Best practices and insight to protect your firm today against tomorrow's cybersecurity breach



Best practices and insight to protect your firm today against tomorrow's cybersecurity breach. July 8, 2015. Baker Tilly Virchow Krause, LLP. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Real life examples, firm 1: Data security is an issue for firms regardless of size. Source: Maryland Injury Lawsuit Information Center

Real life examples, firm 2: Cyber criminals attack domestically and internationally. Source: Bloomberg Business

Real life examples, firm 3: If your firm was being hacked, would you know what to do? Source: PC Magazine

What information does your firm need to secure?
Personal information
> Personally Identifiable Information (PII): key data elements describing an individual client, employee, or interested party: name, address, date of birth, telephone, e-mail address, Social Security number, ZIP code, biometric data (thumbprints, retina scans, etc.)
> Protected Health Information (PHI): healthcare-based treatment information, medical history, and health insurance information, including many elements of PII included in such records
Corporate information
> Intellectual property
> Business strategy
> Merger and acquisition (M&A) documents
> Blueprints
> Contracts

What information does your firm need to secure? (cont.)
Payment Cardholder Information (PCI)
> Credit/debit card data: includes account numbers, expiration dates, security codes, etc., and insurance account information, etc.
Cyber-based data
> Web browser history
> Cookie information
> Metadata
> IP addresses

Insuring against data breaches
Cyber risk is increasingly prevalent and costly, and it cannot be completely eliminated through policies, procedures, and technology.
> Several dozen insurers now offer cyber insurance specifically tailored for law firms
> As competition has increased, coverage has broadened and prices have come down
> Purchasers of cyber insurance need to read the policies carefully or get assistance from their broker: there is little consistency between cyber policies and great variability in the breach prevention/response services offered

Insuring against data breaches (cont.)
> Too often firms believe they can self-insure, but consider all the possible exposures:
First party: loss of data, loss of income, forensic expenses, PR costs, notification, credit monitoring, reputational damage, extortion expenses
Third party: regulatory investigations, penalties, civil fines, legal expenses, judgments/settlements arising from data breaches caused by a firm's failure of security

Insuring against data breaches (cont.)
Which of my insurance policies will respond to a cyber loss?

Coverage enhancements
Aim to secure the following coverage enhancements:
> Choice of panel counsel
> Coordinated retention endorsements (use the cyber policy retention on mixed LPL/cyber policy claims)
> Amend the "other insurance" clause to coordinate with professional liability insurance and any other relevant policies
> Prior acts coverage
> Privacy regulatory fines/penalties (not included under all standard forms)

Coverage enhancements (cont.)
Aim to secure the following coverage enhancements (cont.):
> 1st party business interruption (not standard under all forms)
> 1st party coverage for the insured's negligence that causes a system interruption resulting in loss of income (sometimes termed "system failure")
> Cyber terrorism coverage and a carve-back to the war exclusion
> A tight control group (management committee, CFO, GC) around the intentional acts exclusion, to ensure rogue employees are covered
> A few insurers provide coverage for reputational harm, including reimbursement of lost revenue resulting from a client deciding to no longer use the firm after a breach/cyber incident

Coverage limitations
Coverage limitations to avoid:
> Narrow definition of confidential information
> Narrow definition of Personally Identifiable Information: does it just cover name, DOB, and SSN? Or others such as driver's ID, credit or bank information, passwords, PINs, unique biometric data, etc.?
> Encryption exclusion (laptops, mobile devices, data in transit, etc.)
> Limitation on coverage for data outside of an insured's network or premises (cloud providers or other outsourced vendors)
> Limitations on voluntary notification (i.e., only where required by law) or credit monitoring costs
> Lack of coverage for physical theft of hardware from the insured's premises
> No coverage for breaches caused by rogue employees

Best practices
Getting secure: where to start?
> Perform a penetration test against your firm (external versus internal testing)
> Choose and adopt a security framework: National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO)

Best practices (cont.)
Getting secure: where to start?
> Perform a risk assessment (gap analysis) against the security framework
> Prioritize remediation of gaps; consider the criticality of data (where are your firm's crown jewels stored?)
> Third party vendor assessment
> Review controls over disbursement of funds; consider the various ways that funds leave your firm

Best practices (cont.)
Security low hanging fruit
> Firm policies: Information Security Policy, Acceptable Use of Technology Policy
> Information security training. Who gets trained? Lawyers and support staff
> Physical security: secure your firm (lock doors, etc.) and physical files

Best practices (cont.)
Cybersecurity top 10
1. Network security
2. Wireless security
3. Mobile device security
4. Vendors / contractors
5. Data encryption
6. People / training
7. Identity management controls
8. Disaster recovery (data backup, restore plans)
9. Incident response plans
10. Logging and monitoring

Disclosures
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2015 Baker Tilly Virchow Krause, LLP.