Controlling Technology Risks
Paul A. Forlenza, MGA, RMC – Deputy Executive Director, TRICO JIF
Edward J. Cooney, MBA – Fund Underwriter, TRICO JIF
Members Increasing Use of Technology
• Credit card payments
• Websites
• Electronic applications
• Banking transactions
• Payroll processing
• Internet-connected devices (IoT)
Hackers see government networks as low hanging fruit!
Beyond Outside Threats…
• Employees pose our greatest threat!
• A chain is only as strong as its weakest link:
  – Human error
  – Disgruntled employee
  – Careless employee
  – Uneducated employee
Members Hold a lot of Valuable Information
• Employee PII & PHI
• Residents’ Banking & Mortgage Info
• Residents’ PII – Birth, Marriage, & Death Certificates
Other Cyber Risks Facing Members
• Hacktivism
• Destructive Malware
• Business Interruption
• Public Relations
Technology Risk Assessments
• Pivot Point Security (2016-2017)
• Online Survey
• Member Visits – GAP Assessments
• Individual Member Reports
• Executive Summary highlighting the most frequently cited technology-based exposures
What Did We Learn?
• 31% have an Information Security Contingency Plan in place
• 29% have an Incident Management Plan that includes the restoration of IT services
• 4.8 – How comprehensive is your Business Continuity / Disaster Recovery plan? (1 = not very comprehensive / 10 = very comprehensive)
• 100% of Personally Identifiable Information & Protected Health Information is stored in-house
• 83% outsource payroll
  – 88% Casa Payroll Services
  – 9% ADP
  – 3% Paychex
• 27% outsource benefits / 76% outsource IT / 73% outsource web design / 61% outsource email
• 22% require vendors to demonstrate adequate security of their computer systems
• 52% allow vendors to access their network (does not include Edmunds)
What Did We Learn?
• 76% do not have a contract in place with vendors who have access to personally identifiable information which requires the other party to defend and indemnify you from legal liabilities
• 0% provide employees, contractors and vendors formal Information Security Awareness training
• 5% encrypt sensitive information when communicating it (account #, SS #, medical information, credit card information, etc.)
• 46% periodically test their security controls
• 22% process credit card transactions
  – 55% filed their PCI SAQ (PCI Self-Assessment Questionnaire)
• 54% perform background checks as part of the hiring process
• 100% maintain good practice when storing sensitive information (file cabinets with locks)
Boiling it all Down: What do the Members Really Need?
• Security Awareness Training & Ongoing Notifications
• Security Risk Policies & Training
• Incident Management Plans
• Phishing Assessments
• External Vulnerability Testing
• Third Party Risk Management Policies & Training
Taking these steps will eliminate 80% of our claims!
Where Do We Get these Services?
• Cyber Insurers – XL?
• The MEL?
• Outside governmental sources?
• Each member on their own?
• The JIF?
Cyber Insurers
• Have not traditionally played a pro-active role
• Training materials are not widely publicized
• What materials do exist are geared towards the private sector!
• While they may offer needed services and coverage, their clients don’t understand how to access it
XL - CyberRiskConnect.com
• Cyber Library / News Center
  – Trending articles related to cyber exposure
• Breach Response Services / Response Partners
  – Identifies the panel firms XL Catlin has pre-approved to assist post-breach, and recommends firms for pre-breach training
• Risk Manager Tools
  – Sample documents to use in everyday operations:
    Policies on mobile computing or social networking
    Network & information security self-test and scorecard
    Breach notification law map & data breach cost calculator
• Learning Center
  – Educational articles and guides, such as “Forensics: Planning a Successful Investigation” and “Social Engineering Red Flags”
• Privacy Training
  – Short training videos on privacy & network security, such as cybersecurity awareness, risk assessments & data security
CyberRiskConnect.com
The MEL?
Government Sources
WWW.CYBER.NJ.GOV
The Individual Members?
• Lack of consistency:
  – Training
  – Policies
• Financial Resources?
• Technical expertise?
Where Do We Go From Here?
Technology Risk Management Services RFP
• Services Sought:
  – Security Awareness Training
  – Security Awareness Notifications
  – Security Risk Policies & Training
  – Incident Management Plans
  – Phishing Assessments
  – External Vulnerability Testing
  – Third Party Risk Management Policies & Training
Technology Risk Management Services RFP
• RFP issued as a Competitive Contract under the LPCL with ACM and BURLCO JIFs
• Issued April 30, 2018
• Responses due May 24, 2018
• Three (3) Responses Received:
  – The Incendio Group
  – Media Pro
  – Pivot Point Security
• Sub-Committee reviewed & scored proposals on June 29, 2018
Technology Risk Management Services RFP
• Contract award recommendations:
  – Security Awareness Training – Media Pro
    Extensive library of online training
    Three-year price lock – $7,439 annually
  – All other Services – Pivot Point
    Year One – $30,305
    Years 2 & 3 – $12,037
Technology Risk Management Services
• Benefits:
  – Consistency in & tracking of training
  – Consistency in policies & procedures
  – Consistency in technical services being provided
  – Compliance with the MEL Cyber Risk Management Program!
