Northern Insuring Agency 1

Northern Insuring Agency 1. 2 Important Notice ●This presentation is not a representation that coverage does or does not exist for any particular claim


Northern Insuring Agency


Important Notice

● This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy.

● This presentation is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations.

● This presentation is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.


Cyber Topics

• Cyber Exposures

• Current Trends / Statistics

• Types of Cyber Criminals

• Government / Regulatory Issues

• Risk Management / Loss Control

• What’s covered?

• Claims Examples


What is Cyber Liability?

● Computer Crime

● Identity Fraud

● Cyber Infrastructure Attacks

● Technology Errors and Omissions

● Data Privacy Liability


Trends / Contributors to Cyber Exposure


● Increasing frequency and severity of data related incidents

● Hacking activity shift from ‘thrill seekers’ to organized criminals

● Increasing interconnectivity (WiFi networks, mobile devices, shared databases, other) 13,311,666,640,184,600

● Increasing amount of digital data: International Data Corporation (IDC) anticipates exponential growth in the digital universe

● Rising opportunity >> criminal activity >> increasing government regulation and public awareness


High Risk Industries

• Big Retail

• Healthcare

• Financial Institutions

• Educational Institutions


School Specific Cyber Exposures

• Student Identity Information

• Social Networking

• Educators Legal Liability

• Online Access

• Transactional Website

• Invasion of Privacy

• FERPA


School Data Breach

Unauthorized access, use, acquisition or disclosure of Data

• PII – Personally Identifiable Information
  – Student or Staff Names, plus:
  – Social security numbers, birth dates, financial account numbers and associated passwords, driver’s license numbers, other personal and private information

• PHI – Protected Health Information
  – Staff Health Plan info. or Personnel Files
  – Student Health Records (ex. 504 IEP’s, special needs students, Guidance Counselor Files)


Breach Costs


● Average cost of a data breach: Between $3.7 million (NetDiligence) and $5.5 million (Ponemon Institute)

● Price per record varies with the size of the breach. Ponemon ($194 per record)


Causes of a Breach


Source: NetDiligence October 2012 “Cyber Liability & Data Breach Insurance Claims”


Top Five Types of Security Risks

● Network Security
  – Virus, SQL Injection, Malware, Trojan Horses, etc.

● Physical Loss or Theft
  – Lost or stolen laptop; physical file security

● Cyber Extortion
  – Gaining access to sensitive data and threatening to release it

● Employee Mistakes
  – IT professionals can’t prevent these types of losses

● Denial of Service Attack
  – Targeted attack to slow or stop a network


Cyber Trends

● Social Media
  – “Spear Phishing”
  – Social engineering

● Mobile Devices
  – New payment methods

● Cloud Computing
  – Vendor indemnity

● Payment Card Industry (PCI)


Privacy Legislation


● Today: 47 States, DC and Puerto Rico have enacted legislation requiring notification of data breaches involving personal information.

● Federal legislation has also been introduced modeled after state laws – see President Obama’s proposed Consumer Privacy Bill of Rights.

● Numerous consumer protection laws may also come into play, including FACTA, Gramm Leach Bliley, Sarbanes-Oxley, HIPAA and HITECH.


NY State Network Breach Notification Law

● Compromised Individuals

● NY Office of Cyber Security

● Attorney General

● Office of Homeland Security


PCI - DSS

• PCI = Payment Card Industry

• Card brand-specific contractual data security standards. This is known as the “PCI-DSS”


Additional Costs of a Data Breach Incident

• Costs for legal compliance – notification

• Breach Coach Attorney

• IT Forensic Auditors

• Breach remediation expenses – credit monitoring

• Damage to School District’s reputation

• Damage to your internal network and the repair costs

• Electronic Data Restoration


Risk Management Evaluation


● What loss control initiatives do you have in place?

- Firewalls / updated Virus Protection

- Intrusion Detection Software

- Multi-factor Authentication

● Have you implemented regular audit procedures of all information security protocols and systems?

