Network Security & Privacy Liability Assessing the Risk
Steve Yesko, ARM, Lowers & Associates
Jeff Kulikowski, AXIS Pro
Meredith Schnur, Wells Fargo Insurance Services
New Jersey Chapter
June 14, 2011 Chapter Meeting
Risk Mitigation Agenda
• Cyber Risk vs. Data Breach
• Types of Breach
• Evolution of the Exposure
• Top 10 Incidents of 2010
• Top 10 Unsolved Crimes
• Today's Risk Landscape
• Organizational Risk Trends
• 2011 Forecast
• IT Security Testing - 3 Prong Approach
• IT Risk Mitigation Measures - Be Prepared
• Information Resources
Cyber Risk vs. Data Breach
• Cyber Risk Coverage
– Addresses hazards such as unauthorized website access, on-line libel, data loss and repairs to databases after system failures.
• Data Breach or Privacy Coverage
– Covers the cost of notification and credit monitoring services for affected persons, PR expense to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements.
Types of Breach
• Theft or Loss
• Inappropriate Handling
• Inadvertent Exposure
• Misuse of Access (Insider Threat)
• Unauthorized Access (External Attack)
• System Compromise (Malware)
Evolution of the Exposure
• From a kid in the basement of parents' home to highly sophisticated organized crime networks
• From IT/computer related to Internet/web-based
• From theft of money to theft of information
• From outside / in to inside / out
• From legal action brought by consumers to legal action by regulators
• From expenses to secure network/servers to expenses for state notification laws
• From an IT issue to a Boardroom issue
• From a national to an international problem
The Biggest Information Security Incidents of 2010
#10. Affinity Health Plan: Breach involving 409K records occurred when a copier was returned w/o hard disk erasure; reported by AHP to comply w/ HHS mandates
#9. WellPoint/Anthem BlueCross: Company's insurance application website was compromised w/ a faulty authentication code upgrade, putting 470K applicant records at risk
#8. CitiGroup: Approximately 600K customers were sent annual tax documents w/ SSN printed on the outside of the envelope (mimicked mail routing number)
#7. Ohio State University: Server housing 760K unencrypted PII records of current/former students, faculty, staff, contractors exposed during hack; no evidence of data theft
#6. South Shore Hospital: Three boxes of tapes, containing 800K records with PII, PHI, financial info of the hospital community, were lost while being transported for destruction
#5. Lincoln National Financial Securities: Portfolio management system, housing data for 1.2M customers, compromised when an actual user name/password were printed in a brochure and on a public site
#4. AvMed Health Plans: 1.2M records of current and former subscribers and their dependents compromised when two unencrypted laptops were stolen from corporate HQ
#3. Gawker: 1.3M user email addresses and passwords stolen in hack; 250K cracked IDs/passwords posted on-line, the most common among them "123456"
#2. Education Credit Management Corp.: Safes stolen from ECM offices containing unencrypted portable media (later recovered by police) with 3.3M student loan recipient/applicant info
#1. Netflix: Data sets containing anonymized movie rating and preference information for over 100M subscribers were voluntarily released to contest participants
Source: Software, Information & Network Security News
Top 10 Unsolved Computer Crimes
#10. The WANK Worm (Oct. 89; first hacktivist attack)
#9. UK Ministry of Defense Satellite Hack (Feb. 99)
#8. CDUniverse Credit Card Breach (Jan. 00)
#7. USN Military Source Code Theft (Dec. 00)
#6. Anti-DRM Hack (Oct. 01; Windows Media)
#5. Dennis Kucinich on CBSNews.com (Oct. 03)
#4. Hacking your MBA App (Mar. 06)
#3. The 26,000 Site Hack Attack (Winter 08)
#2. Hannaford/Sweetbay Breach (Feb. 08)
#1. Comcast/Network Solutions Redirect (May 08)
Source: PC Magazine
Today's Risk Landscape
• Data breaches increased significantly in 2010
– ITRC's 2010 Breach Report cited 662 reported breaches
– An increase of 33% over 2009
– Paper Breaches: 20% (no mandatory reporting requirement)
– Insider Theft: 15.4% (doubled since 2007)
– Hacking: 17% (up 3%)
– Data on the Move, Accidental, Subcontractor: 34.3%
• Threat Volumes are on the Rise
– 2005 - 330,000 unique malware samples; 38 web threats per hour
– 2008 - 16,495,000 unique malware samples; 1,883 web threats per hour
• Threat Vectors are Internet-Based
– 92% now arrive via the Internet (Websites, Links, Email)
– 8% arrive via file transfer (removable media)
Today's Risk Landscape (cont'd)
• The Underground Economy is More Profitable
– $100 billion per year marketplace
– Malware: $50 - $3,500
– Email Addresses: $0.001 per Address
– An hour of usage on a Botnet of 8,000 to 10,000 computers: $200
• Email Threats Continue to Increase
– 115 billion spam messages per day
– Targeted Phishing Attacks (Spearphishing, Whaling)
• Web and Application Threats are Growing
– 450,000 SQL/XSS Injection Attempts per Day
– DNS Changers Re-Directing Users to Malware
• Mobile Threats Being Introduced
– With PC-like Vectors
• Botnets are Proliferating
– In 2008, 34.3 million PCs were infected with bot-associated malware
Phishing
• Phishing = Deceptive emails
• Spearphishing = Targeted phishing
• Pharming = DNS based phishing
• SMiShing = Targets cellular texting
• Bluesnarfing = Bluetooth connections
Charts: Country of Origin for Embedded Web Links; Country of Origin of Phishing Emails
• Phishing targets by Industry:
– Financial Institution: 50%
– Credit Card: 19%
– Auction: 11%
– Government: 7.5%
– On-line Payment: 5.7%
– On-line Shop: 4.9%
Source: IBM X-Force 2010 Trend Statistics
The Cyber Crime Black Market
Attack chain: Discover Vulnerability → Create Exploit → Create Propagation/Attack Vector → Attack Target → Retrieve Information → Monetize Information → Launder Money
Marketplace serving each stage of the chain:
• Vulnerability Marketplace: Discover Vulnerability, Create Exploit
• Toolkit Marketplace: Create Propagation/Attack Vector
• Botmasters (Collectors & Brokers): Attack Target, Retrieve Information
• Information/Identity/Intellectual Property Auctions and Financing/Money Laundering: Monetize Information, Launder Money
Organizational Risk Trends
• Advanced Persistent Threats (New!)
• Strong Rising Threats
– Unstable Third Party Providers
– Insecure Trading Partners
• Rising Threats
– Malicious/Disgruntled Insiders
– Careless/Overworked Employees
– Reduced Security Budgets
• Steady Threats
– Remote Workers
– Software Downloading
Why Risk Management?
• IT + Business + Financial Risk
• Part of broader governance, risk or compliance initiative
• IT => Information Security focus
• Regulatory Compliance
• Measuring threats and costs
Mitigating Cyber Risk
• Avoid it
• Ignore it (we are not a target)
• Accept it as part of doing business
• Manage it (controls/processes)
• Transfer it (insurance, escrow)
Risk Mitigation Measures
• IT/Information Security Risk Assessments
• Internal / External and Independent Testing:
– Vulnerability (Scan) Analysis (network, application, database)
– Penetration Testing (same, plus client-side)
– Controls Testing (SAS-70, ISO-2700n, CoBIT, PCI, BITS FISAP)
• Implement, Test, and Continuously Improve:
– Data Classification & Protection Measures
– Training & Awareness
– Logging & Monitoring
– Patch/Configuration Management
– Network, Server, and Endpoint DLP
– AV, IDS/IPS, Proxies & Filters, DSRA
• Develop WISP - BR Team, BR Plan, COOP Approach
• Compliance Audits
IT Security Testing: A Three-Pronged Approach
2011 Forecast
• Sophisticated, blended, APTs for the FIs
• More smaller, reported breaches elsewhere
• Social networking policy implementation rises
• Ransomware and ransom attacks will grow
• Data minimization and cloud solutions advance
• Mobile data is ripe for the picking
• Low-tech theft of data/devices increases
• Alternative O/S attacks will increase
• Microsoft still targeted; Web 2.0 is here to stay
2011 Forecast (cont'd)
• More prevalent/deceptive social engineering methods
• Privacy awareness / breach preparedness advances
• Third-party data collection faces greater scrutiny
• The underground economy will continue to flourish
• Identity theft and spam will increase worldwide
• Continuing exposure due to lost devices
• Data encryption seen as means to compliance ends
• Federal breach notification legislation comes in 2012?
• Collaboration + Openness = Vulnerability to breach
Information Resources
• PGP/Ponemon Study (www.ponemon.org)
• Verizon Data Breach Investigations Report (www.verizonbusiness.com)
• IBM X-Force Trend & Risk Report (www.ibm.com)
• Betterley Report (www.betterley.com)
• U.S. Dept. of Health & Human Services (www.hhs.gov)
• Privacy Rights Clearinghouse (www.privacyrights.org)
• ePlace (www.eplacesolutions.com)
• Sedona Conference Working Group on eDiscovery (www.thesedonaconference.org)
• BITS FISAP (www.bitsinfo.org)
• Identity Theft Resource Center (ITRC) Report (www.idtheftcenter.org)
• Internet Crime Complaint Center (IC3) Report (www.ic3.gov)
• Center for Strategic & International Studies (CSIS) (www.csis.org)
• Forrester Research (www.forrester.com)
Security/Privacy Coverage - An Underwriting Perspective
Jeff Kulikowski, AXIS Pro
Vice President, Regional Underwriting Manager
AXIS Capital Holdings Limited
Security/Privacy Coverage - An Underwriting Perspective
Agenda
Security/Privacy Coverage Components and Coverage Triggers
Known Breach Events
Underwriting Overview
Q&A
What Does The Coverage Provide?
Proactive coverage grants and carrier support services that assist an Insured at the outset of a data breach, including:
- Public Relations assistance
- Costs to issue notification letters to affected (actual or potential) individuals
- Credit Monitoring capabilities to affected individuals
If a breach escalates into claim for actual damages, then the policy provides reimbursement for defense costs and damages, subject to policy provisions
Coverage is also available for the Insured’s loss of income, or costs to recreate/repair/replace data lost in the case of a Security Event
Security/Privacy Coverage- Common Insuring Agreements
Base Form Coverage (access to full aggregate limit):
- Security and Privacy Liability
- Media Liability (online/offline)
- Computer System Extortion
Sublimited Coverage:
- Crisis Management Expense
- Regulatory Action Coverage
- Crisis Fund
- PCI-DSS Fines and Penalties Coverage
First Party Coverage:
- Business/Network Interruption
- Data Recovery/Information Asset Coverage
Understanding the Coverage - 1st Party v. 3rd Party
First Party Coverage: direct reimbursement to the Insured for costs they incur for the following
- Crisis Management Expenses
- Data Restoration/Information Asset
- Business/Network Interruption
- Regulatory Defense/Fines and Penalties
- Cyber Extortion
Third Party Coverage: defense costs and damages resulting from the following, which cause a 3rd Party financial loss
- Security Liability
- Privacy Liability
Security/Privacy Insurance - Coverage Triggers
Accidental release or unauthorized disclosure of Personally Identifiable Information, Corporate Confidential Information or other confidential data
Unauthorized Access to or Unauthorized Use of Protected Data on an Insured’s Computer System that directly results in theft, alteration, destruction, deletion, corruption or damage of Protected Data
Failure to prevent a party from accessing a computer or network system under the control of the Insured, when the party has the intent to deny or disrupt service, cause network functionality to fail, transmit malicious code via the Insured's networks, or deny/disrupt access to online services or computer system
Transmitting or receiving Malicious Code via the Insured’s Computer system
Commonly Used Policy Terms
Personally Identifiable Information (PII): SSN, Medical/Healthcare data, Driver's License #/State ID, Financial Information (Credit Card #, Debit Card #), other non-public information
Corporate Confidential Information: info subject to a confidentiality agreement/NDA
Malicious Code: computer virus, Trojan horse, or other code, script or software program designed to damage, harm or infect a computer
Privacy Regulations: HIPAA, Gramm-Leach-Bliley, etc
Data Breach: a loss of PII or Corporate Confidential Information, regardless of medium or method
Typical Policy Provisions
Common Carvebacks to Policy Exclusions and Definitions
- Rogue Employee Coverage: carveback to the fraudulent/intentional acts exclusion
- Misappropriation of Trade Secrets carveback
- Employee Retirement Income Security Act of 1974 carveback
- Employee carveback to the Insured vs. Insured exclusion
- Consumer Redress Fund to be included in the definition of Damages
Common Exclusions
- Infringement of Patent
- Employment Practices Liability
- Unsolicited faxes, email, or other communication
- Unlawful collection or acquisition of Protected Data
Known Breach Events
TJX Companies - 94,000,000 Affected Individuals
- States Attorneys General v. TJX Companies: total of $9.5M spend establishing Discretionary Funds, data security Funds, and reimbursement of Plaintiff Attorney Fees
- $40M settlement pending with VISA
- $13.5M Consumer Class Action Settlement in Massachusetts
Heartland Payment Systems - 130,000,000 Affected Individuals
- Numerous cases and settlements pending throughout the US with Consumers, Financial Institutions, Vendors, Payment Processors, etc.
- Notable costs to date include $60M settlement with VISA, $3.5M settlement with American Express
Known Breach Events- continued
CardSystems - 40,000,000 credit card numbers lost as a result of security breach/hacking incident
- Class Action suit filed in 2005, but case was eventually closed as CardSystems filed Chapter 11 on 5/12/2006
T-Mobile/Deutsche Telekom - 17,000,000 customers' data affected due to lost disk drive
BNY Mellon Shareowner Services - 12,500,000 affected individuals due to lost backup tape
American Honda Motor Company - 4,900,000 names, addresses, e-mail addresses, user names and VINs exposed from email list
Source: www.DataLossDB.com
How is Security/Privacy Coverage Underwritten?
Industry/Class of Business
Security Controls and Procedures
Privacy Policy/Internal Controls
Other Risk Controls
Litigation Review
Financial Analysis
Industry and Litigation Potential Analysis
High Risk Industries include:
- Healthcare
- Finance
- Retail
- Leisure/Entertainment
- Secondary and Higher Education
- Utilities
All other Industries still at risk, depending on the PII or Confidential Data held
Security/Privacy Risk Control Analysis
Information Security and Privacy Policy
Business Continuity/Disaster Recovery Plan
Security/Privacy Compliance with Industry Standards
Employee Restrictions for Data Access, and Data Classification Schemes
User Profile Management
Physical Security Controls
Encryption methodology
Data Storage Methodology
Use of 3rd party applications (Firewall/IPS/IDS)
Other Risk Controls
Vendor management
- Identification of outsourced activities
- Indemnification/Hold Harmless provisions
- Vendor Selection and Auditing Procedures
- Insurance Requirements
Regulatory Compliance
Recent Changes to Management or Auditors
Other Risk Management Controls
Litigation Review
Past Claims History
Public Search of Breach History
Claims within the Insured’s Industry
State Requirements for Privacy Breach Response
Review of Pending Industry Regulations
Financial Review
Revenue Levels and Projections
Income statement
Balance Sheet
Cash Flow Statement
Were any key accounting conventions changed?
Axis Capital Holdings Ltd.
Founded in November 2001 ($1.7b start-up capital)
Strong balance sheet - $5.6 Billion of Shareholders' Equity
$3.5 Billion in Premium for the FYE 2010
No legacy exposures
IPO July 2003 – NYSE: AXS
Rated A XV (AM Best); A+ Strong (S&P) (Upgrade February 2009)
Specialty Lines Insurance and Treaty Reinsurance
AXIS website: www.axiscapital.com
Wells Fargo Insurance Services
NJ RIMS Meeting – June 14, 2011
Network Security & Privacy Liability
Presented by:
Meredith Schnur
Professional Risk Group
Agenda
Regulatory Environment
What Should You Be Asking?
Vendor Management
Gaps in Traditional Insurance
Resources
eRisk Hub
Primary Markets
Marketing & Underwriting Process
Legal Issues & The Regulatory Environment
Legislation has now imposed affirmative duties on companies as to how they handle data, principally client/customer information:
Gramm-Leach-Bliley Act: Requires financial institutions to safeguard customers' records and information against unauthorized access. Imposes major privacy and security requirements on financial services companies.
Health Insurance Portability and Accountability Act (HIPAA): Healthcare organizations are required to safeguard individually identifiable health information. Imposes penalties on organizations that violate HIPAA (further amended by the HITECH Act).
California SB1386: A California law requiring companies to notify their CA customers and employees of computer security breaches. The law applies to any business that stores customer and employee information electronically, even if the company is not based in the Golden State.
Privacy Breach Notification Laws: Spread of California SB 1386; adopted by 46 states as of December 2010. Duty to notify customers where consumer/customer information has been compromised (electronic or non-electronic means; state legislation varies).
Massachusetts Privacy Law 201 CMR 17.00: This law is the first state law to require specific technology when protecting personal information. If you do business with residents in MA or have employees that reside in MA, compliance is mandatory by March 1, 2010.
Legal Issues and The Regulatory Environment
PCI Security Standards: The standards globally govern all merchants and organizations that store, process or transmit cardholder data. PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI fines not generally covered under insurance policies).
FACTA (Fair and Accurate Credit Transactions Act): Prohibits businesses from printing more than 5 digits of any customer's credit card number or card expiration date on any receipt issued at a point of sale. For machines in use before 1/1/05, the merchant has 3 years to comply. For machines in use after 1/1/05, the merchant has one year to comply.
Red Flag Rules: Established by FACTA; requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.
Federal HITECH Act: Health plans, health care providers and health care clearinghouses (i.e., covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures. Requires that any data breach event exceeding 500 records be reported to the Department of Health and Human Services.
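The FACTA receipt-truncation rule above is one of the few requirements on this slide that maps directly onto a control a developer or auditor can implement: mask the card number before it reaches the printer, and scan receipt output for violations. The Python below is an added example written for this page; it is not code from the presentation, the presenters, or any organization named here. The sample receipt lines, the `**/**` masked-expiry convention, the 5-digit threshold taken from the FACTA text, and all function names are constructed for illustration, and the card-number pattern is a heuristic for receipt text, not a validator. It goes slightly beyond the slide by also handling hyphen- or space-separated card numbers.

```python
import re

# Constructed sample receipt lines for illustration (not from the presentation).
SAMPLE_RECEIPT_LINES = [
    "CARD: 4111111111111111  EXP: 12/25",  # full PAN and expiry printed
    "CARD: ************1111  EXP: **/**",  # properly truncated
    "CARD: 411111******1111  EXP: **/**",  # first 6 + last 4 = 10 digits visible
    "TOTAL: 42.17",                         # no card data at all
]

MAX_VISIBLE_DIGITS = 5  # FACTA: no more than 5 digits of the card number on a receipt

# A card-number field: 13-19 digit-or-mask characters, optionally separated by
# single spaces or hyphens, not embedded in a longer run. Heuristic for receipt text.
PAN_RE = re.compile(r"(?<![\d*xX])[\d*xX](?:[ -]?[\d*xX]){12,18}(?![\d*xX])")
# An expiration date printed in clear (MM/YY or MM/YYYY).
EXPIRY_RE = re.compile(r"(?<![\d/])\d{2}/\d{2,4}(?![\d/])")


def visible_digits(field: str) -> int:
    """Count the digits still readable in a (possibly masked) card-number field."""
    return sum(ch.isdigit() for ch in field)


def mask_pan(pan: str, keep: int = 4) -> str:
    """Mask every digit of a card number except the last `keep`, preserving separators.

    `keep` defaults to the last four digits, the usual practice; anything above the
    FACTA limit of five is refused so the function cannot produce a non-compliant receipt.
    """
    if keep > MAX_VISIBLE_DIGITS:
        raise ValueError(f"keep={keep} exceeds the {MAX_VISIBLE_DIGITS}-digit limit")
    out, remaining = [], keep
    for ch in reversed(pan):          # walk from the right so the kept digits are the last ones
        if ch.isdigit() and remaining > 0:
            out.append(ch)
            remaining -= 1
        elif ch.isdigit():
            out.append("*")
        else:
            out.append(ch)            # keep '-', ' ' or existing '*' as-is
    return "".join(reversed(out))


def check_receipt_line(line: str) -> list:
    """Return a list of findings for one line of receipt output (empty list = compliant)."""
    findings = []
    for m in PAN_RE.finditer(line):
        n = visible_digits(m.group())
        if n > MAX_VISIBLE_DIGITS:
            findings.append(f"card number shows {n} digits (limit {MAX_VISIBLE_DIGITS})")
    if EXPIRY_RE.search(line):
        findings.append("expiration date printed in clear")
    return findings


def redact_receipt_line(line: str) -> str:
    """Rewrite a receipt line so that check_receipt_line() returns no findings."""
    line = PAN_RE.sub(
        lambda m: mask_pan(m.group()) if visible_digits(m.group()) > MAX_VISIBLE_DIGITS else m.group(),
        line,
    )
    # A customer receipt does not need the expiration date at all; blank it entirely.
    return EXPIRY_RE.sub("**/**", line)


def audit_receipt(lines) -> dict:
    """Map each non-compliant line to its findings; an empty dict means the receipt passes."""
    return {ln: f for ln in lines if (f := check_receipt_line(ln))}


if __name__ == "__main__":
    for ln, findings in audit_receipt(SAMPLE_RECEIPT_LINES).items():
        print(ln, "->", "; ".join(findings))
        print("   redacted:", redact_receipt_line(ln))
```

Running it flags the first and third sample lines (16 and 10 visible digits respectively, the first also printing the expiry) and leaves the already-truncated line and the total untouched. The checker is deliberately stricter than "last four only": it counts every readable digit, so a "first six plus last four" layout, which some systems emit for internal copies, is caught on a customer receipt.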
What Should You Be Asking?
Have we analyzed our cyber liabilities?
What legal rules apply to the information we maintain or that is kept by vendors, partners and other third parties? The laws surrounding breaches are complex.
Have we assessed our legal exposure to governmental investigations?
Have we assessed our exposure to suits by our customers, vendors or suppliers?
Have we protected our organization in contracts with vendors?
What laws apply in different states and countries in which we conduct business?
Do we have adequate staffing to reasonably maintain and safeguard our important assets and processes?
Have we prepared an incident response plan and business continuity plan?
Do we have a documented, proactive crisis communications plan?
It is critical to have a solid incident response plan in place prior to any security or privacy breach.
** Questions supplied by the publication "The Financial Impact of Cyber Risk", American National Standards Institute (ANSI) and Internet Security Alliance.
Vendor Management & Requirements
• IT/Software companies: request Tech E&O coverage that includes network security/privacy; some Tech E&O policies carry security/privacy exclusions.
• Other business services (payroll, auditors): request appropriate E&O coverage that includes network security/privacy.
• Credit card processors/acquiring banks: request network security/privacy coverage.
• Other vendors that interact with your systems or sensitive information, or handle information on your behalf: request network security/privacy coverage.
Gaps in Traditional Insurance: why is this not covered elsewhere?
• Commercial General Liability Insurance: Typically covers bodily injury and property damage to "tangible" property. Data and software are considered "intangible".
• Property Insurance: Typically responds to "direct physical loss" by a covered peril (i.e., fire, windstorm). Intangible property is not covered under Business Interruption and Extra Expense coverage.
• Fidelity/Crime Insurance: Typically covers the organization for losses resulting from the theft of money, securities and "other tangible property". Information theft is not covered under a standard fidelity bond; "other property" does not include proprietary information, confidential information, copyrights, trademarks, etc.
• Professional Errors & Omissions: Typically covers only financial loss arising out of professional services to others. Computer attacks do not fall within the provision of "professional services", and some E&O policies exclude loss caused by "unauthorized access".
• Technology Errors & Omissions: Covers only financial loss arising out of technology services performed for others. If, in providing technology services, your negligence leads to unauthorized access or transmission of a virus, coverage would apply. However, if an employee commits an intentional act, or an outside hacker unrelated to the services you provide causes a customer to suffer a financial loss, a typical Technology E&O policy would not respond. Most Technology E&O policies can be extended to cover network security and privacy exposures.
Resources
• www.privacyrights.org: data breach chronology recorded by year and by industry class
• www.ponemon.org: updated statistics on privacy breaches (see following page)
• www.hhs.gov: regulations and the list of breaches affecting 500 or more individuals, as mandated by HITECH
• www.eriskhub.com: information portal for WFIS clients
eRisk Hub
• Learning Center
• News Center
• Incident Road Map
• Free Breach Coach
• Resource Directory
• Risk Manager Tools
Primary Markets*

Market                                                                  A.M. Best rating / financial size category
ACE USA                                                                 "A+"  XV
Allied World/Darwin Group                                               "A"   XV
Arch                                                                    "A"   XV
Axis                                                                    "A"   XV
Beazley USA                                                             "A"   VIII
Chartis                                                                 "A"   XV
Chubb Group                                                             "A++" XV
CNA                                                                     "A"   XV
Digital Risk Managers (MGA writing on Lloyd's paper: Brit, Kiln, ACE)   "A"   XV
Hartford                                                                "A"   XV
Hiscox USA                                                              "A"   VIII
Ironshore                                                               "A-"  XIII
London Markets (Beazley, Hiscox, Brit, Kiln, ACE, Barbican, CFC)        "A"   XV
One Beacon                                                              "A"   XV
Philadelphia                                                            "A"   XV
RLI                                                                     "A+"  X
Zurich North America                                                    "A"   XV
XL                                                                      "A"   XV

* Many additional carriers will offer this coverage on an excess basis.
Marketing & Underwriting Process
Step 1: Evaluation of exposures: consultation to determine exposures (first party, third party and/or privacy)
Step 2: Required applications and/or assessment completed
Step 3: Marketing process: submit application to selected markets to solicit proposals
Step 4: Proposal analysis and discussions
Step 5: On-line security assessment and/or conference call with insurer
Step 6: Binding the coverage