9/13/2016

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series




Bruce Carlson, President & CEO, Connecticut Technology Council

Martin McBride

Frank Rudewicz, Partner in Charge – NE Advisory Services, Marcum LLP

marcumllp.com

Data Breaches and Cyber Threats: Past and Present


“Cybercrime is a clear, present, and permanent danger. While it’s a permanent condition, however, the actors, threats, and techniques are very dynamic.”

— Tom Ridge, CEO of Ridge Global and first secretary of the US Department of Homeland Security


Data Theft: Past History

Physical in Nature:
- Shoulder Surfing
- Surveillance Photos
- Dumpster Diving


IT Infrastructure Services

Root Cause: Past History
- Laziness
- Complacency


Data Theft: Current

Cyber in Nature:
- Social Media
- Like-Jacking
- Link-Jacking
- Phishing
- Social Spam
- Social Engineering


Changing Attacker Profiles

Attacker type (left to right): Recreational; Criminal; Hacktivist; Organized Crime; State Sponsored

Motivation (same order): Fame/Notoriety; Vandalism; Statement; Economic Gain; Cyberwar, state secrets, industrial espionage

Resources and capabilities (same order): Limited Technical Resources; Limited Technical Capabilities; Relentless, emotionally committed; Significant Technical Resources/Capabilities; Highly sophisticated

Methods and organization (as listed on the slide): Known Exploits; Vast Networks; Established syndicates; Nearly unlimited resources; Targeted Attacks; Adware, Crimeware, IP theft; Advanced persistent threats


Root Cause: Current
- Laziness
- Complacency


Four Potential Minefields to Worry About
- Bring Your Own Device (BYOD)
- Know Your Employee
- Supply Chain Risk
- Cyber and Technology Risk


The 2 P’s to Remember

Everyone is a potential target, and it is nearly impossible to totally prevent an attack.

If You Can’t Prevent, You Must Prepare.

Q&A? Final Thoughts


Larry Selnick, SVP and Director, Commercial Deposit and Treasury Services Sales, Webster Bank; CTC Cybersecurity Task Force Member


Larry Racioppo, SVP Management & Professional Services, USI

© 2014 USI Insurance Services. All rights reserved.

CONFIDENTIAL AND PROPRIETARY: This presentation and the information contained herein is confidential and proprietary information of USI Insurance Services, LLC ("USI"). Recipient agrees not to copy, reproduce or distribute this document, in whole or in part, without the prior written consent of USI. Estimates are illustrative given data limitation, may not be cumulative and are subject to change based on carrier underwriting.

Larry Racioppo, SVP | Management & Professional Services (MPS) www.usi.com

NETWORK SECURITY & PRIVACY (“CYBER”) OVERVIEW

September 2016


What Can a Cyber Policy Cover? (Security/Privacy Liability)

First Party – Other Business Costs:
- Business interruption
- Data repair/replacement
- Cyber-extortion
- Social Engineering

First Party – Breach Notice Costs:
- Forensic Investigation
- Crisis management/PR
- Notification costs
- Credit monitoring

Third Party – Civil Lawsuits:
- Consumer class action
- Corporate or financial institution suits
- Credit card brands: PCI fines, penalties, and assessments

Third Party – Regulatory Actions:
- State AG investigations
- FTC investigations
- Health & Human Services
- Foreign Privacy Entities


Cyber Statistics

E-mail received from “PayPal”: “You’ve sent a payment of $90 to Youseff Mansouer”

Forwarded to PayPal and their response:

“Thank you for partnering with PayPal to combat fraudulent emails. We take reports of suspicious email very seriously. Your submission helps us identify potentially malicious activity and take the appropriate action needed to protect our customers.

Did you know that approximately 90% of all email sent worldwide falls into the spoof, phishing, spam, and general junk category? By submitting reports of suspicious email to us you are helping to address this problem.”


Cyber Statistics

- The most prevalent attacks against smaller businesses are Web-based and phishing/social engineering.
- Negligent employees or contractors and third parties cause most data breaches.

