RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

Similar documents
CYBER READINESS FOR FINANCIAL INSTITUTIONS

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

CYBER INSURANCE. Cyber Insurance and Gaps in Traditional Insurance. Cyber and E&O Team Willis FINEX North America

Cyber/ Network Security. FINEX Global

Data Breach and Senior Living Communities May 29, 2015

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

Cyber/Information Security Insurance. Pros / Cons and Facts to Consider

Privacy / Network Security Liability Insurance Discussion. January 30, Kevin Violette RT ProExec

CYBER RISK SECURITY, NETWORK & PRIVACY

Joe A. Ramirez Catherine Crane

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

ISO? ISO? ISO? LTD ISO?

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Discussion on Network Security & Privacy Liability Exposures and Insurance

Rogers Insurance Client Presentation

Embracing Cyber Risk: Insurance Solutions

Cyber Risk Insurance for Agents. Frequently Asked Questions

How To Cover A Data Breach In The European Market

Cyber Insurance Presentation

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

NZI LIABILITY CYBER. Are you protected?

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Cyber Threats: Exposures and Breach Costs

Managing Cyber Risk through Insurance

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

Cyber Insurance as one element of the Cyber risk management strategy

Network Security & Privacy Landscape

Cyber and data Policy wording

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace

Mitigating and managing cyber risk: ten issues to consider

CYBER/ NETWORK SECURITY

Cyber Threats and the Insurance Response

Managing Cyber & Privacy Risks

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Retail Roundtable: Payment System Cyber Attacks Preparing, Protecting, and Responding. June 11, 2014

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Specialty Risk Protector

Enterprise PrivaProtector 9.0

How To Protect Yourself From Cyber Threats

Cyber-Crime Protection

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Updates within Network Security and Privacy Risk Management

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Privacy and Data Breach Protection Modular application form

IRONSHORE SPECIALTY INSURANCE COMPANY 75 Federal St. Boston, MA Toll Free: (877) IRON411

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group Ext. 7029

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

What would you do if your agency had a data breach?

Zurich Security And Privacy Protection Policy Application

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

CYBER SECURITY SPECIALREPORT

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

Be Afraid, Be Very Afraid!!! Hacking Out the Pros and Cons of Captive Cyber Liability Insurance

Data security: A growing liability threat

Understanding the Business Risk

Tools Conference Toronto November 26, 2014 Insurance for NFP s. Presented by Paul Spark HUB International HKMB Limited

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

cyber invasions cyber risk insurance AFP Exchange

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

Insurance implications for Cyber Threats

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

Cyberinsurance: Insuring for Data Breach Risk

Cyber-insurance: Understanding Your Risks

Transcription:

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015

THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former employees exploit back-doors Theft of Intellectual Property Security compromise loss of sensitive client data Infrastructure downtime may lead to Dependent Business Interruption claim Intent is to disrupt and/or embarrass a target Motivations are fickle and unpredictable Massive DDoS attack Cloud or 3 rd party Compromise Hacktivists Malicious Insider Exposures that lead to a potential Data Breach Criminal Hackers Access controls and behavior monitoring insufficient to detect insider threats Negligent Insider Unwary insiders susceptible to attacks that exploit traditional security controls (e.g. spear phishing) Users who fail to embrace culture of security will find ways to circumvent inconvenient security controls Patience is a virtue. Tactics have evolved from hit and run to infiltrate and stay. Industrialization - Black markets exist for all types of personal information Proliferation of mobile platforms and BYOD policies creates new vectors

THREAT ENVIRONMENT Verizon 2015 Data Breach Investigation Report

INCIDENTS vs. BREACHES Verizon 2015 Data Breach Investigation Report

Frequency of Data Disclosures by Incident Patterns and Victim Industry Verizon 2015 Data Breach Investigation Report

