CYBERSECURITY INSURANCE SEMINAR Can You Afford NOT To Have Cybersecurity? March 4, 2015

Upload: lawley-insurance

Post on 19-Jul-2015


Page 1: Cybersecurity Seminar March 2015

CYBERSECURITY INSURANCE SEMINAR

Can You Afford NOT To Have Cybersecurity?

March 4, 2015

Page 2: Cybersecurity Seminar March 2015

TODAY’S PRESENTERS

Reggie Dejean

Specialty Lines Manager

Lawley & Lawley Andolina Verdi

Mary Beth DiBacco

Specialty Insurance Manager

Chubb Insurance

Carl Cadregari

Executive Vice President and Practice Lead

Bonadio IT/IS Risk Management

Page 3: Cybersecurity Seminar March 2015

DIGITAL HACKING

FORENSICS

Page 4: Cybersecurity Seminar March 2015

HEADLINES

Page 5: Cybersecurity Seminar March 2015

HEADLINES EXPLAINED

Identities left exposed in Indiana salvage yards - items included medical records, bank statements, insurance cards, employee identification cards, car registrations, a signature, a child’s name, dates of birth, and an application for welfare assistance.

Stolen Pioneer Bank laptop contained some customers’ data - Pioneer Bank over the weekend alerted some of its customers that an employee’s laptop stolen Jan. 26 contained “secured personal information of certain customers, including names, social security numbers, street addresses, and account and debit card numbers.”

Harel Chiropractic Clinic notifies 3,000 patients of breach

Page 6: Cybersecurity Seminar March 2015

HEADLINES EXPLAINED CONT.

St. Peter’s Health Partners is warning of a possible data breach in its email system, following the theft of a manager’s cellphone.

California Pacific Medical Center discovers employee was improperly accessing patient records for one year

Natural Grocers Investigating Card Breach - traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country

Page 7: Cybersecurity Seminar March 2015

HEADLINES EXPLAINED CONT.

Data Breach Results in $4.8 Million HIPAA Settlements from New York and Presbyterian Hospital

A 214-bed medical center laptop was stolen with data in an Excel spreadsheet - the medical center says the data is safe since the thief would have to know how to unhide columns in an Excel spreadsheet to read them

Page 8: Cybersecurity Seminar March 2015

THREATS TO DATA

Internal Threats

External Threats

Have You Heard About Target?

Not just credit card information but also personal identifiable information (PII) is at risk

According to recent surveys:

Street Cost – Social Security Number ......... $1.00

Street Cost – Financial Record ............... $0.50

Lost Medical Record .......................... $316.00

Page 9: Cybersecurity Seminar March 2015

CSIRP: Computer Security Incident Response Plan

• What to do when you “think or know” you have had a disclosure

• The who, what, where and when to follow

• Step by step process

• May be required by some laws and regulations

Page 10: Cybersecurity Seminar March 2015

CSIRP

You Need a Breach Notification Policy

1. NY State, HIPAA, PCI, GLBA require a documented policy that includes all factors of breach notification including:

• When to alert persons whose data has been breached

• What you have to pay for

• When to send lost data information to the Attorney General and regulatory bodies

• When you are to place conspicuous notice on your website

• When you are to alert local media and television

Page 11: Cybersecurity Seminar March 2015

CSIRP

You need a plan to follow that includes:

1. What constitutes a breach

2. Who is on the team

3. Who is allowed to talk to any external entity

4. When to involve external crisis management

5. When to trigger your liability policy

Page 12: Cybersecurity Seminar March 2015

CSIRP

1. How to assess the risks (likelihood and severity)

2. Does the breach fall into pre-defined categories (and what are they)

3. What to do to investigate the breach

4. What to do to minimize the breach

5. What to do to report on the breach

6. What to do to never repeat the breach

7. How to close the incident

Page 13: Cybersecurity Seminar March 2015

AFTER THE INFORMATION HAS BEEN GATHERED

Page 14: Cybersecurity Seminar March 2015

WHAT IS THE IMMEDIATE EXPENSE?

