Cyber Liability Insurance Why we have it & How it works DRAFT – Version 3 May 28, 2015 SBCTC – BAR Commission Meeting Doug Selix, MBA, CISSP, CISM, PMP DES Office of Risk Management

Cyber Liability Insurance: Why we have it & How it works

DRAFT – Version 3

May 28, 2015

SBCTC – BAR Commission Meeting

Doug Selix, MBA, CISSP, CISM, PMP, DES Office of Risk Management

2

Cyber Liability: IT Security Context

• A Security Incident that results in the:
  – Loss of “Data Confidentiality”
  – Loss of “Data Integrity”
  – Loss of “Data Availability”

3

The “Liability” Comes From:

• Loss of Data Confidentiality
  – Damages from a data breach
• Loss of Data Integrity
  – Damages from corrupt or destroyed data
• Loss of Data Availability
  – Damages from data we or our customers cannot use, or systems we cannot access

4

Incidents Happen - The Big Picture: Significant Data Breach Events

The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).

Source: www.InformationisBeautiful.com


6

Data Breach Incident Example – Deeper Dive

Idaho State University – August 2011
• Direct Costs:
  – $52,500 - Cost to notify (~$3/Name)
  – $36,750 - Cost to offer credit monitoring (~$14/Name, 15% opt in): 2,625 @ $14/Ea. = $36,750
  – $400,000 - HIPAA Fine
• Indirect Costs:
  – Effort to respond to the incident
  – ISU worked with HHS/OCR for over a year
  – Effort to gain compliance
  – Effort to correct the underlying security problems that led to the breach
• Root cause: Human Error
  – System administrator turned off the firewall protecting a university server storing the ePHI.

7

Data Breach: Other Incident Examples

Maricopa Community Colleges – as of April 2013
• 2.4 Million Student and Employee Records
• $12 Million cost
• IT Director fired for dereliction of duty
• 2 Lawsuits

University of Washington – 2013
• 90,000 patient records (HIPAA)
• Email based attack

Eastern Washington University – 2009
• 130,000 student records
• Hack attack
• $750,000 Cost ($250K Direct)

8

Washington College Incidents

• Denial of Service Attack
• Cyber Extortion
• Point of Sale System Breach
• Lost / Stolen Laptop Computers

9

Insurance Context

• Cyber Liability Insurance covers:
  – 1st Party Damages
  – 3rd Party Liabilities

10

Insurance Context: Cyber Liability Risks

• 1st Party Damages – Common Insurable Losses
  – Cost for forensic investigation to find the cause of the damage
  – Cost to figure out if/what data was breached
  – Cost to comply with Breach Notification Regulations (RCW, HIPAA, FERPA, etc.)
  – Cost for customer Risk Mitigation Services

11

Insurance Context: Cyber Liability Risks

• 1st Party Damages – Continued
  – Expert Legal Advice
  – Expert Public Relations Advice
  – Expert Crisis Management Advice
  – Cyber Extortion Payments
  – Cost to Restore Data Integrity or Availability
  – Lost Income and Extra Operating Cost due to network interruption

12

Insurance Context: Cyber Liability Risks

• 3rd Party Liability
  – 3rd party damage claims
  – 3rd party litigation
  – Web media damage claims (e.g. copyright or trademark infringement, defamation, invasion of privacy)
  – Regulatory defense and penalties

13

Switch Gears: Cyber Risk Exposure

How much Cyber Liability Insurance do you need?

14

Insurance Context

Cyber Risk Loss Exposure is defined as: “Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.”

Doug’s Version: Costs arising from 1st party damages and 3rd party liabilities resulting from the use of your computer systems.

15

Risk Exposure – Mostly About Data

• Data that can cause financial harm to your agency “if” it is not kept secure includes:
  – Personally identifiable information (RCW 42.56.590)
  – Electronic personal health information (HIPAA Security Rule)
  – Credit card information (PCI Data Security Standard)
  – Bank account information used to process electronic fund transfers or payments
  – IRS tax information (IRS 1075)
  – Student education information (FERPA)
  – Data protected by attorney client privilege
  – Criminal justice information (FBI CJIS standards)
  – Proprietary information (agreement, contract, or license)

16

Data Breach Incident Example – Deeper Dive

Idaho State University – August 2011
• 17,500 individuals’ ePHI exposed
• “On November 22, 2011, HHS notified ISU of its investigation regarding ISU’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”).
  • ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process;
  • ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level; and
  • ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate.”

17

• SBCTC & Community College View

ORM 2014 Data Survey Results (as of 6/3/2014)

Data Types with Liability Risk            "Yes"   "No"   Total
Credit Card Data at Rest in Agency          32      0      32
Electronic Personal Health Information      24      8      32
Bank Account Information                    25      7      32
Personally Identifiable Information         31      1      32
IRS Tax Information                         31      1      32
Student Education Information               32      0      32
Attorney-Client Privilege                   28      4      32
Criminal Justice Information                14     18      32
Proprietary Information                     21     11      32

18

Risk Exposure – Cost Factors

• Example: Costs associated with breach notification
  – $3 per record minimum cost – EWU 2009 breach actual cost
  – ~$107 – Estimated public sector cost per record in a data breach (Ponemon Institute 2014 US Cost of a Data Security Breach Report)

Sources of Data Breach Cost (matrix columns): Breach Response, Analysis, and Forensics; Breach Notification; Regulatory Fines; Pre-Claim Loss Control; Significant 3rd Party Cost Claims; Post-Claim Litigation; Cyber Extortion; Loss of Reputation

Data Types with Liability Risk (each X marks one applicable cost source):
Credit card information                       X X X X X X X
Electronic personal health information        X X X X X X
Bank account information                      X X X X X X X X
Personally identifiable information           X X X X X X
IRS tax information                           X X X X X X X
Student education information                 X X X X X X
Data protected by attorney-client privilege   X X X X X X
Criminal justice information                  X X X X X X
Proprietary information                       X X X X X X

19

Do You Know How Much Cyber Liability Risk You Have Today?

• Quantify Your Confidential Data
• Compute Cyber Liability Risk Exposure $$

Sample - Data Breach Risk Exposure Worksheet

Worksheet columns, in three groups:
  Data Breach Impact: Type of Data | Unique Records | Data Source | Data Location | Data Shared With | Applicable Data Security Regulation | Notification | Root Cause Investigation | Regulatory Fines | Credit Monitoring for 3rd Parties | Legal Defense | Damages to 3rd Parties
  Cost of a Data Breach Estimate: Cost per Record to Notify | 2014 Public Sector Market Cost per Record (Note 1) | Regulatory Fine Cost (Note 2) | Min Cost Estimate | Max Cost Estimate | Most Likely Cost for full notification and credit services | Notice Cost Limit (RCW 42.56.590.7c) (Note 3) | Regulatory Fines | Most Likely Cost (Net)
  Funding Source: Agency Budget | PEPIP Cyber Liability Insurance | Cyber Liability Insurance AIG Layer (Uninsured Risk Exposure if Agency is in the Master Property Insurance Program; Security Breach Risk Exposure if Agency is NOT in the Master Property Insurance Program)

Sample rows (Type of Data | Unique Records | Regulation | Notification, Root Cause, Fines, Credit Monitoring, Legal Defense, Damages | $/record to notify, 2014 $/record, Fine estimate | Min, Max, Most Likely, Notice Cost Limit, Regulatory Fines, Net | Agency Budget, PEPIP, AIG Layer):
System 1 (PII)          | 0 | RCW 42.56.590        | Yes Yes No No No No    | $3 $107 0         | $0 $0 $0 $250,000 $0 $250,000                                     | $100,000 $150,000 $0
System 2 (HIPAA)        | 0 | HIPAA                | Yes Yes Yes No No No   | $3 $107 1,000,000 | $1,000,000 $1,000,000 $1,000,000 $0 $1,000,000 $1,000,000         | $100,000 $900,000 $0
System 3 (Credit Card)  | 0 | PCI                  | Yes Yes Yes Yes Yes Yes| $3 $107 0         | $0 $0 $0 $0 $0 $0                                                 | $0 $0 $0
System 4 (Bank Accounts)| 0 | RCW 42.56.590        | Yes Yes No No No No    | $3 $107 0         | $0 $0 $0 $250,000 $0 $250,000                                     | $100,000 $150,000 $0
System 5 (IRS Pub 1075) | 0 | IRS Publication 1075 | Yes Yes Yes No No No   | $3 $107 0         | $0 $0 $0 $250,000 $0 $250,000                                     | $100,000 $150,000 $0
System 6 (FERPA)        | 0 | FERPA                | Yes Yes No No No No    | $3 $107 0         | $0 $0 $0 $250,000 $0 $250,000                                     | $100,000 $150,000 $0
Maximum Data Breach Risk Exposure: 0 $1,000,000 $1,000,000 $1,000,000 $250,000 $1,000,000 $0

NOTES:

NOTE 1 - The high estimate is based on $172 per record cost for the Public Sector that comes from the 2014 Ponemon Institute Cost of a Data Breach Study. That study also breaks down the elements of this cost. One element they include is "Lost Customer Business". We have removed this from the estimate above because the State is a monopoly. If we have a breach we will not lose business. Our planning number is $107.

NOTE 2 - a) IRS Fine based on $25/record; b) HIPAA Fine - Arbitrary estimate based on HHS/OCR cases.

NOTE 3 - RCW 42.56.590 allows agencies to use mass media for notification if cost is over $250,000 or the number of notices exceeds 500,000. Estimate assumes we would use this provision in the event of a breach.

Your Risk Manager & IT Manager have been asked to complete this spreadsheet.

See Handout
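The worksheet above is a per-system calculation: records times a per-record notification figure, a regulatory fine estimate, the RCW 42.56.590 substitute-notice figure where it applies, and then the net cost split across the agency retention, the APIP layer and any uninsured remainder. The script below is an added illustration of that arithmetic, not the ORM spreadsheet or code from the deck. Constants come from the deck ($3 and $107 per record, $250,000 / 500,000 substitute-notice thresholds, $100K APIP retention, $2M APIP coverage limit); the rules for when the cap is applied, the treatment of APIP as a single $2M layer, and the "maximum" line being the worst single row are assumptions about how the sample sheet was filled in, and the record counts are constructed, not any college's figures.

```python
from dataclasses import dataclass

# Planning constants taken from the worksheet notes and coverage slide (US dollars).
NOTIFY_MIN_PER_RECORD = 3             # "$3 per record minimum cost"
NOTIFY_PLAN_PER_RECORD = 107          # Note 1 planning number
RCW_SUBSTITUTE_NOTICE_COST = 250_000  # Note 3 cost threshold, RCW 42.56.590
RCW_SUBSTITUTE_NOTICE_COUNT = 500_000 # Note 3 notice-count threshold
APIP_RETENTION = 100_000              # APIP deductible
APIP_LAYER_LIMIT = 2_000_000          # assumption: APIP treated as one $2M layer


@dataclass
class DataSystem:
    """One worksheet row: a system holding a class of regulated data."""
    name: str
    records: int
    regulation: str           # "RCW" gets the substitute-notice figure; others do not
    regulatory_fine: int = 0  # Note 2 style estimate chosen by the planner


def notification_cost(system: DataSystem) -> int:
    """Most-likely notification cost. Assumption: for RCW 42.56.590 data the
    sheet swaps the per-record estimate for the $250,000 substitute-notice
    figure once either statutory threshold is crossed; HIPAA data must notify
    every individual, so no cap is applied."""
    estimate = system.records * NOTIFY_PLAN_PER_RECORD
    if system.regulation == "RCW" and (
        estimate > RCW_SUBSTITUTE_NOTICE_COST
        or system.records > RCW_SUBSTITUTE_NOTICE_COUNT
    ):
        return RCW_SUBSTITUTE_NOTICE_COST
    return estimate


def exposure(system: DataSystem) -> dict:
    """Fill the cost and funding-source columns for one row."""
    min_cost = system.records * NOTIFY_MIN_PER_RECORD + system.regulatory_fine
    max_cost = system.records * NOTIFY_PLAN_PER_RECORD + system.regulatory_fine
    net = notification_cost(system) + system.regulatory_fine
    # Funding split, assumed from the sample rows: the agency budget absorbs
    # the retention, the APIP layer pays up to its limit, and the rest is
    # uninsured unless an excess (AIG) layer has been bought.
    agency = min(net, APIP_RETENTION)
    apip = min(net - agency, APIP_LAYER_LIMIT)
    excess = net - agency - apip
    return {"min": min_cost, "max": max_cost, "net": net,
            "agency": agency, "apip": apip, "excess": excess}


def maximum_exposure(systems) -> dict:
    """'Maximum Data Breach Risk Exposure' line: the largest value in each
    column, i.e. the single worst breach rather than every system breached
    at once (assumed reading of the sample sheet)."""
    rows = [exposure(s) for s in systems]
    return {col: max(r[col] for r in rows) for col in rows[0]}


# Constructed inventory; record counts are illustrative, not from any college.
SAMPLE_SYSTEMS = [
    DataSystem("System 1 (PII)", 50_000, "RCW"),
    DataSystem("System 2 (HIPAA)", 17_500, "HIPAA", regulatory_fine=1_000_000),
    DataSystem("System 4 (Bank Accounts)", 1_000, "RCW"),
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        print(f"{s.name:26} {exposure(s)}")
    print("Maximum exposure:", maximum_exposure(SAMPLE_SYSTEMS))
```

Run as-is it prints one line per system plus the maximum line; the HIPAA row is the one to watch, since a $1M fine estimate plus full notification of 17,500 people lands above the assumed $2M APIP layer and leaves an uninsured remainder, which is exactly the gap the excess-policy quotes later in the deck are meant to close.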

20

What we are learning about your Risk

• All of you have PII / FERPA Data
  – All of the Colleges have significant amounts of this data
  – RCW 42.56.590 - Breach Notice Context
  – House Bill 1078 – 45 days to give notice
  – Substitute notice may be available
• Some of you have HIPAA Data (High Risk Data)
  – HIPAA - Breach Notice Context
  – Must send notice to all individuals
  – 60 days to complete notice
  – Risk of regulatory penalties
• No College Should Have (High Risk Data)
  – IRS FTI Data, PCI Data, or Bank Account Data

21

IRS FTI Data – IRS Publication 1075

• (IRS Pub 1075 Link) provides the following definition:

  1.4.1 Federal Tax Information (FTI)

  Safeguarding FTI is critically important to continuously protect taxpayer confidentiality as required by the IRC 6103. FTI may consist of returns or return information and may contain personally identifiable information (PII).

  FTI is any return or return information received from the IRS or secondary source, such as SSA, Federal Office of Child Support Enforcement or Bureau of Fiscal Service. FTI includes any information created by the recipient that is derived from return or return information.

• The highlighted part is what determines if you do or do not have IRS data.
• This standard applies to data received from the IRS, not data sent to the IRS.
• It is my belief that colleges do not have this class of data.

22

Other Data Types

• Credit Card Data (PCI)
  – All Credit Card Data should be outsourced to a third-party credit card processor
  – This is the view of the State Treasurer
• Bank Account Data
  – SBCTC holds records for electronic ACH payments to vendors and employees
  – Colleges should sanitize data pulled from the SBCTC systems – e.g. delete the bank account data from your local systems.

23

Switch Gears: What Happens if “it” Happens?

Security Event Incident Response

24

Working Analogy

• Think of an IT security incident like a house fire:
  – Call 911 and ask for help
  – Fire department puts out the flame
  – Property owner cleans up the mess
• If insured then there is help provided by the insurance company
  – Resources to clean-up and reconstruct
  – Funds to pay out of pocket costs over the deductible up to the policy limit
• If not, the property owner pays all costs.

25

Follow Your Incident Response Plan, Right?

Incident Response Team Follows the Plan

Who’s Got The Plan?

26

• We can deal with whatever comes up…..

Or Maybe Not

27

Most IT/IR Plans Stop Short

Focus tends to be on putting out the flame.

Was there a data security breach?

28

• It is rare to find a Cyber Security Incident Response Plan that includes steps to be taken in the event of a data security breach. Most organizations wing it…..

Our Working Assumption:

Fire is out, who cleans up the mess?

29

Switch Gears: Insurance as a tool to Clean Up the Mess

30

Academic Point

• Insurance is about “Risk Finance”
• Risks can be Avoided, Reduced, Accepted, or Transferred.
• Insurance is how we transfer Financial Risk Exposure
• Cyber Liability Insurance is not a Technology Topic, it is a Finance Topic

31

Cyber Liability Insurance: Cleaning Up the Data Breach Mess

• Current Policy (APIP) - “Alliant Property Insurance Program”
• Agency must be on the State Master Property Insurance Policy to have APIP Cyber Liability Insurance
  – Not All Colleges have this policy
• Aggregate limits apply
  – $25M for APIP Pool
  – $2M for State of Washington
• Cost < $24,000 for all state agencies in APIP Program

32

APIP Cyber Liability Insurance

• Cyber Liability General Coverages ($100K Deductible)
  – $2M Information Security & Privacy Liability
  – $500K Privacy Notification Cost, $1M if carrier's preferred vendors are utilized
  – $2M Regulatory Defense and Penalties
  – $2M Website Media Content Liability
  – $2M Cyber Extortion Loss
  – $2M Data Protection Loss and Business Interruption Loss

33

APIP Details

• Look at the Handout

34

Montana Lessons Learned: May 2014 HIPAA Breach

1.3 Million Dept. of Health Patient Records. $5M Cost. $3M Insured. No HIPAA Fine To-Date.

• APIP Cyber Liability Insurance Worked
• Response Services Worked
  • Rapid Response
  • Event/Crisis Management
  • Forensic Analysis
    – Root Cause
    – Determine Data Exposure
  • Legal Services
  • Public Relations Services
  • Notification Production
  • Call Center Operation
  • Manage Internal Reporting (Gov)

35

Key Question:

• Do you have data at your college that can produce expensive cyber liability events?
  – Student / Employee Data (Yes)
  – Credit Card Data (No)
  – IRS Data (No)
  – HIPAA Data (Yes)
    • Nursing Programs (None So Far)
    • Dental Programs (Yes)
    • Counseling Centers (Yes)

36

Do You Have Enough Cyber Liability Insurance Today?

• Risk Exposure Estimate Worksheets will help all of us have a better understanding of how much cyber liability risk we have among the colleges.

• This will in turn help us understand how much cyber liability insurance would be appropriate for Washington’s colleges to purchase.

37

Additional Cyber Liability Insurance is Available

• Each Agency must decide how much is needed based on your Risk Exposure
• Agency completes an application
  • Get application from Office of Risk Management (ORM)
  • Return to ORM, ORM Submits to Broker
• Broker will develop a quote
• Advantages:
  • No aggregate Limits
  • Lower retention possible
  • Sized to fit the agency risk exposure

38

Cost for Additional Cyber Liability Insurance

• Recent Quotes $50K Retention:
  – $2M Limits - $21K Annual Premium
  – $3M Limits - $33K
  – $5M Limits - $44K
• Aggregate Limits Equal Policy Limits

39

Cost for Additional Cyber Liability Insurance

• Recent Quotes $50K Retention
• Annual Premium:
  – $2M Limits - $21K
  – $3M Limits - $33K
  – $5M Limits - $44K
• Aggregate Limits Equal Policy Limits
• Would be “Excess Insurance” over the APIP Cyber Liability Insurance if it were available.

40

What if – One Policy for all Colleges?

• We can use the Risk Exposure information we are collecting to size a policy
• You would have to advise us:
  – Single incident limit, how much insurance is enough? Max per breach.
  – Aggregate limits, Total insurance for all colleges?
  – Retention, what size deductible?

41

Questions

Thank you!

42

Doug Selix, CISM, CISSP, PMP, Cyber Liability Program Manager

Department of Enterprise Services

Office of Risk Management

Office Phone: 360-407-8081

Email: [email protected]

Cyber Liability Program