CONDENSED DATA BREACH TIMELINE 1. Discovery 2. Initial Response and Evaluation After suffering an intrusion or breach, an entity may become aware of the situation through a number of different ways. Some are more preferable than others: Discovery: 1. Self Discovery 2. Customer Inquiry or Vendor Awareness 3. Notification and Communication from Law Enforcement or Regulators Upon becoming aware of the situation, the breached entity will put their internal incident response plan into action. The key individuals on the Internal Response Team will actively address their designated responsibilities in an attempt to mitigation negative consequences. Outside Legal and Forensics may be determined necessary: 1. Forensics to determine the extent of the event 2. Legal/Data Breach Coaching (Obligations/Options, etc.) 3. External Response Notification (Obligatory and/or Voluntary) Credit Monitoring and Identity Theft related offerings Public Relations and Media Facing 4. Continuing Ramifications Income Loss and Damage to Brand Reputation Regulatory Actions and Fines/ Penalties, PCI Fines & Penalties, Consumer Redress Civil Litigation

POTENTIAL COSTS OF A DATA BREACH Willis Estimated Data Breach Costs (based on number of affected individuals compromised) 1,000 10,000 100,000 500,000 1,000,000 10,000,000 100,000,000 PRIVACY EXPENSES Privacy Expense (Forensics/Crisis) $35,000 $140,000 $270,000 $530,000 $1,050,000 $1,750,000 $3,500,000 Forensics Investigation $25,000 $100,000 $200,000 $400,000 $750,000 $1,000,000 $2,000,000 Data Breach Coach $10,000 $20,000 $30,000 $50,000 $100,000 $250,000 $500,000 Public Relations $0 $20,000 $40,000 $80,000 $200,000 $500,000 $1,000,000 Privacy Expense (Notice/Credit Monitoring) $8,500 $80,000 $800,000 $3,625,000 $4,800,000 $40,000,000 $325,000,000 Customer Notification $2,000 $15,000 $150,000 $625,000 $1,000,000 $9,000,000 $50,000,000 Call Center $1,000 $10,000 $100,000 $500,000 $800,000 $5,000,000 $20,000,000 Credit Monitoring $4,500 $45,000 $450,000 $2,250,000 $2,500,000 $25,000,000 $250,000,000 Identity Fraud Remediation $1,000 $10,000 $100,000 $250,000 $500,000 $1,000,000 $5,000,000 Privacy Expense Total: $43,500 $220,000 $1,070,000 $4,155,000 $5,850,000 $41,750,000 $328,500,000 (Privacy Expense Cost per record) $43.50 $22.00 $10.70 $8.31 $5.85 $4.18 $3.29 PRIVACY LIABILITY Regulatory Defense/Fines $0 $0 $350,000 $750,000 $1,500,000 $6,000,000 $15,000,000 State Regulatory (AG) $0 $0 $250,000 $250,000 $500,000 $1,000,000 $5,000,000 Federal Regulatory (FTC) $0 $0 $100,000 $500,000 $1,000,000 $5,000,000 $10,000,000 PCI Fines/Penalties $0 $10,000 $20,000 $100,000 $500,000 $1,000,000 $2,000,000 Civil Liability $9,000 $180,000 $900,000 $3,900,000 $7,000,000 $45,000,000 $330,000,000 Legal Defense/Damages/Class Actions $0 $100,000 $300,000 $900,000 $2,000,000 $5,000,000 $30,000,000 Card Reissuance Liability $9,000 $80,000 $600,000 $3,000,000 $5,000,000 $40,000,000 $300,000,000 Privacy Liabilty Total: $9,000 $190,000 $1,270,000 $4,750,000 $9,000,000 $52,000,000 $347,000,000 Total Data Breach Cost: $52,500 $410,000 $2,340,000 $8,905,000 $14,850,000 $93,750,000 $675,500,000 Per Record Cost: Retail $52.50 $41.00 $23.40 $17.81 $14.85 $9.38 $6.76 Assumptions: Credit Monitoring: $15 per individual (10%-15% take-up rate) Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)

CYBER INSURANCE COVERAGE Network Security Liability: Provides defense and liability coverage for claims resulting from the compromise of computer security ( -i.e. unauthorized access or use, denial of service attacks, receipt or transmission of malicious code) Privacy Liability: Provides defense and liability coverage for claims resulting from your failure to maintain the privacy of information entrusted to you. Examples of Sensitive Information: Protected Health Information; Personally Identifiable Information; or a Third Party s Confidential Corporate Information that you are required to keep confidential.

