1 September 18, 2018

2 Where to Find the Risks
Technology
- Viruses, SQL injections, DDoS attacks
- Structural vulnerability
- Social media / networking
- Phishing
Internal
- Rogue employees
- Careless staff
Regulatory
- SEC, FTC, state attorneys general
- 47 state breach notification laws
- NIST Cybersecurity Framework
- HHS, HIPAA & HIPAA HITECH
- Identity Theft Red Flags Rule
- Foreign laws
- General Data Protection Regulation
Old School
- Laptop theft
- Dumpster diving
External
- Customers
- Authors, producers, publishers, competitors
- Business associates
- Vendors / suppliers
- Foreign and domestic organized crime
- Hackers / hacktivists

3 Threat Vectors Simplified
(diagram only; no text on slide)

4 The Value of Your Data
Of the following, which is the least valuable type of data on the black market?
- Healthcare information (names, birth dates, insurance policy numbers, diagnosis codes)
- Credit card data
- Twitter username and password
- Social Security Number and date of birth (but no name)

5 The Value of Your Data
(answer slide; same question and options as slide 4)
6 Coverage Overview: Third Party Coverages
Coverage Part / Description
- Privacy Liability: Defense and liability for failure to keep information private, or for failure of others that you have entrusted with information to keep it private (e.g. pension actuary, data storage facility, credit card processor). Also includes liability for not properly notifying of a privacy breach. Coverage has expanded to include corporate confidential information and non-computer related information. Likely claimants: customers, employees.
- Security Liability: Defense and liability for failure of systems to prevent the spread of a virus, or for a denial of service to those that rely on your systems, due to a failure in network security. Likely claimants: customers.
- Media Liability (online or full media?): Defense and liability for libel, slander, disparagement, misappropriation of name or likeness, plagiarism, copyright infringement, and negligence in content to those that relied on the content. Likely claimants: authors, producers, publishers, competitors.
- Technology Errors & Omissions: Defense and liability for failure of technology products to perform their intended purpose, or failure to render technology services as intended.

7 Coverage Overview: First Party Coverages
Coverage Part / Description
- Breach Response Costs: The following costs resulting from a privacy breach: hiring a computer forensics investigator; hiring a law firm to identify statutory obligations to notify affected individuals/regulators; providing notifications; setting up a call center; offering fraud monitoring to the impacted individuals.
- Crisis Management / Public Relations Expenses: Costs of a public relations firm due to a privacy or security incident.
- Regulatory Defense / Fines & Penalties: Costs to defend an action by Attorneys General, the FTC, the Office for Civil Rights or other regulators due to a privacy breach. Can also include associated fines & penalties. Likely claimants: Attorneys General, FTC, OCR.
- PCI-DSS Assessments: A written demand you receive from a card association or acquiring bank for a monetary assessment of a fine or penalty due to your non-compliance with the PCI Data Security Standard.

8 Coverage Overview: First Party Coverages (continued)
Coverage Part / Description
- Business Interruption / Extra Expense: Loss of income or extra expense due to a system shutdown caused by a security failure. A waiting period applies. A coverage extension is also available for accidental or unplanned outages.
- Dependent Business Interruption: Covers an entity not owned, operated or controlled by you that you depend on to conduct your business.
- Data Restoration: Costs incurred to replace, restore, or recollect digital assets from written records or from partially or fully matching electronic data records, due to their alteration, corruption or destruction from a network operations security failure.
- Cyber Extortion: Costs of consultants and extortion monies for threats related to interrupting systems and releasing private information.

9 Other Insurance and Cyber Risk
Coverage Part / Description
- Crime/Fidelity Coverage: Coverage for first party funds stolen as a result of a hacking incident or social engineering.
- Directors and Officers Liability: Shareholder suit as a result of harm to a company from a network security incident.
- Property Damage Coverage / Bodily Injury / General Liability: A hacking incident that results in physical damage or bodily harm.

