How To Protect Your Data From Hackers


Cyber Risk: What you need to know and what you can't afford to ignore!
James Johnston, Directors' and Officers' Insurance Underwriter
Daniel Fletcher, Cyber Insurance Underwriter
Financial & Specialty Markets, QBE Europe

The Cyber Threat
"There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again." (Former FBI Director Robert Mueller, 2012)
"This is a global threat. Cyber threats are of extraordinary and long term seriousness. They are first on the Division of Intelligence's list of global threats, even surpassing terrorism, and resources devoted to cyber-based threats are expected to eclipse resources devoted to terrorism." (Mary Jo White, Chair of SEC, 2014)
"The Cyber threat is one of the most serious economic and national security challenges we face as a nation... America's economic prosperity in the 21st century will depend on cybersecurity." (President Obama, 2013)

Exposure map
3rd party: legal costs and compensatory damages via: Securities Class Action; Derivative Litigation; Regulators; Peers (industry common systems); Professional Services companies; Financial Institutions; Customers
1st party: Regulatory Investigation; Fines/Penalties; Reputation/PR; Extortion; Technology Assets / I.P.; Business interruption; Credit/Identity Monitoring; Notification Expense; Breach Response

Insurance Protection
Cyber Liability
Directors & Officers
Crime (Bond)
Electronic Crime
Errors & Omissions
Commercial General Liability
Property

Cyber (exposure map)
Legal costs and compensatory damages via: Securities Class Action; Derivative Litigation; Regulators; Peers (industry common systems); Professional Services companies; Financial Institutions; Customers
Cyber: Regulatory Investigation; Fines/Penalties; Reputation/PR; Extortion; Technology Assets / I.P.; Business interruption; Credit/Identity Monitoring; Notification Expense; Breach Response

Can you handle claims alone?
In many cases, and especially with the upcoming EU directives, you are legally required to notify citizens promptly. Are you able to:
Have IT work out what went wrong and what was lost?
Work out the legal requirements to notify each individual?
Actually notify everyone affected?
Set up a call centre to deal with the fall-out?

Can you handle claims alone?
More to the point, can you do it in less than a week? Good insurers have vendors set up to undertake all this for you.

Cyber incident response (diagram)

Insurance Protection (repeated): Cyber Liability; Directors & Officers; Crime (Bond); Electronic Crime; Errors & Omissions; Commercial General Liability; Property

D&O (exposure map)
Legal costs and compensatory damages via: Securities Class Action; Derivative Litigation; Regulators; Peers (industry common systems); Professional Services companies; Financial Institutions; Customers
Regulatory Investigation; Fines/Penalties; Reputation/PR; Extortion; Technology Assets / I.P.; Business interruption; Credit/Identity Monitoring; Notification Expense; Breach Response

D&O Coverage
Designed to protect the individual Directors and Officers
Defence Costs and compensatory damages, brought by customers, suppliers, competitors, regulators, shareholders
Derivative Actions picked up under Side A (suit brought in the name of the company)
Side C (Entity Cover) picks up an element of coverage against the company
Regulatory Investigations

Cyber Attacks Cost British Industry GBP 34bn a year
GBP 18bn from lost revenues
GBP 16bn for increased spending on IT as companies improve their defences
Utilities, energy and mining increased IT spending by 6% in the past year and faced a 2.8% loss in revenue as a result of an attack
Financial services increased IT spending by 7% in the past year and faced a 1.5% loss in revenue as a result of an attack
Manufacturing increased IT spending by 5% in the past year and faced a 2.5% loss in revenue as a result of an attack
Research by CEBR and Veracode

US Situation: Legal & Regulatory environment
Compulsory breach notification laws
Federal Trade Commission (FTC): ongoing enforcement actions
Securities & Exchange Commission: guidance issued to public companies on disclosure obligations
"Ensuring the adequacy of a company's cyber security measures needs to be part of a board of director's risk oversight responsibilities... boards that choose to ignore, or minimise the importance of cybersecurity oversight responsibility, do so at their own peril." (Luis Aguilar, SEC Commissioner, June 2014)
Shareholder derivative actions
Active and aggressive Plaintiffs' Bar
Securities class actions

US Situation: High Profile Cases
Target Group (Cyber USD 100m, D&O USD 65m): more than 80 separate lawsuits filed; two derivative actions vs Directors and Officers, alleging failure to take reasonable steps to ensure security of customers' information, failure to implement adequate information security policies, and breach of fiduciary duty
Wyndham Worldwide Corporation (Cyber ?, D&O ?): derivative action vs Ds and Os, alleging failure to take reasonable steps to safeguard customer data
Home Depot (Cyber USD 105m, D&O USD 270m): multiple lawsuits; no derivative actions yet

Europe Situation: Known EU Cases
No real notification requirement, so no necessity to tell
Somerfield: theft of payroll data (100,000 staff); originated inside the company by a member of staff
Greggs: logo replaced on website; swift resolution
Zurich Insurance: 46,000 clients' personal records stolen; ICO rebuke and FSA fine of GBP 2,275,000
Sony Computer Entertainment Europe: more than 60 lawsuits filed, cost USD 171,000,000; ICO penalty GBP 250,000

