Security and privacy current cover and risk management services

8/11/2019 Security and privacy current cover and risk management services

1/12

Security & Privacy

Current cover andRisk ManagementServices


2/12

2

Information risk management is recognised as being oneof the fastest emerging risks facing all organisations today.Unlike IT (hardware, systems etc.) this most commonly relatesto the platforms in which information is held and exchanged.Exposure to Information Risk will vary depending on anorganisations business. Some of the potential costs incurred aretangible, such as fines or penalties whilst others are reputational,both of which can result in considerable financial costs:

The Information Commissioners Office (ICO) confirmedthat public sector authorities have now paid over 4min fines for breaches of the Data Protection Act sincethey have had the ability to levy fines from April 2011(V3.co.uk 2nd September 2013)

And;

The average cost of a data breach for a UK organisationis in excess of 2m (source: Ponemon Institute).

Added to this is the cost of mitigation, which can beapproximately three times the cost of the original fine.

But where is the greatest risk coming from?One of the greatest risks is the lack of clarity and understandingof the term, information risk. There is a misconception that it ispurely an IT issue with organisations trusting in technology tomitigate this risk, when in fact, in broad terms, over 70% of anorganisations information risk exposure comes from their ownemployees, be it by negligence or malice.

The purpose of this document is to provide you with a

variety of scenarios where a loss can happen. It highlightswhat consequences it could lead to and the remedies thatare currently available under your Zurich policy wording andthe Risk Management solutions that we can also provide.

The impact from a data loss incident or a data breach can leadto serious repercussions for an organisation, whether it is thefines levied by the Information Commissioners Office or thedamage to reputation that it will inevitably bring within the

media. As pending EU legislation is designed to supersedethe existing Data Protection Act, organisations should makethemselves even more aware and have solutions in place to tryto mitigate data losses and breaches.

As detailed within this document Zurich already provides coverfor the key concerns related to information risk and publicsector information.

Technological advancement has enabled greater working flexibility and increased methods of communications.However, new technology brings about new risks with one of the most commonly reported thefts being that ofpersonal data.

Introduction


3/12

3

We think of Information Risk Management as being:

an organisations ability to identify business critical data,its inherent value to the business and others and to

subsequently protect the confidentiality, integrity and

availability of that information proportional to the risk to

customers, the business and the extended enterprise.

Information Risk Management enables organisations to inform and

prioritise decisions on the deployment of valuable resources anddirect improvements in the protection of that critical information.

Information risks can be broadly categorised into threeoverarching themes:

1. Accidental data loss, source organisation, customer and partner/supplier

2. Physical system failures, which also includes infrastructure failuresand breaches

3. Direct malicious cyber-attacks

In mitigating these, an organisation needs to know its information flows,

understanding what the information is to be used for; how and whenis itto be shared; having assurance that its retention and disposal procedures areeffective and compliant with regulatory and industry standards.

What is Information Risk Management?

once risks are classified they can be

measured, once risks are measured

they can be managed

(Jorion, P. 2002)


4/12

4

CONSEQUENCES ZURICH POLICY RESPONSE

CONSEQUENCES

INTRODUCTION

Data Breach

Private informationyou hold about a ThirdParty is made public.Examples of how thiscan occur include:a lost laptop or hardcopies of data, anattack from hackers ormalicious persons andinformation sent tothe incorrect recipient

The following sections provide examples of scenarios where a loss could happen as well as highlighting whatconsequences it could lead to, as well as identifying the remedies that are currently available under your Zurich policy.

Affected people suffer a loss and aClaim is bought against you for abreach of confidence

Affected people suffer a loss and aClaim is bought against you for abreach of the Human Rights Act

If the Claim relates to bodily injury,illnessor financial losssufferedby a member of the public, Public

Liability cover will protect againstlegal costs and damages awardedagainst you. If the Claim relates toinjury to an employee then yourEmployers Liability cover will apply

Affected people suffer a loss and aClaim is bought against you for

breach of the Data Protection Act

If the Claim relates to compensationunder Section 13 of the DataProtection Act, Legal Expenses

will protect against this


5/125

CONSEQUENCES ZURICH POLICY RESPONSECONSEQUENCESINTRODUCTION

Business Interruption

Your ability to tradeonline is disruptedas a result of

computer equipmentbeing damaged orbreaking down

An extension under BusinessInterruption cover will protect againstboth lost revenueand increases inoperating costsduring a disruptionto your computer networks

You incur additional coststomaintain your computer systemsand services until normal functioningis restored (no hacker/malware/virus involvement)

Your revenue streams are reduced

(no hacker/malware/virus involvement)


6/12

6


Wrongful Publishing

Content that ispublished on yourwebsite infringes therights of a Third Party.The content may belibellous or mayrepresent a breach ofintellectual propertysuch as plagiarism,breach of copyrightor trademark

Our Libel and Slander sectionwill cover defence costs andindemnify against legal costs anddamages awarded as a result of

libellous publications on theorganisations website

Content published on your websiteis accused of being libellous and a

Third Party sues for damages

Claims made against you forfinancial losses arising frombreaches of intellectual propertywill be covered under our PublicLiability section under the financial

loss extension

Content published on your website isaccused of breaching a Third Partysintellectual property(plagiarism,breach of copyright or trademark) anda Third Party suffers a financialloss and sues for damageswhichthey claim against you


7/12

7


Damage to Computer Records

Your computer systemssuffer a breakdownor physical damagewhich causes computer

records and data to bedamaged, or your dataor software is erased,destroyed or distorted

Our All Risks section includes 5,000cover for computer equipmentwhich breaks or burns out frommechanical or electrical defect.

