Cyber Exposure for Credit Unions

Cyber Exposure for Credit Unions: What it is and how to protect yourself
LOCKTON 2012
www.lockton.com

Cyber Exposure Overview

#1 financial risk for Credit Unions
- Average cost of a data breach - $7.2 M up 7% from 2009
- 2011 - 6th straight year costs of data breach have increased
- Most expensive data breach in 2010 - $35 M up $4.8 M from 2009

#1 reputational risk for Credit Unions
- Damage to reputation has a permanent impact to member relations
- Loss of customers after a breach is the largest cost for a 2nd straight year

#1 uninsured risk for Credit Unions
- Misperception that the Bond provides coverage
- Without a separate cyber policy, the credit union is mostly uninsured (maybe even unknowingly)

Data Breach: What are the Costs?

There are significant compliance costs even if there is not a lawsuit.

Ponemon Institute - per member cost

Cost                      2009    2010
Detection & Escalation    $8      $13
Notification              $15     $15
Response                  $46     $51
Lost Business             $135    $134
Total                     $204    $214

Potential exposure by Credit Union:
- Small CU: 1,000 members = $214,000 potential exposure
- Medium CU: 10,000 members = $2,140,000 potential exposure
- Large CU: 50,000 members = $10,700,000 potential exposure

Most data breach costs not currently insured

Presentation Overview
- What are my regulatory and compliance requirements as a data owner?
- What is the resultant exposure I have as a data owner in the event of a breach?
- For what areas is insurance coverage available?

Your Exposure: Am I a Data Owner?

Data
- How many individuals' personal information do you have in your care, custody or control?
- What kind of personal information do you have (name, address, CCN, email address, SSN, etc.)?

Where
- Do you host your network and data? OR
- Do you outsource your network and/or data?
- Doesn't matter whether you host or outsource: you are legally liable in both cases (data is under your care, custody or control)

Legally Liable
- If "Data" applies to you, you have exposure as you ARE a data owner
- You have the duty to notify in the event of a Data Breach
- You are legally responsible for how you protect, collect, share, and provide access to the data

What is GLBA?

Gramm Leach Bliley Act (GLBA)
- Federal law applies to all Credit Unions
- Applies to Nonpublic Personal Information (NPI), which is personally identifiable financial information
- Allows CUs to share NPI with non-affiliated entities IF they provide notice first and allow for opting-out
- CUs cannot disclose account or credit card numbers in marketing information
- GLBA sets the floor with respect to minimum requirements; it does not preempt State laws that provide greater protection to privacy

GLBA: Where Does My Exposure Come From?

Safeguards Rule
- Physical Security, such as access management to data centers, servers, equipment, or off site storage
- Administrative Security, such as access rights management to systems, equipment or data
- Technical Security, such as Encryption, Intrusion Detection System, Data Leakage Prevention

Privacy Rule
- FTC & Fed FI Regulators establish standards for Privacy Notices
- Can only share NPI with 3rd parties for their own use if any exemption exists or NO opt out is received
- Ensure service providers do NOT use data for other purposes

Exposures Beyond GLBA: What Are They?

Breach of Confidentiality (Tort)
- Duty to maintain the confidentiality of the member's information
- For example, it's an implied term of the contract between the CU and member that the credit union will not divulge NPI to third parties without consent by the member

Negligence
- Duty of care, and conduct by the entity falls below the applicable standard of care (i.e., breach of duty), which results in damages
- For example, a failure to provide reasonable security

State Statutes
- VT Privacy of Consumer Financial and Health Information Regulation
- CA Financial Information Privacy Act (SB1)
- State SSN laws requiring special rules for SSNs

Don't Forget FCRA

Fair Credit Reporting Act
Amended by the Fair and Accurate Credit Transaction Act (FACTA)

Why
- You furnish information to a Credit Reporting Agency
- You use consumer credit reports
- Red Flags Rule applies to Creditors and Financial Institutions

What
- Consumer credit reports may only be used for permissible purposes
- 3rd party data used for substantive decision making purposes must be accurate, current, and complete
- Member must receive notice when a consumer report is used to make an adverse decision

$$$
- FCRA creates liability for willful and negligent violations
- Provides for statutory damages for willful violations ($100 - $1k per person) plus any actual damages sustained by the member

What is my Exposure?

Resultant Types of Exposure

Cyber Exposure

Liability
- Suits from your members
- Member Class Action Suits

Regulatory
- FTC and FI Regulators
- Privacy Regulatory Proceedings inc. Fines and Member Redress Funds
- Defense costs

Privacy Event Expenses
- Notification Costs
- Forensics
- Legal and PR
- Credit Monitoring

Your Exposure Is More Than a Data Breach

Business Practices
- Did you give an initial and annual privacy notice to your members?
- Did you process the opt out requests by your members within 30 days?

Technology
- Whether you host your own network/systems/data or outsource to a 3rd party, you're still legally responsible
- Do you offer your members a mobile application?

Privacy Policy
- Is your Privacy Policy "clear and conspicuous"? This means that a notice must be reasonably understandable and designed to call attention to the nature and significance of the information in the notice

Website
- Are you using tracking technologies on your website, such as Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags, and disclosing them to your members, including what is collected and who you share it with?