CYBER INSURANCE COVERAGE Online Media Liability: Provides coverage for claims resulting from advertising and other on-line media content disseminated by the insured (i.e. copyright infringement, commercial misappropriation of another s name, persona or likeness, defamation, libel, slander, trade libel or product disparagement.) Regulatory Defense Fines and Penalties: Provides coverage for proceedings brought by a government agency for an alleged violation of privacy regulations resulting from a breach of personal information. Coverage includes, defense, consumer redress, fines and penalties (where allowable by law).

CYBER INSURANCE COVERAGE Breach Event Costs: Provides coverage for costs incurred due to a breach of individuals personally identifiable information or protected health information for: public relations; notification (Voluntary notification available from some carriers) of individuals; credit monitoring; call centers; obtaining legal counsel; and forensic experts to determine what information was breached and for any other expenses approved by the insurer, to respond to a breach. PCI Fines and Penalties: Provides coverage for a monetary assessment of a fine or penalty by a Card Association or Acquiring Bank due to insured s non-compliance with a PCI Data Security Standard, resulting from a breach.

CYBER INSURANCE COVERAGE Cyber Extortion: Coverage for Costs to Investigate and terminate a threat to commit an intentional attack against your Computer System. Network Business Interruption: Covers Business Income Loss and Extra Expense coverage resulting from a Material Interruption of your network, caused by unauthorized use or access to your systems. Broad System Failure trigger is available with select carriers.

CYBER INSURANCE COVERAGE Data Restoration: Coverage for Costs of Restoration of Electronic Data that is damaged or lost due to a virus, malicious code or other failure of computer security. Technology Errors and Omissions: Covers liability triggered by negligence in the performance of covered technology professional services.

Privacy/Network Security Risk Gaps in Traditional Insurance Property General Liability Crime/Bond E&O Privacy/ Network 1 st Party Privacy/Network Risks Physical damage to Data Virus/Hacker damage to Data Denial of Service attack B.I. Loss from security event Extortion or Threat Employee sabotage 3 rd Party Privacy/Network Risks Theft/disclosure of private info Confidential Corporate Info breach Technology E&O Media Liability (electronic content) Privacy breach expense/notification Damage to 3 rd party s data Regulatory Privacy Defense/Fines Virus/malicious code transmission Coverage Provided Limited Coverage No Coverage

CYBER MARKET UPDATE Pricing* Market is firming and in some cases, is hard Most companies, including the Education sector, will experience a premium increase of 5% or greater. Healthcare and Retailers should expect the greatest premium increases and limits may be difficult to obtain. Markets For certain industries, some insurers have exited the market London Market is expanding its offerings in tough classes of business. Certain carriers have very stringent underwriting processes. Coverage How coverage/ limits are purchased managed services vs. no panel requirements Increased sublimits System Failure Coverage Resulting BI/PD exposures Manufacturers First Party Business Interruption Issues Frequency of losses POS Risk Encryption in transit and at rest Third Party Exposures *Based on favorable claims experience and not material changes in exposure

CYBER CONCERNS FOR EDUCATION Privacy Student and Guardian Records PII PHI Minors Credit Card Exposures Response Planning Incident Response Plan (Internal) Vendor Identification Budgeting

CONTACT INFORMATION John O Donnell, Vice President WILLIS FINEX North America Cyber and E&O Direct: 212.915.8584 Email: john.odonnell@willis.com Web: www.willis.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information