© 2012 ARTHUR J. GALLAGHER & CO. Agricultural Co-Ops: The Challenges of Protecting Data Today...
Agricultural Co-Ops: The Challenges of Protecting Data Today
Cyber, Privacy & Network Security
GALLAGHER CYBERRISK SERVICES, APRIL 30, 2013
Your Presenters
Joe is the CyberRisk Services Practice Leader at Arthur J. Gallagher. He is responsible for management, business development, marketing and consulting for the products and services related to Cyber Risk, specifically Cyber Liability, Privacy Liability, Network Security Liability, Media Liability & Patent Liability.
AGENDA
• What is Cyber Risk?
• Trends
• Costs
• Who is looking at Cyber?
• How we can assist
• Coverage
What is Cyber Risk?
WHAT IS CYBER RISK? NETWORK SECURITY & PRIVACY
The CONVERGENCE of TECHNOLOGY with INFORMATION
Information & Data is Valuable: Advancements in technology have enabled organizations to capitalize on the value of information and data.
Ease of Business: Technology has made storing and removing data easy and convenient (laptops, back-up drives, thumb drives, recordable CDs, PDAs, smart phones, iPads, etc.).
The most vigilant Network Security and Privacy Policies are vulnerable to hackers, rogue employees, independent contractors, and human error!
WHAT IS CYBER RISK?
According to the FBI, Identity Theft is the fastest growing white collar crime in America!
THE NETWORK: Where PII & PHI data is stored electronically
OUTSIDE THE NETWORK: Where PII & PHI data (electronic/non-electronic) is stored outside of the Network
PERSPECTIVES – IT/EMPLOYEE
IT Departments
Challenge = Balancing demands of safeguarding the network/data while adapting to ever-changing technologies and business needs
• Encryption
• Servers are porous and need constant care
• Patches to software
• Lack of tested back-up processes
• More data often collected than needed
• Data often stored for too long
• Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers
• Limited Resources $$/Budgets
Employees
Challenge = Balancing work flow needs with safeguarding the confidential information used to perform their job
• Rogue Employees, social engineering, hacker sophistication, and human error (Societe Generale)
• Private records disposed of improperly (dumpster)
• Many employees lack computer common sense
• Employees choose easy to decipher passwords
• Clean Desk policy
• Training
Trends
HIGH FREQUENCY INDUSTRIES
Source: Identity Theft Resource Center

Publicized breaches reported annually and records exposed, by year:
Year | Publicized Breaches | Records Exposed
2012 | 447 (published breaches as of 12/31/12) | 17,317,184
2011 | 414 | 22,945,773
2010 | 662 | 16,167,542
2009 | 498 | 222,477,043 (Heartland incident)
2008 | 656 | 35,691,255
2007 | 448 | 127,000,000 (94 million from TJX incident)

Breaches by Industry (% of Breaches / % of Records):
Industry | 2012 | 2011 | 2010 | 2009 | 2008 | 2007
Financial Banking | 3.8% / 2.7% | 7.0% / 2.7% | 8.2% / 30% | 11.4% / 0% | 11.9% / 52.5% | 7% / 6.9%
Educational | 13.6% / 13.3% | 14.3% / 3.6% | 9.8% / 9.9% | 15.7% / 0.4% | 20% / 2.3% | 24.9% / 1%
Govt./Military | 11.2% / 44.4% | 11.4% / 43.7% | 15.7% / 7.5% | 18.1% / 35.7% | 16.8% / 8.3% | 24.7% / 6.4%
Medical/Healthcare | 34.5% / 12.9% | 16.3% / 20.5% | 24.2% / 11.6% | 13.7% / 5.1% | 14.8% / 20.5% | 14.5% / 3.1%
All Other Business | 36.9% / 26.7% | 46.9% / 33.7% | 42% / 41% | 41.2% / 58.9% | 36.6% / 16.5% | 28.9% / 82.6%
The REGULATORY LANDSCAPE is…complex, challenging and growing
• 50 State Privacy Laws (County/Local) - Laws or Regulation
• Foreign Privacy Laws – UK ICO – Information Commissioner’s Office & many others (trans-border privacy issues)
• Federal Trade Commission
• FACTA Regulation 114: Red Flags Rule
• FERPA/DPPA
• HIPAA / HITECH
  • Standard for smooth, consistent, and secure electronic transmission of health care data.
