Presentation on theme: "Travelers CyberRisk for Insurance Companies"— Presentation transcript:
1 Travelers CyberRisk for Insurance Companies Heather Coelho - March 2015
2 Important Notice: This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. This presentation is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations. This presentation is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.
3 Cyber Liability: “There are only two types of companies. Those that have been hacked and those that will be.” — Robert Mueller, FBI Director, 2012
4 Agenda: Reasons to think about Cyber Risk Management Techniques; Costs Associated with Cyber exposures; Dispel Risk Management Myths
5 New Cyber Threat: Ransomware. Takes user information hostage and requires payment for its return. Examples: CryptoLocker, CryptoWall, Kovter
6 Risk Management Evaluation: What loss control initiatives do you have in place? Have you implemented regular audit procedures of all information security protocols and systems? Do you have a formal business continuity plan, disaster recovery plan, information security policy, and procedure for handling a data breach incident? Who is responsible for information security? Are employees trained on all policies relating to information security? What is your company policy for employee usage of company assets (computers, mobile devices, etc.)?
7 Top Five Types of Security Risks: (1) Network Security: virus, SQL injection, malware, Trojan horses, etc. (2) Physical Loss or Theft: lost or stolen laptop; physical file security. (3) Cyber Extortion: gaining access to sensitive data and threatening to release it. (4) Employee Mistakes: IT professionals can’t prevent these types of losses. (5) Denial of Service Attack: targeted attack to slow or stop a network.
8 Cyber Liability: The average cost per record of a data breach increased to $201 in from $188 in 2013. - Ponemon 2014 Cost of Data Breach: Global Analysis
9 Information Security Policy: Safeguard Privacy of Information; Establish Password Management; Govern Internet Usage; Manage Usage; Govern Company-owned mobile devices; Establish Approval Process for Employee Owned Devices; Govern Social Media Usage; Oversee Software Copyright & Licensing; Report Security Incidents
10 Network Security Strategies: Set clear administrative privileges; Secure your private network; Secure endpoints by configuring DMZ; Monitor the network; Maintain firewalls; Establish intrusion detection and prevention systems; Protect remote access; Isolate guest WLAN; Use encryption programs; Define and practice continuity plans/disaster recovery
11 Cyber Liability: Incident response plans reduced the per record cost of a breach by an average of $12.77. - Ponemon 2014 Cost of Data Breach: Global Analysis
12 Incident Response Plan: Develop and test it! Key Steps: Assemble your incident team; Decide on effective outside help; Validate the breach; Manage the evidence; Take action to mitigate the impact; Clean your network of malicious code; Notify data owners; Conduct “lessons learned”
13 Lost Laptops (and other Mobile Information Devices): A 2008 Ponemon Institute study indicates that business travelers are losing over 10,000 laptops every week at U.S. airports. Only 1/3 of them are reclaimed. Laptops not reclaimed are often sold at auction or donated to charity after 30 days. More than 53% of business travelers polled say their laptops contain private or confidential information. Further, 65% admit they do not take precautions to secure the information on their laptop.
14 “Costs” of a Lost Device: Average value of a lost laptop is around $50,000 and of a lost smartphone is $37,000. Replacement cost, detection, forensics, data breach, lost IP costs, lost productivity, and legal, consulting and regulatory expenses. When data breach is possible, this exposure represents 80% of the costs. $20,000 less costly when encrypted.
15 Cyber Liability: 31% of all breaches have occurred in organizations of 2,500 or fewer employees and 30% in organizations of fewer than 250 employees. - Symantec 2014 Internet Security Threat Report
16 Risk Management Myth #1: I Don’t Need to Consider Insurance Coverage: I’ve Never Had a Problem and I Don’t Know Anyone Who’s Had a Loss. The legal landscape addressing the Internet is still developing. Recent legal and statutory changes are requiring disclosure of security breaches (State Departments of Insurance, State Attorneys General, FCC). The requirement of insurance protection for data liability is beginning to be included in many customer contracts. Can a company afford to handle all aspects of a data breach on its own? Traditional insurance products were not designed for current exposures. Insurance products continue to develop in response to the need.
17 Risk Management Myth #2: Only High Profile Companies Have Exposure To Internet Liability Types Of Claims. The nature of the exposure is changing. “Hacking” moving from thrill-seekers to the criminal realm. Criminals are targeting small to midsize businesses because their security is easier to penetrate. Hacking large corporations and government entities makes “news” but most data breaches involve companies with fewer than employees (Verizon 2013 Data Breach Investigations Report). Virus attack and transmission is blind to size or prominence of company.
18 Risk Management Myth #3: Risk Management Will Eliminate Exposures. Good risk management reduces exposure and helps in defense of a claim but does not eliminate the exposure. High profile cases of large companies damaged by computer viruses and hacked by outsiders. Do you have better data security than each of these companies and government agencies? Dept. of Defense, FBI, NASA, Apple, Amazon, CIA, Google, etc. All of these companies have been hacked since the start of 2011. Firewalls, virus protection, intrusion detection, etc. are good… but they can be compromised, both externally and internally. Almost half of all data breach incidents are caused by staff mistake, lost device or rogue employee.
19 References: Follow Us: /company/travelers, @travelers, /travelers. Contact Me. The SANS Institute; Ponemon Institute; NetDiligence