New Jersey Chapter

Network Security & Privacy Liability
Assessing the Risk
June 14, 2011 Chapter Meeting

Steve Yesko, ARM, Lowers & Associates
Jeff Kulikowski, AXIS Pro
Meredith Schnur, Wells Fargo Insurance Services
Risk Mitigation Agenda
•   Cyber Risk vs. Data Breach
•   Types of Breach
•   Evolution of the Exposure
•   Top 10 Incidents of 2010
•   Top 10 Unsolved Crimes
•   Today's Risk Landscape
•   Organizational Risk Trends
•   2011 Forecast
•   IT Security Testing - 3 Prong Approach
•   IT Risk Mitigation Measures - Be Prepared
•   Information Resources
Cyber Risk vs. Data Breach
• Cyber Risk Coverage
  – Addresses hazards such as unauthorized website
    access, on-line libel, data loss and repairs to
    databases after system failures.
• Data Breach or Privacy Coverage
  – Covers the cost of notification and credit
    monitoring services for affected persons, PR
    expense to address reputational harm, breach
    investigation, legal fees and compensatory
    damages, judgments and settlements.
Types of Breach
•   Theft or Loss
•   Inappropriate Handling
•   Inadvertent Exposure
•   Misuse of Access (Insider Threat)
•   Unauthorized Access (External Attack)
•   System Compromise (Malware)
Evolution of the Exposure
• From a kid in the basement of parents home to
  highly sophisticated organized crime networks
• From IT/computer related to Internet/web-based
• From theft of money to theft of information
• From outside / in to inside / out
• From legal action brought by consumers to
  legal action by regulators
• From expenses to secure network/servers to
  expenses for state notification laws
• From an IT issue to a Boardroom issue
• From a national to an international problem
The Biggest Information Security Incidents of 2010
#10. Affinity Health Plan
     Breach, involving 409K records, occurred when a copier was returned without hard disk erasure; reported by AHP to comply with HHS mandates

#9. WellPoint/Anthem BlueCross
     Company’s insurance application website was compromised by a faulty authentication code upgrade, putting 470K applicant records at risk

#8. CitiGroup
     Approximately 600K customers were sent annual tax documents with SSN printed on the outside of the envelope (mimicked mail routing number)

#7. Ohio State University
     Server housing 760K unencrypted PII records of current/former students, faculty, staff and contractors exposed during a hack; no evidence of data theft

#6. South Shore Hospital
     Three boxes of tapes, containing 800K records with PII, PHI and financial info of the hospital community, were lost while being transported for destruction

#5. Lincoln National Financial Securities
     Portfolio management system, housing data for 1.2M customers, compromised when an actual user name/password were printed in a brochure and on a public site

#4. AvMed Health Plans
     1.2M records of current and former subscribers and their dependents compromised when two unencrypted laptops were stolen from corporate HQ

#3. Gawker
     1.3M user email addresses and passwords stolen in a hack; 250K cracked IDs/passwords posted on-line, the most common among them being 123456

#2. Education Credit Management Corp.
     Safes stolen from ECM offices containing unencrypted portable media (later recovered by police) with 3.3M student loan recipient/applicant info

#1. Netflix
     Data sets containing anonymized movie rating and preference information for over 100M subscribers were voluntarily released to contest participants

Source: Software, Information & Network Security News
Top 10 Unsolved Computer Crimes
#10. The WANK Worm (Oct. 89; first hacktivist attack)
#9. UK Ministry of Defense Satellite Hack (Feb. 99)
#8. CDUniverse Credit Card Breach (Jan. 00)
#7. USN Military Source Code Theft (Dec. 00)
#6. Anti-DRM Hack (Oct. 01; Windows Media)
#5. Dennis Kucinich on (Oct. 03)
#4. Hacking your MBA App (Mar. 06)
#3. The 26,000 Site Hack Attack (Winter 08)
#2. Hannaford/Sweetbay Breach (Feb. 08)
#1. Comcast/Network Solutions Redirect (May 08)
Source: PC Magazine
Today's Risk Landscape
• Data breaches increased significantly in 2010
   – ITRC's 2010 Breach Report cited 662 reported breaches
   – An increase of 33% over 2009
   – Paper Breaches: 20% (no mandatory reporting)
   – Insider Theft: 15.4% (doubled since 2007)
   – Hacking: 17% (up 3%)
   – Data on the Move, Accidental, Subcontractor: 34.3%
• Threat Volumes are on the Rise
   – 2005 - 330,000 unique malware samples;
     38 web threats per hour
   – 2008 - 16,495,000 unique malware samples;
     1,883 web threats per hour
• Threat Vectors are Internet-Based
   – 92% now arrive via the Internet (Websites, Links, Email)
   – 8% arrive via file transfer (removable media)
Today's Risk Landscape (continued)
• The Underground Economy is More Profitable
    –   $100 billion per year marketplace
    –   Malware: $50 - $3,500
    –   Email Addresses: $0.001 per Address
    –   An hour of usage on a Botnet of 8,000 to 10,000 computers:
• Email Threats Continue to Increase
    – 115 billion spam messages per day
    – Targeted Phishing Attacks (Spearphishing, Whaling)
• Web and Application Threats are Growing
    – 450,000 SQL/XSS Injection Attempts per Day
    – DNS Changers Re-Directing Users to Malware
• Mobile Threats Being Introduced
    – With PC-like Vectors
• Botnets are Proliferating
    – In 2008, 34.3 million PCs were infected with bot-associated
• Phishing targets by
   – Financial Institution 50%
   – Credit Card 19%
   – Auction 11%
   – Government 7.5%
   – On-line Payment 5.7%
   – On-line Shop 4.9%

