Network Security & Privacy Liability: Assessing the Risk. Steve Yesko, ARM, Lowers & Associates; Jeff Kulikowski, AXIS Pro; Meredith Schnur, Wells Fargo Insurance Services. New Jersey Chapter, June 14, 2011 Chapter Meeting.

Page 1: Network Security & Privacy Liability: Assessing the Risk

Steve Yesko, ARM, Lowers & Associates
Jeff Kulikowski, AXIS Pro
Meredith Schnur, Wells Fargo Insurance Services

New Jersey Chapter, June 14, 2011 Chapter Meeting

Page 2: Risk Mitigation Agenda

• Cyber Risk vs. Data Breach
• Types of Breach
• Evolution of the Exposure
• Top 10 Incidents of 2010
• Top 10 Unsolved Crimes
• Today's Risk Landscape
• Organizational Risk Trends
• 2011 Forecast
• IT Security Testing - 3 Prong Approach
• IT Risk Mitigation Measures - Be Prepared
• Information Resources

Page 3: Cyber Risk vs. Data Breach

• Cyber Risk Coverage
  – Addresses hazards such as unauthorized website access, on-line libel, data loss and repairs to databases after system failures.

• Data Breach or Privacy Coverage
  – Covers the cost of notification and credit monitoring services for affected persons, PR expense to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements.

Page 4: Types of Breach

• Theft or Loss
• Inappropriate Handling
• Inadvertent Exposure
• Misuse of Access (Insider Threat)
• Unauthorized Access (External Attack)
• System Compromise (Malware)

Page 5: Evolution of the Exposure

• From a kid in the basement of parents' home to highly sophisticated organized crime networks
• From IT/computer related to Internet/web-based
• From theft of money to theft of information
• From outside / in to inside / out
• From legal action brought by consumers to legal action by regulators
• From expenses to secure network/servers to expenses for state notification laws
• From an IT issue to a Boardroom issue
• From a national to an international problem

Page 6: The Biggest Information Security Incidents of 2010

#10. Affinity Health Plan: Breach, involving 409K records, occurred when a copier was returned without hard disk erasure; reported by AHP to comply with HHS mandates

#9. WellPoint/Anthem BlueCross: Company's insurance application website was compromised by a faulty authentication code upgrade, putting 470K applicant records at risk

#8. CitiGroup: Approximately 600K customers were sent annual tax documents with SSN printed on the outside of the envelope (mimicked mail routing number)

#7. Ohio State University: Server housing 760K unencrypted PII records of current/former students, faculty, staff and contractors exposed during hack; no evidence of data theft

#6. South Shore Hospital: Three boxes of tapes, containing 800K records with PII, PHI and financial info of the hospital community, were lost while being transported for destruction

#5. Lincoln National Financial Securities: Portfolio management system, housing data for 1.2M customers, compromised when an actual user name/password were printed in a brochure and on a public site

#4. AvMed Health Plans: 1.2M records of current and former subscribers and their dependents compromised when two unencrypted laptops were stolen from corporate HQ

#3. Gawker: 1.3M user email addresses and passwords stolen in hack; 250K cracked IDs/passwords posted on-line, the most common among them "123456"

#2. Education Credit Management Corp.: Safes stolen from ECM offices containing unencrypted portable media (later recovered by police) with 3.3M student loan recipient/applicant info

#1. Netflix: Data sets containing anonymized movie rating and preference information for over 100M subscribers were voluntarily released to contest participants

Source: Software, Information & Network Security News

Page 7: Top 10 Unsolved Computer Crimes

#10. The WANK Worm (Oct. 89; first hacktivist attack)
#9. UK Ministry of Defense Satellite Hack (Feb. 99)
#8. CDUniverse Credit Card Breach (Jan. 00)
#7. USN Military Source Code Theft (Dec. 00)
#6. Anti-DRM Hack (Oct. 01; Windows Media)
#5. Dennis Kucinich on CBSNews.com (Oct. 03)
#4. Hacking your MBA App (Mar. 06)
#3. The 26,000 Site Hack Attack (Winter 08)
#2. Hannaford/Sweetbay Breach (Feb. 08)
#1. Comcast/Network Solutions Redirect (May 08)

