Cyber Exposure for Credit Unions: What it is and how to protect yourself
Lockton, 2012, www.lockton.com
Cyber Exposure Overview
- #1 financial risk for Credit Unions
  - Average cost of a data breach: $7.2M, up 7% from 2009 (2011)
  - 6th straight year that the cost of a data breach has increased
  - Most expensive data breach in 2010: $35M, up $4.8M from 2009
- #1 reputational risk for Credit Unions
  - Damage to reputation has a permanent impact on member relations
  - Loss of customers after a breach is the largest cost for a 2nd straight year
- #1 uninsured risk for Credit Unions
  - Misperception that the Bond provides coverage
  - Without a separate cyber policy, the credit union is mostly uninsured (maybe even unknowingly)
Data Breach: What are the Costs?
There are significant compliance costs even if there is not a lawsuit.
Ponemon Institute, per-member cost:

Cost                     2009   2010
Detection & Escalation     $8    $13
Notification              $15    $15
Response                  $46    $51
Lost Business            $135   $134
Total                    $204   $214

Potential exposure by Credit Union (at $214 per member):
- Small CU: 1,000 members = $214,000 potential exposure
- Medium CU: 10,000 members = $2,140,000 potential exposure
- Large CU: 50,000 members = $10,700,000 potential exposure
Most data breach costs are not currently insured.
Presentation Overview
- What are my regulatory and compliance requirements as a data owner?
- What is the resultant exposure I have as a data owner in the event of a breach?
- For what areas is insurance coverage available?
Your Exposure: Am I a Data Owner?
Data
- How many individuals' personal information do you have in your care, custody or control?
- What kind of personal information do you have (name, address, CCN, email address, SSN, etc.)?
Where
- Do you host your network and data? OR do you outsource your network and/or data?
- It doesn't matter whether you host or outsource: you are legally liable in both cases (the data is under your care, custody or control)
Legally Liable
- If "Data" applies to you, you have exposure, as you ARE a data owner
- You have the duty to notify in the event of a Data Breach
- You are legally responsible for how you protect, collect, share, and provide access to the data
What is GLBA?
- Gramm-Leach-Bliley Act (GLBA): Federal law that applies to all Credit Unions
- Applies to Nonpublic Personal Information (NPI), which is personally identifiable financial information
- Allows CUs to share NPI with non-affiliated entities IF they provide notice first and allow for opting out
- CUs cannot disclose account or credit card numbers in marketing information
- GLBA sets the floor with respect to minimum requirements; it does not preempt State laws that provide greater protection to privacy
GLBA: Where Does My Exposure Come From?
Safeguards Rule
- Physical Security, such as access management to data centers, servers, equipment, or off-site storage
- Administrative Security, such as access rights management to systems, equipment or data
- Technical Security, such as Encryption, Intrusion Detection Systems, Data Leakage Prevention
Privacy Rule
- FTC and Federal FI Regulators establish standards for Privacy Notices
- Can only share NPI with 3rd parties for their own use if an exemption exists or NO opt-out is received
- Ensure service providers do NOT use data for other purposes
Exposures Beyond GLBA: What Are They?
Breach of Confidentiality (Tort)
- Duty to maintain the confidentiality of the member's information
- For example, it's an implied term of the contract between the CU and the member that the credit union will not divulge NPI to third parties without the member's consent
Negligence
- Duty of care and conduct by the entity falls below the applicable standard of care (i.e., breach of duty), which results in damages
- For example, a failure to provide reasonable security
State Statutes
- VT Privacy of Consumer Financial and Health Information Regulation
- CA Financial Information Privacy Act (SB1)
- State SSN laws requiring special rules for SSNs
Don't Forget FCRA
Fair Credit Reporting Act, amended by the Fair and Accurate Credit Transactions Act (FACTA)
Why
- You furnish information to a Credit Reporting Agency
- You use consumer credit reports
- The Red Flags Rule applies to Creditors and Financial Institutions
What
- Consumer credit reports may only be used for permissible purposes
- 3rd-party data used for substantive decision-making purposes must be accurate, current, and complete
- The member must receive notice when a consumer report is used to make an adverse decision
$$$
- FCRA creates liability for willful and negligent violations
- Provides for statutory damages for willful violations ($100 - $1k per person) plus any actual damages sustained by the member
What is my Exposure?
Resultant Types of Cyber Exposure
Liability
- Suits from your members
- Member Class Action Suits
Regulatory
- FTC and FI Regulators
- Privacy Regulatory Proceedings, including Fines and Member Redress Funds
- Defense costs
Privacy Event Expenses
- Notification Costs
- Forensics
- Legal and PR
- Credit Monitoring
Your Exposure Is More Than a Data Breach
Business Practices
- Did you give an initial and annual privacy notice to your members?
- Did you process the opt-out requests by your members within 30 days?
- Whether you host your own network/systems/data or outsource to a 3rd party, you're still legally responsible
Technology
- Do you offer your members a mobile application?
- Website: are you using tracking technologies on your website, such as Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/ETags, and disclosing them to your members, including what is collected and who you share it with?
Privacy Policy
- Is your Privacy Policy clear and conspicuous? "Clear and conspicuous" means that a notice must be reasonably understandable and designed to call attention to the nature and significance of the information in the notice
Industry Incidents