Industry Incidents

When    What                                           Company
2012    Debit & credit card breach                     ELGA Credit Union
2012    50,000 accounts compromised                    Global Payment Inc.
2012    Hack of member card accounts                   First Educators Credit Union
2012    Documents stolen from car                      Servus Credit Union
2011    Lost laptop containing member information      CEFCU
2011    Malware attack to member accounts              Pentagon Federal Credit Union
2009    Potentially over 100 million records hacked    Heartland Payment Systems

Data Breach: Who, How and Things in Common

Who? (causing them)
- 92% external
- 17% internal
- 9% multiple parties
- 1% vendors

How? (getting hacked)
- 50% hacking
- 49% malware
- 29% physical attacks
- 17% privilege misuse
- 11% social engineering

Things In Common
- 96% avoidable through internal controls
- 92% not very sophisticated
- 86% discovered by 3rd party
- 76% were compromised on a server

Data Breach: Will My Bond Insure These Costs?

As part of your Bond, there is coverage for Electronic Crime. However, this insures the Credit Union for loss of monies and does not cover any of the cyber costs:
- Loss of data
- Any losses your members may suffer
- Any detection costs
- Notification and compliance costs
- Credit Monitoring
- Reputational & Crisis Management costs
- Loss of members and business

Since the Bond is not designed to cover these costs, the development of a separate Cyber Policy is needed to provide these specialized coverages

Cyber Insurance Marketplace

Why Transfer Data Cyber Risk Through Cyber Insurance?
- Many functions are conducted by outside vendors and contractors who may lack insurance and assets to respond; what if the vendor makes a systemic mistake?
- Traditional P&C insurance does not cover Network Security liability or adequately address Privacy Liability (and provides no 1st party reimbursement of expenses)
- PCI (credit card industry security standards) compliant companies have had their security compromised from process lapse, human error, or criminal insider
- Member fallout from uncovered losses, with large claim and class action potential and major impact on brand and reputation
- No system can be designed to eliminate the potential for loss, as people and process failures cannot be eliminated. Insiders may be perpetrators
- Responsibility rests with the data owner from a legal, regulatory perspective, and credit card association operating regulations

Cyber Coverages

Network Security Liability
- Claim Expenses and Damages emanating from Network and non-network security breaches

Media Liability
- Claim Expenses and Damages emanating from Personal Injury Torts and Intellectual Property Infringement (except Patent Infringement)
- Claim Expenses and Damages emanating from Electronic Publishing (web-site), and some will provide coverage for all ways in which a company can utter and disseminate matter

Privacy Liability
- Claim Expenses and Damages emanating from violation of a Privacy Tort, Law or Regulation
- Claim Expenses and Damages emanating from a violation of a law or regulation arising out of a Security Breach

Privacy Regulatory Proceeding and Fines
- Claim expenses in connection with a Privacy Regulatory inquiry, investigation or proceeding
- Damages/Fines (varies by market)
  - Member Redress Fund
  - Privacy Regulations Fines
  - PCI Fines (varies by market)

Cyber Coverages (continued)

Technology Liability and Miscellaneous Professional Liability (add-on)
- Claim Expenses and Damages emanating from a Wrongful Act (varies by market) in the performance of or failure to perform Technology Services or your MPL Services (tailored by definition in the policy)
- Claim Expenses and Damages emanating from your Technology Products' failure to perform or serve the purpose intended

Privacy Event Expense Reimbursement
- Expense reimbursement for 3rd party
  - Forensics costs
  - Public Relations costs
  - Legal
  - Mandatory Notification Costs (Comply with Security Breach Notification Laws)
  - Voluntary Notification Costs
  - Credit Monitoring
  - Call Center
- Extortion Payments
  - Reasonable and necessary expenses and any funds or property paid (varies by company)

1st Party Cyber Coverages

Data/Electronic Information Loss
- Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack

Business Interruption or Network Failure Expenses
- Covers cost of lost net revenue and extra expense arising from a computer attack and other human-related perils. Especially valuable for computer networks with high availability needs

Cyber-extortion
- Covers both the cost of investigation and the extortion demand amount related to a threat to commit a computer attack, implant a virus, etc.

Reputational Harm (Lockton Exclusive)

Cyber Insurance Marketplace
- Tailored insurance solutions based on your exposures
- No coverage/policy uniformity in the marketplace
- Capacity $200M - $250M ($50 M 1st party network BI)

Cyber Insurance Marketplace: Two Different Approaches

Indemnity
- Reimbursement policies allow the insured to hire vendors (with consent from the carrier)
- Will vary by carrier and range from recommending vendors who can manage a data breach response to providing a risk transfer solution (reimbursement of privacy event expenses)
- Privacy event expenses are typically subject to a sub-limit and will erode the policy aggregate limit

Vendor Panels
- Automatic vendors provided by carriers established breach panels
- Some carriers offer notification costs outside of the aggregate limit
- Some carriers offer notification costs per affected individual rather than monetary sublimits

What Differentiates Lockton?

Lockton Differentiators
- Customized Approach
- References
- C-Suite Credibility
- Improved Coverage Forms
- Dedicated Team
- Risk Management Consultative Services
- Unique Wordings
- Expert Breach Security Panel

How Can We Help?
- Underwriting Briefing - Investor style of IT security and privacy controls, rather than completing long applications
- Gap analysis of existing placements, combining performance failures (E&O), media, IP, and cyber
- Design, marketing, and placement - full access to key U.S. and international markets
- Dedicated exclusive wordings - only one in the marketplace with reputational harm coverage
- Support for risk management efforts:
  - Risk Severity Analysis
  - Contract analysis with clients and vendors
  - Claims assistance - security breach expert panel and assistance in designing a contingency plan

www.lockton.com 2012 Lockton, Inc. All rights reserved. Images 2012 Thinkstock. All rights reserved.