Upload
the-guardian
View
220
Download
0
Embed Size (px)
Citation preview
8/11/2019 Security and privacy current cover and risk management services
1/12
Security & Privacy
Current cover andRisk ManagementServices
8/11/2019 Security and privacy current cover and risk management services
2/12
2
Information risk management is recognised as being oneof the fastest emerging risks facing all organisations today.Unlike IT (hardware, systems etc.) this most commonly relatesto the platforms in which information is held and exchanged.Exposure to Information Risk will vary depending on anorganisations business. Some of the potential costs incurred aretangible, such as fines or penalties whilst others are reputational,both of which can result in considerable financial costs:
The Information Commissioners Office (ICO) confirmedthat public sector authorities have now paid over 4min fines for breaches of the Data Protection Act sincethey have had the ability to levy fines from April 2011(V3.co.uk 2nd September 2013)
And;
The average cost of a data breach for a UK organisationis in excess of 2m (source: Ponemon Institute).
Added to this is the cost of mitigation, which can beapproximately three times the cost of the original fine.
But where is the greatest risk coming from?One of the greatest risks is the lack of clarity and understandingof the term, information risk. There is a misconception that it ispurely an IT issue with organisations trusting in technology tomitigate this risk, when in fact, in broad terms, over 70% of anorganisations information risk exposure comes from their ownemployees, be it by negligence or malice.
The purpose of this document is to provide you with a
variety of scenarios where a loss can happen. It highlightswhat consequences it could lead to and the remedies thatare currently available under your Zurich policy wording andthe Risk Management solutions that we can also provide.
The impact from a data loss incident or a data breach can leadto serious repercussions for an organisation, whether it is thefines levied by the Information Commissioners Office or thedamage to reputation that it will inevitably bring within the
media. As pending EU legislation is designed to supersedethe existing Data Protection Act, organisations should makethemselves even more aware and have solutions in place to tryto mitigate data losses and breaches.
As detailed within this document Zurich already provides coverfor the key concerns related to information risk and publicsector information.
Technological advancement has enabled greater working flexibility and increased methods of communications.However, new technology brings about new risks with one of the most commonly reported thefts being that ofpersonal data.
Introduction
8/11/2019 Security and privacy current cover and risk management services
3/12
3
We think of Information Risk Management as being:
an organisations ability to identify business critical data,its inherent value to the business and others and to
subsequently protect the confidentiality, integrity and
availability of that information proportional to the risk to
customers, the business and the extended enterprise.
Information Risk Management enables organisations to inform and
prioritise decisions on the deployment of valuable resources anddirect improvements in the protection of that critical information.
Information risks can be broadly categorised into threeoverarching themes:
1. Accidental data loss, source organisation, customer and partner/supplier
2. Physical system failures, which also includes infrastructure failuresand breaches
3. Direct malicious cyber-attacks
In mitigating these, an organisation needs to know its information flows,
understanding what the information is to be used for; how and whenis itto be shared; having assurance that its retention and disposal procedures areeffective and compliant with regulatory and industry standards.
What is Information Risk Management?
once risks are classified they can be
measured, once risks are measured
they can be managed
(Jorion, P. 2002)
8/11/2019 Security and privacy current cover and risk management services
4/12
4
CONSEQUENCES ZURICH POLICY RESPONSE
CONSEQUENCES
INTRODUCTION
Data Breach
Private informationyou hold about a ThirdParty is made public.Examples of how thiscan occur include:a lost laptop or hardcopies of data, anattack from hackers ormalicious persons andinformation sent tothe incorrect recipient
The following sections provide examples of scenarios where a loss could happen as well as highlighting whatconsequences it could lead to, as well as identifying the remedies that are currently available under your Zurich policy.
Affected people suffer a loss and aClaim is bought against you for abreach of confidence
Affected people suffer a loss and aClaim is bought against you for abreach of the Human Rights Act
If the Claim relates to bodily injury,illnessor financial losssufferedby a member of the public, Public
Liability cover will protect againstlegal costs and damages awardedagainst you. If the Claim relates toinjury to an employee then yourEmployers Liability cover will apply
Affected people suffer a loss and aClaim is bought against you for
breach of the Data Protection Act
If the Claim relates to compensationunder Section 13 of the DataProtection Act, Legal Expenses
will protect against this
8/11/2019 Security and privacy current cover and risk management services
5/125
CONSEQUENCES ZURICH POLICY RESPONSECONSEQUENCESINTRODUCTION
Business Interruption
Your ability to tradeonline is disruptedas a result of
computer equipmentbeing damaged orbreaking down
An extension under BusinessInterruption cover will protect againstboth lost revenueand increases inoperating costsduring a disruptionto your computer networks
You incur additional coststomaintain your computer systemsand services until normal functioningis restored (no hacker/malware/virus involvement)
Your revenue streams are reduced
(no hacker/malware/virus involvement)
8/11/2019 Security and privacy current cover and risk management services
6/12
6
CONSEQUENCES ZURICH POLICY RESPONSECONSEQUENCESINTRODUCTION
Wrongful Publishing
Content that ispublished on yourwebsite infringes therights of a Third Party.The content may belibellous or mayrepresent a breach ofintellectual propertysuch as plagiarism,breach of copyrightor trademark
Our Libel and Slander sectionwill cover defence costs andindemnify against legal costs anddamages awarded as a result of
libellous publications on theorganisations website
Content published on your websiteis accused of being libellous and a
Third Party sues for damages
Claims made against you forfinancial losses arising frombreaches of intellectual propertywill be covered under our PublicLiability section under the financial
loss extension
Content published on your website isaccused of breaching a Third Partysintellectual property(plagiarism,breach of copyright or trademark) anda Third Party suffers a financialloss and sues for damageswhichthey claim against you
8/11/2019 Security and privacy current cover and risk management services
7/12
7
CONSEQUENCES ZURICH POLICY RESPONSECONSEQUENCESINTRODUCTION
Damage to Computer Records
Your computer systemssuffer a breakdownor physical damagewhich causes computer
records and data to bedamaged, or your dataor software is erased,destroyed or distorted
Our All Risks section includes 5,000cover for computer equipmentwhich breaks or burns out frommechanical or electrical defect.
