The Time for Cyber Coverage is Now
Your Insureds and Clients Are Not Immune
October 8, 2014
Kevin Ribble
E.V.P. Edgewater Holdings
President, EPRMA.org
(214) 676-8662 (office)
(312) 431-1766 (fax)
Texas License # 1682508
Today’s Agenda
Introduction to Panel
Cyber Crime statistics
Why are mid-market accounts considered to be at high risk?
Types of Threats
What is the potential harm to your insureds' and clients' businesses?
Overview of Data Breaches
Overview of a cyber-attack
Case Studies
Risk Transfer & Risk Management
Cyber coverages recommended & broker coverage check list
Summary
Q&A
Cyber Crime Statistics: Data Under Siege
Global Cyber Event Heat Map
Cyber Event Type Composition by Year
Cyber Events by Company Size

Number of Employees    Event Count    Percentage
0 - 25                   1,626         15.9%
25 - 50                    571          5.6%
50 - 100                   570          5.6%
100 - 250                  761          7.5%
250 - 500                  515          5.0%
500 - 1,000                544          5.3%
1,000 - 5,000            1,427         13.9%
5,000 - 10,000             638          6.2%
10,000+                  3,595         35.1%
Total                   10,247        100.0%
Cyber Litigation Frequency Index
Data Under Siege: Malicious Threats
Hackers, extortionists, disgruntled employees, fraudsters; malware, spyware, spam.
Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. "Malware" is a general term used to refer to a variety of forms of hostile or intrusive software.
Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious browser helper objects (BHOs), rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.
Phishing and pharming are both methods used to steal personal information from unsuspecting people over the Internet.
Phishing typically involves fraudulent bulk e-mail messages that guide recipients to legitimate-looking but fake Web sites and try to get them to supply personal information such as account passwords.
Pharming tampers with the domain name system (DNS) so that traffic to a Web site is secretly redirected to a different site altogether, even though the browser appears to display the Web address you wanted to visit.
Data Under Siege
1992 – 2007: 2M unique malicious programs
2007 – 2009: 33.9M unique malicious programs
2010 hit a new record: 1.5 billion unique malicious programs
31% of IT specialists were unaware of the most dangerous unique malicious programs
87% of system vulnerabilities were due to third-party applications (Microsoft, Java, IT infrastructure)
"U.S. Code Cracking Agency Works as if Compromised" – Reuters News, 12/16/2010
Source: Global IT Security Risks Report, Kaspersky Lab 2012
Cyber Crime and Small Businesses
ATM skimming generates losses of $50 million each year [1]
One in 20 adults is at risk of identity theft
One in 465 is a victim of identity theft
Average cost per compromised record: $214 (not including civil damages and/or defense costs)
[1] Electronic Funds Transfer Association, www.efta.org
Why are Small & Mid-market Businesses considered to be at High Risk?
Cyber Crime and Small Businesses
Over 20% of small businesses have suffered a data breach [1]
Number of attacks on the rise while breach size declines, indicating cybercriminals go after smaller targets, e.g. small enterprises (less security = easier attacks)
Malicious attacks (hacking or inside theft) constituted 40% of recorded breaches in 2011
Visa reports 80% of all card breaches arise from Level 4 merchants (those with fewer than 50 employees)
Each year, more than 10 million individual identity thefts
[1] Ponemon Institute, Small Business Data Theft Risk Management Study
Threats: Not “If” but “When”
Non-Malicious Threats
Employee mistakes: lost / stolen laptops and portable devices
Application glitches
Network operation and "sharing" trends
Points of failure are now multiplied due to outsourcing
Dependencies & data-sharing between business partners, including cloud servers
Upstream & downstream vendors (ASPs, partners, ISPs)
Methods of Fraud
What Are Thieves Looking For?
PII & Cardholder Data
Social security numbers, names and addresses, health insurance applications
• Primary Account Number (PAN)
• CID number (the card verification code; this must never be stored after authorization)
• Sensitive authentication data (full track data, card verification codes and PINs), which ties card use to the cardholder's identity
Methods Include
• Compromised card readers
• Papers stored in unlocked filing cabinets
• Data held in a payment system database
• Hidden camera recordings entry of authentication data
• Secret “tap” on your company’s wired or wifi network
The Risk to Your Insureds
Disgruntled employees – non-disclosure
Loss of revenue, system crashes caused by hackers
Data breach: auto customer data, patient PII
Your e-mail infects customers
Businesses utilize social media, e-marketing materials, company blogs
Lack of knowledge & resources to respond to a breach in a timely manner
The High Risk to Small and Mid-size Accounts (under 50 employees & < 10MM Gross Revenue)
Why are Small & Mid-market Businesses considered to be at High Risk?
Hackers and thieves are targeting small businesses because:
• Small businesses typically lack the resources and expertise to successfully fend off – or even respond to – attacks
• Lack of a formal IT department means that Payment Card Industry (PCI) Data Security compliance is particularly challenging for small organizations. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
An attack or error of negligence could prove catastrophic for the typical small business.
"Over 20% of small businesses had already suffered a data breach…. small businesses do not have adequate measures or remedies in place to protect themselves."
- Larry Ponemon, Ponemon Institute
Small Business Data Theft Risk Management Study
Potential for Business Harm to Your Insured’s Enterprise
What is the potential harm to your client’s enterprise?
Business fall-out can be severe (including negligence and breach)
Agency E&O / D&O
• Failing to meet Payment Card Industry (PCI) rules or negligently managing PII data
• State statutory notification, fines and penalties
• Fines and penalties (liquidated damages)
• Termination of ability to accept payment cards
• Reduction in business, lost customers (20% likely)
• Cost of reissuing payment cards ($100 per card, VISA)
• Fraud losses (see civil damages)
• Legal costs, settlements, and judgments
• Increase in compliance costs
• Going out of business (i.e., breach exceeds net worth of company)
Cyber Breaches and Liability
Joseph F. Bermudez, Esq.
Scott D. Sweeney, Esq.
Wilson Elser, LLP
October 8, 2014
© 2014 Wilson Elser. All rights reserved.
Overview
• Data Breach Overview
• Data Breaches in the News
• Life Cycle of a Breach
• Are you Ready?
Data Breach Overview
• How do breaches occur?
• Costs of a data breach
• Legal liability for breaches
• Data breach response and mitigation
Data Breaches: Who Are the Victims?
• Financial institutions
• Retail and restaurant industries
• Manufacturing, transportation, utilities
• IT and professional services firms
• Health care organizations
• Impact on larger organizations
Data Breaches: Who Is Perpetrating Breaches?
• Outsiders of the organization
• Insiders of the organization
• Business partners
• Multiple parties
• State (government) affiliated actors
Data Breaches: How Do Breaches Occur?
• Hacking
• Insider wrongdoing
• Human error
• Network intrusion exploiting stolen credentials
• Use of malware
• Physical attacks
• Social tactics such as phishing
• Privilege misuse and abuse, including theft of IP and corporate espionage
Data Breach Response Costs
• Avg. total organizational cost of breach: $5.8M
• Avg. detection costs: $417,700
• Avg. notification costs: $509,237
• Avg. remediation costs: $1,599,996
• Avg. lost business costs: $3,324,959
• $201 per record
Note: Figures do not include mega breaches in excess of 100,000 breached records
Source: Ponemon Institute 2014 Cost of Data Breach Study
Other Breach Related Costs
• Litigation costs
– Consumer class actions
– Shareholder suits
– Government investigations and proceedings
• Impact on corporate finances
– Cash flow
– Loan covenants and credit
– Shareholder value
– Reputational injury and loss of business
Data Breaches in the News
Target Data Breach Overview
• Hackers used stolen credentials from a third-party vendor
• Inserted malware into the company's computerized payment systems
• Malware scraped credit card data
• Data breach compromised 40 million credit and debit accounts
• Personal data of 110 million customers was compromised
Company’s Public Disclosures
12/19/13
• Company announced that hackers gained unauthorized access to payment card data
• Affected credit and debit card transactions in U.S. stores from 11/27/13 to 12/15/13
• Internal investigation of the data breach
• Retention of outside forensics firm
• Company also alerted authorities and financial institutions
Company’s Public Disclosures
1/13/14
• CEO and Chairman apologized to customers
• Provided status update on internal investigation
• Malware removed
• Company hired data security experts to investigate causes of the breach
• Company was working with law enforcement
• Assured customers they would have "zero liability" for fraudulent charges
• One year of free credit monitoring services
Impact on Company’s Financials
• 5.5% decrease in sales in 4Q 2013
• "Meaningfully softer results" following news of the breach
• 11% drop in stock price
• Reputational injury
Data Breach Response Costs
• $61 million incurred in 4Q 2013 for data breach response costs
• Amounts include internal investigation costs, credit monitoring, and staffing call centers
• Company's insurers agreed to pay $44 million
• Company will continue to incur breach-related costs for the foreseeable future
Data Breach Lawsuits
• 80 civil lawsuits filed against company
• Suits by customers
• Suits by payment card issuing banks
• Shareholder litigation against D&Os
• Government investigations
– Federal Trade Commission
– SEC and DOJ
– 30 state Attorneys General
CFO Testifies Before U.S. Senate
• 2/4/14 – Company's CFO testified before a Senate committee
• On 12/12/13, DOJ alerted Company to “suspicious activity”
• Internal investigation confirmed installation of malware and potential theft of credit card data
• Company invested $5 million in a public education campaign regarding cybersecurity
• Company launched a retail industry Cybersecurity and Data Privacy Initiative
Other Recent Data Breaches
• Home Depot
• Neiman Marcus
• Advocate Healthcare
• Twitter
• Adobe
• Facebook
• Living Social
• Evernote
• Federal Reserve Bank
Life Cycle of a Breach
• Identification of the Threat or Security Incident: What just happened?
• Triggering the Incident Response Team: making sure the right people / partners are part of the team
• Containment: Have you stopped the "bleeding"?
• Remediation: Have you taken steps to prevent this type of event from occurring in the future?
• Notification – and beyond
Overview
You are part of a company that operates retail stores throughout the United States. Payment-card and HR processing is handled by your corporate offices for all stores. The Company employs approximately 20,000 employees.
Cyber Attack!
ATTACK!
What Just Happened?
• Your Company was the victim of a SQL injection attack against a web application that provided information on customers who had purchased the Company's services. The hacker appears to have gained access to the database that was serving the web application.
• Question: What Do You Do?
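The mechanics behind the scenario above, as an added example that is not part of the presentation: a customer-lookup query built by string concatenation lets the attacker rewrite the SQL, first to dump every customer row and then, with a UNION, to read a second table (employee SSNs and bank accounts) that merely shares the same database, which is exactly how the exercise's "customer information" web application ends up exposing HR records. The parameterised version binds the input as data, so the same payloads return nothing. The table layout, the customer and employee rows, and the use of Python's built-in sqlite3 as a stand-in for the unnamed production database are all constructed for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database (not from the presentation).

    'customers' is what the web application legitimately serves;
    'employees' is an unrelated HR table that happens to live in the
    same database, as in the scenario.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, purchase TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("ann@example.com", "Ann Example", "Extended warranty"),
            ("bob@example.com", "Bob Sample", "Delivery plan"),
        ],
    )
    conn.execute("CREATE TABLE employees (name TEXT, ssn TEXT, bank_account TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [
            ("Carol Staff", "000-00-0001", "ACCT-0001"),  # fake values
            ("Dan Staff", "000-00-0002", "ACCT-0002"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller's input is spliced into the SQL text, so a
    quote in the input ends the literal and the rest becomes SQL."""
    sql = f"SELECT name, purchase FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the input is passed as a bound parameter. The driver sends
    it as a value, so it can never change the shape of the statement."""
    sql = "SELECT name, purchase FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Payload 1: a tautology turns the WHERE clause into "email = '' OR '1'='1'",
# which matches every customer row.
TAUTOLOGY = "' OR '1'='1"

# Payload 2: a UNION appends rows from the employee table to the result;
# the trailing "--" comments out the closing quote the application adds.
# The two selected columns must match the original query's column count.
UNION = "' UNION SELECT ssn, bank_account FROM employees --"


def demo() -> dict:
    """Run both payloads against both implementations and return the rows."""
    conn = build_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION),
        "safe_normal": lookup_safe(conn, "ann@example.com"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns both customers for the tautology and both employees' SSN/bank-account pairs for the UNION payload; the parameterised lookup returns an empty list for both and still answers a genuine e-mail address correctly. In a real application, parameterised queries are the control that prevents the incident in the scenario; a separate database (or at least a database account without SELECT rights on HR tables) is what limits the blast radius when an application is breached anyway.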
Information Exposed
• The initial investigation shows that the database contained employees' names, addresses, social security numbers, driver's license numbers, positions, and bank account information. The database has been operational for 5 years. The database appears to have stored cardholder information for repeat customers.
• Question: Now what? Does this impact your initial plan of action?
Monkey Wrench #1
You just learned that Brian Krebs, an online reporter who is credited with breaking the story that Target had been breached, and is followed by thousands of other publications, posted a story on his blog that the Company appears to have been breached. The story mentions that the Company failed to return phone calls for two days.
Monkey Wrench #2
The CEO of the Company contacts you, and tells you that he just received an e-mail from an unknown e-mail address, informing him that this person has the personal information of the CEO and his daughter, provides his driver’s license as proof, and threatens to post it online unless the CEO pays a ransom.
Update From Investigation
The database contained a link to an application that was connected to the Company’s payment processing system, which is centrally located at the Company’s headquarters. The application automatically updated information for repeat customers, but also allowed the hacker to potentially access the payment card information of all customers, exposing over 2 million credit cards.
Monkey Wrench #3
The FBI has just showed up at your door, and wants access to your data center so it can image your computers and servers in order to investigate the cyber attack.
Monkey Wrench #4
In the midst of your investigation, you receive an inquiry from a regulatory agency requesting more information about the event, asking for policies and procedures, and seeking a meeting.
Summary
Responding Quickly, But Effectively Matters
Know Who Your “Team” Members Are Before You Have An Event - Internal And External
Training And Education Matters!
No Two Events Are Alike - Expect The Unexpected
Cyber Stress Test
Are you Prepared?
How many of the following does your company have?
1. Do you process or store credit cards for payments?
2. Have you had a PCI compliance audit conducted or have you had any external assessment to confirm you are compliant with the PCI standards?
3. Do you store any of the following information about your customers or employees: social security number, name and address, credit card or bank details?
4. Do you maintain an active presence on any major social media sites (e.g. Facebook, Twitter, YouTube, Trip Advisor, etc.)?
5. Do you store any business critical data or information on your systems (e.g. financial / accounting records, client lists, claim data, etc.?)
6. Do you use a voice over IP telephony system (VoIP)?
7. Do you have any individuals within the business that can authorize online payments of more than $5,000?
8. Do you rely on any technology systems in order to collect payments from customers?
9. Do you encrypt all data delivered to credit card vendor?
10. Do you rely on any third-party systems in order to secure bookings?
Mid-Market Business Owners Cyber Stress Test
How many of the following does your company have?
1. Do you process or store credit cards for payments?
This function captures PII and exposes it to hacking. PII = contract damages ($100 per replaced card; $214 credit monitoring etc. per customer)
2. Have you had a PCI compliance audit conducted, or any external assessment to confirm you are compliant with the PCI standards?
This is the test applied to legal liability if hacked. The card vendor can hold back credit equal to the potential legal exposure until the issue is resolved, including charges for replacement of credit cards.
3. Do you store any of the following information about your customers or employees: social security number, name and address, credit card or bank details?
HIPAA exposure – hurricane
4. Do you maintain an active presence on any major social media sites (e.g. Facebook, Twitter, YouTube, Trip Advisor, etc.)?
Copyright violations, reputation damages – not covered by GL
Stress Test continued
5. Do you store any business critical data or information on your systems (e.g. financial / accounting records, customer lists, customer reservations, etc.)?
Release of business personal information without consent, and PII
6. Do you use a voice over IP telephony system (VoIP)?
Easy access point for hackers; increases exposure to privacy violations
7. Do you have any individuals within the business that can authorize online payments of more than $5,000?
Security control requirements are much greater if this is in practice
8. Do you rely on any technology systems in order to collect payments from customers?
Another method for hackers to access PII, exposing the owner to breach and contract damages
9. Do you encrypt all data delivered to the credit card vendor?
If not, this is an automatic violation of the PCI standards (PCI DSS requires cardholder data to be encrypted when transmitted across open, public networks) and of most state codes
10. Do you rely on any third-party systems in order to secure bookings (e.g. Open Table)?
Upstream data retention facilities / clouds: if breached, your stored data can contaminate others' data = legal exposure to a large number of PII records belonging to people who are not your clients.
Best Solution
Risk Transfer & Risk Management
How to Protect Your Company’s Data
Comply with the golden 12 Rules (the 12 PCI DSS requirements)
Goal / Rule
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder and HIPAA Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain – and update – a policy that addresses information security
Recommended Cyber Coverage
What does System Damage & Interruption cover?
This is first-party cover that protects companies against their own losses resulting from damage to data caused either deliberately by a malicious employee or hacker, or totally accidentally (the infamous "fat finger"). The system interruption cover stems directly from this but is restricted to malicious employees, hackers or computer viruses. This provides protection against loss of profits arising directly from these perils.
What does Cyber & Privacy Liability cover? (includes PCI fines and penalties)
This provides liability coverage – including legal defense costs and indemnity payments – for claims brought against you arising from a data security breach, whether through electronic means or otherwise. This is provided on an "all risks" basis. The coverage is also extended to include liability protection against claims arising from you spreading a computer virus or from your systems being used to hack a third party.
What does Breach Response cover?
This provides first party cover for the cost of complying with breach notification laws. Coverage is also included for voluntary security breach notification, where this helps to mitigate adverse impact upon the company’s brand or reputation. The coverage itself will pay for the legal costs of drafting a breach letter, the cost of printing and posting the letter, credit monitoring costs, and forensic costs that may be required to identify the extent of the breach.
What does Media Liability cover? (limited to the web site unless an endorsement is added; may duplicate PL & GL cover)
This provides comprehensive liability coverage including legal defense costs as well as indemnity for damages and fines (where insurable). Essentially, this coverage protects against claims for intellectual property rights infringement (excluding patent) and defamation arising from content published by the company or on its behalf. This coverage also extends to social media and user generated content, including company and employee blogs.
What does regulatory privacy cover?
This provides coverage for the costs associated with defending yourself against a regulatory action brought against you as a direct result of a privacy breach. This includes actions brought by federal regulators such as the FTC and similar state or industry bodies. Coverage is also extended to include fines and penalties that are issued as a result, where these are insurable by law.
Recommended Cyber Coverage Limits
System Damage & Interruption - (minimum $250k)
Regulatory Fines & Penalties – $1M limits
Privacy Breach Notification – $250k / $1M limits
Media Liability - $1M limits
PCI Fines & Penalties – $250k, $1M limit
Policy Review Questions
First & Third-Party Liability
Coverage for transmission of a virus to a third party, and by that third party to others
Copyright infringement from website
Forensic investigation covered as part of breach notification?
Does coverage apply to both electronic and physical data breaches, e.g. paper, laptop, disks, PDA etc.?
Does coverage apply to both personal and company information? (IFI 1st Co)
Does coverage apply to employee and customer information?
Is information in the care, custody or control of the insured's vendors included, e.g. cloud servers and paper records being transported?
Does the policy apply to accidental losses and leaks?
Does the application require PCI compliance or encryption?
No insider exclusion?
Are direct, intentional (targeted) attacks covered as well as "wild viruses" (those not specifically targeting the insured)?
Liquidated damages and fines and penalties? Know the position: are provable court damages and fines covered?
Policy Review Questions
Media Liability
Is media liability valid anywhere in the world? Does coverage extend to social networking, e-mails, Twitter? (PL & GL) Does coverage apply to user-generated content (opinion boards for feedback)?
Extortion – no limit to threat method
Breach Response – Crisis Management
Does the policy apply to attorney fees to draft the response to a breach and the related delivery costs? Is credit monitoring included for individuals (employees?) Will the policy provide options for notification methods? Does coverage include forensic investigation?
First-Party Business Interruption
Is forensic investigation covered? Do they offer a contingent period after the system is restored? Is it based on the time the system is down or on a stated time period? Are wild & targeted viruses included? Loss of reputation?
Summary
Questions?
Contact
Melissa Ventrone, Wilson Elser LLP (Chicago)
Phone: 312-821-6105
Email: [email protected]
Joseph F. Bermudez, Scott D. Sweeney, Wilson Elser LLP (Denver)
Phone: 303-572-5310; 303-572-5324
Email: [email protected]
Questions?