Our Material Damage sectionincludes 10,000 cover for damageto computer records

Your computer systems break

downor suffer physical damage

Data or Software is erased,destroyed, corruptedor distorted

Our Business Interruption sectionincludes cover up to 5,000 forlossor damage to data or informationwhich isnt accompanied by visibleand identifiable damage to the datacarrying media


8/12

8

How can Zurich support you?

As this diagram illustrates, the key is for organisationsto take a holistic approach to the management ofinformation-related risk.

The end-to-end information lifecycle consists of six interlinkedcomponents, visually represented in the diagram, all of whichneed to be understood and given the appropriate level ofownership. An organisation needs to risk assess each element to:

Furthermore, employees and where applicable Board andCommittee Members, must understand the risks associated witheach phase of the information flow, being held accountable towhy they create, store, use and share information. They needto understand and adhere to their organisations archive anddisposal procedures. They must appreciate that they are notpassive recipients to this risk and that they share ownership andresponsibility with their organisations IT department to protectboth their organisations and their customers information.

We understand that information managementconsists of both physical and electronic forms.

To be able to mitigate the risks associated withthe use of these modes an organisation mustunderstand the information lifecycle, irrespectiveof the information source.

Determine the correct strategy and approach, ensuringits information management approach supports theattainment of organisational objectives

Understand the value of the information in the lifecycleand any one time

Know the sequence and interaction of the informationflow, ensuring that all of the six elements effectivelyoperate from end to end

Respond to regulatory and customer requirements

Determine budget allocation, being able to optimiseinformation security investments in support ofbusiness objectives

Assess and respond to incidents, being able to shareunderstanding of the risk profile and what needs tobe done

Risk Management Services

USE

CREATE STORE RETAIN/

ARCHIVEDISPOSE/DELETE

SHARE


9/12

9

Whatever your concern, Zurich is dedicated to working directly with you, to produce organisation-wide benefits.Some of our services in helping you improve your security & privacy precautions are outlined below:

The results of the Corporate Diagnostic will help us work with you to draw up an action plan for future development, consisting of the following elements:

This process acts as a health check of existing data securitystrategy and processes against the organisations core objectives,business plans, regulatory environment and industry best practice

Corporate Diagnostic

A tool to enable a deep-dive diagnostic into an identifiedservice area, partnership, contract etc.

Service-specific Diagnostic

A pragmatic framework developed using insight from Zurichswide sector knowledge, and their own experience of information

risk management

Information Governance Assurance

Framework

Exploring information management and communication supplychain across key partners and suppliers, such as IT providers,contractors etc. to gain assurance that information is being managed,shared and disposed of properly

Third Party Assessment and Mapping

Addressing cultural and behavioural issues to mitigate the threat ofnegligence and error and to increase the level of information riskawareness across employees, Board, Members etc.

Awareness and Training

Critical friend review of business continuity and disaster recoveryarrangements, to ensure that recovery plans adequately reflectactual and planned outage, and that IT arrangements can supportrecovery requirements

Resilience Review


10/12

10

This publication provides general information

and is not intended, and should not be relied

on, as a substitute for specific advice relevant to

particular circumstances.

Neither Zurich Insurance plc, nor any company in

the Zurich group of companies, will accept any

responsibility for any actions taken or not taken on

the basis of this publication.

Because we speak from experience. As a wider organisationwe faced an incident which incurred a large penalty,leading to us greatly improving and refining our internalinformation security arrangements. This, combined with

our in-depth knowledge of our customers issues andexperiences, gives us unique insight into information riskand we have developed bespoke tools to mitigate it.

Why Zurich?

For more information on how wecan help you, or to arrange for a

free consultation, please contactyour Risk & Insurance Consultant.


11/12

11


12/12

716401001

(03/14)RRD

Zurich Insurance plc

A public limited company incorporated in Ireland. Registration No. 13460.

Registered Office: Zurich House, Ballsbridge Park, Dublin 4, Ireland.

UK Branch registered in England and Wales Registration No. BR7985.

UK Branch Head Office: The Zurich Centre, 3000 Parkway, Whiteley, Fareham, Hampshire PO15 7JZ.

Zurich Insurance plc is authorised by the Central Bank of Ireland and subject to limited regulation by the Financial Conduct Authority.

Details about the extent of our regulation by the Financial Conduct Authority are available from us on request. These details can bechecked on the FCAs Financial Services Register via their website www.fca.org.uk or by contacting them on 0800 111 6768.

Our FCA Firm Reference Number is 203093.

Communications may be monitored or recorded to improve our service and for security and regulatory purposes.

Copyright Zurich Insurance plc 2014. All rights reserved. Reproduction, adaptation, or translation without prior written permission

is prohibited except as allowed under copyright laws.

The pulp used in the manufacture of this paper is from renewable timber produced on a fully sustainable basis. The pulp used in the

manufacture of this paper is bleached without the use of chlorine gas (ECF Elemental Chlorine Free). The paper is suitable for recycling.

Documents

Security and privacy current cover and risk management services