The Current Europe Situation: Legal & Regulatory environment
Disjointed, no uniformity
Compulsory breach notification (currently just telecoms and internet service providers)
UK ICO maximum fine GBP 500,000
FSA fines

The Future Europe Situation: Legal & Regulatory environment
EU General Data Protection Regulation, 2017/18???
Still being defined, so changing all the time
Single set of rules
Applies to organisations based outside the European Union too!
Appointment of an independent Data Protection Officer for businesses with more than 250 permanent staff, or which process personal data relating to "more than 5000 data subjects in any consecutive 12-month period"
Increase in fines to the greater of 2% of global turnover or EUR 1m
Compulsory breach notification

10 Important Questions Directors should ask
1) Is the responsibility and accountability for the creation, implementation, enforcement and updating of an integrated and company-wide cyber risk management programme clearly defined at the executive level?
2) Does the management team which addresses cyber risks include Board representation and senior executives from IT, legal, risk management, compliance/audit?
3) Is the overall cyber risk management programme periodically reviewed by the Board?
4) Does a Board member have designated oversight responsibility for the cyber risk management programme?

10 important questions (continued)
5) What are the firm's biggest cyber risks and how are those risks being anticipated, managed and mitigated?
6) Is each component of the cyber risk management programme documented, tested and periodically audited by independent experts, and what are the results of that testing and audit?
7) Are procedures for reacting to a cyber risk hack/event when it happens well defined and understood?
8) Are all employees required to participate in regular education and training programmes relating to cyber security and cyber risks?

10 important questions (continued)
9) What is your company's budget and staffing for cyber risk management? Do you know how this compares to your organisation's peer group?
10) What, if any, insurance coverage does the company maintain for cyber risks, and is that coverage adequate in scope and limit?

Survey results
Does your company manage and review cyber risk at board level? 20%
Is mitigation for cyber risk designated to the Risk Management function? 14%
Has your company assessed the estimated financial impact of a cyber attack? 32%
Does your company have a Data Breach Response Plan? 73%
Is it regularly updated? 37%
Does your company buy cyber insurance? 14%
Is your company going to obtain a cyber insurance quote in the next 12 months? Over 50%

Things to bear in mind
Cyber claims come from unexpected places
Humans make mistakes
Nothing is or stays secure: Heartbleed / Bash / Poodle
Uncontrollable factors / systemic events
It's either your error, so you are liable; or it's your data, so you are liable, even if you have not been negligent
Our policy triggers regardless of negligence
The Information Commissioner's Office: Controller / Processor

Myths and facts
Myth: Computers are covered by the property policy. Fact: What about the intangible?
Myth: We buy business interruption insurance. Fact: Has physical damage occurred?
Myth: Isn't this covered by our general liability policy? Fact: Absolutely not.
Myth: Our BCP and DRP are well tested with named 3rd party responders. Fact: Are your responders' costs covered? Do they include cyber responders?
Myth: We've invested heavily in our network security. Fact: What about physical security and rogue employees?
Myth: No on-line activities, so we don't need a policy. Fact: Back-end inter-connected systems and your supply chain?

The connected supply chain (diagram centred on "You")

Other reasons to purchase a robust cyber policy
Third-party claims: Blanket Defamation (not just from hacks); Blanket Infringement of IP (not just from hacks)
First-party claims: Business Interruption (not just from hacks); Unexplained breakdown/malfunction; Your suppliers' hacks; Asset Restoration Costs (not just IT equipment); Reputational damage; PCI fines
Less common: Financial transfer; Withdrawal of content
It's affordable. Is it worth taking the risk?
Legislation is about to change; pricing will follow suit
Get on board now and build up that claims-free record
Meet an underwriter

Practical tips
Ensure that mitigation of cyber risk is designated to the Risk Management function
Consider appointing a CISO / DPO
Establish how the GDPR applies to your business
Measure your compliance
Make policies and begin to change
Ensure cyber security is part of any due diligence undertaken for any target acquisitions
Undertake an insurance gap analysis
Seriously consider insuring Cyber, D&O, Crime (and PI) with the same carrier

Conclusion
If your company has not suffered a data breach it may well suffer one shortly: it is a matter of when, not if, you are hacked. As FBI Director Robert Mueller said: "There are only two types of companies: those that have been hacked and those that will be."
The lines between physical security and cyber security are becoming increasingly blurred
Try to ensure the main board take cyber risk seriously. Ask questions and test systems
Cyber claims come from unexpected places

QBE global footprint (map: staff figures 2,900; 6,600; 1,100; 1,200; 4,400 shown against the regions Australia, Asia Pacific, Europe, North America and Latin America)

QBE claims record
Claims Supply Team: Winner, Best Business Press Advertisement, Business Campaign of the Year (Post Underwriting Service Awards)
Joanne Taylor: Rising Star
Kelly Potter: Outstanding Individual Achievement Award
Rosie Hewitt: 360 Business Insurers Insight Report 2009-10
2010 Best Claims Handling Team of the Year
Reinsurance Company Team of the Year, Casualty

Questions

Thank you