“Cybercrime is a clear, present, and permanent danger. While it’s a permanent condition, however, the actors, threats, and techniques are very dynamic.”
— Tom Ridge, CEO of Ridge Global and first secretary of the US Department of Homeland Security
Data Theft: Past History
Physical in Nature
Shoulder Surfing, Surveillance Photos, Dumpster Diving
Data Theft: Current
Cyber in Nature
Social Media, Like-Jacking, Link-Jacking, Phishing, Social Spam, Social Engineering
Changing Attacker Profiles
Recreational, Criminal, Hacktivist, Organized Crime, State Sponsored
Fame/ Notoriety
Vandalism Statement Economic Gain Cyberwar, state secrets, Industrial espionage
Limited Technical Resources
Limited Technical Capabilities
Relentless, emotionally committed
Significant Technical Resources/ Capabilities
Highly sophisticated
Known Exploits Vast Networks Established syndicates
Nearly unlimited resources
Targeted Attacks Adware, Crimeware, IP theft
Advanced persistent threats
Four Potential Minefields to Worry About
Bring Your Own Device, BYOD
Know Your Employee
Supply Chain Risk
Cyber and Technology Risk
The 2 P’s to Remember
Everyone is a potential target and it is nearly impossible to totally prevent an attack
If You Can’t Prevent
You Must Prepare
Martin McBride
Larry Selnick, SVP and Director, Commercial Deposit and Treasury Services Sales, Webster Bank
CTC Cybersecurity Task Force Member
© 2014 USI Insurance Services. All rights reserved.
CONFIDENTIAL AND PROPRIETARY: This presentation and the information contained herein is confidential and proprietary information of USI Insurance Services, LLC ("USI"). Recipient agrees not to copy, reproduce or distribute this document,
in whole or in part, without the prior written consent of USI. Estimates are illustrative given data limitation, may not be cumulative and are subject to change based on carrier underwriting. © 2014 USI Insurance Services. All rights reserved.
Larry Racioppo, SVP | Management & Professional Services (MPS) www.usi.com
NETWORK SECURITY & PRIVACY (“CYBER”) OVERVIEW
September 2016
What Can a Cyber Policy Cover?
First Party, Other Business Costs:
- Business interruption
- Data repair/replacement
- Cyber-extortion
- Social Engineering
First Party, Breach Notice Costs:
- Forensic Investigation
- Crisis management/PR
- Notification costs
- Credit monitoring
Third Party, Civil Lawsuits:
- Consumer class action
- Corporate or financial institution suits
- Credit card brands
- PCI fines, penalties, and assessments
Third Party, Regulatory Actions:
- State AG investigations
- FTC investigations
- Health & Human Services
- Foreign Privacy Entities
Security/Privacy Liability
Cyber Statistics
E-mail received from “PayPal”: You’ve sent a payment of $90 to Youseff Mansouer
Forwarded to PayPal and their response:
Thank you for partnering with PayPal to combat fraudulent emails. We take reports of suspicious email very seriously. Your submission helps us identify potentially malicious activity and take the appropriate action needed to protect our customers.
Did you know that approximately 90% of all email sent worldwide falls into the spoof, phishing, spam, and general junk category? By submitting reports of suspicious email to us you are helping to address this problem.
Cyber Statistics
The most prevalent attacks against smaller businesses are Web-based and phishing/social engineering.
Negligent employees or contractors and third parties cause most data breaches.
In June 2016, the Ponemon Institute surveyed 600 small to medium sized companies. 55 percent of these respondents indicated their companies experienced a cyber attack in the past 12 months, and more than half reported a data breach involving the release of customer and/or employee information.
Chart: % of Organizations experiencing a cyber attack or data breach in the past 12 months
Cyber Statistics
Social Engineering
- Hackers use trickery, based on internal or vendor communication, to induce employees to process fraudulent wire transfers
- Average “Social Engineering” related loss is $130,000
- Claims of $100,000 to $500,000 are the norm for mid-size businesses
- Top 5 include:
  Xoom Corp. - $30M (January 2015)
  Scouler Co. - $17.2M (February 2015)
  Ubiquiti Networks - $46.7M (August 2015)
  FACC (Austria) - $54M (January 2016)
  Crelan Bank (Belgium) - $76M (February 2016)
Cyber Extortion (aka Ransomware)
- Cyber attack that involves a demand for money to avoid or stop a network attack/data breach
- On average, in 2016 there are approx. 4,000 ransomware attacks per day, up from 1,000 in 2015
- 77% of attacks sought between $500 and $10,000
- 20% of attacks sought over $10,000
- Only 1% sought in excess of $150,000
Negotiating a cyber placement
Breach Response Costs coverage:
- Offered at full policy limit or sub-limited?
- Inclusive of overall limit or “Outside” the limit?