  • PII/PHI – personally identifiable information/health information about individuals - PII includes drivers license #’s, SS #’s, Credit Card #’s, address, account numbers & PIN’s
  • PHI includes written documents, electronic files, and verbal information. (Even information from an informal conversation can be considered PHI.)
  • Examples of PHI include: completed health care claims forms; detailed claim forms; explanations of benefits; notes documenting discussions with plan participants
• SEC
• PCI/DSS
BOARD REVIEW OF CYBER?
Even though risk management is a high priority, most boards are not reviewing their company’s insurance for cyber related risks.
Source: Carnegie Mellon University – CyLab, Governance of Enterprise Security: CyLab 2012 Report
Industry & Region Comparison Table: Boards NOT Reviewing Cyber Insurance Coverage
Board reviews cyber insurance coverage | North America | Europe | Asia | Energy/Utilities | Financial | IT/Telecom | Industrials
No | 58% | 56% | 57% | 79% | 52% | 77% | 44%
Although cyber incidents are not covered by general liability policies, 57% of the respondents indicated that their boards are not reviewing insurance coverage for cyber related risks, compared with 65% in 2010. This slight improvement, however, is due to the increase in respondents in 2012 that said they did not know. This response was consistent across geographical regions.
It was surprising that a much higher percentage of respondents from the two “consequential” infrastructure sectors – energy/utilities and IT/telecom – indicated that their boards did not review insurance coverage of cyber risks: Seventy-nine percent (79%) of the energy/utilities respondents indicated that their boards do not review coverage and 77% of the IT/telecom sector respondents said the same.
TRENDS
Some of the Numbers
• Ponemon Institute LLC 2011 Cost of Data Breach Study
  • The study found the average cost per data breach was $5.5 million in 2011. Additionally, the cost per compromised record was $194.
• Ponemon Institute LLC 2012 Cost of Cyber Crime Study
  • Average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $8.9 million.
  • Organizations experienced an average of 102 successful attacks per week.
• Net Diligence Cyber Liability and Data Breach Insurance Claims
  • The average number of records exposed per incident was 1.4 million.
  • The average cost per incident was $3.7 million.
TRENDS
2012 had a significant number of large breaches.
• Global Payments (1.5 million records)
• Yahoo! (400 thousand passwords)
• Wyndham Hotels (600 thousand credit cards)
• eHarmony (1.5 million passwords)
• LinkedIn (6.5 million passwords)
• Zappos (24 million records)
• Gamigo (3 million records)
• Texas Attorney General’s Office (6.6 million records)
• South Carolina Department of Revenue (3.6 million SS #’s, 387,000 CC #’s)
TRENDS
Largest data breaches of all time.
HAS THE NEXT BIG LITIGATION TREND ARRIVED?
Social Media & Privacy
What is your responsibility to safeguard, monitor and take down information?
WHAT ABOUT THE CLOUD?
Things to think about.
• Where is the data really stored?
• How is the data protected?
• What about the provider?
• Is the provider transferring data or moving your data around?
U.S. public companies’ perceptions of risk and their risk management strategies.
SOURCES OF SECURITY AND PRIVACY BREACHES
2011 Results
• 41% Negligence
• 31% Malicious or Criminal Acts
• 28% System Failure
Source: 2011 Annual Study: U.S. Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec.
WHO ARE THE STAKEHOLDERS?
• Leadership Team / Board
• Customers/Members
• Employees
• CFO
• Information Technology
• General Counsel
• Chief Security Officer
• Risk Management
Who do you see as the key risk stakeholders within your organization and what have been the challenges in bringing them on board?
