CYBER INSURANCE: A DEEP DIVE

Transcription

1 CYBER INSURANCE: A DEEP DIVE Jdy Selby Febrary 24, 2017 BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by garantee, and forms part of the international BDO network of independent member firms.

2 WITH YOU TODAY JUDY SELBY Managing Director BDO Conslting Technology Advisory Services Page 2

3 AGENDA Page 3 Today s Threat Landscape Understanding Yor Risk Cybersecrity Risk Management Overview Cybersecrity Mitigation Cyber Insrance Conclsion

4 TODAY S THREAT LANDSCAPE Page 4

5 CYBERSECURITY TODAY INTERNAL THREAT: Internal actors were responsible for 43% of data loss, half of which is intentional, half accidental. TODAY S THREAT LANDSCAPE Page 5 COMPUTER INTRUSIONS: This year, companies that had data breaches involving less than 10,000 records, the average cost of data breach was $4.9 million and those companies with the loss or theft of more than 50,000 records had a cost of data breach of $13.1 million. BUSINESS COMPROMISE: Between Janary 2015 and Jne 2016, there has been a 1,300% increase in identified exposed losses, a combined exposed dollar loss of more than $3 billion. RANSOMWARE: Nearly 80% of organizations [srveyed in the U.S.] have been victim of a cyber attack dring the past 12 months and nearly 50% have been victim of a ransomware attack. Intel Secrity Report, Grand Theft Data: Data exfiltration stdy: Actors, tactics, and detection 2016 Data Breach Stdy: United States, Benchmark research sponsored by IBM Independently condcted by Ponemon Institte LLC, Jne 2016 FBI Pblic Service Annoncement, Jne 14, 2016; Alert Nmber I PSA Understanding the Depth of the Global Ransomware Problem, Osterman Research Srvey Report, Pblished Agst 2016, Sponsored by Malwarebytes

6 TODAY S LANDSCAPE: DATA BREACHES BY THE NUMBERS 48% TODAY S THREAT LANDSCAPE $4 million 29% average cost of a data breach increase in total cost of data breach since 2013 cased by malicios or criminal attacks $158 average cost per lost or stolen record Page 6 $355 average cost per lost or stolen record in healthcare organizations 2016 Data Breach Stdy: Global Analysis, Benchmark research sponsored by IBM Independently condcted by Ponemon Institte LLC Jne 2016

7 CYBER INTRUSIONS INCREASING HackingTeam ü Rate of breaches increasing since 2005 ü Cross-indstry impact: healthcare, retail, insrance, technology, financial services ü Mltiple types of breaches/threats ü Hottest breaches phishing and ransomware Page 7

8 ANATOMY OF A HACK Page 8

9 UNDERSTANDING YOUR RISK Page 9

10 UNDERSTANDING YOUR RISK + THREAT VULNERABILITY CONSEQUENCE RISK Page 10

11 TARGETED DATA PII PCI PHI Defense, National Secrity, Critical Infrastrctre IP Bsiness Intelligence MNPI Page 11

12 LIFE CYCLE OF DATA PRIVACY AND PROTECTION Creation / Collection UNDERSTANDING YOUR RISK Disposition Storage Dration Use Page 12

13 MOTIVATIONS AND INCENTIVES Page 13

14 EMPLOYEE RISKS Employees as cyber targets UNDERSTANDING YOUR RISK Page 14 Phishing Spear Phishing / Social Engineering spoofing and hijacking Negligent Employees Non-compliant Employees

15 VULNERABILITIES SOFTWARE PATCHING Lack of software pdates UNDERSTANDING YOUR RISK ACCESS CONTROL Who has access to yor system and do they really need it? THIRD PARTY VENDORS Are yor third party vendors secre? PEOPLE Internal actors p to no good or being exploited Page 15