• Notification

  • Creating letter or other notification

  • Printing or design

  • Mailing or other transmission

• Public Relations

  • Call Center operations

  • Credit Monitoring or Identity Theft Remediation

  • Advertising & Press Releases

• Forensics

  • Legal Expenses for outside Attorney

  • Cost of Forensic Examination

  • Cost to Remediate Discovered Vulnerabilities

Page 15: Cybersecurity Seminar March 2015

KEY COSTS TO A DATA BREACH

Cost Per Record $201 (2014)

DIRECT COSTS

• Discovery

• Data Forensics

VICTIM COSTS

• Notification

• Call Center

• Identity Monitoring

• Identity Remediation

INDIRECT COSTS ($134)

• Lawsuits

• Regulatory Fines

• Additional Security & Audit Requirements

• Reputational Damage/Lost Business

Source: Ponemon Institute, LLC and Symantec Corporation. 2014 Annual Study: U.S. Cost of a Data Breach. March 2014

Page 16: Cybersecurity Seminar March 2015

DATA IS VULNERABLE

Data can escape your organization in many different ways

[Chart: share of breaches by cause (4%, 6%, 12%, 12%, 18%, 23%, 25%), across the categories Stationary Device, Unknown, Physical, Malicious Insider, Negligence, Hacking, Portable Devices]

Source: Privacy Rights Clearinghouse, Chronology of Data Breaches 2008-2013. www.privacyrights.org

Page 17: Cybersecurity Seminar March 2015

COMPUTER SECURITY vs. INFORMATION SECURITY

COMPUTER SECURITY: This means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events.

INFORMATION SECURITY: This is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.).

Page 18: Cybersecurity Seminar March 2015

INCIDENT RESPONSE PLAN

1. If a company does not have one, they are playing with fire

2. Essential for a company to have in place in order to effectively respond to a security breach

3. IRPs should be tested at least on an annual basis using various breach scenarios

4. IRPs typically include:

  A. IRP Team (ideally Sr. Mgmt. in Info Tech, Customer Service, Legal, Privacy & PR)

  B. Clear guidelines categorizing a risk/threat level

  C. Documentation Instructions

  D. Guidelines for getting third parties involved

  E. Notification Process

-- One of the most important practices --

Page 19: Cybersecurity Seminar March 2015

INFORMATION SECURITY POLICY

Sets the security foundation

First measure that must be taken to reduce the risk of unacceptable use of the company’s information resources

Companies define which assets are critical and ways to protect them

Development and implementation of a security policy turns employees into active participants towards securing company information (helps prevent human factor)

Should be tested and reviewed on an annual basis

Page 20: Cybersecurity Seminar March 2015

VIRUS PREVENTION, INTRUSION DETECTION & PENETRATION TESTING

Key factors to help a company protect their systems

Protection starts with firewalls as they protect resources on a private network

Anti-virus software can be used to prevent, detect & remove viruses

Intrusion detection software monitors the network for malicious activity or policy violations & reports back (should be reviewed monthly at a minimum)

Penetration tests look for vulnerable access points (preferred, but many small companies don’t run them)

Page 21: Cybersecurity Seminar March 2015

MOBILE DEVICE SECURITY

iPhones, BlackBerrys & laptops bring on challenges to protecting data

A mobile device security policy should prohibit the storage of confidential data on mobile devices

If data is stored on a mobile device, the security policy should mandate the use of data encryption (128 bit recommended)

Want to see power-up passwords, kill switches, and alerts in the internal system when PII is sent

Page 22: Cybersecurity Seminar March 2015

CYBERSECURITY

WHAT WE CAN PROVIDE IN PROTECTION & PREVENTION

Page 23: Cybersecurity Seminar March 2015

THE PATH TO UNDERSTANDING

Exposure & Causes of Loss: “You hold private information”

