The Time for Cyber Coverage is Now
Your Insureds and Clients Are Not Immune

October 8, 2014

Kevin Ribble

E.V.P. Edgewater Holdings

President, EPRMA.org

[email protected]

(214) 676-8662 (office)

(312) 431-1766 (fax)

Texas License # 1682508


Today’s Agenda

Introduction to Panel

Cyber Crime statistics

Why are mid-market accounts considered to be at high risk?

Types of Threats

What is the potential harm to your insureds’ and clients’ businesses?

Overview of Data Breaches

Overview of a cyber-attack

Case Studies

Risk Transfer & Risk Management

Cyber coverages recommended & broker coverage check list

Summary

Q&A


Cyber Crime Statistics Data Under Siege


Global Cyber Event Heat Map


Cyber Event Type Composition by Year


Cyber Events by Company Size

Number of Employees    Event Count    Percentage
0 - 25                       1,626         15.9%
25 - 50                        571          5.6%
50 - 100                       570          5.6%
100 - 250                      761          7.5%
250 - 500                      515          5.0%
500 - 1,000                    544          5.3%
1,000 - 5,000                1,427         13.9%
5,000 - 10,000                 638          6.2%
10,000+                      3,595         35.1%
Total                       10,247        100.0%


Cyber Litigation Frequency Index


Data Under Siege:

Malicious Threats
• Hackers, extortionists, disgruntled employees, fraudsters
• Malware, spyware, spam

Malware, short for malicious (or malevolent) software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software.[1] 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.[2]

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.

Phishing, pharming

Both pharming and phishing are methods used to steal personal information from unsuspecting people over the Internet.

Phishing typically involves fraudulent bulk e-mail messages that guide recipients to legitimate-looking but fake Web sites and try to get them to supply personal information like account passwords.

Pharming tampers with the domain-name server system so that traffic to a Web site is secretly redirected to a different site altogether, even though the browser seems to be displaying the Web address you wanted to visit.


Data Under Siege

1992 – 2007, 2M unique malicious programs

2007 – 2009, 33.9M unique malicious programs

2010 hit a new record: 1.5 billion unique malicious programs (UMP)

31% of IT specialists were unaware of the most deadly UMP

87% of system vulnerabilities were due to 3rd-party applications, Microsoft, Java, IT infrastructure

“U.S. Code Cracking Agency Works as if Compromised” – Reuters News, 12/16/2010

Global IT Security Risks Report, Kaspersky Lab 2012


Cyber Crime and Small Businesses

• ATM skimming generates losses of $50 million each year¹
• One in 20 adults is at risk of identity theft
• One in 465 is a victim of identity theft
• Average cost per compromised document: $214 (not including civil damages and/or defense costs)

¹ Electronic Funds Transfer Agency, www.efta.org


Why are Small & Mid-market Businesses considered to be at High Risk?


Cyber Crime and Small Businesses

Over 20% of small businesses have suffered a data breach¹

The number of attacks is on the rise while breach size is declining, indicating that cybercriminals are going after smaller targets, e.g. small enterprises (less security = easier attacks)

Malicious attacks (hacking or inside theft) constituted 40% of recorded breaches in 2011

Visa reports that 80% of all card breaches arise from Level 4 merchants (those with fewer than 50 employees)

Each year, more than 10 million individual identity thefts

¹ Ponemon Institute Study on Cyber Crime

Small Business Data Theft Risk Management Study


Threats: Not “If” but “When”

Non-Malicious Threats
• Employee mistakes: lost / stolen laptops and portable devices
• Application glitches
• Network operation and “sharing” trends
• Points of failure are now multiplied due to outsourcing
• Dependencies & data-sharing between biz partners, including cloud servers
• Upstream & downstream vendors (ASPs, partners, ISPs)


Methods of Fraud

What Are Thieves Looking For?

PII & Cardholder Data

• Social security numbers, names and addresses

• Health insurance applications

• Primary Account Number (PAN)

• CID number (this must never be stored)

• Sensitive authentication data = card use and cardholder’s identity

Methods Include

• Compromised card readers

• Papers stored in unlocked filing cabinets

• Data held in a payment system database

• Hidden camera recordings of the entry of authentication data

• Secret “tap” on your company’s wired or wifi network


The Risk to Your Insureds

Disgruntled employees – non-disclosure

Loss of revenue, system crashes from hackers

Data breach: auto customer data, patient PII

Your e-mail infects customers

Businesses utilize social media, e-marketing materials, company blogs

Lack of knowledge & resources to respond to a breach in a timely manner


The High Risk to Small and Mid-size Accounts (under 50 employees & < 10MM Gross Revenue)

Why are Small & Mid-market Businesses considered to be at High Risk?

