© 2012 ARTHUR J. GALLAGHER & CO. Agricultural Co-Ops: The Challenges of Protecting Data Today...

© 2012 ARTHUR J. GALLAGHER & CO.

Agricultural Co-Ops:The Challenges of Protecting Data Today

Cyber, Privacy & Network Security

GALLAGHER CYBERRISK SERVICESAPRIL, 30, 2013

© 2012 ARTHUR J. GALLAGHER & CO.© 2012 ARTHUR J. GALLAGHER & CO.

Your Presenters


Your Presenters

3

Joe is the CyberRisk Services Practice Leader at Arthur J. Gallagher. He is responsible for management, business development, marketing and consulting within the products and services related to Cyber Risk. These specifically include Cyber Liability, Privacy Liability, Network Security Liability, Media Liability & Patent Liability.


4

• What is Cyber Risk?

• Trends

• Costs

• Who is looking at Cyber?

• How we can assist

• Coverage

AGENDA


What is Cyber Risk?


6

The CONVERGENCE of TECHNOLOGY with INFORMATION

Information & Data is Valuable: Advancements in technology has enabled organizations to capitalize on the value of Information & Data

Ease of Business: Technology has made storing and removing data easy and convenient (Laptops, back-up drives, thumb drives, recordable CD’s, PDA’s, smart phones, ipads, etc.)

WHAT IS CYBER RISK? NETWORK SECURITY & PRIVACY

The most vigilant Network Security and Privacy Policies are Vulnerable to Hackers, Rogue Employees, Independent

Contractors, and Human Error!


7

WHAT IS CYBER RISK?

According to the FBI Identity Theft is the

fastest growing white collar crime in America!

OUTSIDE THE NETWORK:Where PII & PHI data (Electronic/Non-Electronic) is stored outside of the Network

THE NETWORK: Where PII & PHI

data is stored Electronically


6


9

PERSPECTIVES – IT/EMPLOYEE

IT DepartmentsChallenge = Balancing demands of safeguarding the network/data while adapting to ever-changing technologies and business needs

Encryption Servers are porous and need

constant care Patches to software Lack of tested back-up processes More data often collected than

needed Data often stored for too long Tools that help hackers are

readily available and shared on the Internet at no cost to malicious attackers

Limited Resources $$/Budgets

EmployeesChallenge = Balancing work flow

needs with safeguarding the confidential information used to perform their job

Rogue Employees, social engineering, hacker sophistication, and human error (Societe Generale)

Private records disposed of improperly (dumpster)

Many employees lack computer common sense

Employees choose easy to decipher passwords

Clean Desk policy Training


Trends


HIGH FREQUENCY INDUSTRIES

Source: Identity Theft Resource Center

2012 2011 2010 2009 2008 2007

447 Published Breaches as of

12/31/12

414 Publicized Breaches

Reported Annually


Reported Annually


Reported Annually


Reported Annually


Reported Annually

17,317,184 Records Exposed






(Heartland incident) (94 Million from

TJX incident)

2012 Breaches by Industry:






Financial Banking

3.8% of Breaches2.7% of Records


8.2% of Breaches 30% of Records

11.4% of Breaches0% of Records


7% of Records6.9% of Records

Educational





20% of Breaches2.3% of Records

24.9% of Breaches1% of Records

Govt./Military







Medical/Healthcare







All Other Business



42% of Breaches 41% of Records



28.9% of Breaches 82.6% of Records

11


• 50 State Privacy Laws (County/Local) - Laws or Regulation• Foreign Privacy Laws – UK ICO – Information Commissioner’s Office & many others (trans-

border privacy issues)• Federal Trade Commission • FACTA Regulation 114: Red Flags Rule• FERPA/DPPA• HIPAA / HITECH

• Standard for smooth, consistent, and secure electronic transmission of health care data.

• PII/PHI – personally identifiable information/health information about individuals - PII includes drivers license #’s, SS #’s, Credit Card #’s, address, account numbers & PIN’s

• PHI includes written documents, electronic files, and verbal information. (Even information from an informal conversation can be considered PHI.)• Examples of PHI include:

• Completed health care claims forms• Detailed claim forms• Explanations of benefits• Notes documenting discussions with plan participants

• SEC• PCI/DSS

The REGULATORY LANDSCAPE is…complex, challenging and growing

12


Industry & Region Comparison Table: Boards NOT Reviewing Cyber Insurance Coverage

BOARD REVIEW OF CYBER??Even though risk management is a high priority, most boards are not reviewing their company’s insurance for cyber related risks.

Carnegie Mellon University – CylabGovernance of Enterprise Security:Cylab 2012 Report

Board reviews cyber insurance coverage

North America

Europe Asia Energy/Utilities

Financial

IT/Telecom

Industrials

No 58% 56% 57% 79% 52% 77% 44%

Although cyber incidents are not covered by general liability policies, 57% of the respondents indicated that their boards are not reviewing insurance coverage for cyber related risks, compared with 65% in 2010. This slight improvement, however, is due to the increase in respondents in 2012 that said they did not know. This response was consistent across geographical regions.

It was surprising that a much higher percentage of respondents from the two “consequential” infrastructure sectors 18 – energy/utilities and IT/telecom – indicated that their boards did not review insurance coverage of cyber risks: Seventy-nine percent (79%) of the energy/utilities respondents indicated that their boards do not review coverage and 77% of the IT/telecom sector respondents said the same.

13


TRENDS

Some of the Numbers

• Ponemon Institute LLC 2011 Cost of Data Breach Study• The study found the average … cost per data breach was $5.5

million in 2011. Additionally, the cost per compromised record was $194 per record.

• Ponemon Institute LLC 2012 Cost of Cyber Crime Study • Average annualized cost of cybercrime incurred by a benchmark

sample of U.S. organizations was $8.9 million. • Organizations experiencing an average of 102 successful attacks

per week.• Net Diligence Cyber Liability and Data Breach Insurance Claims

• The average number of records exposed per incident was 1.4 million.

• The average cost per incident was $3.7 million

14


2012 had a significant number of large breaches.

• Global Payments (1.5 million records)• Yahoo! (400 thousand passwords)• Wyndham Hotels (600 thousand credit cards)• eHarmony (1.5 million passwords)• LinkedIn (6.5 million passwords)• Zappos (24 million records)• Gamigo (3 million records)• Texas Attorney General’s Office (6.6 million records)• South Carolina Department of Revenue (3.6 million SS #’s,

387,000 CC #’s)

TRENDS

15


Largest data breaches of all time.TRENDS

16


HAS THE NEXT BIG LITIGATION TREND ARRIVED?

Social Media & Privacy

What is your responsibility to safeguard, monitor and

take down information?

17


WHAT ABOUT THE CLOUD?

Things to think about.

• Where is the data really stored?

• How is the data protected?• What about the provider?• Is the provider transferring

data or moving your data around?

18


U.S. public companies perceptions of risk and their risk management strategies.

19


U.S. public companies perceptions of risk and their risk management strategies.

20


SOURCES OF SECURITY AND PRIVACY BREACHES

41% Negligence

31% Malicious or Criminal Acts

28% System Failure

Source: 2011 Annual Study: U.S. Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec.

2011 Results

21


22

WHO ARE THE STAKEHOLDERS?

LeadershipTeam / Board

Customers/MembersEmployees

CFO

Information

Technology

General CounselChief Security Officer Risk

Management

Who do you see as the key risk stakeholders within your organization and what have been the challenges in bringing them on board?

http://www.google.com/imgres?imgurl=http://castagnogroup.com/wp-content/uploads/2009/01/cfo-final.jpg&imgrefurl=http://castagnogroup.com/about/cfo/&usg=__PQi_yrWq0CO2hceS1BFDrPfzLOs=&h=300&w=300&sz=101&hl=en&start=1&zoom=1&tbnid=0FB_R9IlFOpo2M:&tbnh=116&tbnw=116&ei=jh9yTunbBMuFsgLkr63QCQ&prev=/search?q=chief+financial+officer&hl=en&sa=N&gbv=2&tbm=isch&itbs=1


Costs


24

LITIGATION TRENDS

• Plaintiffs’ Bar (Class Actions)

• Individuals (Identity Theft)

• Government (Privacy Laws)

• Impacted Businesses (Banks/Trading Partners)

• Third Parties


25

RESPONSE COSTS

•Third & First Party Claims

•Defense

•Notification

•Credit Monitoring

•Public Relations/Reputational Harm

•Forensic Investigations

•Call Center Support

•Identity Theft Education


26

WHAT DOES A BREACH COST?

Costs of A Breach: $194 average cost per record (includes response costs, defense

and damages) $5.5M average total cost per breach

15% - Legal Services – Defense - $825,000 average cost to defend a claim, per breach cost

Response Costs Per Record: Notification (in/outbound) 11% - $21 Forensics/Legal Expenses/Compliance/Public Relations 15% -

$29 Credit Monitoring and ID Theft Services 3% - $6

1) Source: 2011 Annual Study: U.S. Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec.


Who is looking at Cyber?


PURCHASE OF NETWORK SECURITY/PRIVACY LIABILITY INSURANCE AND AMOUNT OF LIMIT PURCHASED

28


HOW THE COMPANY ARRIVED AT A LIMIT LEVEL

29


REASONS FOR NOT HAVING A NETWORK SECURITY/PRIVACY LIABILITY PROGRAM IN PLACE

30


TECHNIQUES USED TO ASSESS CYBER RISK EXPOSURE

31


CyberRisk Services – What We Do


HOW CAN WE ASSIST?

• Educate• Analyze Exposures/Risks• Analyze coverage gaps – present/future

• Analyze current coverage• Benchmark• Recommend Experts to assist in analysis – all aspects

• Design Risk Transfer Solutions to match Exposures/Risks•Dovetail with client appetite

THE BROKERAGE RUN BY BROKERSTHE BROKERAGE RUN BY BROKERS

Why Should Educational Institutions Consider Cyber Insurance?

Frequency of Privacy Breaches are on the rise

Network threats and vulnerabilities are getting dramatically worse

Over 46 states have enacted Privacy Laws in response to frequency of Privacy Breaches – Let’s not forget FERPA!

Open networks pose challenges for Information Security

An increasing technologically sophisticated student population

Trustees recognize the catastrophic nature of Cyber Risks

Students, faculty, alumni demand prudent Risk Management that protects the institution

The plaintiffs’ bar is becoming more active in pursuing class action litigation

Contracts may require Cyber Insurance

Cyber Insurance can mitigate financial impact a breach may have on an institution

What is the financial loss of a security/ privacy breach?

Cost to defend and/or settle litigation from Identity Theft

Cost to defend and/or settle litigation from banks to recover the value of re-issuing credit cards or fraudulent transactions

Cost to defend and/or settle regulatory investigations and litigation

Cost to respond to regulatory laws

Cost to defend and/or settle unauthorized access or unauthorized use

Cost to defend and/or settle allegations that malicious code (such as viruses) caused harm to the data or computer systems of 3rd parties

Cost to defend and/or settle allegations that an insured's computer system denied a third party the ability to conduct transactions

It is estimated that the average cost of a security/privacy breach is approx. $194 per record and $5.5m to the entity.

Joe DePaul, Managing Director – CyberRisk ServicesSenior Vice, President Management & Professional LiabilityPhone: 212-994-7054Fax: 212-994-7021Email: [email protected]

Adam CottiniArea Vice President

Management & Professional LiabilityPhone: 212-994-7048

Fax: 212-994-7021Email: [email protected]

What cyber services are available for Educational Institutions?

The most vigilant network security and most comprehensive privacy policies are vulnerable to hackers, rogue employees, social engineering, and human error

Cyber Insurance for Higher Educational Institutions

Gallagher CyberRisk in coordination with Gallagher’s Higher Education Practice offers Information Risk Management Services and Products specifically designed for the unique cyber exposures of educational institutions.

Coverage is available for:

Network Security Liability – Provides liability coverage if an Insured’s Computer System fails to prevent a Security Breach or a Privacy Breach

Privacy Liability – Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care custody and control

Media Liability – Covers the Insured for Intellectual Property and Personal Injury perils resulting from an error or omission in content (coverage for Patent and Trade Secrets are generally not provided)

Regulatory Liability – Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws

Notification Expense – 1st Party expenses to comply with Privacy Law notification requirements

Credit Monitoring Expense – 1st Party expenses to comply with Privacy Law Credit Monitoring requirements

Crisis Management – 1st Party expenses to hire a Public Relations firm

Data Recovery – 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security

Business Interruption- 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security

Cyber Extortion – Payments made to a party threatening to attack an Insureds’ Computer System in order to avert a cyber attack

Professional Errors & Omission Liability –Miscellaneous E&O can be added to a policy when applicable

(The above descriptions are a summary of available coverages and do not replace actual policy language)

Arthur J. Gallagher Risk Management Services, Inc. ~ 250 Park Avenue ~ New York, New York 10177 212-994-7100

Arthur J. Gallagher Risk Management Services, Inc.

33


PROGRAMDESIGN

POLICYANALYSIS

LOSS QUANTIFICATION

LOSS MITIGATION

RISK IDENTIFICATIO

N

Website/Multimedia: Liability arising out of publishing, advertising, or broadcasting by your company on its own behalf or for others.

Data Privacy & Network Security: Liability

arising out of the collection and dissemination of private information and the operation of a computer network.

Professional Services: Liability arising out the performance or failure to perform professional services.

Contractual Vendors, Partners & Subcontractors: Liability arising out of services provided to your company or on behalf of your company by others.

Quadrants of Cyber/E&O Risk

34


35


36


Coverage


Travelers CyberRisk Insurance

• Comprehensive coverage solution• 10 Insuring Agreements provide 1st Party & 3rd Party protection

• Flexible and scalable• Choose the coverage and limits that suit your exposures

• Proven industry leader• Over 25 years writing technology related coverages and a leading writer

of specialty crime coverages

• Travelers financial strength

• World class claim service


Travelers CyberRisk – 3rd Party Coverage

• Network and Information Security Liability•Coverage for:

• Claims arising from the unauthorized access to data containing identity information,

• The failure to provide notification of data breach where required by law,• Transmission of a computer virus, and• Liability associated with the failure to provide authorized users with

access to the company’s website


Travelers CyberRisk – 3rd Party Coverage

Communications and Media Liability•Coverage for:

• Claims arising from copyright infringement, plagiarism, defamation, libel, and slander in electronic content, such as websites and email

• Regulatory Defense Expenses•Coverage for:

• Governmental claims made as a result of network and information security liability or communications and media liability

• Fines/Penalties from regulatory bodies or payment card industry• Available by endorsement


Travelers CyberRisk – 1st Party Coverage

• Crisis Management Event Expenses• Coverage for:

• Public relations services to mitigate negative publicity as a result of cyber liability

• Security Breach Remediation and Notification Expenses• Coverage for:

• Costs incurred to determine whose identity information was accessed,

• Notification to those individuals of the security breach,

• Credit monitoring for 365 days,

• Call center to handle inquiries, and

• Identity fraud expense reimbursement for those individuals affected by the breach



• Computer Program and Electronic Data Restoration Expenses• Coverage for:

• Expenses incurred to restore data lost from damage to computer systems due to computer virus or unauthorized access

• Computer Fraud• Coverage for:

• Loss of money, securities or other property due to unauthorized access to computer system

• Funds Transfer Fraud• Coverage for:

• Loss of money or securities due to fraudulent transfer instructions to a financial institution



E-Commerce Extortion•Coverage for:

• Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on computer system, or disclose electronic customer information

• Business Interruption and Additional Expense•Coverage for:

• Loss of income, and the extra expense incurred to restore operations, as result of a computer system disruption caused by a virus or other unauthorized computer attack


Travelers CyberRisk – Underwriting

• Adobe “fillable-saveable” format

• Create, save and e-mail in PDF format

• Allows for e-signatures• Accessible at

www.travelers.com/cyberrisk

http://www.travelers.com/cyberrisk


Travelers CyberRisk – Claims

A hacker successfully obtains sensitive personal information from the insured’s computer system. As a result, a number of customers bring a claim against the insured for allowing access to their personal information.

Damages and defense costs for covered lawsuits.

Network and Information Security Liability

Insuring Agreement

Claim Scenario

Coverage Response

Communications and Media Liability

Regulatory Defense Expenses

A lawsuit is brought against the insured by a competitor alleging that their online marketing content and product branding have been plagiarized and their trademarks infringed upon.

An insured with offices nationwide suffers a major data breach involving thousands of customers. As a result, Attorneys General in multiple states bring a regulatory action against the insured.

Damages and defense costs for covered lawsuits.

Costs for responding to regulatory claims stemming from the data breach.



A skilled cyber criminal hacks into the insured’s internal processing system. Names, addresses, and credit card information for over 50,000 of the insured’s customers are captured out of the system.

Costs for hiring a Breach Response firm to find and fix the breach, assist with notice requirements and expenses, provide credit monitoring and a call center for impacted individuals, and obtaining an ID Fraud policy for affected victims.

Security Breach Remediation and Notification Expense

Insuring Agreement

Claim Scenario

Coverage Response

Computer Program and Electronic Data Restoration Expenses

Computer Fraud

A computer virus totally destroys the insured’s operating system software and data.

Costs for repair and restoration of the insured’s computer programs and electronic data.

An organized crime ring gains unauthorized access to the insured’s accounts payable in their computer system, and alters the bank routing information on outgoing payments. The result - $1 million transferred to the crime ring’s account.

Direct loss of the insured’s money, securities or other property.



The insured receives an email that appeared to be from its bank but was not. The insured’s employee opened the email, which activated a computer virus called a Trojan horse that read key strokes from their computer. The perpetrator used this means to obtain banking and password information and initiate a fraudulent electronic wire transfer from the insured’s bank account.

The insured’s funds that were fraudulently transferred from its bank account.

Funds Transfer Fraud

Insuring Agreement

Claim Scenario

Coverage Response

E-Commerce Extortion

Business Interruption and Additional Expense

The insured receives a series of notes which threaten to hack into its customer database and disclose all of the contact information to the general public.

Money or securities paid to the extortioner.

A company’s server is infected by a severe virus, and as a result the insured’s sales website is not available to customers for an extended period.

The net profit that would have been earned (or net losses that would have been avoided) resulting from the computer system disruption.



The insured’s Chief Customer Service Officer has his laptop stolen. The laptop contains over 100,000 customer records, including social security numbers.

Costs for hiring a Public Relations firm to restore customer confidence or mitigate negative publicity generated from the incident.

Crisis Management Event Expenses

Insuring Agreement

Claim Scenario

Coverage Response


GALLAGHER ERISK HUBAs an Arthur J. Gallagher policyholder, you will receive complimentary access to

the eRisk Hub® portal, powered by NetDiligence®. eRisk Hub provides tools and resources to help you understand your exposures, establish a response plan

and minimize the effects of a breach on your organization.

49


Questions?

© 2012 ARTHUR J. GALLAGHER & CO. Agricultural Co-Ops: The Challenges of Protecting Data Today...

Documents

Transcript of © 2012 ARTHUR J. GALLAGHER & CO. Agricultural Co-Ops: The Challenges of Protecting Data Today...