Costs
LITIGATION TRENDS
• Plaintiffs’ Bar (Class Actions)
• Individuals (Identity Theft)
• Government (Privacy Laws)
• Impacted Businesses (Banks/Trading Partners)
• Third Parties
RESPONSE COSTS
• Third & First Party Claims
• Defense
• Notification
• Credit Monitoring
• Public Relations/Reputational Harm
• Forensic Investigations
• Call Center Support
• Identity Theft Education
WHAT DOES A BREACH COST?
Costs of a Breach:
• $194 average cost per record (includes response costs, defense and damages)
• $5.5M average total cost per breach
• 15% - Legal Services – Defense - $825,000 average cost to defend a claim, per breach cost
Response Costs Per Record:
• Notification (in/outbound) 11% - $21
• Forensics/Legal Expenses/Compliance/Public Relations 15% - $29
• Credit Monitoring and ID Theft Services 3% - $6
1) Source: 2011 Annual Study: U.S. Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec.
Who is looking at Cyber?
PURCHASE OF NETWORK SECURITY/PRIVACY LIABILITY INSURANCE AND AMOUNT OF LIMIT PURCHASED
HOW THE COMPANY ARRIVED AT A LIMIT LEVEL
REASONS FOR NOT HAVING A NETWORK SECURITY/PRIVACY LIABILITY PROGRAM IN PLACE
TECHNIQUES USED TO ASSESS CYBER RISK EXPOSURE
CyberRisk Services – What We Do
HOW CAN WE ASSIST?
• Educate
• Analyze Exposures/Risks
• Analyze coverage gaps – present/future
• Analyze current coverage
• Benchmark
• Recommend Experts to assist in analysis – all aspects
• Design Risk Transfer Solutions to match Exposures/Risks
• Dovetail with client appetite
THE BROKERAGE RUN BY BROKERS
Why Should Educational Institutions Consider Cyber Insurance?
The frequency of Privacy Breaches is on the rise
Network threats and vulnerabilities are getting dramatically worse
Over 46 states have enacted Privacy Laws in response to frequency of Privacy Breaches – Let’s not forget FERPA!
Open networks pose challenges for Information Security
An increasingly technologically sophisticated student population
Trustees recognize the catastrophic nature of Cyber Risks
Students, faculty, alumni demand prudent Risk Management that protects the institution
The plaintiffs’ bar is becoming more active in pursuing class action litigation
Contracts may require Cyber Insurance
Cyber Insurance can mitigate financial impact a breach may have on an institution
What is the financial loss of a security/ privacy breach?
Cost to defend and/or settle litigation from Identity Theft
Cost to defend and/or settle litigation from banks to recover the value of re-issuing credit cards or fraudulent transactions
Cost to defend and/or settle regulatory investigations and litigation
Cost to respond to regulatory laws
Cost to defend and/or settle unauthorized access or unauthorized use
Cost to defend and/or settle allegations that malicious code (such as viruses) caused harm to the data or computer systems of 3rd parties
Cost to defend and/or settle allegations that an insured's computer system denied a third party the ability to conduct transactions
It is estimated that the average cost of a security/privacy breach is approx. $194 per record and $5.5m to the entity.
Joe DePaul, Managing Director – CyberRisk Services, Senior Vice President, Management & Professional Liability
Phone: 212-994-7054 Fax: 212-994-7021 Email: [email protected]
Adam Cottini, Area Vice President, Management & Professional Liability
Phone: 212-994-7048 Fax: 212-994-7021 Email: [email protected]
What cyber services are available for Educational Institutions?
The most vigilant network security and most comprehensive privacy policies are vulnerable to hackers, rogue employees, social engineering, and human error
Cyber Insurance for Higher Educational Institutions
Gallagher CyberRisk in coordination with Gallagher’s Higher Education Practice offers Information Risk Management Services and Products specifically designed for the unique cyber exposures of educational institutions.