Hackers and thieves are targeting small businesses because:

• Small businesses typically lack the resources and expertise to successfully fend off – or even respond to – attacks

• Lack of a formal IT department means that Payment Card Industry (PCI) Data Security compliance is particularly challenging for small organizations

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.

An attack or error of negligence could prove catastrophic for the typical small business

“Over 20% of small businesses had already suffered a data breach…. small businesses do not have adequate measures or remedies in place to protect themselves.”

- Larry Ponemon, Ponemon Institute

Small Business Data Theft Risk Management Study


Potential for Business Harm to Your Insured’s Enterprise

What is the potential harm to your client’s enterprise?

Business fall-out can be severe (including negligence and breach)

Agency E&O / D&O

• Failing to meet Payment Card Industry (PCI) rules or negligently managing PII data

• State statutory notification, fines and penalties
• Fines and penalties (liquidated damages)
• Termination of ability to accept payment cards
• Reduction in business, lost customers (20% likely)
• Cost of reissuing payment cards ($100 per card VISA)
• Fraud losses (see civil damages)
• Legal costs, settlements, and judgments
• Increase in compliance costs
• Going out of business (i.e., breach exceeds net worth of company)


Cyber Breaches and Liability

Joseph F. Bermudez, Esq.

Scott D. Sweeney, Esq.

Wilson Elser, LLP

October 8, 2014

© 2014 Wilson Elser. All rights reserved.


Overview

• Data Breach Overview
• Data Breaches in the News
• Life Cycle of a Breach
• Are you Ready?


Data Breach Overview

• How do breaches occur?

• Costs of a data breach

• Legal liability for breaches

• Data breach response and mitigation


Data Breaches: Who Are the Victims?

• Financial institutions
• Retail and restaurant industries
• Manufacturing, transportation, utilities
• IT and professional services firms
• Health care organizations
• Impact on larger organizations


Data Breaches: Who Is Perpetrating Breaches?

• Outsiders of the organization
• Insiders of the organization
• Business partners
• Multiple parties
• State (government) affiliated actors


Data Breaches: How Do Breaches Occur?

• Hacking
• Insider wrongdoing
• Human error
• Network intrusion exploiting stolen credentials
• Use of malware
• Physical attacks
• Leveraged social tactics such as phishing
• Privilege misuse and abuse, including theft of IP and corporate espionage


Data Breach Response Costs

• Avg. total organizational cost of breach ($5.8M)
• Avg. detection costs ($417,700)
• Avg. notification costs ($509,237)
• Avg. remediation costs ($1,599,996)
• Avg. lost business costs ($3,324,959)
• $201 a record

Note: Figures do not include mega breaches in excess of 100,000 breached records

Source: Ponemon Institute 2014 Cost of Data Breach Study


Other Breach Related Costs

• Litigation costs
  – Consumer class actions
  – Shareholder suits
  – Government investigations and proceedings

• Impact on corporate finances
  – Cash flow
  – Loan covenants and credit
  – Shareholder value
  – Reputational injury and loss of business


Data Breaches in the News


Target Data Breach Overview

• Hackers used stolen credentials from a third party vendor
• Inserted malware into the company’s computerized payment systems
• Malware scraped credit card data
• Data breach compromised 40 million credit and debit accounts
• Personal data of 110 million customers was compromised


Company’s Public Disclosures

12/19/13
• Company announced that hackers gained unauthorized access to payment card data
• Affected credit and debit card transactions in U.S. stores from 11/27/13 to 12/15/13
• Internal investigation of the data breach
• Retention of outside forensics firm
• Company also alerted authorities and financial institutions


Company’s Public Disclosures

1/13/14
• CEO and Chairman apologized to customers
• Provided status update on internal investigation
• Malware removed
• Company hired data security experts to investigate causes of the breach
• Company was working with law enforcement
• Assured customers they would have “zero liability” for fraudulent charges
• One year of free credit monitoring services


Impact on Company’s Financials

• 5.5% decrease in sales in 4Q 2013
• “Meaningfully softer results” following news of the breach
• 11% drop in stock price
• Reputational injury


Data Breach Response Costs

• $61 million incurred in 4Q 2013 for data breach response costs

• Amounts include
  – internal investigation costs
  – credit monitoring
  – staffing call centers

• Company’s insurers agreed to pay $44 million

• Company will continue to incur breach related costs for the foreseeable future


Data Breach Lawsuits

• 80 civil lawsuits filed against company
• Suits by customers
• Suits by payment card issuing banks
• Shareholder litigation against D&Os
• Government investigations
  – Federal Trade Commission
  – SEC and DOJ
  – 30 State Attorneys General


CFO Testifies Before U.S. Senate

• 2/4/14 – Company’s CFO testified before Senate committee

• On 12/12/13, DOJ alerted Company to “suspicious activity”

• Internal investigation confirmed installation of malware and potential theft of credit card data

• Company invested $5 million in a public education campaign regarding cybersecurity

• Company launched a retail industry Cybersecurity and Data Privacy Initiative


Other Recent Data Breaches

• Home Depot
• Neiman Marcus
• Advocate Healthcare
• Twitter
• Adobe
• Facebook
• Living Social
• Evernote
• Federal Reserve Bank


Life Cycle of a Breach

• Triggering the Incident Response Team
  – Making sure the right people / partners are part of the team

• Containment
  – Have you stopped the “bleeding”?