- Dollar amount or on a “per record” basis?
Other things to consider:
- Regulatory coverage (seek full limit and defense/penalties)
- Seek full “unknown” prior acts coverage
- Avoid “Unencrypted portable device” exclusions
- Data restoration/business interruption cover (waiting period)?
- Cyber extortion/ransomware coverage?
- Social Engineering sub-limit offered?
Cyber Insurance as a Last Line of Defense
- Fills gaps in “traditional” property/casualty insurance
- Acts as a financial backstop to protect your budget
- Be out in front with continuity planning
- Assist in establishing relationships with key vendors
- Demonstrates an organizational commitment to network security/privacy
- Access to wide range of resources at time of loss:
  Forensics firm – who, what, where, when
  Attorney for various state requirement compliance
  Contractual indemnification obligations
  Public Relations expense – brand protection
  Credit monitoring, notification assistance
  ID restoration services
  Licensed investigator/fraud specialist
Cyber Insurance Market: An Opportunity for Growth
What is Cyber Insurance?
First Party: Data Breach Expense; Digital Recovery Loss; Business Interruption Loss; Contingent Business Interruption Loss
Crime: Cyber Extortion; Electronic/Deceptive Funds Transfer; Telephone Toll Fraud
Third Party: Privacy Liability; Network Security Liability; Internet Media Liability
What about other lines?
This presentation is an internal document and is not for external distribution. It is solely for informational purposes and is not intended as legal advice. It may not be copied or disseminated in any way without the permission of a member of Chubb Group.
Market Share
• Cyber Market Estimated at $3.5 billion (up from $500M ‘08 / Approximately $3bn in US)
• Market Penetration Estimates: Major Accounts 27-50%; Commercial Insurance 17-35%; Small Commercial 3-6%
• Primary Industries: Financial, Technology, Professional Services, Retail/Hospitality, Healthcare, Life Sciences, Education, Public Entity
Chart: market share by carrier: “New” Chubb (13%), AIG, Beazley, Rest of Market
Key Emerging Trends
July, 2016
• Internet of Things
• Post-Incident Shifts
• Credential Harvesting
• Ransomware
• Social Engineering
Regulatory Shift(s)
• General Data Protection Regulation (GDPR Update)
• FTC interest in payment environment and Fintech security
• Trade Association/’Standard Setting’ interest in cyber: NAIC; CA Attorney General “Reasonable Security”; FINRA; Department of Labor; Department of Homeland Security; USA vs. China, USA vs. Russia; Treasury
• AG Feedback: Preparation and Transparency. What data did you have? Where was it? How was it being protected?
• Single state changes impacting incident response countrywide: CT, 2 years of credit monitoring; Tennessee, encryption expectation
July, 2016
EMV Shift (The other shift)
• EMV led to new account fraud incidents doubling.
• In 2015, the U.S. transitioned to EMV cards, designed to reduce in-person fraud and the profitability of counterfeit card operations.
• Fraudsters reacted by moving away from existing card fraud to focus on new account fraud.
• This drove a 113% increase in incidents involving new account fraud, which accounted for 20% of all fraud losses.
July, 2016
Cyber Litigation Update
• Standing (and damages)
• Consumer claims vs. B2B litigation
• Transparency-Based Litigation
Wrongful collection claims, Adult/Social Media Dating Sites
• PCI Fines, Penalties, Assessments & contractual implications
• Long development (large social media incidents several years ago) because of credential harvesting
July, 2016
“We’ve noticed patterns of (claims) trends that would better suit our clients if we were transparent and if we showed them where incidents went awry…” — Michael Tanenbaum, Chubb Professional Risk
Wall Street Journal, April 2015
Cyber Claims and Industry Trends (10 years of data) Triggers and Industry Trends (as of 8/2016)
August, 2016
Triggers (10 years of data):
• Paper 6%
• Human Error 18%
• Privacy Policy 6%
• Hack 29%
• Rogue Employee 13%
• Software Error 3%
• Other 8%
• Lost/Stolen Devices 17% (Laptops 12%, Hard Drives 3%, Other 2%)
Industry Breakout:
• Healthcare – 32%
• Professional Services – 14%
• Technology – 10%
• Retail – 9%
• Education – 7%
• Travel & Hospitality – 7%
• Financial Institutions – 6%
• Media – 4%
• Non-Profit – 3%
• Public Entity – 2%
Cyber Claims and Industry Trends (last 3 years) Triggers and Industry Trends (as of 8/2016)
August, 2016
Triggers (last 3 years):
• Paper 6%
• Human Error 22%
• Privacy Policy 4%
• Hack 33%
• Rogue Employee 11%
• Software Error 2%
