Page 1

Cyber, Technology, Media and Privacy Risks: Risk Management and Insurance for Governmental Entities "Toolbox"

Presented by:

Daniel W. Houston
Senior Vice President, Enterprise Risk Management - Principal

The McCart Group 2405 Satellite Boulevard, Suite 200 Duluth, Georgia 30096

678.542.2652 [email protected]

September 29, 2014

Page 2

"Cyber risks are more complex than traditional risks. They are more international in scope and can cause multiple consequences, leading to first-party losses, third-party liability, and government action and fines."

- Dan Houston

Page 3

10 Cyber Questions

1. What is our data and what would we do if we lost it?
2. What would happen if we experienced an outside hack/crack, or an employee security break?
3. What would happen if we released or breached confidential or sensitive employee information?
4. What would happen if we released or breached confidential or sensitive customer/private citizen information?
5. How is our customer/private citizen information shared with others?

Page 4

10 Cyber Questions

6. Is our cyber security "in house", or is it outsourced? If outsourced, who, by contract, is holding whom harmless?
7. What is our comfort level with the extent of security in place?
8. In our contracts, are we consciously not holding another party harmless, except for our own sole negligence?
9. What is our risk management?
10. Do we have insurance coverage?

Page 5

The Birth of the Internet – 1969

Page 6

History of the Internet (ARPANet- The Net)

• Born in 1969 as a research tool conceived by the Advanced Research Projects Agency (ARPA), sponsored by the U.S. Defense Department
• The World Wide Web (www) first appeared in 1991
• The PC spurred growth
• Three basic applications: electronic mail (e-mail), file transfer and remote login

Page 7

Internet Structure

• A large number of "host" computers furnish access and routing over the Internet
• Host computers (host nodes) are computers that hold web pages (i.e. content)
• Host computers are repositories of services and are reachable by end users through other computers, known as points of presence (POPs)
• Computers that control traffic at the local network (e.g., a company's network) or at the local Internet Service Provider (ISP) are called gateway nodes

Page 8

Internet Structure

• Each end user has a second-level domain name (the name given to others as the end user's Internet address) and an Internet Protocol (IP) address (the numerical address that actually identifies the host on the network; the name is translated to it by DNS)

– U.S. top-level domain names: commercial - .com; governmental - .gov; organization - .org; military - .mil; network providers - .net; educational institutions - .edu

– Non-U.S. users (country-code domains): United Kingdom - .uk; Bermuda - .bm

Page 9

Internet Structure

• Hypertext Transfer Protocol (HTTP) allows words, graphics, video and sound to be transmitted over the World Wide Web (www)

• Web pages are written in Hypertext Markup Language (HTML), which HTTP carries; HTML links between files give access, with the click of a mouse, to other documents (a switch from one file to another)

• Domain names are part of a uniform resource locator (URL)
• A URL is the full address of a file accessible through the Internet
• Some host computers, the Domain Name System (DNS) servers, maintain tables that translate a domain name to the IP address (32-bit for IPv4, 128-bit for IPv6) used over the high-speed lines of the Internet to route messages and documents

Page 10

Internet Structure

Anatomy of the example URL http://www.standard-pub.com:

• http:// - uses Hypertext Transfer Protocol
• www. - host name conventionally used for a site's web server (the World Wide Web)
• standard-pub. - domain name (the second-level domain)
• com - top-level domain name / commercial
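Added example (not from the deck): a short Python script that splits a URL into the parts labelled above and flags the ways phishing URLs abuse that structure, which matters because the deck later notes that targeted attacks such as The Mask begin with a user clicking a link. `standard-pub.com` is the slide's own example domain; the other host names (`evil.example`, `203.0.113.5`) are constructed test inputs, and the "registrable domain = last two labels" rule is a deliberate simplification.

```python
"""Split a URL into the parts the slide labels (scheme, host, second-level
domain, top-level domain) and flag structural tricks phishing URLs use.

Added example; not part of the original presentation.  All host names
other than standard-pub.com are constructed test inputs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class UrlParts:
    scheme: str              # "http" / "https"
    userinfo: Optional[str]  # text before '@' in the authority, if any
    host: str                # what the browser actually connects to
    second_level: str        # "standard-pub" in www.standard-pub.com
    tld: str                 # "com"
    path: str


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_url(url: str) -> UrlParts:
    """Break *url* into the components named on the slide.

    The registrable domain is approximated as the last two labels of the
    host name.  That is wrong for suffixes such as "co.uk"; real code
    should consult the Public Suffix List instead.
    """
    s = urlsplit(url)
    host = (s.hostname or "").lower().rstrip(".")
    labels = [] if _is_ip_literal(host) else host.split(".")
    second_level = labels[-2] if len(labels) >= 2 else ""
    tld = labels[-1] if len(labels) >= 2 else ""
    # urlsplit already treats the text before the last '@' as userinfo;
    # we keep it because its presence is itself a warning sign.
    userinfo = s.netloc.rpartition("@")[0] or None
    return UrlParts(s.scheme.lower(), userinfo, host, second_level, tld, s.path or "/")


def suspicious_features(url: str, expected_domain: str) -> List[str]:
    """Return the structural tricks found in *url*, given the registrable
    domain the reader believes they are visiting (e.g. "standard-pub.com")."""
    p = parse_url(url)
    expected = expected_domain.lower()
    registrable = f"{p.second_level}.{p.tld}" if p.second_level else p.host
    findings: List[str] = []
    if p.userinfo:
        # "http://www.standard-pub.com@evil.example/": the browser ignores
        # everything before '@' and connects to the host after it.
        findings.append("decoy-in-userinfo")
    if _is_ip_literal(p.host):
        # A raw address instead of a name: there is no domain to recognise.
        findings.append("ip-literal-host")
    elif registrable != expected:
        if expected in p.host:
            # "www.standard-pub.com.evil.example": the brand is only a
            # subdomain of an attacker-controlled registrable domain.
            findings.append("brand-as-subdomain")
        else:
            findings.append("unexpected-domain")
    if p.scheme != "https":
        # Cleartext HTTP: an on-path attacker can read or rewrite the page.
        findings.append("cleartext-scheme")
    return findings


if __name__ == "__main__":
    for sample in (
        "https://www.standard-pub.com/",
        "http://www.standard-pub.com@203.0.113.5/login",
        "https://www.standard-pub.com.evil.example/login",
    ):
        print(sample, "->", suspicious_features(sample, "standard-pub.com") or "clean")
```

The point of the check is that the part of the address a person reads first (the brand name) is not the part the browser uses to decide where to connect; only the registrable domain of the host after any `@` determines that.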

Page 11

2014: The Five Gateways of Internet Vulnerability

• Instantaneous Action at a Distance
• The Asymmetries of Cyberspace
• Anonymity in Cyberspace
• Lack of Borders
• The Difficulty of Distinction

Page 12

Some Methods of Attack

• Laptop Theft
• Hacking
• Malicious Code (such as Viruses and Worms)
• Denial of Service Attacks
• Theft of Information
• Fraud
• Corruption of Data
• Insider Exploitation
• Dumpster Diving
• Social Engineering

Page 13

Statistics

• 89% COULD HAVE BEEN PREVENTED EASILY
• 31% DUE TO INSIDE THREATS
• 21% PHYSICAL LOSS / THEFT
• 76% WEAK OR STOLEN CREDENTIALS
• 29% VIA SOCIAL ENGINEERING

Page 14

The First Generation of Cybercriminals

"Why did I do it? To prove that I could."

Steve Jobs and blue boxes.

Sven Jaschan, author of the NetSky and Sasser worms that wreaked havoc in the spring of 2004. He was arrested the same year by German police following a three-month international investigation.

Page 15

The Second Generation of Cybercriminals

“Show me the money!” 

Jeanson James Ancheta, owner of the Rxbot botnet that controlled approximately 400,000 infected computers. He was arrested in late 2005 in an elaborate FBI sting operation.

Page 16

The Third Generation of Cybercriminals

“Cybercrime goes big time!” 

Maria Zarubina and Timur Arutchev were part of a Russian cybercrime gang which attacked a number of British bookmakers, resulting in approximately $3M in losses.

Yaron Bolondi used a Trojan and help from bank insiders to attempt the theft of £220M from the London branch of Japan's Sumitomo Mitsui Bank.

Page 17

The Fourth Generation of Cybercriminals

“Want to buy an exploit kit?” 

Sites such as Dark0de serve as markets for buying and selling malware.* 

* SecureWorks, Inc.

Page 18

The Fourth Generation of Cybercriminals

Malware distribution services, like the full-service "pay-per-install" site installconverter.com, specialize in pushing out malware and infecting thousands of computers in a short amount of time. Pay-Per-Install.org is a forum and marketplace for the PPI business where cybercriminals discuss the best "affiliate" PPI programs and how to make money installing malware.

Page 19

The Fourth Generation of Cybercriminals

76Service.com is one of many cybercriminal websites designed for buying, selling and managing portfolios of stolen identity data.

Page 20

The Current Generation of Cybercriminals

“How can I serve you malware today?” 

Nuclear RAT and Bandook RAT malware tools have been used in both the Better Business Bureau (BBB) and Internal Revenue Service (IRS) targeted email scams. Developed by the Nuclear Winter Crew, the tools boast a long list of features, English interfaces and support forums.

Page 21

Examples of Computer Related Losses

• Information from at least 94,000,000 credit and debit cards was stolen by hackers who accessed T.J. Maxx's customer information in a security breach that spanned 2003 to January 2007. Cost: over $1,000,000,000 in customer costs, $57,530,000 in fines, $40,900,000 to Visa USA. Costs are ongoing.

• Code Red, a blended threat, launched DoS attacks and defaced web servers. Its variant, Code Red II, left Trojan horses behind for later execution. Code Red ran entirely in memory, not from a file on disk, which let it slip past many antivirus products. Cost: $2,620,000,000.

• A number of U.S. states are jointly investigating a data breach involving a subsidiary of Experian Plc that exposed the social security numbers of some 200 million people to potential criminal activity. 

Page 22

Examples of Computer Related Losses (Continued)

• A hacker changes the diagnosis on thousands of cancer-related tests at the Mayo Clinic.

• Class action suit filed in L.A. breach, seeking damages in the wake of a computer theft incident: a class action lawsuit has been filed against Los Angeles County and a vendor that handles patient billing and payment collections for the county's departments of health services and public health, in the wake of a breach last month affecting 168,500 individuals. The breach was the result of a Feb. 5 theft of eight unencrypted desktop computers from the Torrance, Calif. office of Sutherland Healthcare Services, the billing and collections business.

• Auburn University's College of Business computer network was hacked in the fall of 2013. While the cyber-attack happened in the fall, it was only announced months later; the university says it held off on making the breach public until administrators could determine that personal information was compromised. The computer system has been upgraded to prevent further access. The breach happened between October 21 and November 20, 2013.

Page 23

Examples of Computer Related Losses (Continued)

• In October 2008, a logic bomb was discovered at American mortgage giant Fannie Mae. The bomb was allegedly planted by Rajendrasinh Makwana, an Indian citizen and IT contractor who worked in Fannie Mae's Urbana, Maryland facility. The bomb was set to activate on January 31, 2009 and could have wiped out all of Fannie Mae's 4,000 servers. Makwana had been terminated around 1:00 on October 24, 2008 and managed to plant the bomb before his network access was revoked. Makwana was indicted in a Maryland court on January 27, 2009 for unauthorized computer access.

• Because of a hole in a firewall, the City of Savannah exposed personal information online for 7 months.

• Financial Aid Services, a consultant, misplaced applications for students of Berry College; 2,093 paper and digital applications were lost.

• An upgrade of software at the U.S. Department of Education in Atlanta resulted in the loss of personal information on 21,000 student loan holders.

Page 24

Examples of Computer Related Losses (Continued)

• In January 2010, BlueCross BlueShield of Tennessee announced that it had spent more than $7,000,000 to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members. The $7,000,000 tab does not appear to be the end of it. The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach (pursuant to the HITECH Act). BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

Page 25

Government Attacks

“Careto”

Page 26

The Mask: Careto (Spanish Slang for ‘Ugly Face’ or ‘Mask’)

The main targets of the operation are government institutions; embassies and other diplomatic missions and also energy, oil and gas companies; research institutions; private equity firms and activists in 31 Countries.

Page 27

The Mask: Careto (Spanish Slang for ‘Ugly Face’ or ‘Mask’)

• A very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on. That is why it is called Careto.

Page 28

The Mask: Careto (Spanish Slang for ‘Ugly Face’ or ‘Mask’)

• The key motivation of The Mask attackers is to steal data from their victims. The malware collects a range of data from the infected system, including encryption keys, VPN configurations, SSH keys, RDP files and some unknown file types that could be related to bespoke / government-level encryption tools.

• Security researchers do not know who is behind the campaign.
• The very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups - one indicator that "The Mask" could be a state-sponsored campaign.

Page 29

The Mask: Careto (Spanish Slang for ‘Ugly Face’ or ‘Mask’)

• This campaign underlines the fact that there are highly professional attackers who have the resources and the skills to develop complex malware - in this case, to steal sensitive information. It also highlights the fact that targeted attacks, because they generate little or no activity beyond their specific victims, can "fly under the radar".

• The entry point of The Mask involves tricking individuals into doing something that undermines the security of the organization they work for - in this case, by clicking on a link or an attachment.

• Currently, all known C&C (Command-and-Control) servers used to manage infections are offline. But researchers believe that the danger has not been totally eradicated and that it is possible for the attackers to renew the campaign in the future.

Page 30

Chinese Hackers Used G20 Summit to Spy on European Leaders

December 10, 2013

Page 31

Who Initiates the Attacks?

• Thieves

• Hackers

• Crackers

• Cyberterrorists

• Cyber Smearers

• Phishers

• Competitors

• Industrial Spies

• Governments

• Employees

• Advertisers

• Politicians

• Us

• Many Others

Page 32

Why Attack or Threaten Computer Systems/ Networks?

• Financial Gain

• Disclosure

• Curiosity

• Espionage

• Revenge

• Thrill Seeking

• Disruption

• Gain Trade Secrets

• Competition

• Publicity

• Extortion

• Malice

• Who Knows?

Page 33

U.S. Espionage

• The US government hacks its way into foreign governments and collects information off their networks - diplomatic and military, not commercial.

• Is this "undeclared war" or a "covert action"?
• The legal issue is that in U.S. law it is a covert action when the president says it's a covert action.

• If you are on the receiving end of a covert action, is it an act of war?

• Law of Armed Conflict: government lawyers want to make sure that they very much limit the effects of the action, so that there is no collateral damage.

Page 34

Espionage Against the U.S.

• Commercial. Every major company in the United States has been penetrated by China, implanting "logic bombs", trapdoors, Trojan horses, etc. (e.g. China hacked into Boeing and gave or sold Boeing's secrets to Airbus) - a "death of a thousand cuts".

• Military Intelligence / Loss of Power. In 1996 President Clinton rushed two carrier battle groups to the Taiwan Strait to warn China against an invasion of Taiwan ("war games"). Was the invasion "threat" for real, or was it Chinese cyber-intervention aimed at blinding or paralyzing our defense?

• Geopolitical. Diplomatic strategy must be comprehensively reconceived.

Page 35

Dissecting the Stuxnet Worm: "Weaponized Malware - The First Cyber Guided Missile"

• "Stuxnet" was a cyber-worm created to attack the nuclear centrifuges of Iran; it then escaped from the targeted country and replicated itself in thousands of computers throughout the world.

• It may be lurking in yours right now, harmlessly inactive... or awaiting further orders.

• The worm was discovered in June 2010 but had been circulating before that.

• It was a one-shot weapon that targeted Iran's nuclear facilities: the uranium enrichment facility at Natanz and the Bushehr nuclear plant. Both were reported shut down many times by the worm.

• Possible origins: Israel and the U.S., or other Western nations, working separately or together.

Page 36

Stuxnet- Who Did It?

Us/ US

Page 37

More “Cuts”

• A possible cyber-attack could bring down the nation's entire electronic superstructure, including the power grid, banking and telecommunications, and even our military command centers.

• There are billions of portals, trap-doors and "exploits" ready to be hacked.

Page 38

Top 10 Breach Questions

1. Was personal data compromised from our systems? 

2. Did a data breach really occur? 

3. Is the intrusion or data breach still occurring? Are we still under attack?

4. Have we created a defensible and diligent plan to remediate the intrusion? 

5. Is/was the data breach accidental or malicious? 

Page 39

Top 10 Breach Questions

6. Have we alerted outside counsel? 

7. Do we understand our legal obligation for breach notification? 

8. How effective is our crisis communications plan? 

9. Is/was our data breach response plan effective in responding to this incident? 

10. How can we avoid a data breach in the future? 

Page 40

Plan Fundamentals

• Create and Empower a Team
• 24/7 "First Responders"
• Develop Vendor and Law Enforcement Relationships
• Create and Document a Plan
• Create a Notification "Tree"
• Create Communication Templates and Scripts
• Develop On-Call Resources and Remedies
• Employee Training
• Regulatory and Legal Review
• Funding
• Ongoing Critique

Page 41

Cyber Litigation

"Cyber Risk-Related Litigation Involves Complex Technical and Legal Issues"

- Dan Houston

Page 42

U.S. Privacy Laws

• United States privacy law embodies several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into his or her private affairs, discloses his or her private information, publicizes him or her in a false light, or appropriates his or her name for personal gain. Public figures have less privacy, and this is an evolving area of law as it relates to the media.

• The essence of the law derives from a right to privacy, defined broadly as "the right to be let alone." It usually excludes personal matters or activities which may reasonably be of public interest, like those of celebrities or participants in newsworthy events. Invasion of the right to privacy can be the basis for a lawsuit for damages against the person or entity violating the right. Constitutional sources of the right include the Fourth Amendment right to be free of unwarranted search or seizure, the First Amendment right to free assembly, and the Fourteenth Amendment due process right, recognized by the Supreme Court as protecting a general right to privacy within family, marriage, motherhood, procreation, and child rearing.

Page 43

U.S. Privacy Laws- Modern Tort Law

In the United States today, "invasion of privacy" is a commonly used cause of action in legal pleadings. Modern tort law includes four categories of invasion of privacy:

1. Intrusion of solitude: physical or electronic intrusion into one's private quarters.

2. Public disclosure of private facts: the dissemination of truthful private information which a reasonable person would find objectionable.

3. False light: the publication of facts which place a person in a false light, even though the facts themselves may not be defamatory.

4. Appropriation: the unauthorized use of a person's name or likeness to obtain some benefit.

Page 44

Some Laws, Regulations and Executive Orders

• Privacy Act of 1974
• Telephone Consumer Protection Act of 1991 (TCPA)
• Health Insurance Portability & Accountability Act (HIPAA) of 1996
• Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)
• Sarbanes-Oxley Act of 2002 (SOX)
• Federal Information Security Management Act of 2002 (FISMA)
• Homeland Security Presidential Directive 7 (Critical Infrastructure Identification, Prioritization and Protection)
• Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• The Red Flags Rule, 2008
• Genetic Information Nondiscrimination Act of 2008 (GINA)
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act), 2009
• Other exposures (e.g. employment law)
• Identity theft laws
• Other and pending federal, state and local laws

Page 45

Cyber Exposures

• Sabotage, Defacement and Electronic Vandalism
• Electronic Fraud - Identity Theft
• Denial of Service Attacks
• Privacy Liability
• Online Extortion
• Transmission of Malicious Code Losses
• Network Security Liability
• Theft of Laptops, Drives, Servers, etc.
• Errors and Omissions
• Failure to Deliver
• Internet Media Activities Liability
• Laws and Administrative/Regulatory Proceedings
• Laws and Legal Proceedings
• Crisis Management and Expenses

Page 46

10 Tips When Considering Insurance

• Assess the risks of data breach.

• Determine your organization's financial resources available for an effective breach response.

• Understand your current insurance coverage.

• Evaluate policy options carefully.

• Perform a risk assessment.

• Find a knowledgeable broker.

• Take advantage of value-added services provided.

• Get preferred vendor approval before the policy is finalized.

• Understand how to integrate the insurance claims process with internal breach response, before an attack!

Page 47

Insurance Carriers and Market Conditions

• Carriers have developed very different products to address what they think Cyber Risk customers need.

• Privacy coverage is driving the market.
• Rates for cyber risk are still showing signs of softening.

Page 48

Coverage Provided - Four Categories

Coverages fall into four categories, varying widely between the carriers:

• Liability - defense and settlement costs for the liability of the insured arising out of its failure to properly care for private data.

• Remediation - response costs following a data breach, including investigation, public relations, customer notification, and credit monitoring.

• Fines and/or Penalties - the costs to investigate, defend, and settle fines and penalties that may be assessed by a regulator; most carriers do not provide this coverage, although there can be coverage for defense costs and

• Our "stuff" - first-party losses to the insured's own data and systems.

Page 49

Coverage Triggers

Coverage can be triggered by:
• Failure to secure data
• Loss caused by an employee
• Acts by persons other than insureds
• Loss resulting from the theft or disappearance of private property (such as data that resides on a stolen laptop or missing data storage media)

Page 50

Types of Data Covered

Some carriers specify the types of data covered, others do not. Specific types covered can include:
• An individual's personally identifiable information
• Nonpublic data, such as corporate information
• Non-electronic data, such as paper records and printouts

Page 51

Modules

CYBER INSURANCE COVERAGE

Module 1: Loss of Data
Module 2: Denial of Service
Module 3: Privacy Liability
Module 4: Cyber Extortion
Module 5: Transmission of Virus
Module 6: Unauthorized Access
Module 7: Unauthorized Use
Module 8: Physical Theft of Hardware, Laptops, Servers, Etc.
Module 9: Errors and Omissions
Module 10: Failure to Deliver
Module 11: Copyright

Page 52

Modules

CYBER INSURANCE COVERAGE

Module 12: Breach, Theft or Use of your Copyright or Software Code

Module 13: Defamation, Invasion or other violation of a right of Publicity, Libel, Invasion or other violation by you of a right to Privacy, Product Disparagement, Slander, Trade Libel

Module 14: Business Interruption Loss

Module 15: Period of Restoration

Module 16: Administrative/Regulatory Proceedings

Module 17: Legal Proceedings Against You

Module 18: Crisis Management Fund

Page 53

The Major Exposures

• Electronic Fraud - Identity Theft
  – Notification costs (letters, P.R., credit monitoring)
  – Cost shifting claims from merchant banks
  – Liability resulting from invasion of privacy suits

• Online Extortion
  – Cost to remediate security vulnerability
  – Cost to investigate event
  – Extortion demand

• Transmission of Malicious Code Losses
  – Cost to remediate security vulnerability
  – Cost to investigate event
  – Liability to customers and other third parties

Page 54

The Major Exposures

• Internet Media Activities Liability
  – Intellectual property infringement, trademark infringement, and copyright infringement.
  – Plagiarism or the misappropriation of advertising ideas or materials.
  – Disparagement of products or services, libel, slander, defamation, and privacy.

Page 55

Major Exposures

• Network Security Liability
  – Unauthorized Access
  – Theft or Destruction of Data of Others
  – Hacker Attacks against Third Parties
  – Privacy Breach
  – Denial of Service
  – The Failure to Prevent the Transmission of Malicious Code

Page 56

Major Exposures

• Denial of Service Attacks
  – Lost income due to a network interruption
  – Extra expense to restore the network
  – Cost to remediate website and other content
  – Liability to customers who are contracted to use your e-service

• Sabotage, Defacement and Electronic Vandalism
  – Cost to remediate website and other content
  – Hourly income while offline

Page 57

Major Exposures

• Privacy Liability
  – Privacy coverage subject to a network security event
  – Unauthorized access by hacker
  – Unauthorized use

Page 58

Major Exposures

• Identity Theft Public Relations Expense Fund
  – Crisis Management Expense

Page 59

Why Traditional Insurance (Forms Vary) Cannot Be Relied Upon to Effectively Cover Cyber Risk

Traditional Insurance: Commercial General Liability (CGL)
Specific Cyber Risk Insurance: "Cyber Liability" Forms

1. CGL: Basic scope of coverage is for "bodily injury liability", "property damage liability" and "personal/advertising liability" as defined (rather narrowly) within the form.
   Cyber: The coverage is designed to address the emerging exposures for "e-business" (or "e-commerce"), with related coverage extensions.

2. CGL: "Property damage" (liability) is defined as "…physical damage to tangible property…".
   Cyber: Damage to property is generally not restricted to "tangible property".

3. CGL: No coverage for liability arising out of the "tying up" of a web site connection (also a "cyber property" exposure).
   Cyber: "Denial of Service" is covered by many "cyber liability" coverage forms.

4. CGL: Although coverage is afforded for "advertising liability", a usual exclusion exists for "…an offense committed by an insured whose business is advertising, broadcasting, publishing or telecasting…". Also, it is clear that there is no coverage for hacking, breach of confidentiality or breach of security. ISO has also added exclusionary language for hosting chat rooms and/or bulletin boards.
   Cyber: Generally, no similar restrictions in many "cyber liability" coverage forms.

5. CGL: No coverage for "errors/omissions" liability.
   Cyber: Many e-business operations have at least some exposure to "basic E&O" exposures (which may or may not be addressed in cyber liability forms).

6. CGL: No coverage for liability of an insured for "breach of security".
   Cyber: "Breach of security" and/or "breach of confidentiality" are usually included for coverage.

7. CGL: Generally, there is only limited coverage for copyright/trademark infringement, and never coverage for patent infringement.
   Cyber: A basic tenet for most cyber liability policy forms.

8. CGL: Policy territory is the U.S., its territories/possessions and Canada.
   Cyber: Policy territory is global, worldwide, or "anywhere".

9. CGL: Bankruptcy is generally excluded.
   Cyber: Generally, no exclusion for bankruptcy.

10. CGL: Financial loss liability (to a customer, for example) is usually excluded.
    Cyber: The focus of coverage is usually on the financial impact responsibility of the insured to a third party, arising out of e-business activities.

11. CGL: No coverage for allegations of "breach of confidentiality". However, there may be limited coverage for "publication of information which violates an individual's right to privacy."
    Cyber: A basic tenet of most cyber liability forms.

Page 60

Why Traditional Insurance (Forms Vary) Cannot Be Relied Upon to Effectively Cover Cyber Risk

Traditional Insurance: Commercial Property
Specific Cyber Risk Insurance: "Cyber Property" Forms

1. Commercial Property: Generally requires physical damage to tangible property to trigger coverage.
   Cyber Property: No tangible property damage is required to trigger coverage.

2. Commercial Property: BI/EE must be the result of a covered direct physical damage loss.
   Cyber Property: Many forms do not require direct physical damage to activate coverage for BI/EE.

3. Commercial Property: No specific coverage for damage as a result of a "computer virus".
   Cyber Property: Many forms provide specific coverage for "computer virus" damage.

4. Commercial Property: Limited coverage (if any) afforded for "information assets".
   Cyber Property: Generally, coverage is provided for loss as a result of "malicious code", "unauthorized instructions" and related exposures.

5. Commercial Property: Contingent business interruption is not covered unless specifically endorsed.
   Cyber Property: Generally, a basic limit is provided for contingent business interruption, which may be increased.

6. Commercial Property: No specific coverage for damage done by "hackers" (damage to web sites is the most easily anticipated, and to date the most frequently reported, property loss exposure).
   Cyber Property: Damage caused by hackers is generally covered by "cyber property" coverage forms (which is also a "cyber liability" exposure).

7. Commercial Property: There is difficulty in valuing non-tangible property losses.
   Cyber Property: Valuation is established by policy language in many forms.

8. Commercial Property: There are limited coverage perils. Even if "all risk except for excluded perils" is provided, the breadth of coverage is not sufficient for e-business exposures.
   Cyber Property: Coverage perils are generally provided in anticipation of e-business exposures, such as programming error damage, unauthorized use, repudiation of access, and the like.

9. Commercial Property: No coverage for web site extortion-type claims.
   Cyber Property: Web site extortion is covered under several "cyber property" coverage forms.

10. Commercial Property: Policy territory relates to the actual location of tangible property.
    Cyber Property: Policy territory is global, worldwide, or "anywhere".

Page 61

Why Traditional Insurance (Forms Vary) Cannot Be Relied Upon to Effectively Cover Cyber Risk

Traditional Insurance: Crime Liability
Specific Cyber Risk Insurance: "Cyber Crime" Forms

1. Crime: Typically covers loss of or damage to money, securities, and/or “other property” (generally required to be tangible in order for coverage to apply).
   Cyber Crime: Tangibility of property is generally not required in order to trigger coverage.

2. Crime: Valuation of covered losses is a problem (for example, employee dishonesty involving theft of customer records).
   Cyber Crime: Valuation problems are anticipated in many coverage forms.

3. Crime: A "loss of income" exclusion is normal.
   Cyber Crime: No "loss of income" exclusion in many coverage forms.

4. Crime: Damage to "tangible property" is usually required to trigger coverage.
   Cyber Crime: No "tangible property" damage requirement in many coverage forms.

5. Crime: Generally, coverage is afforded for first party losses (unless third party coverage is specifically provided).
   Cyber Crime: Many forms provide both third party as well as first party coverage.

6. Crime: Computer Fraud: theft is generally the basis of coverage.
   Cyber Crime: Much broader approach to "computer fraud" issues under most coverage forms.

7. Crime: Computer Fraud: no coverage for defense expenses.
   Cyber Crime: Expenses can be provided for under most coverage forms.

8. Crime: No coverage, generally, for "crisis control".
   Cyber Crime: "Crisis management" coverage may be provided.

9. Crime: Policy territory is generally the same as property/general liability.
   Cyber Crime: Much broader coverage territory aspects.

10. Crime: Generally, no coverage for loss of trade secrets/confidential information.
    Cyber Crime: Not excluded, and may be specifically covered.

11. Crime: EDP Media is usually valued at the cost of blank materials.
    Cyber Crime: Many insurers provide for specific valuation of intellectual property.

Page 62

Why Traditional Insurance (Forms Vary) Cannot Be Relied Upon to Effectively Cover Cyber Risk

Traditional Insurance: Errors/Omissions Liability (E&O)
Specific Cyber Risk Insurance: “Cyber Liability” Forms

1. E&O: Generally, coverage is designed for technology companies or professional service firms, not the retail and manufacturing sector.
   Cyber: Can be adapted for e-business operations of any type.

2. E&O: A specific exclusion is usually present for “breach of security” (unless the product of the insured is designed to provide security).
   Cyber: Breach of security coverage is usually provided.

3. E&O: Bankruptcy/insolvency is usually excluded.
   Cyber: Not generally excluded, and may be specifically afforded in many forms.

4. E&O: Delay in performance of contracts is usually excluded.
   Cyber: Delay in performance is not usually excluded.

5. E&O: Intellectual property theft is almost always excluded.
   Cyber: Usually not excluded – may be the focus of the coverage form, in many instances.

6. E&O: “Piracy” is almost always excluded.
   Cyber: Piracy can be specifically covered.

7. E&O: Software design is not covered, unless specifically provided for in policy coverage descriptions.
   Cyber: Software design related to the business of the insured is usually covered (although not by every form).

8. E&O: Policy territory is usually limited to the U.S., its territories, possessions or Canada.
   Cyber: Policy territory is global, worldwide, or “anywhere”.

9. E&O: Generally, coverage is provided for services rendered to others for a fee.
   Cyber: Many Internet-provided services are “free of charge” and/or utilize alternate business development models.

Page 63

Cyber Risk Evaluation

Columns: Cyberrisk | Probability Estimate (L/M/H) | Financial Impact (L/M/H) | Risk Quadrant | Possible Loss Scenario | Potentially Insurable?
(Only the Cyberrisk and Possible Loss Scenario columns are filled in on this page.)

Cyberrisk: Computer Fraud. Wrongful taking of tangibles (money, securities, and other property) and intangibles (services, intellectual property and data) carried out by employees or non-employees.
Possible Loss Scenario: A part-time accounting department employee used the computer system to siphon off inventory and deposits.

Cyberrisk: Theft of Electronic Information and Electronic Information Assets. Wrongful taking of software code, supplier information, confidential or proprietary information, including intellectual property, source code, customer data, and electronic information, as a result of unauthorized access or unauthorized use of computer networks.
Possible Loss Scenario: A financial institution has a major loss due to theft of proprietary information, including investment, trading, and trust information.

Cyberrisk: Theft of Computer System Resources. Computing or telecommunications resources are used for other than official, approved business purposes.
Possible Loss Scenario: A telecommunications company found that an employee had successfully tapped long-distance service to run a private illegal enterprise.

Cyberrisk: Threats/Extortion. Threat to commit a computer crime, or to use information gained from a computer crime, in exchange for money or personal gain, or to embarrass the company.
Possible Loss Scenario: An outside, unknown group with a political message threatens that it will put an embarrassing message and graphics on the Web site home page unless the group's manifesto is published. The site is taken down to examine security issues.

Cyberrisk: Malicious Acts (Attacks). Modification or damage to systems or data for the purpose of nuisance, sabotage, malicious acts, revenge, political or social motivation, pranks, or entertainment.
Possible Loss Scenario: A part-time programmer is terminated. That evening the programmer was able to enter the building and log on to the system successfully. An entire critical database was deleted, causing significant overtime and data reconstruction costs.

Page 64

Cyber Risk Evaluation

Columns: Cyberrisk | Probability Estimate (L/M/H) | Financial Impact (L/M/H) | Risk Quadrant | Possible Loss Scenario | Potentially Insurable?
(Only the Cyberrisk and Possible Loss Scenario columns are filled in on this page.)

Cyberrisk: Disclosure of Electronic Information and Electronic Information Assets. Unauthorized disclosure of proprietary or confidential information stored in an electronic form, as a result of a computer crime, malicious act (attack), or unintentional mistake made by authorized IT/IS personnel in the normal performance of their jobs.
Possible Loss Scenario: A company has a system penetration, which results in details of its software product/code being published on a hacker Web site. Significant loss of competitive edge and future revenues.

Cyberrisk: Damage To Electronic Information and Programs By Human Error. Damage to computer programs and electronic data caused by an unintentional act or mistake made by authorized IT/IS personnel in the normal performance of their jobs.
Possible Loss Scenario: An insufficiently tested accounting application upgrade resulted in duplicate records posted to customers' accounts and inaccurate balances. Compensatory payments and extra expense to correct the problems.

Cyberrisk: Mechanical Breakdown. Electrical or mechanical breakdown that causes damage to computer equipment, electronic programs or data, and possible network disruption.
Possible Loss Scenario: A company's only web server suddenly fails due to a malfunctioning internal part, causing loss of data and downtime.

Cyberrisk: Physical Loss. Damage to computer equipment, media, and data due to a physical peril such as fire, water damage, vandalism, etc. Catastrophe perils are earthquake, windstorm, and flood.
Possible Loss Scenario: A data center is severely damaged by a hurricane, requiring immediate activation of an alternative "hot site". Significant damage to the data center, equipment, and data, and restoration/extra expenses related to the disaster.

Page 65

Cyber Risk Evaluation

Columns: Cyberrisk | Probability Estimate (L/M/H) | Financial Impact (L/M/H) | Risk Quadrant | Possible Loss Scenario | Potentially Insurable?
(Only the Cyberrisk and Possible Loss Scenario columns are filled in on this page.)

Cyberrisk: Harmful Code. Implantation, introduction, and spread of computer viruses, logic bombs, Trojan horses, and other forms of malicious code.
Possible Loss Scenario: A virus infects hundreds of thousands of computers, causing widespread damage and destruction of data, and total losses to the computers' motherboards.

Cyberrisk: Denial of Service. An attack causes a degradation of performance or loss of service (outage or interruption) to a web site or network application.
Possible Loss Scenario: Unwanted electronic e-mail (spamming) took so much of a company's web server handling e-mail that it resulted initially in a degradation of service, followed by a system crash.

Cyberrisk: Loss of Service. Computer system outage, "crash," or degradation of performance caused by an unintentional mistake or error made by authorized IT/IS personnel in the normal performance of their jobs.
Possible Loss Scenario: A financial services Web business grew beyond initial design expectations. Additional capacity was required, and an upgrade was installed that malfunctioned and caused several hours of outage of the Web site. Significant liability, loss of revenues, loss of market cap, and regulator concerns.

Cyberrisk: Off Premises Service Interruption. Physical perils (such as hurricane and fire), attacks, accidents, and malfunctioning of network communications infrastructure, including satellites, telephone lines, cable, electrical lines, and fiber-optic cable.
Possible Loss Scenario: A transformer fire, as a result of mistakes during a maintenance operation at a substation, causes widespread power outages, affecting computer systems in a large metropolitan area.

Cyberrisk: Dependent Businesses. All perils listed can occur to a critical supplier, vendor or customer, resulting in contingent business interruption and extra expense.
Possible Loss Scenario: Security of a router at a web hosting company is disabled by mistake, resulting in a successful malicious attack.

Page 66

Cyber Risk Evaluation

Columns: Cyberrisk | Probability Estimate (L/M/H) | Financial Impact (L/M/H) | Risk Quadrant | Possible Loss Scenario | Potentially Insurable?
(Only the Cyberrisk and Possible Loss Scenario columns are filled in on this page.)

Cyberrisk: Liability Errors and Omissions. Most of the direct risks listed above may also trigger litigation if third-party electronic information, systems, and revenues are involved. Errors and Omissions exposures are created by the use of, connective nature of, and dependence on Internet technologies that cause financial harm to third parties without bodily injury or tangible property damage. Overall exposure will depend on the role and level of involvement, as well as the scope and nature of the contractual relationship. Likely plaintiffs include consumers, business partners, business customers, vendors, e-merchants, and financial institutions.
Possible Loss Scenario:
• A financial institution's network security was breached and hackers stole information on the institution's high-net-worth customers. Customers filed lawsuits regarding the unauthorized disclosures.
• An unknown hacker stole the credit card information of cardholders from a credit card processing center. The issuing bank sued for all its processing and administrative costs to reissue the series of card numbers.
• A computer virus was spread from the e-mail system of a supplier to its customer, which resulted in the deletion of thousands of files in its purchasing system. The customer sued for its lost revenues and extra expenses.

Cyberrisk: Intellectual Property Infringement (Direct and Contributory).
• Patent infringement (especially software and business process patents)
• Copyright infringement (examples: plagiarism and framing)
• Trademark infringement including trade dress (examples: use of domain names, "cyber-squatting," meta tags)
• Misappropriation of trade secrets (i.e., research and marketing studies, processes, customer lists, undisclosed new products or services offerings, etc.)
Possible Loss Scenario:
• A company's use of a domain name constituted trademark infringement of another company.
• A defendant web site was sued for using the plaintiff's name within HTML code embedded in its Web page so that a search engine would be tricked into calling up the defendant's site when the plaintiff's name is used in a search string.
• A business process patent is the source of litigation regarding use of a process that provides ease of use to customers visiting the site.

Page 67

Cyber Risk Evaluation

Columns: Cyberrisk | Probability Estimate (L/M/H) | Financial Impact (L/M/H) | Risk Quadrant | Possible Loss Scenario | Potentially Insurable?
(Only the Cyberrisk, Possible Loss Scenario and Potentially Insurable? columns are filled in on this page.)

Cyberrisk: Content and Advertising Related Offenses. Defamation, especially online commentary and discussion, including employee statements made over the Internet about third parties. Trade libel and product disparagement. Pornography/obscenity/hate sites. Use of testimonials/endorsements. Invasion of privacy, cyber stalking. Misappropriation of publicity rights. Misappropriation of ideas under implied contract. Unfair competition (i.e., comparative claims, passing off, false or deceptive advertising/trading, Lanham Act 43(a), trademark dilution, etc.). Editorial errors and omissions (i.e., harmful imitation and reckless inducement).
Possible Loss Scenario: Names and images of famous persons are used without permission in the advertising and content of an Internet game site. Statements regarding a competitor's products are deemed to be false and to constitute trade libel and disparagement.
Potentially Insurable?: Yes

Cyberrisk: Privacy. Privacy issues concern utilizing information that identifies a person or an entity for a purpose that was not intended and for which permission was not received. Major differences among privacy regulations exist throughout the world; the most significant variation is between the European Data Directive (effective 10/98) and privacy regulations in the United States. In addition, there are specific state privacy protection laws (ex. Virginia Privacy Protection Act). Also refer to the Child Online Privacy Protection Act of 1998. Exposures include an inadequate privacy policy on the Web site (failure to disclose the information being collected and the use made of this information; failure to allow consumers a mechanism to view and modify the information collected), unauthorized release of confidential information (i.e., financial, medical, etc.), and failure to allow the consumer to "opt-out" of the use of private information relating to such consumer. Violation of a stated privacy policy may result in regulatory action or litigation. Many more have followed.
Possible Loss Scenario: An FTC enforcement action is directed at a Web site that promised not to share any optional information without the customer's permission. The owner of the Web site is alleged to have marketed and sold to third parties all the information, including that deemed optional and information collected from children. These parties, in turn, used this information to target the members with unsolicited e-mail ads.
Potentially Insurable?: Possibly

Page 68

In Summary, Six Things You Can Do Immediately to Improve Your Security and Privacy Posture and Reduce Your Overall Risk:

1. Know Your Data
2. Know Your Organization
3. Know Your People
4. Know Your Providers
5. Know the Law
6. Manage Your Risks


Page 69

Summary & Questions