[Chart: Country of Origin of Phishing Emails]
[Chart: Country of Origin for Embedded Web Links]

• Phishing = Deceptive emails
• Spearphishing = Targeted phishing
• Pharming = DNS based phishing
• SMiShing = Targets cellular texting
• Bluesnarfing = Bluetooth

Source: IBM X-Force 2010 Trend Statistics
The Cyber Crime Black Market
Stages of the value chain, from vulnerability discovery to cashing out, with the marketplace that links each stage to the next (the original diagram shows several independent actors performing each stage in parallel):

   Discover Vulnerability
      -> Vulnerability Marketplace
   Create Exploit
      -> Toolkit Marketplace
   Create Propagation/Attack Vector
      -> Botmasters (Collectors & Brokers)
   Attack Target
   Retrieve Information
      -> Information/Identity/Intellectual Property Auctions
   Monetize Information
   Launder Money
      -> Financing/Money Laundering
Organizational Risk Trends
   • Advanced Persistent Threats
   • Strong Rising Threats
      – Unstable Third Party Providers
      – Insecure Trading Partners
   • Rising Threats
      – Malicious/Disgruntled Insiders
      – Careless/Overworked Employees
      – Reduced Security Budgets
   • Steady Threats
      – Remote Workers
      – Software Downloading
Why Risk Management?
• IT + Business + Financial Risk
• Part of broader governance, risk or
  compliance initiative
• IT => Information Security focus
• Regulatory Compliance
• Measuring threats and costs
Mitigating Cyber Risk
•   Avoid it
•   Ignore it (we are not a target)
•   Accept it as part of doing business
•   Manage it (controls/processes)
•   Transfer it (insurance, escrow)
Risk Mitigation Measures
• IT/Information Security Risk Assessments
• Internal / External and Independent Testing:
   – Vulnerability (Scan) Analysis (network, application, database)
   – Penetration Testing (same, plus client-side)
   – Controls Testing (SAS-70, ISO-2700n, CoBIT, PCI, BITS FISAP)
• Implement, Test, and Continuously Improve:
   –   Data Classification & Protection Measures
   –   Training & Awareness
   –   Logging & Monitoring
   –   Patch/Configuration Management
   –   Network, Server, and Endpoint DLP
   –   AV, IDS/IPS, Proxies & Filters, DSRA
• Develop WISP - BR Team, BR Plan, COOP Approach
• Compliance Audits
IT Security Testing: A Three-Pronged Approach
2011 Forecast
•   Sophisticated, blended, APTs for the FIs
•   More smaller, reported breaches elsewhere
•   Social networking policy implementation rises
•   Ransomware and ransom attacks will grow
•   Data minimization and cloud solutions advance
•   Mobile data is ripe for the picking
•   Low-tech theft of data/devices increases
•   Alternative O/S attacks will increase
•   Microsoft still targeted; Web 2.0 is here to stay
2011 Forecast (continued)
•   More prevalent/deceptive social engineering methods
•   Privacy awareness / breach preparedness advances
•   Third-party data collection faces greater scrutiny
•   The underground economy will continue to flourish
•   Identity theft and spam will increase worldwide
•   Continuing exposure due to lost devices
•   Data encryption seen as means to compliance ends
•   Federal breach notification legislation comes in 2012?
•   Collaboration + Openness = Vulnerability to breach
Information Resources
• PGP/Ponemon Study
• Verizon Data Breach Investigations Report
• IBM X-Force Trend & Risk Report
• Betterley Report
• U.S. Dept. of Health & Human Services
• Privacy Rights Clearinghouse
• ePlace
• Sedona Conference Working Group on eDiscovery
• Identity Theft Resource Center (ITRC) Report
• Internet Crime Complaint Center (IC3) Report
• Center for Strategic & International Studies (CSIS)
• Forrester Research
Stephen Yesko, ARM
VA Office: (540) 338-7151
NY Office: (718) 775-9198