Coverage is available for:
Network Security Liability – Provides liability coverage if an Insured’s Computer System fails to prevent a Security Breach or a Privacy Breach
Privacy Liability – Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care custody and control
Media Liability – Covers the Insured for Intellectual Property and Personal Injury perils resulting from an error or omission in content (coverage for Patent and Trade Secrets are generally not provided)
Regulatory Liability – Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
Notification Expense – 1st Party expenses to comply with Privacy Law notification requirements
Credit Monitoring Expense – 1st Party expenses to comply with Privacy Law Credit Monitoring requirements
Crisis Management – 1st Party expenses to hire a Public Relations firm
Data Recovery – 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security
Business Interruption- 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security
Cyber Extortion – Payments made to a party threatening to attack an Insureds’ Computer System in order to avert a cyber attack
Professional Errors & Omission Liability –Miscellaneous E&O can be added to a policy when applicable
(The above descriptions are a summary of available coverages and do not replace actual policy language)
Arthur J. Gallagher Risk Management Services, Inc. ~ 250 Park Avenue ~ New York, New York 10177 212-994-7100
Quadrants of Cyber/E&O Risk
Process: RISK IDENTIFICATION, LOSS MITIGATION, LOSS QUANTIFICATION, POLICY ANALYSIS, PROGRAM DESIGN
Website/Multimedia: Liability arising out of publishing, advertising, or broadcasting by your company on its own behalf or for others.
Data Privacy & Network Security: Liability arising out of the collection and dissemination of private information and the operation of a computer network.
Professional Services: Liability arising out of the performance or failure to perform professional services.
Contractual Vendors, Partners & Subcontractors: Liability arising out of services provided to your company or on behalf of your company by others.
Coverage
Travelers CyberRisk Insurance
• Comprehensive coverage solution
  • 10 Insuring Agreements provide 1st Party & 3rd Party protection
• Flexible and scalable
  • Choose the coverage and limits that suit your exposures
• Proven industry leader
  • Over 25 years writing technology related coverages and a leading writer of specialty crime coverages
• Travelers financial strength
• World class claim service
Travelers CyberRisk – 3rd Party Coverage
• Network and Information Security Liability
  • Coverage for:
    • Claims arising from the unauthorized access to data containing identity information,
    • The failure to provide notification of data breach where required by law,
    • Transmission of a computer virus, and
    • Liability associated with the failure to provide authorized users with access to the company’s website
Travelers CyberRisk – 3rd Party Coverage
• Communications and Media Liability
  • Coverage for:
    • Claims arising from copyright infringement, plagiarism, defamation, libel, and slander in electronic content, such as websites and email
• Regulatory Defense Expenses
  • Coverage for:
    • Governmental claims made as a result of network and information security liability or communications and media liability
    • Fines/Penalties from regulatory bodies or payment card industry
  • Available by endorsement
Travelers CyberRisk – 1st Party Coverage
• Crisis Management Event Expenses
  • Coverage for:
    • Public relations services to mitigate negative publicity as a result of cyber liability
• Security Breach Remediation and Notification Expenses
  • Coverage for:
    • Costs incurred to determine whose identity information was accessed,
    • Notification to those individuals of the security breach,
    • Credit monitoring for 365 days,
    • Call center to handle inquiries, and
    • Identity fraud expense reimbursement for those individuals affected by the breach
Travelers CyberRisk – 1st Party Coverage
• Computer Program and Electronic Data Restoration Expenses
  • Coverage for:
    • Expenses incurred to restore data lost from damage to computer systems due to computer virus or unauthorized access
• Computer Fraud
  • Coverage for:
    • Loss of money, securities or other property due to unauthorized access to computer system
• Funds Transfer Fraud
  • Coverage for:
    • Loss of money or securities due to fraudulent transfer instructions to a financial institution
Travelers CyberRisk – 1st Party Coverage
• E-Commerce Extortion
  • Coverage for:
    • Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on computer system, or disclose electronic customer information
• Business Interruption and Additional Expense
  • Coverage for:
    • Loss of income, and the extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack
Travelers CyberRisk – Underwriting
• Adobe “fillable-saveable” format
• Create, save and e-mail in PDF format
• Allows for e-signatures
• Accessible at www.travelers.com/cyberrisk
Travelers CyberRisk – Claims
Insuring Agreement: Network and Information Security Liability
Claim Scenario: A hacker successfully obtains sensitive personal information from the insured’s computer system. As a result, a number of customers bring a claim against the insured for allowing access to their personal information.