Legal Issues: “You are obligated to protect it”

Costs of a Data Breach: “Breaches are costly and complicated”

BBR Key Features: “Coverage is available”

Page 24: Cybersecurity Seminar March 2015

INFORMATION AT RISK

Consumer Information

• Credit cards, debit cards, payment info

• Social Security Numbers, ITINs, taxpayer records

• Protected Healthcare Information (PHI), e.g. medical records, test results

• Personally Identifiable Information (PII), e.g. Drivers License / Passport details

• Non-PII, like email addresses, phone lists, address

Employee Information

• Employers have at least some of the above information on all of their employees

Business Partners

• Sub-contractors and Independent Contractors

• Information received from commercial clients as a part of commercial transactions or services

• B2B exposures like projections, forecasts, M&A activity, trade secrets

PII: Personal Identifiable Information

PHI: Personal Health Information

Many people think that without credit cards or PHI, they don’t have a data breach risk. But can you think of any business without any of the above kinds of information?

Page 25: Cybersecurity Seminar March 2015

WHAT IS A DATA BREACH?

Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:

May cause the person inconvenience or harm (financial/reputational)

- Personally Identifiable Information (PII)

- Protected Healthcare Information (PHI)

May cause your company inconvenience or harm (financial/reputational)

- Customer Data, Applicant Data

- Current/Former Employee Data, Applicant Data

- Corporate Information/Intellectual Property

Paper or Electronic

Potential Security Threats

- Compromises to the integrity, security or confidentiality of information

- Circumstances where a data breach may have happened or could happen in the future. (e.g. lost flash drive with PII)

Page 26: Cybersecurity Seminar March 2015

KEY CAUSES OF LOSS

• Lost/Stolen Portable Computers or Media

• Employee Misuse

• Negligent Release

• Improper Disposal of Paper Records

• Lost/Stolen Backup Tapes

• Computer Hacking

• Vendor Negligence

• Improper Disposal of Computer Equipment

Hackers make the headlines, but almost half of data breach incidents result from “insider negligence”. (Ponemon Institute)

Page 27: Cybersecurity Seminar March 2015

815 MILLION RECORDS LEAKED since Privacy Rights Clearinghouse began tracking US data breaches in 2005

Page 28: Cybersecurity Seminar March 2015

CAUSES OF LOSS

Malicious or Criminal Attack: 36%

• Hacking

• Virus, Malware

• Phishing

• Spear Phishing

• Network Intrusion

System Glitch: 29%

Human Factor: 35%

• Lost laptops

• Improper disposal of backup tapes

• Accidental release

• Broken business practices

• Un-shredded documents

• Negligent release

64% of breaches are accidental

Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2013

Page 29: Cybersecurity Seminar March 2015

TYPICAL COSTS

• Response costs – sending out notices, call center services, and the offer of credit monitoring:

  o Up to $30 per record

• Forensics, to determine the size and scope of the breach:

  o $25,000 to more than $500,000

• Legal Costs:

  o Very costly: $200,000 up to the millions

• A retailer with just 10 sales a day would pay $781,000 for a year’s worth of breached records.

• An MRI facility conducting 15 scans a day would face expenses exceeding $1 million for every year of patient records compromised.

Page 30: Cybersecurity Seminar March 2015

IT TAKES 20 YEARS TO BUILD A REPUTATION, AND FIVE MINUTES TO DESTROY IT.

-- Warren Buffett

Page 31: Cybersecurity Seminar March 2015

Q&A

Reggie Dejean

Specialty Lines Manager

Lawley & Lawley Andolina Verdi

Mary Beth DiBacco

Specialty Insurance Manager

Chubb Insurance

Carl Cadregari

Executive Vice President and Practice Lead

Bonadio IT/IS Risk Management

Page 32: Cybersecurity Seminar March 2015

THANK YOU

Lawley Insurance