• Costs:
  – Short term – efficient & no impact on member budgets
  – Long term – better cyber liability policy pricing
Don’t Forget! EPL/Cyber Risk Management Budget
• Funds can be used to offset cyber security related expenses
• Annual member allotment: $1,000 to $3,000, based upon member size
• Available balances included in the monthly agenda packet
Edward J. Cooney, MBA: Conner Strong & Buckelew
• Vice President/Account Executive, Commercial Lines – Major Accounts
• MEL Underwriting Manager
• Negotiates MEL Reinsurance Program:
  – Property
  – Liability
  – Workers Compensation
• Markets and Places MEL Insurance Programs:
  – EPL/POL
  – Cyber
  – Aircraft – Drones
MEL Cyber Task Force
• Comprised of MEL Commissioners & Fund Professionals
  – Meets quarterly
  – Reviews recent cyber claims
  – Evaluates need for additional cyber related services, coverage and limits
  – Recommends additional training & policies as needed
  – Reviews & recommends changes to Cyber Risk Management Program
Technology Risk Management
Cyber Attacks Against NJ Local Government Are Increasing
Cyber Claims Activity
[Charts: Cyber Claims Activity – By Event Type; By Department]
$71 per capita cost of a data breach for the Government Sector (2nd) – 2017 Ponemon Institute
53% of data breaches were caused by human error or system glitch – 2017 Ponemon Institute
Public Entity Cyber Trends
[Charts: Frequency of Email Malware; Malicious Email Themes; Phishing Rate; Cost of Malware]
Cyber Claims Activity (cont’d)
MEL Claims Examples
• Social Engineering: A town treasurer received an email appearing to be from the town commissioner, requesting that a wire transfer be made to an address included in the email for a particular project in the town. Deception: 1) it looked like it was from the town commissioner because the email address was spoofed; and 2) it seemed to be for a sound purpose. $20,000 was sent to the fraudster.
• Ransomware: An administrative employee of a municipality clicked on a “spoofed” link in a fake email, downloading the ransomware to the infected device and to other devices it could spread to on the network. The municipality had daily backups, but the backups were performed on the same network, so the lost data could not be reconstructed. Breach counsel and forensics were engaged. Total loss in excess of $60,000.
• Malware: Malware was downloaded via a spoofed email onto a city employee’s workstation. Since the workstation was open to a shared server, including a shared drive, multiple workstations were affected. Breach counsel and forensics were engaged, determining that the personal information of nearly 900 individuals was compromised, triggering New Jersey notification regulations. The individuals were notified, and a call center and a credit monitoring account were set up for the affected individuals. Total loss in excess of $125,000.
• Breach / Ransomware: A network-connected printer (“IoT” device) had an “open port” to the internet. An intruder gained access to the town’s network via the open port and downloaded ransomware onto the network. Breach counsel and forensics were engaged. Total loss in excess of $40,000.
Cyber Claim Engagement Letters
Technology Risk Management
Time to rethink Technology Investments and controls?
MEL Cyber Risk Management Program
Technology Risk Management
Three areas that all local governments must address:
• Technology Management
• Technical Competency
• Cyber Hygiene
MEL Cyber Risk Management Plan
Incentive
MEL Cyber Risk Management Plan
1. Distributed December 18, 2017
2. Tier 1 & 2 standards
3. Tier 1 compliance – $5,000 reimbursement of deductible
4. Tier 2 compliance – $7,500 reimbursement of deductible
MEL Cyber Risk Management Plan
Tier 1 Compliance Standards:
1. Meet minimum backup standards
2. Install software security patches
3. Use defensive software
4. Annual cyber hygiene training for employees
5. Management adopts basic cyber incident response plan
6. Management adopts Information Technology Practices Policy
MEL Cyber Risk Management Plan
Tier 2 Compliance Standards:
1. Server (physical) security
2. Server access & privilege controls
3. Staff or contractor to respond to security incidents
4. Adopt internet & email use policy
5. Encryption of files with PII & HII
6. Password Management Policy
7. Leadership has access to technology decision-making tools & professionals
MEL Cyber Risk Management Plan
How it works:
1. Members submit an initial compliance checklist
2. If a member has a claim, they can submit a reimbursement request for a portion of their deductible
3. Members will need to document compliance with the standard(s) to receive reimbursement
How Many Members Have Qualified?
[Chart: Members Qualified for Deductible Reimbursement – values shown: 2 and 103; legend: Qualified, Not Qualified]
MEL Cyber Risk Management Plan
Some final thoughts:
1. Get the assistance of an IT Professional!
2. The Plan contains detailed explanation of the standards, model policies, & checklists.
3. Standards will be updated from time to time to keep up with the evolving threats.
4. ACM, BURLCO, & TRICO JIFs provide their members with a “cyber budget” that can be used to offset compliance costs.
Questions?