● Do you have a formal

- Operational continuity / disaster recovery plans

- Information security policy / encryption

- Procedures for handling a data breach incident


Risk Management Evaluation


● Who is responsible for information security?

● Are employees trained on all policies relating to information security?

● What is your district’s policy for teacher and student usage of district assets (computers, mobile devices, etc.)?

● What would you do in the event of a Cyber incident?


Risk Management Myth


Risk Management Will Eliminate Exposures

● Good risk management reduces exposure and helps in defense of a claim but does not eliminate the exposure.

● High profile cases of large organizations damaged by computer viruses and hacked by outsiders.
  – Do you have better data security than each of these companies and government agencies?
    • Dept of Defense, FBI, NASA, Apple, Amazon, CIA, Google, etc. All of these companies have been hacked since the start of 2011.

● Firewalls, virus protection, intrusion detection, etc. are good… but they can be compromised, both externally and internally.

● Then remember that almost half of all data breach incidents are caused by staff mistake, lost device or rogue employee.


Cyber Insurance Coverage – Third Parties


● Viruses
  – Liability arising from transmission of a computer virus

● Privacy
  – Liability for failing to protect clients’ data, information, or identity from unauthorized access or use.

● Denial of service
  – Liability arising from others being unable to access your website.

● Worldwide coverage territory

● Defense costs


Cyber Insurance Coverage – Third Parties


● Regulatory Defense Costs
  – Violations of State Notification Laws

● Employee Data
  – Expansion of coverage to include liability for claims brought by employees relative to data breach.

● Paper
  – Liability arising from failure to protect private information in paper format (versus electronic)


Cyber Insurance Coverage – First Party

● Security Breach Notification Expenses
  – First party expense coverage for costs associated with notification to individuals whose information may have been breached.

● Crisis Management Expenses
  – First party expense coverage for costs associated with public relations.

● Cyber Extortion
  – First party reimbursement for cyber extortion


Typical Cyber Insurance Coverage Grants – First Party

● Data Restoration Expenses
  – First party expense coverage for costs to recover data lost due to virus or computer vandalism.

● Computer Fraud and FTF
  – Traditional Commercial Crime coverages

● Business Interruption
  – First party reimbursement for lost income from system failure due to virus or denial of service


Coverage Examples


Sachem Central School District

Lake Ronkonkoma, New York

Two breaches in the summer of 2013 and November of 2013 resulted in the exposure of student information. The sensitive information that was exposed in July may have been accidentally exposed through an administrative error.

A second breach was discovered on November 8 when the Superintendent learned that student information had been posted on a publicly accessible webpage. The investigation of the November breach is ongoing. Student names and ID numbers were the primary types of data that were exposed in both incidents.


Claim Examples

Mount Pleasant School District has informed approximately 915 present and former staff members that their personal information may have been compromised between January 18th 2015 and January 21st 2015.

A spokesperson for Mount Pleasant School District stated that another school district had a denial of service attack and discovered they had been hacked. The district’s technology director found a Tweet containing a link. When the director clicked on it, he was directed to a file that included names, addresses and Social Security numbers of MPSD staff.


Claim Examples

Milwaukee Public Schools

Social Security numbers were printed on the outside of letters that were sent to a third party vendor. As many as 6,000 letters were sent to MPS Medicare D recipients.


Claim Examples

A ring of middle school students were able to gain access to and control of more than 300 computers by phishing for teacher administrative codes. At least 18 students were involved.

The breach happened when students used software to imitate a legitimate software update on their computers. The students then asked teachers to enter administrative account information so that they could complete the software updates or installations. The phony software then stored teacher credentials. The students were then able to control 300 laptops belonging to other students by using the administrative credentials. The school believes that servers and sensitive information were not exposed. The breach occurred around Friday, April 26 and was discovered on Monday, April 29 when students noticed that other students appeared to be controlling student laptops remotely and reported the issue.


Claim Examples

An unencrypted flash drive was stolen from a teacher's car. It contained student Social Security numbers and other information.


InBloom - Privacy Issue


Questions?