CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS


As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become increasingly essential to safeguard data as well as to ensure compliance with global regulatory bodies. [5] Additionally, as of October of 2015, financial institutions that issue credit cards face a changing landscape with regards to the EMV technology liability shift.

CYBER INSURANCE/FINANCIAL INSTITUTIONS

Financial institutions such as banks, independent broker/dealers, asset managers, insurance carriers, real estate companies and others are often in possession of and responsible for sensitive information in many forms. According to the 2015 Verizon Data Breach Investigations Report (Verizon DBIR), nearly half of the security incidents reported to Verizon that occurred in the financial services industry resulted in a confirmed data loss. This is the second highest percentage of any industry presented. [1]

What is sensitive information?

Technology advances like mobile app banking, information sharing via mobile devices, social media and big data analytics are transforming how financial institutions interact with their clients, business partners and regulators. However, these advances expose more sensitive data to the Internet, which increases information security risks. Additionally, according to the 2015 Verizon DBIR, finance companies are likely to be the victims of denial of service attacks. This was the cause of 184 incidents in the industry last year. [2]

Sensitive information includes:

- Client credit card/debit card data
- Client financial account information, including account and PIN numbers
- Employee Personally Identifiable Information (PII), including Social Security Numbers and Personal Health Information (PHI)
- Corporate confidential information regarding transactions, mergers and acquisitions
- Individual names, addresses, e-mail addresses, passwords, telephone numbers and Social Security numbers
- Other non-public personal information as defined by regulatory frameworks including but not limited to the Payment Card Industry Data Security Standard (PCI DSS) and the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data

Why are financial institutions a target?

Financial institutions are in possession of large amounts of personal client information with high monetary value, as well as volumes of valuable corporate confidential data. Financial institutions face significant exposure from network intruders quietly remaining within corporate networks for longer periods of time. With such large sets of data stored and potentially vulnerable (including client, employee and corporation data), financial institutions of all sizes face the risk of a catastrophic breach.

What are financial institutions' exposures?

ACE has vast knowledge in handling these types of security related incidents, with an experienced claims staff who have intimate knowledge of the intricacies of data incidents impacting financial institutions. According to ACE's proprietary claims data, the presence of hacking in the financial institutions industry is escalating rapidly:

- 2012: 46.67% of claims were hacks
- 2013: 28.57% of claims were hacks
- 2014: 14.29% of claims were hacks
- 2015 YTD: 88.89% of claims were hacks

Claims Triggers for Financial Institutions [4]

- Network Hack: 38%
- Lost Laptop: 13%
- Human Error: 12%
- Lost or Misplaced Tapes/CDs: 8%
- Privacy Policy Violations: 7%
- Employee Error: 7%
- Lost/Stolen Paper Documents/Records: 3%
- Other: 12%

Financial Institutions Claims Scenarios

Scenario #1: Phishing Attack On Employees

A group of employees were the target of a phishing email attack by a group of cyber criminals. The employees clicked on the links contained in the emails, inadvertently providing their access credentials to the bank's network. This gave hackers access to 15,000 client records containing personally identifiable information, including bank account numbers, PIN numbers, names, addresses and Social Security Numbers. The company was alerted to the attack when customers were notified that their accounts had been accessed from unusual access points.

Associated Costs: $265,000 for forensics, legal fees, notification and call center services

Scenario #2: Third Party Contractor Error

A financial institution hired a third party contractor to integrate its systems following a recent merger. An employee of the contractor accidentally uploaded the information of 20,000 employees and clients to a personal laptop, which was subsequently lost.

Associated Costs: $1.1 million for forensics, legal fees, liability costs, notification and call center services

The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year. [3]

Scenario #3: Network Extortion Demand

An individual gained access to a segment of a financial institution's network, which provided access to the bank account information and personally identifiable information of their high net worth clients. The individual alerted the bank of his position inside the company's network and made an extortion demand of $3.2 million, threatening to release the personal information if his demands were not met.

Associated Costs: $3.2 million to satisfy the extortion demand to avoid the release of information

HOW CAN YOU PROTECT YOUR DATA?

ACE introduced Loss Mitigation Services to help policyholders understand and gauge various areas of cyber security that are relevant to your business. Through early identification and remediation of cyber exposures, Loss Mitigation Services can help your organization reduce the likelihood and impact of a cyber incident. These services are available to all policyholders at any time as part of ACE's comprehensive cyber insurance solution.

All ACE policyholders benefit from access to a variety of free services, including self-assessments, white papers and webinars. ACE's portal, www.acecyberrisk.com, a web-based prevention resource, houses these materials to help policyholders manage their privacy and network risk. Seasonal webinars are broadcast to bring the latest threat intelligence to the entire policyholder community.