In June 2016, the Ponemon Institute surveyed 600 small to medium sized companies. 55 percent of these respondents indicated their companies experienced a cyber attack in the past 12 months, and more than half reported a data breach involving the release of customer and/or employee information.

[Chart: % of organizations experiencing a cyber attack or data breach in the past 12 months]

Source:


Cyber Statistics

Social Engineering
- Hackers use trickery, based on internal or vendor communication, to induce employees to process fraudulent wire transfers
- Average “Social Engineering” related loss is $130,000
- Claims of $100,000 to $500,000 are the norm for mid-size businesses
- Top 5 include:
  - Xoom Corp. - $30M (January 2015)
  - Scoular Co. - $17.2M (February 2015)
  - Ubiquiti Networks - $46.7M (August 2015)
  - FACC (Austria) - $54M (January 2016)
  - Crelan Bank (Belgium) - $76M (February 2016)

Cyber Extortion (aka Ransomware)
- Cyber attack that involves a demand for money to avoid or stop a network attack/data breach
- On average, in 2016 there are approximately 4,000 ransomware attacks per day, up from 1,000 in 2015
- 77% of attacks demanded between $500 and $10,000
- 20% of attacks sought over $10,000
- Only 1% sought in excess of $150,000


Negotiating a cyber placement

Breach Response Costs coverage:
- Offered at full policy limit or sub-limited?
- Inclusive of overall limit or “outside” the limit?
- Dollar amount or on a “per record” basis?

Other things to consider:
- Regulatory coverage (seek full limit and defense/penalties)
- Seek full “unknown” prior acts coverage
- Avoid “unencrypted portable device” exclusions
- Data restoration/business interruption cover (waiting period)?
- Cyber extortion/ransomware coverage?
- Social Engineering sub-limit offered?


Cyber Insurance as a Last Line of Defense

- Fills gaps in “traditional” property/casualty insurance
- Acts as a financial backstop to protect your budget
- Be out in front with continuity planning
- Assists in establishing relationships with key vendors
- Demonstrates an organizational commitment to network security/privacy
- Access to a wide range of resources at time of loss:
  - Forensics firm – who, what, where, when
  - Attorney for compliance with the various state requirements
  - Contractual indemnification obligations
  - Public Relations expense – brand protection
  - Credit monitoring, notification assistance
  - ID restoration services
  - Licensed investigator/fraud specialist


Matt Prevost, Vice President, North American Financial Lines, Chubb

State of Cyber Risk & Cyber Litigation – CTC, September 14th, 2016 – Matt Prevost

Cyber Insurance Market – An Opportunity for Growth

What is Cyber Insurance?
- First Party: Data Breach Expense; Digital Recovery Loss; Business Interruption Loss; Contingent Business Interruption Loss
- Crime: Cyber Extortion; Electronic/Deceptive Funds Transfer; Telephone Toll Fraud
- Third Party: Privacy Liability; Network Security Liability; Internet Media Liability

What about other lines?

This presentation is an internal document and is not for external distribution. It is solely for informational purposes and is not intended as legal advice. It may not be copied or disseminated in any way without the permission of a member of Chubb Group.


Market Share

• Cyber Market Estimated at $3.5 billion (up from $500M in 2008; approximately $3bn in the US)
• Market Penetration Estimates: Major Accounts 27-50%; Commercial Insurance 17-35%; Small Commercial 3-6%
• Primary Industries: Financial; Technology; Professional Services; Retail/Hospitality; Healthcare; Life Sciences; Education; Public Entity

[Pie chart: cyber market share – “New” Chubb (13%), AIG, Beazley, Rest of Market]

Key Emerging Trends

July, 2016

- Internet of Things
- Post-Incident Shifts
- Credential Harvesting
- Ransomware
- Social Engineering


Impact to a Company: What is changing post-incident?