AXIS Capital Holdings

Security/Privacy Coverage- An Underwriting Perspective
Jeff Kulikowski, Axis Pro
Vice President, Regional Underwriting Manager

Agenda
• Security/Privacy Coverage Components and Coverage
• Known Breach Events
• Underwriting Overview
• Q&A
What Does The Coverage Provide?

• Proactive coverage grants and carrier support services that assist an Insured at the outset of a data breach, including:
   – Public Relations assistance
   – Costs to issue notification letters to affected (actual or
   – Credit Monitoring capabilities to affected individuals
• If a breach escalates into a claim for actual damages, then the policy provides reimbursement for defense costs and damages, subject to policy provisions
• Coverage is also available for the Insured’s loss of income, or costs to recreate/repair/replace data lost in the case of a Security Event
Security/Privacy Coverage- Common Insuring

• Base Form Coverage- access to full aggregate limit
   – Security and Privacy Liability
   – Media Liability (online/offline)
   – Computer System Extortion
• Sublimited Coverage
   – Crisis Management Expense
   – Regulatory Action Coverage
   – Crisis Fund
   – PCI-DSS Fines and Penalties Coverage
• First Party Coverage
   – Business/Network Interruption
   – Data Recovery/Information Asset Coverage
Understanding the Coverage- 1st Party v 3rd Party

• First Party Coverage: direct reimbursement to the Insured for costs they incur for the following
   – Crisis Management Expenses
   – Data Restoration/Information Asset
   – Business/Network Interruption
   – Regulatory Defense/Fines and Penalties
   – Cyber Extortion
• Third Party Coverage: defense costs and damages resulting from the following, which cause a 3rd Party financial loss
   – Security Liability
   – Privacy Liability
Security/Privacy Insurance- Coverage Triggers

• Accidental release or unauthorized disclosure of Personally Identifiable Information, Corporate Confidential Information or other confidential data
• Unauthorized Access to or Unauthorized Use of Protected Data on an Insured’s Computer System that directly results in theft, alteration, destruction, deletion, corruption or damage of Protected Data
• Failure to prevent a party from accessing a computer or network system under the control of the Insured, when the party has the intent to deny or disrupt service, cause network functionality to fail, transmit malicious code via the Insured’s networks, or deny/disrupt access to online services or computer system
• Transmitting or receiving Malicious Code via the Insured’s Computer system
Commonly Used Policy Terms

• Personally Identifiable Information (PII): SSN, Medical/Healthcare data, Driver’s License #/State ID, Financial Information (Credit Card #, Debit Card #), other non-public
• Corporate Confidential Information: info subject to a confidentiality agreement/NDA
• Malicious Code: computer virus, Trojan horse, or other code, script or software program designed to damage, harm or infect a
• Privacy Regulations: HIPAA, Gramm-Leach-Bliley, etc.
• Data Breach: a loss of PII or Corporate Confidential Information, regardless of medium or method
Typical Policy Provisions

• Common Carvebacks to Policy Exclusions and Definitions
   – Rogue Employee Coverage Carveback to the fraudulent/intentional acts exclusion
   – Misappropriation of Trade Secrets Carveback
   – Employee Retirement Income Security Act of 1974 Carveback
   – Employee Carveback to the Insured vs Insured Exclusion
   – Consumer Redress Fund to be included in the definition of
• Common Exclusions
   – Infringement of Patent
   – Employment Practices Liability
   – Unsolicited faxes, email, or other communication
   – Unlawful collection or acquisition of Protected Data
Known Breach Events

• TJX Companies-
   – 94,000,000 Affected Individuals
   – States Attorneys General V. TJX Companies- total of $9.5M spend establishing Discretionary Funds, data security Funds, and reimbursement of Plaintiff Attorney Fees
   – $40M settlement Pending with VISA
   – $13.5M Consumer Class Action Settlement in Massachusetts
• Heartland Payment Systems-
   – 130,000,000 Affected individuals
   – Numerous cases and settlements pending through the US with Consumers, Financial Institutions, Vendors, Payment Processors,
   – Notable Costs to date include $60M settlement with VISA, $3.5M settlement with American Express
Known Breach Events- continued

• CardSystems
   – 40,000,000 credit card numbers lost as a result of security breach/hacking incident
   – Class Action suit filed in 2005, but case was eventually closed as CardSystems filed Chapter 11 on 5/12/2006
• T-Mobile/Deutsche Telekom
   – 17,000,000 Customers’ data affected due to lost disk drive
• BNY Mellon Shareowner Services
   – 12,500,000 affected individuals due to lost backup tape
• American Honda Motor Company
   – 4,900,000 names, addresses, e-mail addresses, user names and VINs exposed from email list
How is Security/Privacy Coverage Underwritten?