Source: PC Magazine

Page 8: Today's Risk Landscape

• Data breaches increased significantly in 2010
  – ITRC's 2010 Breach Report cited 662 reported breaches
  – An increase of 33% over 2009
  – Paper Breaches: 20% (no mandatory reporting requirement)
  – Insider Theft: 15.4% (doubled since 2007)
  – Hacking: 17% (up 3%)
  – Data on the Move, Accidental, Subcontractor: 34.3%

• Threat Volumes are on the Rise
  – 2005 - 330,000 unique malware samples; 38 web threats per hour
  – 2008 - 16,495,000 unique malware samples; 1,883 web threats per hour

• Threat Vectors are Internet-Based
  – 92% now arrive via the Internet (Websites, Links, Email)
  – 8% arrive via file transfer (removable media)

Page 9: Today's Risk Landscape (cont'd)

• The Underground Economy is More Profitable
  – $100 billion per year marketplace
  – Malware: $50 - $3,500
  – Email Addresses: $0.001 per Address
  – An hour of usage on a Botnet of 8,000 to 10,000 computers: $200

• Email Threats Continue to Increase
  – 115 billion spam messages per day
  – Targeted Phishing Attacks (Spearphishing, Whaling)

• Web and Application Threats are Growing
  – 450,000 SQL/XSS Injection Attempts per Day
  – DNS Changers Re-Directing Users to Malware

• Mobile Threats Being Introduced
  – With PC-like Vectors

• Botnets are Proliferating
  – In 2008, 34.3 million PCs were infected with bot-associated malware

Page 10: Phishing

• Phishing = Deceptive emails
• Spearphishing = Targeted phishing
• Pharming = DNS based phishing
• SMiShing = Targets cellular texting
• Bluesnarfing = Bluetooth connections

[Figures: Country of Origin for Embedded Web Links; Country of Origin of Phishing Emails. Source: IBM X-Force 2010 Trend Statistics]

• Phishing targets by Industry:
  – Financial Institution: 50%
  – Credit Card: 19%
  – Auction: 11%
  – Government: 7.5%
  – On-line Payment: 5.7%
  – On-line Shop: 4.9%

Page 11: The Cyber Crime Black Market

Attack chain shown in the diagram: Discover Vulnerability → Create Exploit → Create Propagation/Attack Vector → Attack Target → Retrieve Information → Monetize Information → Launder Money

Marketplace supporting each stage of the chain:
• Vulnerability Marketplace: Discover Vulnerability, Create Exploit
• Toolkit Marketplace: Create Propagation/Attack Vector
• Botmasters (Collectors & Brokers): Attack Target, Retrieve Information
• Information/Identity/Intellectual Property Auctions: Monetize Information
• Financing/Money Laundering: Launder Money

Page 12: Organizational Risk Trends

• Advanced Persistent Threats (New!)
• Strong Rising Threats
  – Unstable Third Party Providers
  – Insecure Trading Partners
• Rising Threats
  – Malicious/Disgruntled Insiders
  – Careless/Overworked Employees
  – Reduced Security Budgets
• Steady Threats
  – Remote Workers
  – Software Downloading

Page 13: Why Risk Management?