Coverage Response: Damages and defense costs for covered lawsuits.

Insuring Agreement: Communications and Media Liability
Claim Scenario: A lawsuit is brought against the insured by a competitor alleging that their online marketing content and product branding have been plagiarized and their trademarks infringed upon.
Coverage Response: Damages and defense costs for covered lawsuits.

Insuring Agreement: Regulatory Defense Expenses
Claim Scenario: An insured with offices nationwide suffers a major data breach involving thousands of customers. As a result, Attorneys General in multiple states bring a regulatory action against the insured.
Coverage Response: Costs for responding to regulatory claims stemming from the data breach.
Travelers CyberRisk – Claims
Insuring Agreement: Security Breach Remediation and Notification Expense
Claim Scenario: A skilled cyber criminal hacks into the insured’s internal processing system. Names, addresses, and credit card information for over 50,000 of the insured’s customers are captured out of the system.
Coverage Response: Costs for hiring a Breach Response firm to find and fix the breach, assist with notice requirements and expenses, provide credit monitoring and a call center for impacted individuals, and obtain an ID Fraud policy for affected victims.

Insuring Agreement: Computer Program and Electronic Data Restoration Expenses
Claim Scenario: A computer virus totally destroys the insured’s operating system software and data.
Coverage Response: Costs for repair and restoration of the insured’s computer programs and electronic data.

Insuring Agreement: Computer Fraud
Claim Scenario: An organized crime ring gains unauthorized access to the insured’s accounts payable in their computer system, and alters the bank routing information on outgoing payments. The result: $1 million transferred to the crime ring’s account.
Coverage Response: Direct loss of the insured’s money, securities or other property.
Travelers CyberRisk – Claims
Insuring Agreement: Funds Transfer Fraud
Claim Scenario: The insured receives an email that appeared to be from its bank but was not. The insured’s employee opened the email, which activated a computer virus called a Trojan horse that read key strokes from their computer. The perpetrator used this means to obtain banking and password information and initiate a fraudulent electronic wire transfer from the insured’s bank account.
Coverage Response: The insured’s funds that were fraudulently transferred from its bank account.

Insuring Agreement: E-Commerce Extortion
Claim Scenario: The insured receives a series of notes which threaten to hack into its customer database and disclose all of the contact information to the general public.
Coverage Response: Money or securities paid to the extortioner.

Insuring Agreement: Business Interruption and Additional Expense
Claim Scenario: A company’s server is infected by a severe virus, and as a result the insured’s sales website is not available to customers for an extended period.
Coverage Response: The net profit that would have been earned (or net losses that would have been avoided) resulting from the computer system disruption.
Travelers CyberRisk – Claims
Insuring Agreement: Crisis Management Event Expenses
Claim Scenario: The insured’s Chief Customer Service Officer has his laptop stolen. The laptop contains over 100,000 customer records, including social security numbers.
Coverage Response: Costs for hiring a Public Relations firm to restore customer confidence or mitigate negative publicity generated from the incident.
GALLAGHER ERISK HUB
As an Arthur J. Gallagher policyholder, you will receive complimentary access to the eRisk Hub® portal, powered by NetDiligence®. eRisk Hub provides tools and resources to help you understand your exposures, establish a response plan and minimize the effects of a breach on your organization.
Questions?