Loss Mitigation Services Available to Financial Institutions

Additional Loss Mitigation Services were created based on ACE's claims handling experience and in-house cyber security expertise. Here are just a few that are designed to meet the needs of financial institutions:

Information Governance: Know Where and What Data to Protect

A consultative service to help identify the privacy and protection considerations related to your organization's information, which guide how it should be managed from creation to deletion. All companies handle sensitive data to varying degrees, ranging from social security numbers to trade secrets and company confidential information. This offering is tailored to what your company does and your relative risk profile.

PCI Compliance Assessment: Comply with Credit Card Security Requirements

A baseline assessment of your company's alignment with the compliance requirements of the Payment Card Industry Data Security Standard (PCI-DSS). This service is great for any business that accepts credit card payments from the major card brands. The report identifies major compliance gaps with PCI-DSS and what steps you need to take to obtain or maintain compliance with this standard.

Security Awareness: Elevate Employee Awareness for Protecting Information

A simulated email attack (i.e., phishing) is sent to a target subset of employees to see which employees click on the link. Online training is then provided for those who fail the simulation. The benefit? Ensuring your workforce can identify and respond accordingly to the most common types of cyber-attacks.

Security Ratings for Data-Driven Risk Management: Evaluate the Security Performance of Any Company

This service includes security ratings that provide continuous cyber security performance measurements of your company and up to three of your peer and/or third party vendors. The data is gathered from publicly accessible sources; no information is needed from the rated companies. Having access to quantitative, objective metrics indicating how well the businesses of most interest to them are defending themselves against cyber threats and attacks can be beneficial to any company.

Vendor Management: Validate Your Contracts Address Privacy and Information Security Exposures

Independent legal analysis and reporting of up to three agreements, identifying how well they address basic privacy policy and information security exposures. All companies benefit from this service, but especially those dealing with outside vendors for technology services, such as cloud applications, web hosting and external IT services.

Post-Breach Response: ACE's Data Breach Team

Privacy and network security risks are constantly evolving, and each breach is unique. As a result, law firms, forensic companies and other service providers cannot single-handedly meet the unique challenges of each exposure. ACE's Data Breach Team, an integrated and complementary team of independent third-party specialists, bridges the gap between risk transfer and purchased loss control, creating a comprehensive risk management program for privacy, data breach and network security risk. ACE's Data Breach Team members specialize in their particular areas of expertise and seamlessly work with other team members to tailor an effective response to each incident.

ACE's Privacy Protection policyholders have access to independent panel firms at pre-negotiated rates, including the following services:

- Legal
- Credit monitoring
- Computer forensics
- Fraud consultation
- Notification and call center
- Identity restoration
- Public relations
- Crisis communications

www.acegroup.com/us/privacyprotection

CONTACT

ACE provides coverage capabilities and limit capacity targeted to financial institutions of various sizes, and we employ experts from a variety of fields to service the needs of our clients. From white hat hackers holding CISSP certification, to highly specialized underwriters experienced in personalizing coverage to meet policyholder needs, to experienced claim staff deftly skilled at handling complex claims, ACE's accomplished team is adept at managing the challenging exposures of financial institutions. For additional information, email ProfessionalRiskEOProducts@acegroup.com.

Unless otherwise referenced, all data is derived from ACE's proprietary claims data as of July 2015.

[1] Verizon (April 2015), Verizon 2015 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/dbir/2015/.
[2] Ibid.
[3] PwC (September 2014), Global State of Information Security Survey 2015. Retrieved from http://www.pwc.com/gsiss2015.
[4] ACE North American Claims, Claims Data as of May 2015.
[5] PwC (September 2014), Global State of Information Security Survey 2015. Retrieved from http://www.pwc.com/gsiss2015.

The claim scenarios described here are hypothetical and are offered solely to illustrate the types of situations that may result in claims. These scenarios are not based on actual claims and should not be compared to an actual claim. The precise coverage afforded by any insurer is subject to the terms and conditions of the policies as issued. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.

Loss Mitigation Services are designed to help policyholders assess and improve the risks we insure. While we believe the information we provide or facilitate is gathered from reliable sources, we make no guaranty that losses will be fewer or less severe. We also assume no responsibility to implement any resulting recommendations. Loss Mitigation Services are available to purchase from the specific vendor for a fee. The vendors are not providers of insurance services and are not affiliated with ACE.

ACE USA is the U.S.-based retail operating division of ACE Group. ACE Group is a global leader in insurance and reinsurance, serving a diverse group of clients. Not all products are available in all states. Surplus lines products are only written through licensed surplus lines brokers. Headed by ACE Limited (NYSE: ACE), a component of the S&P 500 stock index, ACE Group conducts its business on a worldwide basis, with operating subsidiaries in 54 countries.

2015 ACE 617550 09/2015