• Other 9%
• Lost/Stolen Devices 12% (Laptops 9%, Other 2%, USB 1%)
Industry Breakout 2014-2016:
• Healthcare – 33%
• Professional Services – 16%
• Retail – 8%
• Education – 8%
• Technology – 7%
• Travel & Hospitality – 7%
• Financial Institutions – 4%
• Media – 4%
Targeted Attacks for Sensitive Data:
• Lost/Stolen Devices: 2014 – 14%; 2015 – 11%; 2016 – 10%
• Hack: 2014 – 27%; 2015 – 40%; 2016 – 33%
• Rogue Employee: 2014 – 15%; 2015 – 13%; 2016 – 5%
Cyber Claims and Industry Trends (10 years) Triggers by Industry Segment (as of 8/2016)
August, 2016
Chart, Healthcare: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 9%, 22%, 18%, 28%, 9%
Chart, Technology: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 36%, 8%, 21%, 10%, 12%
Chart, Retail: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 56%, 11%, 11%, 3%, 14%
Chart, Professional Services: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 24%, 8%, 28%, 21%, 3%
Cyber Claims and Industry Trends (10 years) Triggers by Industry Segment (as of 8/2016)
August, 2016
Chart, Education: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Paper; values shown: 36%, 8%, 21%, 10%, 12%
Chart, Financial Institutions: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 41%, 8%, 16%, 14%, 5%
Chart, Public Entity: triggers Hack, Paper, Human Error, Unknown; values shown: 65%, 5%, 25%, 5%
Chart, Travel & Hospitality: triggers Hack, Rogue Employee, Paper, Human Error, Unknown; values shown: 51%, 10%, 6%, 10%, 15%
2 Year Review (2015 & 2016)- Triggers by Industry
August, 2016
Chart, Financial Institutions: values shown: 63%, 13%, 6%, 6%, 6% (trigger labels not recovered from the chart)
Chart, Education: values shown: 59%, 18%, 18%, 5%, 3%
Chart, Healthcare: values shown: 38%, 19%, 14%, 7%, 6%
Chart, Professional Services: values shown: 30%, 23%, 23%, 7%, 5%
Chart, Retail: values shown: 57%, 14%, 10%, 7%, 5%
Disclaimer
The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.
Cybersecurity
“…cybersecurity encompasses all that protects enterprises and individuals from intentional attacks, breaches and incidents as well as the consequences.”
Source: ISACA, Transforming Cybersecurity, 2013
"Every minute, we are seeing about half a million attack attempts that are happening in cyber space." - Derek Manky, Fortinet global security strategist
Research company Gartner predicts there will be 6.8 billion connected devices in use in 2016, a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion connected devices, predicts Gartner. Put another way, for every human being on the planet, there will be between two and three connected devices.
IT Infrastructure Services
Attack Types:
- Hacking Attempts: 50%
- Malware: 66%
- Social Engineering: 46%
- Phishing: 68%
2016 Cyber Predictions
1. Destructive attacks worsen.
2. Social engineering gets personal.
3. Attacks through apps.
4. Internet of things hacks increase.
5. Laws on infrastructure security.
Solution: Cyber Insurance
What Do IT Professionals Say About Cybersecurity?
76% agree or strongly agree with United States President Obama’s proposal to require companies to notify consumers of a data breach within 30 days.
Chart: Of the following, what do you think is the greatest challenge companies would face if they needed to notify consumers of a data breach within 30 days of its discovery? Responses: Other; Not enough human resources; Increased cost; Systems not designed for this; Concern over corporate reputation. Values shown: 10%, 55%, 15%, 14%, 8%
Source: ISACA, Global Cybersecurity Status Report, 2015
Frank Rudewicz Partner in Charge – NE Advisory Services Marcum LLP
Heather Bearfield Principal – Assurance Services
Marcum LLP
Matt Prevost Vice President, North American Financial Lines Chubb
Moderator: Larry Selnick SVP and Director, Commercial Deposit and Treasury Services Sales, Webster Bank CTC Cybersecurity Task Force Member
Larry Racioppo SVP Management & Professional Services
USI
Bruce Carlson President & CEO CT Technology Council
Patricia Fisher President & CEO JANUS Associates, Inc.
Nancy Hancock Partner Pullman and Comley LLC
Richard Harris Partner Day Pitney LLP
Rick Huebner President & CEO Visual Technologies, Inc.
Lyle Liberman COO JANUS Associates, Inc.
Andy McCarthy VP of Engineering & Technical Ops, Western NE Region Comcast
Suzanne Novak Owner/President ERUdyne. LLC
Dr. Leon Pintsov CEO SignitSure Inc.
Paige Rasid COO CT Technology Council
Larry Selnick Director, Treasury and Payment Solutions, Webster Bank
Ray Umerley Vice President Chief Data Protection Officer, Pitney Bowes
Ron Vernier SVP and CIO Hartford Steam Boiler