Our Material Damage sectionincludes 10,000 cover for damageto computer records
Your computer systems break
downor suffer physical damage
Data or Software is erased,destroyed, corruptedor distorted
Our Business Interruption sectionincludes cover up to 5,000 forlossor damage to data or informationwhich isnt accompanied by visibleand identifiable damage to the datacarrying media
8/11/2019 Security and privacy current cover and risk management services
8/12
8
How can Zurich support you?
As this diagram illustrates, the key is for organisationsto take a holistic approach to the management ofinformation-related risk.
The end-to-end information lifecycle consists of six interlinkedcomponents, visually represented in the diagram, all of whichneed to be understood and given the appropriate level ofownership. An organisation needs to risk assess each element to:
Furthermore, employees and where applicable Board andCommittee Members, must understand the risks associated witheach phase of the information flow, being held accountable towhy they create, store, use and share information. They needto understand and adhere to their organisations archive anddisposal procedures. They must appreciate that they are notpassive recipients to this risk and that they share ownership andresponsibility with their organisations IT department to protectboth their organisations and their customers information.
We understand that information managementconsists of both physical and electronic forms.
To be able to mitigate the risks associated withthe use of these modes an organisation mustunderstand the information lifecycle, irrespectiveof the information source.
Determine the correct strategy and approach, ensuringits information management approach supports theattainment of organisational objectives
Understand the value of the information in the lifecycleand any one time
Know the sequence and interaction of the informationflow, ensuring that all of the six elements effectivelyoperate from end to end
Respond to regulatory and customer requirements
Determine budget allocation, being able to optimiseinformation security investments in support ofbusiness objectives
Assess and respond to incidents, being able to shareunderstanding of the risk profile and what needs tobe done
Risk Management Services
USE
CREATE STORE RETAIN/
ARCHIVEDISPOSE/DELETE
SHARE
8/11/2019 Security and privacy current cover and risk management services
9/12
9
Whatever your concern, Zurich is dedicated to working directly with you, to produce organisation-wide benefits.Some of our services in helping you improve your security & privacy precautions are outlined below:
The results of the Corporate Diagnostic will help us work with you to draw up an action plan for future development, consisting of the following elements:
This process acts as a health check of existing data securitystrategy and processes against the organisations core objectives,business plans, regulatory environment and industry best practice
Corporate Diagnostic
A tool to enable a deep-dive diagnostic into an identifiedservice area, partnership, contract etc.
Service-specific Diagnostic
A pragmatic framework developed using insight from Zurichswide sector knowledge, and their own experience of information
risk management
Information Governance Assurance
Framework
Exploring information management and communication supplychain across key partners and suppliers, such as IT providers,contractors etc. to gain assurance that information is being managed,shared and disposed of properly
Third Party Assessment and Mapping
Addressing cultural and behavioural issues to mitigate the threat ofnegligence and error and to increase the level of information riskawareness across employees, Board, Members etc.
Awareness and Training
Critical friend review of business continuity and disaster recoveryarrangements, to ensure that recovery plans adequately reflectactual and planned outage, and that IT arrangements can supportrecovery requirements
Resilience Review
8/11/2019 Security and privacy current cover and risk management services
10/12
10
This publication provides general information
and is not intended, and should not be relied
on, as a substitute for specific advice relevant to
particular circumstances.
Neither Zurich Insurance plc, nor any company in
the Zurich group of companies, will accept any
responsibility for any actions taken or not taken on
the basis of this publication.
Because we speak from experience. As a wider organisationwe faced an incident which incurred a large penalty,leading to us greatly improving and refining our internalinformation security arrangements. This, combined with
our in-depth knowledge of our customers issues andexperiences, gives us unique insight into information riskand we have developed bespoke tools to mitigate it.
Why Zurich?
For more information on how wecan help you, or to arrange for a
free consultation, please contactyour Risk & Insurance Consultant.
8/11/2019 Security and privacy current cover and risk management services
11/12
11
8/11/2019 Security and privacy current cover and risk management services
12/12
716401001
(03/14)RRD
Zurich Insurance plc
A public limited company incorporated in Ireland. Registration No. 13460.
Registered Office: Zurich House, Ballsbridge Park, Dublin 4, Ireland.
UK Branch registered in England and Wales Registration No. BR7985.
UK Branch Head Office: The Zurich Centre, 3000 Parkway, Whiteley, Fareham, Hampshire PO15 7JZ.
Zurich Insurance plc is authorised by the Central Bank of Ireland and subject to limited regulation by the Financial Conduct Authority.
Details about the extent of our regulation by the Financial Conduct Authority are available from us on request. These details can bechecked on the FCAs Financial Services Register via their website www.fca.org.uk or by contacting them on 0800 111 6768.
Our FCA Firm Reference Number is 203093.
Communications may be monitored or recorded to improve our service and for security and regulatory purposes.
Copyright Zurich Insurance plc 2014. All rights reserved. Reproduction, adaptation, or translation without prior written permission
is prohibited except as allowed under copyright laws.
The pulp used in the manufacture of this paper is from renewable timber produced on a fully sustainable basis. The pulp used in the
manufacture of this paper is bleached without the use of chlorine gas (ECF Elemental Chlorine Free). The paper is suitable for recycling.