September, 2016


Regulatory Shift(s)

• General Data Protection Regulation (GDPR update)
• FTC interest in payment environment and Fintech security
• Trade Association/“Standard Setting” interest in cyber: NAIC; CA Attorney General “Reasonable Security”; FINRA; Department of Labor; Department of Homeland Security; USA vs. China, USA vs. Russia; Treasury
• AG Feedback: Preparation and Transparency – What data did you have? Where was it? How was it being protected?
• Single state changes impacting incident response countrywide – CT: 2 Years of Credit Monitoring; Tennessee: Encryption Expectation


EMV Shift (The other shift)

• EMV led to new account fraud incidents doubling.

• In 2015, the U.S. transitioned to EMV cards, designed to reduce in-person fraud and the profitability of counterfeit card operations.

• Fraudsters reacted by moving away from existing card fraud to focus on new account fraud.

• This drove a 113% increase in incidents involving new account fraud, which accounted for 20% of all fraud losses.


Cyber Litigation Update

• Standing (and damages)
• Consumer claims vs. B2B litigation
• Transparency-Based Litigation: wrongful collection claims; Adult/Social Media Dating Sites
• PCI Fines, Penalties, Assessments & contractual implications
• Long development (large social media incidents several years ago) because of credential harvesting


Cyber Claims: “What are we seeing?”

Over 15 Years of Cyber Claims Data – August 2016


“We’ve noticed patterns of (claims) trends that would better suit our clients if we were transparent and if we showed them where incidents went awry…” — Michael Tanenbaum, Chubb Professional Risk, Wall Street Journal, April 2015

Cyber Claims and Industry Trends (10 years of data): Triggers and Industry Trends (as of 8/2016)

Breach triggers (10 years of data):
• Hack – 29%
• Human Error – 18%
• Lost/Stolen Devices – 17% (Laptops 12%, Hard Drives 3%, Other 2%)
• Rogue Employee – 13%
• Other – 8%
• Paper – 6%
• Privacy Policy – 6%
• Software Error – 3%

Industry Breakout:
• Healthcare – 32%
• Professional Services – 14%
• Technology – 10%
• Retail – 9%
• Education – 7%
• Travel & Hospitality – 7%
• Financial Institutions – 6%
• Media – 4%
• Non-Profit – 3%
• Public Entity – 2%

Cyber Claims and Industry Trends (last 3 years): Triggers and Industry Trends (as of 8/2016)

Breach triggers (last 3 years):
• Hack – 33%
• Human Error – 22%
• Lost/Stolen Devices – 12% (Laptops 9%, Other 2%, USB 1%)
• Rogue Employee – 11%
• Other – 9%
• Paper – 6%
• Privacy Policy – 4%
• Software Error – 2%

Industry Breakout 2014-2016:
• Healthcare – 33%
• Professional Services – 16%
• Retail – 8%
• Education – 8%
• Technology – 7%
• Travel & Hospitality – 7%
• Financial Institutions – 4%
• Media – 4%

Targeted Attacks for Sensitive Data:
• Lost/Stolen Devices: 2014 – 14%; 2015 – 11%; 2016 – 10%
• Hack: 2014 – 27%; 2015 – 40%; 2016 – 33%
• Rogue Employee: 2014 – 15%; 2015 – 13%; 2016 – 5%

Cyber Claims and Industry Trends (10 years): Triggers by Industry Segment (as of 8/2016)

[Bar chart – Healthcare: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 9%, 22%, 18%, 28%, 9% (as extracted; bar-to-value order not recoverable)]

[Bar chart – Technology: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 36%, 8%, 21%, 10%, 12% (as extracted)]

[Bar chart – Retail: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 56%, 11%, 11%, 3%, 14% (as extracted)]

[Bar chart – Professional Services: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 24%, 8%, 28%, 21%, 3% (as extracted)]

Cyber Claims and Industry Trends (10 years): Triggers by Industry Segment (as of 8/2016), continued

[Bar chart – Education: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Paper; values shown: 36%, 8%, 21%, 10%, 12% (as extracted; bar-to-value order not recoverable)]

[Bar chart – Financial Institutions: triggers Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy; values shown: 41%, 8%, 16%, 14%, 5% (as extracted)]

[Bar chart – Public Entity: triggers Hack, Paper, Human Error, Unknown; values shown: 65%, 5%, 25%, 5% (as extracted)]

