Please complete an evaluation Have a great rest of your day, and CONGRATULATIONS to all the new designees!

34 Session Feedback Please rate this session using the mobile app