• Industry/Class of Business
• Security Controls and Procedures
• Privacy Policy/Internal Controls
• Other Risk Controls
• Litigation Review
• Financial Analysis
Industry and Litigation Potential Analysis

• High Risk Industries include:
   – Healthcare
   – Finance
   – Retail
   – Leisure/Entertainment
   – Secondary and Higher Education
   – Utilities
• All other Industries still at risk, depending on the PII or Confidential Data held
Security/Privacy Risk Control Analysis

• Information Security and Privacy Policy
• Business Continuity/Disaster Recovery Plan
• Security/Privacy Compliance with Industry Standards
• Employee Restrictions for Data Access, and Data Classification
• User Profile Management
• Physical Security Controls
• Encryption methodology
• Data Storage Methodology
• Use of 3rd party applications (Firewall/IPS/IDS)
Other Risk Controls

• Vendor management
   – Identification of outsourced activities
   – Indemnification/Hold Harmless provisions
   – Vendor Selection and Auditing Procedures
   – Insurance Requirements
• Regulatory Compliance
• Recent Changes to Management or Auditors
• Other Risk Management Controls
Litigation Review

• Past Claims History
• Public Search of Breach History
• Claims within the Insured’s Industry
• State Requirements for Privacy Breach Response
• Review of Pending Industry Regulations
Financial Review

• Revenue Levels and Projections
• Income Statement
• Balance Sheet
• Cash Flow Statement
• Were any key accounting conventions changed?
Axis Capital Holdings Ltd.

• Founded in November 2001 ($1.7b start-up capital)
   – Strong balance sheet - $5.6 Billion of Shareholders Equity
   – $3.5 Billion in Premium for the FYE 2010
   – No legacy exposures
• IPO July 2003 – NYSE: AXS
• Rated A XV (AM Best) ; A+ Strong (S&P) (Upgrade February
• Specialty Lines Insurance and Treaty Reinsurance
• AXIS website:
Wells Fargo Insurance Services

NJ RIMS Meeting – June 14, 2011
Network Security & Privacy Liability

Presented by:
Meredith Schnur
Professional Risk Group

• Regulatory Environment
• What Should You Be Asking?
• Vendor Management
• Gaps in Traditional Insurance
• Resources
• eRisk Hub
• Primary Markets
• Marketing & Underwriting Process
Legal Issues & The Regulatory Environment
Legislation has now imposed affirmative duties on companies as to how they handle data, principally client/customer information:

• Gramm Leach-Bliley Act: Requires financial institutions to safeguard customers’ records and information against unauthorized access. Imposes major privacy and security requirements on financial services companies

• Health Insurance Portability and Accountability Act (HIPAA): Healthcare organizations required to safeguard individually identifiable health information. Imposes penalties on organizations that violate HIPAA (further amended by the HITECH Act)

• California SB1386: A California law requiring companies to notify their CA customers and employees of computer security breaches. The law applies to any business that stores customer and employee information electronically even if the company is not based in the Golden State.

• Privacy Breach Notification Laws: Spreading of California SB 1386; adopted by 46 states as of December 2010. Duty to notify customers where consumer/customer information has been compromised (electronic or non-electronic means, state legislation varies)

• Massachusetts Privacy Law 201 CMR 17.00: This law is the first state law to require specific technology when protecting personal information. If you do business with residents in MA or have employees that reside in MA, compliance is mandatory by March 1, 2010.
Legal Issues & The Regulatory Environment (continued)

• PCI Security Standards: The standards globally govern all merchants and organizations that store, process or transmit cardholder data. PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI fines not generally covered under insurance policies).

• FACTA (Fair and Accurate Credit Transactions Act): Prohibits businesses from printing more than 5 digits of any customer’s credit card number or card expiration date on any receipt issued at a point of sale. For machines in use before 1/1/05, the merchant has 3 years to comply. For machines in use after 1/1/05, the merchant has one year to comply.