[Bar chart – Travel & Hospitality: triggers Hack, Rogue Employee, Paper, Human Error, Unknown; values shown: 51%, 10%, 6%, 10%, 15% (as extracted)]

2 Year Review (2015 & 2016) – Triggers by Industry

[Bar chart – Financial Institutions: values shown 63%, 13%, 6%, 6%, 6% (trigger labels not captured in the extracted text)]

[Bar chart – Education: values shown 59%, 18%, 18%, 5%, 3%]

[Bar chart – Healthcare: values shown 38%, 19%, 14%, 7%, 6%]

[Bar chart – Professional Services: values shown 30%, 23%, 23%, 7%, 5%]

[Bar chart – Retail: values shown 57%, 14%, 10%, 7%, 5%]

Chubb. Insured.

Disclaimer The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.


Heather Bearfield, Principal – Assurance Services, Marcum LLP

marcumllp.com

Cybersecurity


Cybersecurity: “…cybersecurity encompasses all that protects enterprises and individuals from intentional attacks, breaches and incidents as well as the consequences.”

Source: ISACA, Transforming Cybersecurity, 2013


"Every minute, we are seeing about half a million attack attempts that are

happening in cyber space." -Derek Manky, Fortinet global security strategist

Research company Gartner predicts there will be 6.8 billion connected devices in use in 2016, a 30 percent increase over

2015. By 2020, that number will jump to more than 20 billion connected devices, predicts Gartner. Put another way, for

every human being on the planet, there will be between two and three connected devices


Security Scenario – General Info

Source: Verizon, Data Breach Report, 2015


Attack Types
- Hacking Attempts: 50%
- Malware: 66%
- Social Engineering: 46%
- Phishing: 68%


Source: Search Engine Journal


2016 Cyber Predictions

1. Destructive attacks worsen.
2. Social engineering gets personal.
3. Attacks through apps.
4. Internet of things hacks increase.
5. Laws on infrastructure security.

Solution: Cyber Insurance


What Do IT Professionals Say About Cybersecurity?

76% agree or strongly agree with United States President Obama’s proposal to require companies to notify consumers of a data breach within 30 days.

Of the following, what do you think is the greatest challenge companies would face if they needed to notify consumers of a data breach within 30 days of its discovery?

[Bar chart – response options: Other; Not enough human resources; Increased cost; Systems not designed for this; Concern over corporate reputation. Values shown: 10%, 55%, 15%, 14%, 8% (as extracted; option-to-value order not recoverable)]

Source: ISACA, Global Cybersecurity Status Report, 2015

Questions???


Panel Q&A

Frank Rudewicz, Partner in Charge – NE Advisory Services, Marcum LLP

Heather Bearfield, Principal – Assurance Services, Marcum LLP

Matt Prevost, Vice President, North American Financial Lines, Chubb

Moderator: Larry Selnick, SVP and Director, Commercial Deposit and Treasury Services Sales, Webster Bank; CTC Cybersecurity Task Force Member

Larry Racioppo, SVP Management & Professional Services, USI

Bruce Carlson, President & CEO, CT Technology Council

Patricia Fisher, President & CEO, JANUS Associates, Inc.

Nancy Hancock, Partner, Pullman and Comley LLC

Richard Harris, Partner, Day Pitney LLP

Rick Huebner, President & CEO, Visual Technologies, Inc.

Lyle Liberman, COO, JANUS Associates, Inc.

Andy McCarthy, VP of Engineering & Technical Ops, Western NE Region, Comcast

Suzanne Novak, Owner/President, ERUdyne, LLC

Dr. Leon Pintsov, CEO, SignitSure Inc.

Paige Rasid, COO, CT Technology Council

Larry Selnick, Director, Treasury and Payment Solutions, Webster Bank

Ray Umerley, Vice President, Chief Data Protection Officer, Pitney Bowes

Ron Vernier, SVP and CIO, Hartford Steam Boiler


October 20, 2016, 9 am – 3 pm; Networking Mixer from 3–4

Trumbull Marriott