When   What                                          Company
2012   Debit & credit card breach                    ELGA Credit Union
2012   50,000 accounts compromised                   Global Payments Inc.
2012   Hack of member card accounts                  First Educators Credit Union
2012   Documents stolen from car                     Servus Credit Union
2011   Lost laptop containing member information     CEFCU
2011   Malware attack on member accounts             Pentagon Federal Credit Union
2009   Potentially over 100 million records hacked   Heartland Payment Systems
Data Breach: Who, How and Things in Common

Who? (causing them)    How? (getting hacked)    Things in Common
92% external           50% hacking              96% avoidable through internal controls
17% internal           49% malware              92% not very sophisticated
9% multiple parties    29% physical attacks     86% discovered by 3rd party
1% vendors             17% privilege misuse     76% were compromised on a server
                       11% social engineering
Data Breach: Will My Bond Insure These Costs?
As part of your Bond, there is coverage for Electronic Crime; however, this insures the Credit Union for loss of monies and does not cover any of the cyber costs:
- Loss of data
- Any losses your members may suffer
- Any detection costs
- Notification and compliance costs
- Credit Monitoring
- Reputational & Crisis Management costs
- Loss of members and business
Since the Bond is not designed to cover these costs, a separate Cyber Policy is needed to provide these specialized coverages.
Cyber Insurance Marketplace
Why Transfer Cyber Risk Through Cyber Insurance?
- Many functions are conducted by outside vendors and contractors who may lack the insurance and assets to respond; what if the vendor makes a systemic mistake?
- Traditional P&C insurance does not cover Network Security Liability or adequately address Privacy Liability (and provides no 1st-party reimbursement of expenses)
- PCI (credit card industry security standards) compliant companies have had their security compromised through process lapse, human error, or a criminal insider
- Member fallout from uncovered losses, with large claim and class action potential and major impact on brand and reputation
- No system can be designed to eliminate the potential for loss, as people and process failures cannot be eliminated; insiders may be perpetrators
- Responsibility rests with the data owner from a legal and regulatory perspective, and under credit card association operating regulations
Cyber Coverages
Network Security Liability
- Claim Expenses and Damages emanating from Network and non-network security breaches
Media Liability
- Claim Expenses and Damages emanating from Personal Injury Torts and Intellectual Property Infringement (except Patent Infringement)
- Claim Expenses and Damages emanating from Electronic Publishing (web-site); some carriers will provide coverage for all ways in which a company can utter and disseminate matter
Privacy Liability
- Claim Expenses and Damages emanating from violation of a Privacy Tort, Law or Regulation
- Claim Expenses and Damages emanating from a violation of a law or regulation arising out of a Security Breach
Privacy Regulatory Proceeding and Fines
- Claim expenses in connection with a Privacy Regulatory inquiry, investigation or proceeding
- Damages/Fines (varies by market): Member Redress Fund, Privacy Regulations Fines, PCI Fines (varies by market)
Cyber Coverages (continued)
Technology Liability and Miscellaneous Professional Liability (add-on)
- Claim Expenses and Damages emanating from a Wrongful Act (varies by market) in the performance of, or failure to perform, Technology Services or your MPL Services (tailored by definition in the policy)
- Claim Expenses and Damages emanating from your Technology Products' failure to perform or serve the purpose intended
Privacy Event Expense Reimbursement
- Expense reimbursement for 3rd-party Forensics costs
- Public Relations costs
- Legal
- Mandatory Notification Costs (to comply with Security Breach Notification Laws)
- Voluntary Notification Costs
- Credit Monitoring
- Call Center
Extortion Payments
- Reasonable and necessary expenses and any funds or property paid (varies by company)
1st Party Cyber Coverages
Data/Electronic Information Loss
- Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack
Business Interruption or Network Failure Expenses
- Covers the cost of lost net revenue and extra expense arising from a computer attack and other human-related perils
- Especially valuable for computer networks with high availability needs
Cyber-extortion
- Covers both the cost of investigation and the extortion demand amount related to a threat to commit a computer attack, implant a virus, etc.
Reputational Harm (Lockton Exclusive)
Cyber Insurance Marketplace
- Tailored insurance solutions based on your exposures
- No coverage/policy uniformity in the marketplace
- Capacity: $200M - $250M ($50M for 1st-party network BI)
Cyber Insurance Marketplace: Two Different Approaches
Indemnity
- Reimbursement policies allow the insured to hire vendors (with consent from the carrier)
- Will vary by carrier, ranging from recommending vendors who can manage a data breach response to providing a risk transfer solution (reimbursement of privacy event expenses)
- Privacy event expenses are typically subject to a sub-limit and will erode the policy aggregate limit
Vendor Panels
- Automatic vendors provided by the carrier's established breach panels
- Some carriers offer notification costs outside of the aggregate limit
- Some carriers offer notification costs per affected individual rather than monetary sub-limits
What Differentiates Lockton?
Lockton Differentiators
- Customized Approach
- References
- C-Suite Credibility
- Improved Coverage Forms
- Dedicated Team
- Risk Management Consultative Services
- Unique Wordings
- Expert Breach Security Panel
How Can We Help?
- Underwriting Briefing: an investor-style briefing of IT security and privacy controls, rather than completing long applications
- Gap analysis of existing placements, combining performance failures (E&O), media, IP, and cyber
- Design, marketing, and placement: full access to key U.S. and international markets
- Dedicated exclusive wordings: the only one in the marketplace with reputational harm coverage
- Support for risk management efforts: Risk Severity Analysis; contract analysis with clients and vendors
- Claims assistance: security breach expert panel and assistance in designing a contingency plan
www.lockton.com
© 2012 Lockton, Inc. All rights reserved. Images © 2012 Thinkstock. All rights reserved.