10 Data Breach Timeline
Discovery
- Actual or alleged theft, loss, or unauthorized collection/disclosure of confidential information that is in the care, custody or control of the Insured, or of a 3rd party for whom the Insured is legally liable.
- Discovery can come about several ways: self discovery (usually the best case); customer inquiry or vendor discovery; call from a regulator or law enforcement.
- Forensic investigation and legal review: forensics tells you what happened; legal sets out options/obligations.
First Response
- Public relations
- Notification
- Remedial service offering
External Issues
- Income loss
- Damage to brand or reputation
- Regulatory fines, penalties, and consumer redress
- Civil litigation
- Long-term consequences

11 A GROWING THREAT ENVIRONMENT
Companies Continue to be Exposed to Cyber Risks
- Sony suffered a breach in its video game online network exposing names, addresses and possibly credit card data belonging to 77 million user accounts, in what is one of the largest-ever Internet security break-ins.
- JP Morgan Chase was subject to 76 million data records breached, and Staples reported over 1 million payment cards were stolen.
- Criminals accessed the personal details and Social Security numbers of more than 70 million people, the biggest health-care data theft to date.
- Wells Fargo, Bank of America, Citigroup and JP Morgan Chase were affected in a series of cyber security attacks that affected millions of customers.
- Target reported a major data breach and warned that up to 110 million records, including debit / credit card info, were compromised.
- eBay was subject to 145 million user data records breached.
- TJX Companies was hacked, exposing credit cards and transaction details for 94 million records.
- A flaw in the Pinterest site's API exposed users' addresses; 70 million records were affected.
- 1.1 million payment cards exposed.
- A data breach targeting Michaels, a national chain of arts and crafts stores, impacted more than 3 million customers.
- Over 24 million customers were impacted in a massive security breach. Zappos CEO issues a letter and urges all customers to change their passwords.
- Adobe announces that a hack of company systems exposed customer names, IDs, encrypted passwords, and debit/credit card info, impacting 152 million records.
- Sony reported over 47,000 employee records, personal s and documents were breached.
- Facebook experienced a glitch during testing of a new design that exposed 80 million records of users' birth dates.
- Evernote is hacked and requests 50 million users to change their passwords.
- Multiple breaches impacting millions of payment cards and store locations: 56 million payment cards and over 1,500 locations breached among this group of companies.
Timeline markers shown on the slide graphic (event-to-date pairing not recoverable from the transcript): January 2007, July 2008, September 2011, January 2012, September 2012, March 2013, October 2013, December 2013, January 2014, April 2014, May 2014, September 2014, October 2014, December 2014, February 2015.
Source: Marsh FINPRO Cyber Practice

12 Breach Scenario
- Hackers are able to exploit a weakness in Big Box's system through a facilities management vendor with less sophisticated controls and IT.
- Hackers install memory-scraping malware on many of Big Box's POS terminals, designed to capture unencrypted, plain text credit card data before it is encrypted.
- The malware is designed to target Track 1 and Track 2 data, which includes the cardholder's name, card number, expiration date, and the card's three-digit security code (enough information to replicate a credit card).

13 Breach Scenario
CEO to Risk Manager: What type of costs (1st party) and liability (3rd party) could we incur as a result? How will we pay for it all?
Big Box's direct 1st party costs:
- Investigation: computer forensics
- Legal: regulatory requirements; managing the PCI investigation
- Notifying affected customers
- Public relations firm, to deal with PR fallout
- Overtime for Big Box employees
- Possible lost sales due to consumer backlash
Do we have insurance for this?
- Yes, under a typical Security & Privacy insurance policy (aka Cyber insurance) the above is typically covered, except for employee overtime and lost sales.

14 Breach Scenario
What type of liability (3rd party) could we incur as a result? How will we pay for it all?
- PCI assessments (specific PCI coverage under a Cyber policy):
  a. "Fines" for non-compliance with PCI DSS
  b. Case management fee / investigation
  c. "Assessments": cost of heightened fraud monitoring; card reissuance
- Consumer class action (covered under the privacy liability portions of a Cyber insurance policy)
- Regulatory action: investigation/defense of a regulatory action resulting from an alleged violation of a privacy law