• Remediation
  – Have you taken steps to prevent this type of event from occurring in the future?

• Identification of the Threat or Security Incident
  – What just happened?

• Notification – and beyond


Overview

You are part of a company that operates retail stores throughout the United States. Payment-card and HR processing is handled by your corporate offices for all stores. The Company employs approximately 20,000 employees.


Cyber Attack!

ATTACK!


What Just Happened?

• Your Company was the victim of a SQL injection attack against a web application that provided information on customers who had purchased the Company’s services. The hacker appears to have gained access to a database that was serving the web application.

• Question: What Do You Do?


Information Exposed

• The initial investigation shows that the database contained employees’ names, addresses, social security numbers, driver’s license numbers, position, and bank account information. The database has been operational for 5 years. The database appears to have stored cardholder information for repeat customers.

• Question: Now what? Does this impact your initial plan of action?


Monkey Wrench #1

You just learned that Brian Krebs, an online reporter who is credited with breaking the story that Target had been breached, and is followed by thousands of other publications, posted a story on his blog that the Company appears to have been breached. The story mentions that the Company failed to return phone calls for two days.


Monkey Wrench #2

The CEO of the Company contacts you, and tells you that he just received an e-mail from an unknown e-mail address, informing him that this person has the personal information of the CEO and his daughter, provides his driver’s license as proof, and threatens to post it online unless the CEO pays a ransom.


Update From Investigation

The database contained a link to an application that was connected to the Company’s payment processing system, which is centrally located at the Company’s headquarters. The application automatically updated information for repeat customers, but also allowed the hacker to potentially access the payment card information of all customers, exposing over 2 million credit cards.


Monkey Wrench #3

The FBI has just shown up at your door, and wants access to your data center so it can image your computers and servers in order to investigate the cyber attack.


Monkey Wrench #4

In the midst of your investigation, you receive an inquiry from a regulatory agency requesting more information about the event, asking for policies and procedures, and seeking a meeting.


Summary

Responding Quickly, But Effectively Matters

Know Who Your “Team” Members Are Before You Have An Event - Internal And External

Training And Education Matters!

No Two Events Are Alike - Expect The Unexpected


Cyber Stress Test

Are you Prepared?


How many of the following does your company have?

1. Do you process or store credit cards for payments?

2. Have you had a PCI compliance audit conducted or have you had any external assessment to confirm you are compliant with the PCI standards?

3. Do you store any of the following information about your customers or employees: social security number, name and address, credit card or bank details?

4. Do you maintain an active presence on any major social media sites (e.g., Facebook, Twitter, YouTube, Trip Advisor, etc.)?

5. Do you store any business critical data or information on your systems (e.g. financial / accounting records, client lists, claim data, etc.)?

6. Do you use a voice over IP telephony system (VoIP)?

7. Do you have any individuals within the business that can authorize online payments of more than $5,000?

8. Do you rely on any technology systems in order to collect payments from customers?

9. Do you encrypt all data delivered to credit card vendor?

10. Do you rely on any third party systems in order to secure bookings


Mid-Market Business Owners Cyber Stress Test

How many of the following does your company have?

1. Do you process or store credit cards for payments?

This function captures PII and exposes it to hacking. PII = contract damages ($100 per replaced card) ($214 credit monitoring etc. per customer)

2. Have you had a PCI compliance audit conducted or have you had any external assessment to confirm you are compliant with the PCI standards?

This is the legal test for legal liability if hacked. The vendor can hold credit equal to the potential legal exposure until the issue is resolved; this includes charges for replacement of credit cards.

3. Do you store any of the following information about your customers or employees: social security number, name and address, credit card or bank details?

HIPAA exposure – hurricane

4. Do you maintain an active presence on any major social media sites (e.g., Facebook, Twitter, YouTube, Trip Advisor, etc.)?

Copyright violations, reputation damages – not covered by GL


Stress Test continued

5. Do you store any business critical data or information on your systems (e.g. financial / accounting records, customer lists, customer reservations, etc.)?