• IT + Business + Financial Risk

• Part of broader governance, risk or compliance initiative

• IT => Information Security focus

• Regulatory Compliance

• Measuring threats and costs

Page 14: Mitigating Cyber Risk

• Avoid it

• Ignore it (we are not a target)

• Accept it as part of doing business

• Manage it (controls/processes)

• Transfer it (insurance, escrow)

Page 15: Risk Mitigation Measures

• IT/Information Security Risk Assessments
• Internal / External and Independent Testing:
  – Vulnerability (Scan) Analysis (network, application, database)
  – Penetration Testing (same, plus client-side)
  – Controls Testing (SAS-70, ISO-2700n, CoBIT, PCI, BITS FISAP)
• Implement, Test, and Continuously Improve:
  – Data Classification & Protection Measures
  – Training & Awareness
  – Logging & Monitoring
  – Patch/Configuration Management
  – Network, Server, and Endpoint DLP
  – AV, IDS/IPS, Proxies & Filters, DSRA
• Develop WISP - BR Team, BR Plan, COOP Approach
• Compliance Audits

Page 16: IT Security Testing: A Three-Pronged Approach

Page 17: 2011 Forecast

• Sophisticated, blended APTs for the FIs
• More smaller, reported breaches elsewhere
• Social networking policy implementation rises
• Ransomware and ransom attacks will grow
• Data minimization and cloud solutions advance
• Mobile data is ripe for the picking
• Low-tech theft of data/devices increases
• Alternative O/S attacks will increase
• Microsoft still targeted; Web 2.0 is here to stay

Page 18: 2011 Forecast (cont'd)

• More prevalent/deceptive social engineering methods
• Privacy awareness / breach preparedness advances
• Third-party data collection faces greater scrutiny
• The underground economy will continue to flourish
• Identity theft and spam will increase worldwide
• Continuing exposure due to lost devices
• Data encryption seen as means to compliance ends
• Federal breach notification legislation comes in 2012?
• Collaboration + Openness = Vulnerability to breach

Page 19: Information Resources

• PGP/Ponemon Study (www.ponemon.org)
• Verizon Data Breach Investigations Report (www.verizonbusiness.com)
• IBM X-Force Trend & Risk Report (www.ibm.com)
• Betterley Report (www.betterley.com)
• U.S. Dept. of Health & Human Services (www.hhs.gov)
• Privacy Rights Clearinghouse (www.privacyrights.org)
• ePlace (www.eplacesolutions.com)
• Sedona Conference Working Group on eDiscovery (www.thesedonaconference.org)
• BITS FISAP (www.bitsinfo.org)
• Identity Theft Resource Center (ITRC) Report (www.idtheftcenter.org)
• Internet Crime Complaint Center (IC3) Report (www.ic3.gov)
• Center for Strategic & International Studies (CSIS) (www.csis.org)
• Forrester Research (www.forrester.com)

Page 20:

Stephen Yesko, ARM
VA Office: (540) 338-7151
NY Office: (718) [email protected]
www.lowersrisk.com

Page 21: Security/Privacy Coverage: An Underwriting Perspective

Jeff Kulikowski, Axis Pro
Vice President, Regional Underwriting Manager
AXIS Capital Holdings Limited

Page 22: Security/Privacy Coverage: An Underwriting Perspective

Agenda
• Security/Privacy Coverage Components and Coverage Triggers
• Known Breach Events
• Underwriting Overview
• Q&A

Page 23: What Does The Coverage Provide?

Proactive coverage grants and carrier support services that assist an Insured at the outset of a data breach, including:
• Public Relations assistance
• Costs to issue notification letters to affected (actual or potential) individuals
• Credit Monitoring capabilities to affected individuals

If a breach escalates into a claim for actual damages, then the policy provides reimbursement for defense costs and damages, subject to policy provisions.

Coverage is also available for the Insured's loss of income, or costs to recreate/repair/replace data lost in the case of a Security Event.

