Room #202B: Global Threats, Laws, and Antidotes. Cyber Risk Knows No Borders

InsideNGO Cyber Risk presentation, July 12, 2016 (slide show)


Table of Contents

#INGO16

1. Introduction
2. A Legal & Regulatory Framework
3. Cyber Risk Management
4. Exploring Cyber Insurance
5. Cyberterrorism & NGOs
6. Additional Resources

Why Worry About Risk?

• “Clinton Foundation Reportedly Targeted by Russian Hackers” (06/22/16)

• “Fraud Alert: Criminals Test Stolen Credit Card Numbers on Charity Websites” (09/17/15)

• “Heritage Foundation Donor Data Possibly Taken in Hack Attack” (09/03/15)

• “Planned Parenthood Claims Cyber Attack” (07/30/15)

• “Council on Foreign Relations Website Hit by Watering Hole Attack” (12/29/12)

• “2 Convio Clients Hit in Security Breach” (11/06/07)

• …And more


Online Giving: The New Frontier

• 1,018,464 donors
• 1,845,806 donations
• $212,215,508 donated
• 30,948 nonprofit organizations
• Heaviest in December
• Online = 9.2% of total giving
• Expanding mobile payment capabilities
• Crowdfunding projected at $6B for social causes in 2016, double 2014 giving

Source: Chronicle of Philanthropy, January 2016


Costs of Cyber Risk

• Reputational damage
• Diminished financial support
• Impaired stakeholder relations
• Greater scrutiny
• Direct breach response costs
• Fines and penalties
• Civil liability
• Higher insurance costs
  • Premiums
  • Deductibles/self-insured retentions


www.dlapiper.com

Today’s Global Cyber Landscape
A Legal & Regulatory Framework

Michael Schearer
[email protected]
Law Clerk
DLA Piper US LLP


Shifting landscapes

Yesterday (1995-2015)
• First generation data processing activities
• DP laws in just a few countries
• No real enforcement

Today (2015-2018)
• More complex and intensive data processing activities
• DP laws in many countries
• Stronger enforcement

Tomorrow (2018- …)
• Highly advanced data processing activities
• DP laws in most countries / second generation DP laws
• Heavy enforcement

Commensurate expansion in privacy laws

Chart: number of countries with privacy laws (y-axis, 0 to 120) by time period (1970-1979, 1980-1989, 1990-1999, 2000-2015), with two series: new countries with laws in each period, and the running total.

Current status


Enforcement & Sanctions

Civil liability
- claims for damages from data subjects
- class actions

Administrative liability
- administrative fines
- dawn raids
- data protection authorities

Criminal liability
- directors’ liability
- fines
- imprisonment
- prohibition to further process personal data

Reputational damage
- press coverage
- customer confidence
- supplier confidence

Significant reputational risk


Advantages of privacy compliant strategy

Consumer trust

Competitive advantage

Market differentiator


For more information…

Michael Schearer
[email protected]
Law Clerk
DLA Piper US LLP

Cyber Risk Knows No Borders
Global Threats, Laws & Antidotes

Scott R. Konrad Senior Vice President & Not-for-Profit Business Practice Leader

John FarleyVice President & Cyber Risk Management Services Practice Leader

July 12, 2016

CYBER RISK MANAGEMENT

http://www.hubinternational.com/crisis-management/cyber-risk

HOW DO INCIDENTS OCCUR?

Incident sources, arranged by origin (internal or external) and intent (accidental or intentional):
• Internal, accidental: lost devices and inadvertent publication of data
• Internal, intentional: disgruntled employees
• External, accidental: vendors and subcontractors
• External, intentional: hackers and unsecured websites

Source: Navigant

TOP THREATS

Ransomware
• FBI reports 2,453 ransomware incidents in 2015
• Victims paying over $25M
• First 3 months of 2016 @ $209M*

Phishing Emails/Business Email Compromise
• 23% of recipients open phishing emails; 11% click on attachments**
• 8,200 victims | $1.2B in actual or attempted losses***

*Source: Wall Street Journal
**Source: Verizon 2016 Data Breach Investigations Report
***Source: https://threatpost.com/fbi-social-engineering-hacks-lead-to-millions-lost-to-wire-fraud/114453

ANATOMY OF A BREACH RESPONSE

Internal Client Issues
- Internal reporting
- Broker involvement
- Insurance and deductibles

Experts
- Breach coach
- Forensics
- Credit monitoring
- Notification firms / call centers
- Public relations

Investigation (internal/forensic/criminal)
- How did it happen?
- When did it happen?
- Is it still happening?
- Who did it happen to?
- What was accessed/acquired (and what wasn’t)?
- Was the data encrypted/protected?

Notice Obligations
- State
- Federal
- Other (e.g., PCI)

Notice Methods
- Written
- Electronic
- Substitute
- Media

Deadlines
- Can range from 15 days to “without unreasonable delay”

Inquiries
- State regulators (e.g., AG)
- Federal regulators (e.g., OCR)
- Federal agencies (e.g., SEC, FTC)
- Consumer reporting agencies
- Plaintiffs

STATE NOTIFICATION TRENDS

• Email & passwords = PII
• Less time to notify
• Credit monitoring required
• Notice to attorney general in addition to individuals
• Written information security plan & encryption required
• July 7, 2015: 47 state AGs write to Congress, urging the U.S. to preserve state authority over data breaches

CAUSES OF ACTION

Plaintiff Demands
- Fraud reimbursement
- Credit card replacement
- Credit monitoring/repair/insurance
- Civil fines/penalties
- Statutory damages
- Time
- Unjust enrichment
- Fear of ID theft
- Actual ID theft
- Mitigation costs
- Time spent monitoring

REACTIVE

BREACH PREVENTION & INCIDENT RESPONSE PLANNING


DATA GOVERNANCE & DATA RISKS

Data creates legal duties:
- What data do you collect, and why?
- Where is it?
- How well is it protected?
- Who can access it?
- When do you purge it?
- How do you purge it?

DATA MAPPING

Categorize & prioritize your data:
- Confidential: severe impact to the organization
- Internal Use Only: significant impact to the organization
- Restricted: limited impact
- Public Information: minimal to no impact

BEST PRACTICE DEFENSES

• Technology: Intrusion Detection System (IDS), Security Information and Event Management (SIEM) tools with real-time alerts
• People: Background checks and training at every level
• Processes: Multi-factor authentication, physical security & paper files
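The deck names business email compromise as a top threat and SIEM real-time alerts as a defense, but does not show what such an alert looks like. The following is an added example, not code from the presentation or from HUB or DLA Piper: a small Python rule set that reads constructed mail-gateway log lines and flags the three sender anomalies that typically precede a fraudulent wire request (an executive’s display name on a message from an external domain, a lookalike of the organization’s own domain, and an internal sender whose Reply-To points outside the organization). The log format, the domain example-ngo.org, the executive names, the payment keywords and the similarity threshold are all assumptions made for this example.

```python
"""BEC alert rule over mail-gateway log lines (added example, not from the deck)."""
import re
from difflib import SequenceMatcher

# Constructed assumptions for this example:
INTERNAL_DOMAIN = "example-ngo.org"          # the NGO's own mail domain
EXECUTIVES = {"jane doe", "alex lee"}         # names attackers impersonate for wire requests
PAYMENT_WORDS = ("wire transfer", "bank details", "invoice", "payment")
LOOKALIKE_THRESHOLD = 0.8                     # similarity ratio that counts as a lookalike domain

# Constructed log format: one message per line, fields emitted by a hypothetical gateway.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) msgid=(?P<msgid>\S+) from="(?P<name>[^"]*)" <(?P<addr>[^>]+)>'
    r' to=(?P<to>\S+) reply_to=(?P<reply_to>\S*) subject="(?P<subject>[^"]*)"$'
)

# Constructed sample log: m1 and m5 are benign, m2..m4 each carry one BEC indicator.
SAMPLE_LOG = """\
2016-07-12T09:14:03Z msgid=m1 from="Jane Doe" <jane.doe@example-ngo.org> to=finance@example-ngo.org reply_to= subject="Q3 budget"
2016-07-12T09:15:47Z msgid=m2 from="Jane Doe" <jane.doe.ceo@gmail.com> to=finance@example-ngo.org reply_to= subject="Urgent wire transfer today"
2016-07-12T09:16:10Z msgid=m3 from="Accounts Payable" <ap@examp1e-ngo.org> to=finance@example-ngo.org reply_to= subject="Updated bank details"
2016-07-12T09:17:22Z msgid=m4 from="Jane Doe" <jane.doe@example-ngo.org> to=finance@example-ngo.org reply_to=jane.doe@outlook.com subject="Re: invoice"
2016-07-12T09:18:00Z msgid=m5 from="Vendor Support" <support@vendor.example> to=ops@example-ngo.org reply_to= subject="Ticket closed"
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str) -> bool:
    """True for an external domain that closely resembles our own (e.g. 'examp1e-ngo.org')."""
    if domain == INTERNAL_DOMAIN:
        return False
    return SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() >= LOOKALIKE_THRESHOLD


def evaluate(record: dict) -> list:
    """Apply the BEC indicators to one parsed log record; return the reasons that fired."""
    reasons = []
    from_domain = domain_of(record["addr"])
    external = from_domain != INTERNAL_DOMAIN
    # 1. An executive's display name on a message that did not come from our domain.
    if external and record["name"].strip().lower() in EXECUTIVES:
        reasons.append("executive-display-name-from-external-domain")
    # 2. Sender domain is a near-miss of our own domain (typosquat / homoglyph).
    if is_lookalike(from_domain):
        reasons.append("lookalike-sender-domain")
    # 3. Internal sender, but replies are steered to a mailbox outside the organization.
    reply_to = record["reply_to"]
    if not external and reply_to and domain_of(reply_to) != INTERNAL_DOMAIN:
        reasons.append("reply-to-outside-organization")
    # 4. Payment language only adds a triage tag; on its own it is not an alert.
    if reasons and any(w in record["subject"].lower() for w in PAYMENT_WORDS):
        reasons.append("payment-keyword-in-subject")
    return reasons


def scan(log_text: str) -> list:
    """Parse each line and return (msgid, reasons) for every message that triggers an alert."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here; a real pipeline would count these
        reasons = evaluate(m.groupdict())
        if reasons:
            alerts.append((m.group("msgid"), reasons))
    return alerts


if __name__ == "__main__":
    for msgid, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {msgid}: {', '.join(reasons)}")
```

Run it directly to print the alerts for the embedded sample. In practice the rule runs in the SIEM against the mail gateway’s message log and the payment-keyword tag is what an analyst uses to triage first. The lookalike check is deliberately loose (a similarity ratio rather than a fixed list of registered typosquats), so tune the threshold against the organization’s real partner and vendor domains to keep false positives down.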

VENDOR MANAGEMENT

• Create a formal vendor management program focused on:
  • Regulatory compliance
  • Mitigation of legal / business / reputational risk
• Require periodic cyber security audits
• Require employee background checks
• Address roles & responsibilities in breach response
• Insurance and indemnification language
• Have a contingency plan to use alternate vendors

INCIDENTS TO PLAN FOR

• Attacks: ransomware, DDoS, social engineering
• Investigation: documentation & evidence preservation
• Communication: funders, constituents, regulators & media
• Actions to avoid: the rush to go public

INCIDENT RESPONSE TEAM (IRT)

Roles and Responsibilities
- Identify
- Escalate
- Training/guidance
- Manage/conduct investigation
- Preserve documents/materials
- Assist law enforcement
- Submit progress reports
- Recommendations to avoid future incidents
- Issue final report

Interdisciplinary Approach
- Information Technology
- Information Security
- Compliance/Risk Management
- Human Resources
- Operations
- Legal
- Public Relations
- Finance
- Privacy
- Development

5 STAGES OF A DATA BREACH

The data breach response management process includes guidance throughout the 5-step data breach lifecycle.

UNDERWRITING CONSIDERATIONS

Key underwriting factors:
- Third-party network assessment
- Annual revenue
- Organizational structure
- Amount and scope of PII/PHI
- Incident and/or claims history
- Privacy policies
- Business continuity plan
- Third-party sample contracts
- Employee training
- Review of contractual risk management
- Physical security

SUMMARY: CYBER RISK MANAGEMENT

• Cybersecurity governance and risk management
• Board level engagement
• Cybersecurity risk assessments
• Technical controls
• Incident response planning
• Staff training
• Cyber intelligence and information sharing
• Third-party vendor management
• Cyber insurance

EXPLORING CYBER INSURANCE

MODULAR PRODUCT DESIGN

Protection Available Against a Variety of Threats


MARKET OVERVIEW

• US cyber market = $2B+ gross written premiums
• Steadily increasing demand
• Over 60 insurers in mid-market
• Intense competition
• Continual product evolution
• Competitive terms, conditions, rates
• A great time for buyers

TOPICAL ISSUES

• Movement toward cloud computing: aggregation concerns
  • What happens if the cloud provider is breached?
  • How many customers/users could be affected?
• Consumer protection litigation over business practices and privacy issues
  • Allegations of wrongful data collection, data sharing, eavesdropping, and opt-in/opt-out preferences

2016 FORECAST

• Market capacity will remain stable

• Competitive mid-market pricing – flat rates

• Increased product differentiation through pre-breach services


BUYING CONSIDERATIONS

• No two products are built alike
• Coverage trigger: occurrence vs. claims-made
• ‘Nose’ (retroactive) coverage for unknown events predating policy inception
• Beware of exclusions, e.g., unencrypted devices/data
• Protection against acts of third parties
• Adequacy of policy limits
• Availability of risk management services
• Tailor to your specific needs/circumstances

FOR MORE INFORMATION

HUB International Northeast Limited
5 Bryant Park | 1065 Avenue of the Americas
New York, NY 10018

John Farley
Vice President, Cyber Risk Services
+1 (212) 338-2150 Direct | +1 (917) 520-3257
[email protected]

Scott R. Konrad
Senior Vice President & Not-for-Profit Practice Leader
+1 (212) 338-2295 Direct | +1 (347) 491-9671
[email protected]

Cyberterrorism and NGOs


Who we are


What is cyberterrorism?

How is the FBI’s Cyberterrorism Unit different than other Cyber Units?

How does the FBI respond to cyberterrorism?


Our interest in NGOs

What we know

What we don’t know

Why we are interested in NGOs


How we can work together

Recent example

How we can help you

How you can help us


How to reach us

Supervisory Special Agent Tim [email protected]

Program Manager Lisa Pappa
[email protected]


Additional Resources

• DLA Piper Global Data Protection Handbookhttp://dlapiperdataprotection.com

• eRiskHub®https://eriskhub.com – contact Scott Konrad for access credentials

• HUB Data Breach Cost Calculatorhttps://www.hubinternational.com/business-insurance/cyber-risk-solutions/tools/data-breach-cost-calculator/

• “Why Nonprofits Can’t Afford to Ignore Cyber Risk” (LinkedIn Pulse)https://www.linkedin.com/pulse/why-nonprofits-cant-afford-ignore-cyber-risk-scott-konrad?trk=pulse_spock-articles


Don’t forget to fill out a session evaluation, which can be found in the conference app or in the back of your program.

Thank You.

Michael Schearer | [email protected]
John Farley | [email protected]

Scott R. Konrad | [email protected]
Lisa Pappa | [email protected]