Travelers CyberRisk for Insurance Companies
Heather Coelho - March 2015
Important Notice
● This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy.
● This presentation is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations.
● This presentation is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.
Cyber Liability
“There are only two types of companies. Those that have been hacked and those that will be.” — Robert Mueller, FBI Director, 2012
Agenda
● Reasons to think about Cyber
● Risk Management Techniques
● Costs Associated with Cyber exposures
● Dispel Risk Management Myths
New Cyber Threat
Ransomware:
– Takes user information hostage and requires payment for its return
Examples:
– CryptoLocker
– CryptoWall
– Kovter
Risk Management Evaluation
● What loss control initiatives do you have in place?
● Have you implemented regular audit procedures of all information security protocols and systems?
● Do you have a formal:
  – business continuity plan?
  – disaster recovery plan?
  – information security policy?
  – procedure for handling a data breach incident?
● Who is responsible for information security?
● Are employees trained on all policies relating to information security?
● What is your company policy for employee usage of company assets (computers, mobile devices, etc.)?
Top Five Types of Security Risks
● Network Security
  – Virus, SQL Injection, Malware, Trojan Horses, etc.
● Physical Loss or Theft
  – Lost or stolen laptop; physical file security
● Cyber Extortion
  – Gaining access to sensitive data and threatening to release it
● Employee Mistakes
  – IT professionals can’t prevent these types of losses
● Denial of Service Attack
  – Targeted attack to slow or stop a network
Cyber Liability
The average cost per record of a data breach increased to $201 in 2014 from $188 in
Ponemon 2014 Cost of Data Breach: Global Analysis
Information Security Policy
● Safeguard Privacy of Information
● Establish Password Management
● Govern Internet Usage
● Manage Usage
● Govern Company-owned mobile devices
● Establish Approval Process for Employee Owned Devices
● Govern Social Media Usage
● Oversee Software Copyright & Licensing
● Report Security Incidents
Network Security Strategies
● Set clear administrative privileges
● Secure your private network
● Secure endpoints by configuring DMZ
● Monitor the network
● Maintain firewalls
● Establish intrusion detection and prevention systems
● Protect remote access
● Isolate guest WLAN
● Use encryption programs
● Define and practice continuity plans/disaster recovery
Cyber Liability
Incident response plans reduced the per record cost of a breach by an average of $
Ponemon 2014 Cost of Data Breach: Global Analysis
Incident Response Plan
Develop and test it!
Key Steps:
– Assemble your incident team
– Decide on effective outside help
– Validate the breach
– Manage the evidence
– Take action to mitigate the impact
– Clean your network of malicious code
– Notify data owners
– Conduct “lessons learned”
Lost Laptops (and other Mobile Information Devices)
● A 2008 Ponemon Institute study indicates that business travelers are losing over 10,000 laptops every week at U.S. Airports
● Only 1/3 of them are reclaimed
  – Laptops not reclaimed are often sold at auction or donated to charity after 30 days
● More than 53% of business travelers polled say their laptops contain private or confidential information
● Further, 65% admit they do not take precautions to secure the information on their laptop
“Costs” of a Lost Device
● Average value of a lost laptop is around $50,000 and of a lost smartphone is $37,000
  – Replacement cost, detection, forensics, data breach, lost IP costs, lost productivity, and legal, consulting and regulatory expenses
● When data breach is possible, this exposure represents 80% of the costs
● $20,000 less costly when encrypted
Cyber Liability
31% of all breaches have occurred in organizations of 2,500 or fewer employees and 30% in organizations of fewer than 250 employees.
- Symantec 2014 Internet Security Threat Report
Risk Management Myth #1
I Don’t Need to Consider Insurance Coverage: I’ve Never Had a Problem and I Don’t Know Anyone Who’s Had a Loss
● The legal landscape addressing the Internet is still developing
● Recent legal and statutory changes are requiring disclosure of security breaches
  – State Departments of Insurance, State Attorneys General, FCC
● The requirement of insurance protection for data liability is beginning to be included in many customer contracts
● Can a company afford to handle all aspects of a data breach on its own?
  – Traditional insurance products were not designed for current exposures.
  – Insurance products continue to develop in response to the need.
Risk Management Myth #2
Only High Profile Companies Have Exposure To Internet Liability Types Of Claims
● The nature of the exposure is changing
  – “Hacking” moving from thrill-seekers to the criminal realm
● Criminals are targeting small to midsize businesses because their security is easier to penetrate
● Hacking large corporations and government entities makes “news” but most data breaches involve companies with fewer than 100 employees (Verizon 2013 Data Breach Investigations Report)
● Virus attack and transmission is blind to size or prominence of company
Risk Management Myth #3
Risk Management Will Eliminate Exposures
● Good risk management reduces exposure and helps in defense of a claim but does not eliminate the exposure.
● High profile cases of large companies damaged by computer viruses and hacked by outsiders.
  – Do you have better data security than each of these companies and government agencies? Dept. of Defense, FBI, NASA, Apple, Amazon, CIA, Google, etc. All of these companies have been hacked since the start of
● Firewalls, virus protection, intrusion detection, etc. are good…but they can be compromised, both externally and internally.
● Almost half of all data breach incidents are caused by staff mistake, lost device or rogue employee.
References
Follow Us – /company/travelers – /travelers
Contact Me –
The SANS Institute:
Ponemon Institute:
NetDiligence: