Controlling Technology Risks - TRICO JIF · 2015-08-03  · • Residents’ Banking & Mortgage...

Controlling Technology Risks Paul A. Forlenza, MGA, RMC Deputy Executive Director, TRICO JIF Edward J. Cooney, MBA Fund Underwriter, TRICO JIF





Members Increasing Use of Technology

• Credit card payments
• Websites
• Electronic applications
• Banking transactions
• Payroll processing
• Internet-connected devices (IoT)

Hackers see government networks as low hanging fruit!



Beyond Outside Threats…

• Employees pose our greatest threat!
• A chain is only as strong as its weakest link:
  – Human error
  – Disgruntled employee
  – Careless employee
  – Uneducated employee



Members Hold a lot of Valuable Information

• Employee PII & PHI
• Residents’ Banking & Mortgage Info
• Residents’ PII – Birth, Marriage, & Death Certificates



Other Cyber Risks Facing Members

• Hacktivism
• Destructive Malware
• Business Interruption
• Public Relations



Technology Risk Assessments

• Pivot Point Security (2016-2017)
• Online Survey
• Member Visits – Gap Assessments
• Individual Member Reports
• Executive Summary highlighting the most frequently cited technology-based exposures



What Did We Learn?

• 31% have an Information Security Contingency Plan in place
• 29% have an Incident Management Plan that includes the restoration of IT services
• 4.8 average response to “How comprehensive is your Business Continuity / Disaster Recovery plan?” (1 = not very comprehensive / 10 = very comprehensive)
• 100% of Personally Identifiable Information & Protected Health Information is stored in-house
• 83% outsource payroll: 88% Casa Payroll Services, 9% ADP, 3% Paychex
• 27% outsource benefits / 76% outsource IT / 73% outsource web design / 61% outsource email
• 22% require vendors to demonstrate adequate security of their computer systems
• 52% allow vendors to access their network (does not include Edmunds)


What Did We Learn?

• 76% do not have a contract in place with vendors who have access to personally identifiable information which requires the other party to defend and indemnify you from legal liabilities
• 0% provide employees, contractors and vendors formal Information Security Awareness training
• 5% encrypt sensitive information when communicating it (account #, SS #, medical information, credit card information, etc.)
• 46% periodically test their security controls
• 22% process credit card transactions; of those, 55% filed their PCI SAQ (PCI Self-Assessment Questionnaire)
• 54% perform background checks as part of the hiring process
• 100% maintain good practice when storing sensitive information (file cabinets with locks)



Boiling it all Down: What do the Members Really Need?

• Security Awareness Training & Ongoing Notifications
• Security Risk Policies & Training
• Incident Management Plans
• Phishing Assessments
• External Vulnerability Testing
• Third Party Risk Management Policies & Training

Taking these steps will eliminate 80% of our claims!


Where Do We Get these Services?

• Cyber Insurers – XL?
• The MEL?
• Outside governmental sources?
• Each member on their own?
• The JIF?



Cyber Insurers

• Have not traditionally played a pro-active role
• Training materials are not widely publicized
• What materials do exist are geared towards the private sector!
• While they may offer needed services and coverage, their clients don’t understand how to access it



XL - CyberRiskConnect.com

• Cyber Library / News Center
  – Trending articles related to cyber exposure
• Breach Response Services / Response Partners
  – Identifies the panel firms XL Catlin has pre-approved to assist post-breach, and recommends firms for pre-breach training
• Risk Manager Tools
  – Sample documents to use in everyday operations: policies on mobile computing or social networking; network & information security self-test and scorecard; breach notification law map & data breach cost calculator
• Learning Center
  – Educational articles and guides, such as “Forensics: Planning a Successful Investigation” and “Social Engineering Red Flags”
• Privacy Training
  – Short training videos on privacy & network security, such as cybersecurity awareness, risk assessments & data security



CyberRiskConnect.com



The MEL?



Government Sources

WWW.CYBER.NJ.GOV




The Individual Members?

• Lack of consistency:
  – Training
  – Policies
• Financial resources?
• Technical expertise?



Where Do We Go From Here?

Technology Risk Management Services RFP

• Services Sought:
  – Security Awareness Training
  – Security Awareness Notifications
  – Security Risk Policies & Training
  – Incident Management Plans
  – Phishing Assessments
  – External Vulnerability Testing
  – Third Party Risk Management Policies & Training



Technology Risk Management Services RFP

• RFP issued as a Competitive Contract under the LPCL (Local Public Contracts Law) with ACM and BURLCO JIFs
• Issued April 30, 2018
• Responses due May 24, 2018
• Three (3) responses received:
  – The Incendio Group
  – Media Pro
  – Pivot Point Security

• Sub Committee reviewed & scored proposals on June 29, 2018



Technology Risk Management Services RFP

• Contract award recommendations:
  – Security Awareness Training – Media Pro: extensive library of online training; three year price lock, $7,439 annually
  – All other services – Pivot Point: Year One $30,305; Years 2 & 3 $12,037



Technology Risk Management Services

• Benefits:
  – Costs: short term, efficient and no impact on member budgets; long term, better cyber liability policy pricing
  – Consistency in & tracking of training
  – Consistency in policies & procedures
  – Consistency in technical services being provided
  – Compliance with the MEL Cyber Risk Management Program!



Don’t Forget! EPL/Cyber Risk Management Budget

• Funds can be used to offset cyber security related expenses

• Annual member allotment: • $1,000 to $3,000 - based upon member size

• Available balances included in the monthly agenda packet



Edward J. Cooney, MBA: Conner Strong & Buckelew

• Vice President/Account Executive, Commercial Lines – Major Accounts
• MEL Underwriting Manager
• Negotiates MEL Reinsurance Program: Property, Liability, Workers Compensation
• Markets and places MEL Insurance Programs: EPL/POL, Cyber, Aircraft - Drones



MEL Cyber Task Force

• Comprised of MEL Commissioners & Fund Professionals
• Meets quarterly
• Reviews recent cyber claims
• Evaluates need for additional cyber related services, coverage and limits
• Recommends additional training & policies as needed
• Reviews & recommends changes to Cyber Risk Management Program



Technology Risk Management

Cyber Attacks Against NJ Local Government Are Increasing



Cyber Claims Activity

Charts: cyber claims by event type; cyber claims by department.

• $71 per capita cost of a data breach for the Government Sector (2nd highest) – 2017 Ponemon Institute
• 53% of data breaches were caused by human error or system glitch – 2017 Ponemon Institute



Public Entity Cyber Trends

Charts: Frequency of Email Malware; Malicious Email Themes; Phishing Rate; Cost of Malware.



Cyber Claims Activity (cont’d)

MEL Claims Examples

• Social Engineering A town treasurer received an email looking to be from the town commissioner requesting a wire transfer be made to an address included in the email for a particular project in the town. Deception: 1) Looked like it was from the town commissioner as the email address was spoofed; and 2) Seemed to be for a sound purpose. $20,000 was sent to the fraudster.

• Ransomware An administrative employee of a municipality clicked on a “spoofed” link in a fake email, downloading the ransomware to the infected device and to every other device it could reach on the network. The municipality had daily backups, but the backups were kept on the same network and were reachable from the infected systems, so the lost data could not be restored from them. Breach counsel and forensics were engaged. Total loss in excess of $60,000.

• Malware Malware was downloaded via a spoofed email onto a city employee’s workstation. Because the workstation had access to a shared server, including a shared drive, multiple workstations were affected. Breach counsel and forensics were engaged, determining that the personal information of nearly 900 individuals was compromised, triggering New Jersey notification regulations. The individuals were notified, and a call center and a credit monitoring account were set up for the affected individuals. Total loss in excess of $125,000.

• Breach / Ransomware A network connected printer (“IoT” device) had an “open port” to the internet. An intruder gained access to the town’s network via the open port and downloaded Ransomware onto the network. Breach counsel and forensics were engaged. Total loss in excess of $40,000.
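The social engineering claim above turned on two things: a From address that looked like the commissioner’s, and a pretext plausible enough that nobody picked up the phone. The header checks below are an added example, not part of the TRICO/MEL deck or the claim file; they show what a mail gateway or a treasurer’s office can look at before paying. The domain township.example, the official names in KNOWN_OFFICIALS and the three sample messages are constructed for the example, and it is assumed that the member’s own receiving mail server writes SPF/DKIM/DMARC verdicts into the Authentication-Results header.

```python
"""Header-level triage for payment requests that may come from a spoofed sender.

Added example (not from the TRICO/MEL deck). Assumptions: the member's own mail
domain is township.example; its receiving mail server records SPF/DKIM/DMARC
results in Authentication-Results; the sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "township.example"                      # assumption: member's mail domain
KNOWN_OFFICIALS = {"town commissioner", "jane doe"}  # assumption: names a fraudster would borrow
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|ach|account number|invoice)\b", re.I)


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return the reasons to hold a message; an empty list means no anomaly found."""
    msg = message_from_string(raw, policy=policy.default)
    flags: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # Return-Path is the envelope sender the relay actually used; when it does not
    # match the displayed From domain, the From header is the part that was forged.
    if ret_addr and _domain(ret_addr) != from_dom:
        flags.append("return-path domain differs from From domain")
    # Replies quietly rerouted to an address the real official does not control.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("Reply-To points to a different domain")
    # Display-name spoof: a known official's name on a webmail or lookalike address.
    if from_name.strip().lower() in KNOWN_OFFICIALS and from_dom != ORG_DOMAIN:
        flags.append("display name of an official on an external address")
    # SPF/DKIM/DMARC verdicts recorded by the receiving server (assumption above).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech}={m.group(1).lower()}")

    # Only a payment request combined with a sender anomaly gets the hold; a clean
    # internal invoice note is not flagged just for mentioning money.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if flags and PAYMENT_WORDS.search(text):
        flags.append("payment request with sender anomalies: verify by phone before paying")
    return flags


# Constructed sample: From forged to the real domain, relayed from elsewhere.
SPOOFED_HEADER = """\
Return-Path: <bounce-4471@mail-relay.example.net>
Authentication-Results: mx.township.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=township.example
From: Town Commissioner <commissioner@township.example>
Reply-To: Town Commissioner <commissioner.township@freemail.example>
To: treasurer@township.example
Subject: Urgent - project payment
Content-Type: text/plain; charset="utf-8"

Please wire $20,000 today for the road project to the account number below.
I am in meetings all day, so email only.
"""

# Constructed sample: an official's name on a webmail address (display-name spoof).
SPOOFED_DISPLAY = """\
Return-Path: <town.commissioner.nj@freemail.example>
From: Town Commissioner <town.commissioner.nj@freemail.example>
To: treasurer@township.example
Subject: invoice
Content-Type: text/plain; charset="utf-8"

Can you process the attached invoice by wire this afternoon?
"""

# Constructed sample: genuine internal message with passing authentication.
LEGIT = """\
Return-Path: <commissioner@township.example>
Authentication-Results: mx.township.example; spf=pass; dkim=pass; dmarc=pass
From: Town Commissioner <commissioner@township.example>
To: treasurer@township.example
Subject: road project invoice
Content-Type: text/plain; charset="utf-8"

The road project invoice is approved; please pay per the usual vendor record.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed header", SPOOFED_HEADER),
                          ("spoofed display name", SPOOFED_DISPLAY),
                          ("legitimate", LEGIT)):
        print(label, "->", triage(sample) or ["no anomalies"])
```

None of these checks replaces the control the claim actually lacked, which is a call-back to the requester on a known number before any new or changed wire instruction is honoured; the header checks only decide which messages must go through that call-back.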



Cyber Claim Engagement Letters




Technology Risk Management

Time to rethink Technology Investments and controls?



MEL Cyber Risk Management Program



Technology Risk Management

Three areas that all local governments must address:

• Technology Management
• Technical Competency
• Cyber Hygiene



MEL Cyber Risk Management Plan

Incentive


MEL Cyber Risk Management Plan

1. Distributed December 18, 2017
2. Tier 1 & 2 standards
3. Tier 1 compliance: $5,000 reimbursement of deductible
4. Tier 2 compliance: $7,500 reimbursement of deductible



MEL Cyber Risk Management Plan

Tier 1 Compliance Standards:

1. Meet minimum backup standards
2. Install software security patches
3. Use defensive software
4. Annual cyber hygiene training for employees
5. Management adopts basic cyber incident response plan
6. Management adopts Information Technology Practices Policy



MEL Cyber Risk Management Plan

Tier 2 Compliance Standards:

1. Server (physical) security
2. Server access & privilege controls
3. Staff or contractor to respond to security incidents
4. Adopt internet & email use policy
5. Encryption of files with PII & HII
6. Password Management Policy
7. Leadership has access to technology decision making tools & professionals



MEL Cyber Risk Management Plan

How it works:

1. Members submit an initial compliance checklist
2. If a member has a claim, they can submit a reimbursement request for a portion of their deductible
3. Members will need to document compliance with the standard(s) to receive reimbursement



How Many Members Have Qualified?

Chart: Members Qualified for Deductible Reimbursement – 2 qualified, 103 not qualified.



MEL Cyber Risk Management Plan

Some final thoughts:

1. Get the assistance of an IT Professional!
2. The Plan contains detailed explanation of the standards, model policies, & checklists.
3. Standards will be updated from time to time to keep up with the evolving threats.
4. ACM, BURLCO, & TRICO JIFs provide their members with a “cyber budget” that can be used to offset compliance costs.



Questions?