• Red Flag Rules: Established by FACTA, requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.

• Federal HITECH Act – health plans, health care providers and health care clearinghouses (i.e. Covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures. Requires that any data breach event exceeding 500 records be reported to the Department of Health and Human Services.
What Should You Be Asking?
• Have we analyzed our cyber liabilities?
• What legal rules apply to the information we maintain or that is kept by vendors, partners and other third parties? The laws surrounding breaches are complex.
• Have we assessed our legal exposure to governmental investigations?
• Have we assessed our exposure to suits by our customers, vendors or suppliers?
• Have we protected our organization in contracts with vendors?
• What laws apply in different states and countries in which we conduct business?
• Do we have adequate staffing to reasonably maintain and safeguard our important assets and processes?
• Have we prepared an incident response plan and business continuity plan?
• Do we have a documented, proactive crisis communications plan?

It is critical to have a solid incident response plan in place prior to any security or privacy breach.

** Questions supplied by “The Financial Impact of Cyber Risk” publication – American National Standards Institute (ANSI) and Internet Security Alliance.
Vendor Management & Requirements
• IT/Software Companies
   – Request Tech E&O to include network security/privacy coverage
   – Some Tech E&O policies have security/privacy exclusions
• Other Business Services – Payroll, Auditors
   – Request appropriate E&O coverage to include network security/privacy
• Credit Card Processors/Acquiring Banks
   – Request Network Security/Privacy Coverage
• Other Vendors that interact with your systems or sensitive information, or handle information on your behalf
   – Request Network Security/Privacy Coverage
Gaps in Traditional Insurance
Why is this not covered elsewhere?

• Commercial General Liability Insurance: Typically covers bodily injury and property damage to “tangible” property. Data and software are considered to be “intangible”

• Property Insurance: Typically responds to “direct physical loss” by a covered peril (i.e. fire, windstorm). Intangible property is not covered under Business Interruption and Extra Expense

• Fidelity/Crime Insurance: Typically provides coverage to the organization for losses resulting from the theft of money, securities and “other tangible property.” Information theft is not covered under a standard fidelity bond. “Other property” does not include proprietary information, confidential information or copyrights, trademarks, etc.

• Professional Errors & Omissions: Typically only covers financial loss arising out of professional services to others. Computer attacks do not fall within the provision of “professional services,” and some E&O policies will exclude coverage caused by “unauthorized access.”

• Technology Errors & Omissions: Covers only financial loss arising out of technology services performed for others. If in the provision of technology services, your negligence leads to an unauthorized access or transmission of a virus, coverage would apply. However, if an employee commits an intentional act or if an outside hacker, unrelated to services provided by you, causes a customer to suffer a financial loss, no coverage would apply under a typical technology errors & omissions policy. Most Technology E&O policies can be extended to cover network security and privacy related exposures.

Resources
 – data breach chronology recorded by year and by industry class
 – updated statistics on privacy breaches (see following page)
 – regulations and breaches in excess of 500 records as mandated by HITECH
 – information portal for WFIS clients
eRisk Hub
• Learning Center
• News Center
• Incident Road Map
• Free Breach Coach
• Resource Directory
• Risk Manager Tools
Primary Markets

Markets*                                                                  Best Rating
ACE USA                                                                   “A+” XV
Allied World/Darwin Group                                                 “A” XV
Arch                                                                      “A” XV
Axis                                                                      “A” XV
Beazley USA                                                               “A” VIII
Chartis                                                                   “A” XV
Chubb Group                                                               “A++” XV
CNA                                                                       “A” XV
Digital Risk Managers (MGA writing on Lloyds paper – Brit, Kiln, ACE)     “A” XV
Hartford                                                                  “A” XV
Hiscox USA                                                                “A” VIII
Ironshore                                                                 “A-” XIII
London Markets (Beazley, Hiscox, Brit, Kiln, ACE, Barbican, CFC)          “A” XV
One Beacon                                                                “A” XV
Philadelphia                                                              “A” XV
RLI                                                                       “A+” X
Zurich North America                                                      “A” XV
XL                                                                        “A” XV

* Many additional carriers will offer this coverage on an excess basis
Marketing & Underwriting Process

Step 1: Evaluation of Exposures: consultation to determine exposures – First Party, Third Party and/or Privacy
Step 2: Required Applications and/or Assessment Completed
Step 3: Marketing Process: submit application to selected markets to solicit proposals
Step 4: Proposal Analysis and Discussions
Step 5: On-line Security Assessment and/or Conference Call with
Step 6: Binding the Coverage