Page 24: Security/Privacy Coverage: Common Insuring Agreements

Base Form Coverage (access to full aggregate limit)
• Security and Privacy Liability
• Media Liability (online/offline)
• Computer System Extortion

Sublimited Coverage
• Crisis Management Expense
• Regulatory Action Coverage
• Crisis Fund
• PCI-DSS Fines and Penalties Coverage

First Party Coverage
• Business/Network Interruption
• Data Recovery/Information Asset Coverage

Page 25: Understanding the Coverage: 1st Party vs. 3rd Party

First Party Coverage: direct reimbursement to the Insured for costs they incur for the following:

- Crisis Management Expenses

- Data Restoration/Information Asset

- Business/Network Interruption

- Regulatory Defense/Fines and Penalties

- Cyber Extortion

Third Party Coverage: defense costs and damages resulting from the following, which cause a 3rd Party financial loss:

- Security Liability

- Privacy Liability

Page 26: Security/Privacy Insurance: Coverage Triggers

• Accidental release or unauthorized disclosure of Personally Identifiable Information, Corporate Confidential Information or other confidential data
• Unauthorized Access to or Unauthorized Use of Protected Data on an Insured's Computer System that directly results in theft, alteration, destruction, deletion, corruption or damage of Protected Data
• Failure to prevent a party from accessing a computer or network system under the control of the Insured, when the party has the intent to deny or disrupt service, cause network functionality to fail, transmit malicious code via the Insured's networks, or deny/disrupt access to online services or computer systems
• Transmitting or receiving Malicious Code via the Insured's Computer System

Page 27: Commonly Used Policy Terms

• Personally Identifiable Information (PII): SSN, Medical/Healthcare data, Driver's License #/State ID, Financial Information (Credit Card #, Debit Card #), other non-public information
• Corporate Confidential Information: information subject to a confidentiality agreement/NDA
• Malicious Code: computer virus, Trojan horse, or other code, script or software program designed to damage, harm or infect a computer
• Privacy Regulations: HIPAA, Gramm-Leach-Bliley, etc.
• Data Breach: a loss of PII or Corporate Confidential Information, regardless of medium or method

Page 28: Typical Policy Provisions

Common Carvebacks to Policy Exclusions and Definitions
• Rogue Employee Coverage: carveback to the fraudulent/intentional acts exclusion
• Misappropriation of Trade Secrets carveback
• Employee Retirement Income Security Act of 1974 carveback
• Employee carveback to the Insured vs. Insured exclusion
• Consumer Redress Fund to be included in the definition of Damages

Common Exclusions
• Infringement of Patent
• Employment Practices Liability
• Unsolicited faxes, email, or other communication
• Unlawful collection or acquisition of Protected Data

Page 29: Known Breach Events

TJX Companies: 94,000,000 affected individuals
• States Attorneys General v. TJX Companies: total of $9.5M spent establishing Discretionary Funds, data security Funds, and reimbursement of Plaintiff Attorney Fees
• $40M settlement pending with VISA
• $13.5M Consumer Class Action Settlement in Massachusetts

Heartland Payment Systems: 130,000,000 affected individuals
• Numerous cases and settlements pending throughout the US with Consumers, Financial Institutions, Vendors, Payment Processors, etc.
• Notable costs to date include a $60M settlement with VISA and a $3.5M settlement with American Express

Page 30: Known Breach Events (continued)

• CardSystems: 40,000,000 credit card numbers lost as a result of a security breach/hacking incident. Class Action suit filed in 2005, but the case was eventually closed as CardSystems filed Chapter 11 on 5/12/2006
• T-Mobile/Deutsche Telekom: 17,000,000 customers' data affected due to a lost disk drive
• BNY Mellon Shareowner Services: 12,500,000 affected individuals due to a lost backup tape
• American Honda Motor Company: 4,900,000 names, addresses, e-mail addresses, user names and VINs exposed from email list

SOURCE: www.DataLossDB.com

Page 31: How is Security/Privacy Coverage Underwritten?

Industry/Class of Business

Security Controls and Procedures

Privacy Policy/Internal Controls

Other Risk Controls

Litigation Review

Financial Analysis

Page 32: Industry and Litigation Potential Analysis

High Risk Industries include:

- Healthcare

- Finance

- Retail

- Leisure/Entertainment

- Secondary and Higher Education

- Utilities

All other Industries still at risk, depending on the PII or Confidential Data held

Page 33: Security/Privacy Risk Control Analysis

Information Security and Privacy Policy

Business Continuity/Disaster Recovery Plan

Security/Privacy Compliance with Industry Standards

Employee Restrictions for Data Access, and Data Classification Schemes

User Profile Management

Physical Security Controls

Encryption methodology

Data Storage Methodology

Use of 3rd party applications (Firewall/IPS/IDS)

Page 34: Other Risk Controls

Vendor management

- Identification of outsourced activities

- Indemnification/Hold Harmless provisions

- Vendor Selection and Auditing Procedures

- Insurance Requirements

Regulatory Compliance

Recent Changes to Management or Auditors

Other Risk Management Controls

Page 35: Litigation Review

Past Claims History

Public Search of Breach History

Claims within the Insured’s Industry

State Requirements for Privacy Breach Response

Review of Pending Industry Regulations

Page 36: Financial Review

Revenue Levels and Projections

Income statement

Balance Sheet

Cash Flow Statement

Were any key accounting conventions changed?

Page 37: Axis Capital Holdings Ltd.

• Founded in November 2001 ($1.7b start-up capital)
• Strong balance sheet: $5.6 Billion of Shareholders' Equity
• $3.5 Billion in Premium for the FYE 2010
• No legacy exposures

IPO July 2003 – NYSE: AXS

Rated A XV (AM Best); A+ Strong (S&P) (Upgrade February 2009)

Specialty Lines Insurance and Treaty Reinsurance

AXIS website: www.axiscapital.com

Page 38: Wells Fargo Insurance Services

NJ RIMS Meeting – June 14, 2011
Network Security & Privacy Liability

Presented by: Meredith Schnur, Professional Risk Group

Page 39: Agenda

Regulatory Environment

What Should You Be Asking?

Vendor Management

Gaps in Traditional Insurance

Resources

eRisk Hub

Primary Markets

Marketing & Underwriting Process

Page 40: Legal Issues & The Regulatory Environment

Legislation has now imposed affirmative duties on companies as to how they handle data, principally client/customer information:

• Gramm Leach-Bliley Act: Requires financial institutions to safeguard customers' records and information against unauthorized access. Imposes major privacy and security requirements on financial services companies.

• Health Insurance Portability and Accountability Act (HIPAA): Healthcare organizations are required to safeguard individually identifiable health information. Imposes penalties on organizations that violate HIPAA (further amended by the HITECH Act).

• California SB1386: A California law requiring companies to notify their CA customers and employees of computer security breaches. The law applies to any business that stores customer and employee information electronically, even if the company is not based in the Golden State.

• Privacy Breach Notification Laws: Spread of California SB 1386; adopted by 46 states as of December 2010. Duty to notify customers where consumer/customer information has been compromised (electronic or non-electronic means; state legislation varies).

• Massachusetts Privacy Law 201 CMR 17.00: This law is the first state law to require specific technology when protecting personal information. If you do business with residents in MA or have employees that reside in MA, compliance is mandatory by March 1, 2010.

Page 41: Legal Issues and The Regulatory Environment (cont'd)

• PCI Security Standards: The standards globally govern all merchants and organizations that store, process or transmit cardholder data. PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI fines are not generally covered under insurance policies).

• FACTA (Fair and Accurate Credit Transactions Act): Prohibits businesses from printing more than 5 digits of any customer's credit card number or card expiration date on any receipt issued at a point of sale. For machines in use before 1/1/05, the merchant has 3 years to comply. For machines in use after 1/1/05, the merchant has one year to comply.

• Red Flag Rules: Established by FACTA; requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.

• Federal HITECH Act: health plans, health care providers and health care clearinghouses (i.e. covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures. Requires that any data breach event exceeding 500 records be reported to the Department of Health and Human Services.

Page 42: What Should You Be Asking?

Have we analyzed our cyber liabilities?

What legal rules apply to the information we maintain or that is kept by vendors, partners and other third parties? The laws surrounding breaches are complex.

Have we assessed our legal exposure to governmental investigations?

Have we assessed our exposure to suits by our customers, vendors or suppliers?

