Network Security & Privacy Landscape
Presented by: Greg Garijanian, Senior Underwriter, Professional Liability
Agenda
Network Security Overview
- Latest Threats
- Exposure Trends
- Regulations
Case Studies
Security & Privacy Coverage
- Coverage Parts
- Gaps in Traditional Coverage
- Pre-Breach & Risk Management Approach
Chartis Inc. All rights reserved.
Data Security: Not Just an IT Problem
Information security is often viewed as an IT problem rather than an enterprise-wide risk management issue
- Misconception that IT alone can safeguard the organization
- Failure to address the human element, not just the technology
Negligence is the leading cause of a data breach, at 41% of all reported cases
Sources: Ponemon Institute Cost of a Data Breach Report 2010; Verizon Business 2011 Data Breach Investigations Report
Some Quick Stats
$214 per record is the average cost of a data breach, with an average total per-incident cost of $7.2 million in 2011
96% of breaches could have been avoided if reasonable data security controls had been in place at the time of the incident
- In 85% of hacking cases, a patch for the exploited vulnerability had been available for 18+ months
86% of clients identify cyber insurance as their top concern
Sources: Carnegie Mellon CyLab 2010 Report, Governance of Enterprise Security; Ponemon Institute Cost of a Data Breach Report 2010; NetReaction, LLC; October 2012 AIG study of 250 brokers and clients
What Can Cause a Breach
- Storage of prohibited / unnecessary data (magnetic stripe data, PIN, old data)
- Malware impacting computer systems
- Employee / contractor misuse of privileged access
- Vendor default settings and passwords
- Physical security breach
- Phishing, spear phishing, vishing, etc.
Regulatory Environment
Increased industry, regulatory and legislative focus on security due to high-profile data compromises
- Massachusetts 201 CMR 17 and state notification laws
- Payment Card Industry Data Security Standard (PCI DSS)
- Revised Health Insurance Portability and Accountability Act (HIPAA): the HITECH Act extends the protection of Protected Health Information (PHI) to business associates doing business with healthcare organizations
- Red Flag Rules imposed by the Federal Trade Commission
State Notification Laws
Only 4 states do not have notification provisions: Alabama, Kentucky, New Mexico and South Dakota
Most states define a breach as unauthorized access to unencrypted, computerized personal information, but the exact definition varies by state
Massachusetts law criminalizing data breaches
Coverage pitfall: "where required by law" language, or a limited definition of confidential information, in the policy
Source: NCSL State Security Breach Notification Laws; http://www.ncsl.org
PCI-DSS (Payment Card Industry Data Security Standard)
Pressure to enforce tighter standards due to recent breaches
- Payment processors are held to higher standards by Visa and MasterCard
- Estimated that less than 10% of Level 4 merchants are compliant
Merchant levels / tiers, criteria and validation requirements:
- Level 1: any merchant processing over 6M transactions; annual Report on Compliance plus quarterly scan by an Approved Scanning Vendor (ASV)
- Level 2: any merchant processing 1M to 6M transactions; annual self-assessment plus quarterly ASV scan
- Level 3: any merchant processing 20,000 to 1M e-commerce transactions; annual self-assessment plus quarterly ASV scan
- Level 4: any merchant processing less than 1 million transactions (less than 20,000 e-commerce); self-assessment recommended, scan requirement set by the acquirer
HIPAA & The FTC Red Flag Rules
The HITECH Act altered HIPAA
- Privacy and Security Rules implemented under HIPAA now cover business associates (legal, accounting, claims, data aggregation, finance, benefits management)
- A business associate is a person or organization that, on behalf of a covered entity, performs an activity involving Protected Health Information (PHI)
Red Flags & the FTC:
- The FTC requires a financial institution or creditor to protect against identity theft by implementing policies and procedures to detect suspicious activity
- A Red Flag is a pattern, practice or specific account activity that indicates the possibility of identity theft on a covered account
Case Study: Hacking
The Incident: An online gaming company's POS software was hacked and credit card information was obtained on roughly 12,500 individuals. The intruders were able to steal information for approximately a month before the breach was discovered.
How to Apply This to You:
1. There is no such thing as an impenetrable IT system
2. Often you don't even know you've been hacked
3. What is your response plan? Who is your first call?
Source: http://privacyrights.org/data-breach/new
Case Study: Employee Negligence
The Incidents:
1. An employee of an HR consulting firm accidentally posted personal information of nearly 400 current and former employees of the firm's clients. Names and Social Security numbers were disclosed.
2. Approximately 2,000 patient records including names, Social Security numbers, addresses and more were found in a trash can. They were traced to a medical case manager: the boxes had been auctioned off after the owner failed to pay the rental fee on a storage unit.
How to Apply This to You:
1. Employee training matters; the CyberEdge Risk Tool can help
2. Monitor employee access to sensitive data
Source: http://privacyrights.org/data-breach/new
Case Study: Stolen Portable Media
The Incident: A laptop was stolen from a health and human services company with over 2,000 people's confidential data on it. Two men distracted the receptionist while a third stole the laptop from down the hallway. Names, dates of birth, medical records, insurance numbers and Medicaid numbers were disclosed.
How to Apply This to You:
1. Physical controls and employee training
2. Remote wipe capabilities
3. Encryption (whole disk) for sensitive data on portable media
Source: http://privacyrights.org/data-breach/new
Case Study: Rogue Employee
The Incidents:
1. A rogue employee at a medical center was accessing and stealing patient information including names, Social Security numbers, addresses, dates of birth, driver's license numbers, health insurance cards and other information. Around 500 people were affected.
2. A retail cashier used a skimming device to steal credit card information and sold it to a third party. Only 50 numbers were stolen, but they amounted to $181,000 in fraudulent purchases.
How to Apply This to You:
1. Rogue employees can circumvent your IT security
2. There is a large black market for personal information, with a growing connection to organized crime
Source: http://privacyrights.org/data-breach/new
Case Study: Mailing / Vendor Error
The Incident: A mailing error at a state Treasurer's Office caused the Social Security numbers of over 36,000 people to be visible from the outside of envelopes mailed to the public. The sensitive data had been printed on the wrong part of the letter.
How to Apply This to You:
1. Know your vendors and your responsibilities in the event of a loss
2. Contractual indemnity language is important
Source: http://privacyrights.org/data-breach/new
Cost Variation: Dependent on Vendor Selection
Healthcare breach of approx. 50,000 records, including Social Security numbers; two years of credit monitoring services provided to victims
Service: Insured's vendor cost / AIG preferred vendor cost / Savings
- Legal assistance with notification letters: $24,190 / $10,000 / $14,190
- Print/mail letters: $63,551 / $56,341 / $7,209
- Call center services: $118,642 / $66,852 / $51,790
- Identity monitoring services: $683,996 / $317,297 / $336,698
- Totals: $885,379 / $450,490 / $439,888
What Are the Consequences of a Breach?
Breach Notification Costs
- Average industry consumer notification cost approx. $12 per person
Identity Monitoring
- Estimated approx. $40 per person per year
Regulatory Actions
- Always changing
- Costs to defend, plus fines/penalties
Lawsuits & Defense Cost
- Liability for damages
- Costs of defense are rising
Unbudgeted Expenses
- Lost man hours and resources
Reputational Damage
- Lost customers/revenues: roughly 66% of the financial impact on a company
Source: Ponemon Institute Cost of a Data Breach Report 2010
Security & Privacy Insurance
Security and Privacy Liability (3rd party: requires a demand/litigation)
- A successful computer attack against an insured that causes harm to a third party
- A wrongful disclosure or breach of private/confidential data
Event Management (1st party: no demand/litigation required)
- Notification costs (including legal assistance)
- Identity monitoring / consumer ID protection
- Forensic investigation
- Public relations to restore the insured's reputation
- Call center services
Other Coverages: Media, Network Interruption, Extortion
Risk Management Tools: The AIG Difference
Autoshun Device
- Hardware device placed between the network and the internet to shun bad IP addresses
CyberEdge Risk Tool
- Web portal to manage training, compliance and regulatory risk management
AIG CyberEdge App
- AIG claims narratives, hot spot map of recent breaches, breach calculator, industry news
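The "shun bad IP addresses" bullet describes an inline device that drops traffic from addresses on a reputation blocklist. As an added illustration of that mechanism (example code written for this page, not AIG's Autoshun product or any code from the original deck), the block below loads a constructed blocklist of addresses and CIDR ranges, triages constructed connection-log lines into shunned / allowed / unparsed, and renders the blocklist as inline-firewall DROP rules. The blocklist contents, log layout and function names are all assumptions made for the example.

```python
# Added example for this page (not AIG's Autoshun product): the core of
# "shunning" is matching each inbound source address against a blocklist
# of known-bad addresses/ranges and dropping what matches. The blocklist,
# the log lines, the log layout and all names here are constructed.
import ipaddress

# Constructed blocklist: one address or CIDR per line, '#' starts a comment.
BLOCKLIST_TEXT = """
# constructed reputation feed for the example
203.0.113.0/24        # documentation range standing in for a bad /24
198.51.100.77         # single host, stored as a /32
2001:db8:bad::/48     # IPv6 range (documentation prefix)
not-an-address        # malformed entry: must be skipped, not crash the loader
"""

# Constructed connection log: "<timestamp> <src> -> <dst>:<port>"
LOG_LINES = [
    "2012-10-01T08:00:01Z 203.0.113.45 -> 192.0.2.10:443",
    "2012-10-01T08:00:02Z 192.0.2.55 -> 192.0.2.10:443",
    "2012-10-01T08:00:03Z 198.51.100.77 -> 192.0.2.10:22",
    "2012-10-01T08:00:04Z 2001:db8:bad:1::9 -> [2001:db8:1::10]:443",
    "2012-10-01T08:00:05Z 198.51.100.78 -> 192.0.2.10:22",
    "2012-10-01T08:00:06Z garbage-line",
]


def load_blocklist(text):
    """Parse blocklist text into ip_network objects, skipping bad lines."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/8
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one malformed feed line must not disable the whole list
    return nets


def matching_network(ip, nets):
    """Return the first blocklist network containing ip, else None."""
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


def triage(log_lines, nets):
    """Split log lines into shunned (src, matched_net), allowed src, unparsed line."""
    shunned, allowed, unparsed = [], [], []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            unparsed.append(line)
            continue
        try:
            src = ipaddress.ip_address(parts[1])
        except ValueError:
            unparsed.append(line)
            continue
        net = matching_network(src, nets)
        if net is None:
            allowed.append(str(src))
        else:
            shunned.append((str(src), str(net)))
    return shunned, allowed, unparsed


def drop_rules(nets):
    """Render the blocklist as inline-firewall DROP rules (iptables syntax)."""
    rules = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A FORWARD -s {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    shunned, allowed, unparsed = triage(LOG_LINES, nets)
    for src, net in shunned:
        print(f"SHUN  {src:<20} matched {net}")
    for src in allowed:
        print(f"ALLOW {src}")
    for line in unparsed:
        print(f"SKIP  {line}")
    print("\n".join(drop_rules(nets)))
```

Two design points worth noticing: a malformed feed entry is skipped rather than aborting the load, because a device that fails closed on a bad feed line takes the whole site offline, while one that fails open silently stops shunning; either way the skipped lines should be logged. The linear scan over networks is fine for a short list, but an inline device handling a large feed would use a longest-prefix-match structure (or the kernel's ipset) instead of a Python loop.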
Questions and Answers
Greg Garijanian
(770) 671-2366
Greg.Garijanian@AIG.com
www.aig.com/us/cyberedge