Release of business personal information without consent and PII

6. Do you use a voice over IP telephony system (VoIP)?

Easy access point for hackers, increases exposure to privacy violations

7. Do you have any individuals within the business that can authorize online payments of more than $5,000?

Security control requirements are much greater if this is in practice

8. Do you rely on any technology systems in order to collect payments from customers?

Another method for hackers to access PII, exposing owner to breach and contract damages

9. Do you encrypt all data delivered to credit card vendor?

Not doing so is an automatic violation of PCI standards and most state codes

10. Do you rely on any third party systems in order to secure bookings (e.g. Open Table)?

Upstream data retention facilities / clouds, if breached via your stored data, can infect others’ data = legal exposure to a large number of PII records belonging to people who are not your clients.


Best Solution

Risk Transfer & Risk Management


How to Protect Your Company’s Data

Comply with the golden 12 Rules

Goal: Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder and HIPAA Data
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks

Goal: Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Goal: Maintain an Information Security Policy
• Maintain – and update – a policy that addresses information security


Recommended Cyber Coverage

What does System Damage & Interruption cover?

This is first party cover that protects companies against their own losses resulting from damage to data caused either deliberately by a malicious employee or hacker, or totally accidentally (the infamous “fat finger”). The system interruption cover stems directly from this but is restricted to malicious employees, hackers or computer viruses. This provides protection against loss of profits arising directly from these perils.

What does Cyber & Privacy Liability cover? (includes PCI fines and penalties)

This provides liability coverage – including legal defense costs and indemnity payments – for claims brought against you arising from a data security breach, whether through electronic means or otherwise. This is provided on an “all risks basis”. The coverage is also extended to include liability protection against claims arising from you spreading a computer virus or from your systems being used to hack a third party.

What does Breach Response cover?

This provides first party cover for the cost of complying with breach notification laws. Coverage is also included for voluntary security breach notification, where this helps to mitigate adverse impact upon the company’s brand or reputation. The coverage itself will pay for the legal costs of drafting a breach letter, the cost of printing and posting the letter, credit monitoring costs, and forensic costs that may be required to identify the extent of the breach.

What does Media Liability cover? (limited to web site unless add endorsement) PL & GL duplicate cover

This provides comprehensive liability coverage including legal defense costs as well as indemnity for damages and fines (where insurable). Essentially, this coverage protects against claims for intellectual property rights infringement (excluding patent) and defamation arising from content published by the company or on its behalf. This coverage also extends to social media and user generated content, including company and employee blogs.

What does regulatory privacy cover?

This provides coverage for the costs associated with defending yourself against a regulatory action brought against you as a direct result of a privacy breach. This includes actions brought by federal regulators such as the FTC and similar state or industry bodies. Coverage is also extended to include fines and penalties that are issued as a result, where these are insurable by law.


Recommended Cyber Coverage Limits

System Damage & Interruption - (minimum $250k)

Regulatory Fines & Penalties – $1M limits

Privacy Breach Notification – $250k / $1M limits

Media Liability - $1M limits

PCI Fines & Penalties – $250k, $1M limit


Policy Review Questions

First & Third-Party Liability

Coverage for transmission of virus to third party and 3rd party to others

Copyright infringement from website

Forensic investigation covered as part of breach notification?

Coverage applies to both electronic and physical data breaches, e.g. paper, laptop, disks, PDA, etc.?

Coverage applies to both personal and company information? (IFI 1st Co)

Coverage applies to employee and customer information

Information in care, custody or control of insured’s vendors, including cloud servers and paper records being transported?

Does policy apply to accidental losses and leaks?

Does application require PCI compliance or encryption?

No insider exclusion?

Direct intentional attacks are covered; are “wild viruses” (those not specifically targeting the insured)?

Liquidated damages and fines and penalties? Know position; provable court damages and fines are covered


Policy Review Questions

Media Liability
• Media liability is valid anywhere in world?
• Coverage extend to include social networking, emails, Twitter? (PL & GL)
• Coverage apply to user-generated content (opinion boards for feedback)

Extortion – no limit to threat method

Breach Response – Crisis Management
• Policy apply to attorney fees to draft response to breach and related delivery costs?
• Is credit monitoring included for individuals? (employees?)
• Will policy provide options to notification methods?
• Coverage include forensic investigation?

First Party Business Interruption
• Forensic investigation covered?
• Do they offer contingent period after system restored?
• Based on time system is down or a stated time period?
• Wild & targeted viruses included?
• Loss of reputation?


Summary


Questions?


Contact

Melissa Ventrone
Wilson Elser LLP (Chicago)
Phone: 312-821-6105
Email: [email protected]

Joseph F. Bermudez, Scott D. Sweeney
Wilson Elser LLP (Denver)
Phone: 303-572-5310; 303-572-5324
Email: [email protected]

[email protected]


Questions?