Have we protected our organization in contracts with vendors?

What laws apply in different states and countries in which we conduct business?

Do we have adequate staffing to reasonably maintain and safeguard our important assets and processes?

Have we prepared an incident response plan and business continuity plan?

Do we have a documented, proactive crisis communications plan?

It is critical to have a solid incident response plan in place prior to any security or privacy breach.

** Questions supplied by "The Financial Impact of Cyber Risk" publication, American National Standards Institute (ANSI) and Internet Security Alliance.

Page 43: Vendor Management & Requirements

• IT/Software Companies
  – Request Tech E&O to include network security/privacy coverage
  – Some Tech E&O policies have security/privacy exclusions

• Other Business Services – Payroll, Auditors
  – Request appropriate E&O coverage to include network security/privacy

• Credit Card Processors/Acquiring Banks
  – Request Network Security/Privacy Coverage

• Other Vendors that interact with your systems or sensitive information, or handle information on your behalf
  – Request Network Security/Privacy Coverage

Page 44: Gaps in Traditional Insurance

Why is this not covered elsewhere?

• Commercial General Liability Insurance: Typically covers bodily injury and property damage to "tangible" property. Data and software are considered to be "intangible".

• Property Insurance: Typically responds to "direct physical loss" by a covered peril (i.e. fire, windstorm). Intangible property is not covered under Business Interruption and Extra Expense coverage.

• Fidelity/Crime Insurance: Typically provides coverage to the organization for losses resulting from the theft of money, securities and "other tangible property." Information theft is not covered under a standard fidelity bond. "Other property" does not include proprietary information, confidential information or copyrights, trademarks, etc.

• Professional Errors & Omissions: Typically only covers financial loss arising out of professional services to others. Computer attacks do not fall within the provision of "professional services," and some E&O policies will exclude coverage caused by "unauthorized access."

• Technology Errors & Omissions: Covers only financial loss arising out of technology services performed for others. If, in the provision of technology services, your negligence leads to an unauthorized access or transmission of a virus, coverage would apply. However, if an employee commits an intentional act, or if an outside hacker, unrelated to services provided by you, causes a customer to suffer a financial loss, no coverage would apply under a typical technology errors & omissions policy. Most Technology E&O policies can be extended to cover network security and privacy related exposures.

Page 45: Resources

• www.privacyrights.org – data breach chronology recorded by year and by industry class
• www.ponemon.org – updated statistics on privacy breaches (see following page)
• www.hhs.org – regulations and breaches in excess of 500 records as mandated by HITECH
• www.eriskhub.com – information portal for WFIS clients

Page 46: eRisk Hub

• Learning Center
• News Center
• Incident Road Map
• Free Breach Coach
• Resource Directory
• Risk Manager Tools

Page 47: Primary Markets

Markets* (Best Rating)

ACE USA “A+” XV

Allied World/Darwin Group “A” XV

Arch “A” XV

Axis “A” XV

Beazley USA “A” VIII

Chartis “A” XV

Chubb Group “A++” XV

CNA “A” XV

Digital Risk Managers (MGA writing on Lloyds paper – Brit, Kiln, ACE) “A” XV

Hartford “A” XV

Hiscox USA “A” VIII

Ironshore “A-” XIII

London Markets (Beazley, Hiscox, Brit, Kiln, ACE, Barbican, CFC) “A” XV

One Beacon “A” XV

Philadelphia “A” XV

RLI “A+” X

Zurich North America “A” XV

XL “A” XV

* - Many additional carriers will offer this coverage on an excess basis

Page 48: Marketing & Underwriting Process

Step 1: Evaluation of Exposures: consultation to determine exposures – First Party, Third Party and/or Privacy

Step 2: Required Applications and/or Assessment Completed

Step 3: Marketing Process: submit application to selected markets to solicit proposals

Step 4: Proposal Analysis and Discussions

Step 5: On-line Security Assessment and/or Conference Call with Insurer

Step 6: Binding the Coverage