16 CYBERSECURITY RISK MANAGEMENT OVERVIEW Page 16

17 WHAT IS CYBERSECURITY RISK MANAGEMENT PROGRAM? CYBERSECURITY RISK MANAGEMENT OVERVIEW Integrated set of policies, processes, technologies and controls that minimize vlnerabilities and protect against threat to spport Confidentiality information kept private and secre Integrity data not inappropriately modified, deleted or added Availability systems/information available to whom reqires them Page 17

18 A HOLISTIC APPROACH CYBERSECURITY RISK MANAGEMENT OVERVIEW Page 18

19 CYBERSECURITY MITIGATION Page 19

20 BDO CYBERSECURITY FRAMEWORK Key Policy & Process Domains Governance & Strategy Cybersecrity Lifecycle IDENTIFY Data privacy / Cybersecrity risk protection profile management Identity & access management Cybersecrity risk ASSETS management program Threat & risk intelligence Third party / vendor RECOVER INTEGRITY AVAILABILITY CONFIDENTIALITY management Incident response & planning PROTECT VULNERABILITIES THREATS optimization Metrics / reporting Page 20 and responsibilities (Board of Directors, Exective Management, etc.) Investment Asset inventories Training / awareness Organization roles RESPOND DETECT Legal & compliance Cyber insrance

21 THREAT INTELLIGENCE CYBERSECURITY MITIGATION Page 21 Private Sector Threat Information Government Classified and Unclassified Evidence and Intelligence Cyber Threat Intelligence

22 INFORMATION SHARING CHANNELS CYBERSECURITY MITIGATION Page 22

23 CYBER INSURANCE Page 23

24 THE GROWING CYBER INSURANCE MARKET Proportion of companies bying secrity & privacy insrance 65% CYBER INSURANCE 35% Page 24 SOURCE:

25 THE GROWING CYBER INSURANCE MARKET View cyber risk as a significant threat CYBER INSURANCE Personal datadriven indstries 76% Non-data-driven indstries 55% Prchase secrity & privacy insrance Personal datadriven indstries 78% Non-data-driven indstries 59% Page 25 SOURCE:

26 THE GROWING CYBER INSURANCE MARKET C-site exectives who view cyber secrity as a significant threat 85% CYBER INSURANCE 58% Page 26 21% Have no employee edcation program in place SOURCE:

27 Information (own and of others) Bsiness Reptation/Crisis Management Bsiness Interrption Reglatory Investigations POTENTIAL EXPOSURES Media Liability Cyber Extortion Third Party Liability Network Itself Page 27

28 INSURABLE CYBER RISKS CYBER INSURANCE Legal liability to others for compter secrity breaches Legal liability to others for breaches of confidential information Reglatory actions, fines and investigations Loss or damage to data and information Loss of revene de to a compter attack Extra expense to recovery or respond to a compter attack Loss or damage to reptation Cyber-extortion Cyber-terrorism Page 28

29 First Party COVERAGE GRANTS Damage to digital assets Bsiness interrption CYBER INSURANCE Extortion Privacy breach expenses Third Party Privacy liability Network secrity liability Internet media liability Reglatory liability Contractal liability Page 29

30 AVAILABLE COVERAGES CYBER INSURANCE Network Secrity Liability Liability to a third party as a reslt of a failre of yor network secrity to protect against destrction, deletion, or corrption of a third party s electronic data, denial of service attacks against internet sites or compters; or transmission of virses to third party compters and systems. Privacy Liability Liability to a third party as a reslt of the disclosre of confidential information collected or handled by yo or nder yor care, cstody or control. Incldes coverage for yor vicarios liability where a vendor loses information yo had entrsted to them in the normal corse of yor bsiness. Page 30

31 AVAILABLE COVERAGES Reglatory Investigative Defense Coverage for legal expenses associated with representation in connection with a reglatory investigation, inclding indemnification of fines and penalties where insrable. CYBER INSURANCE Event Response and Crisis Management Expense Expenses incrred in response to a data breach event, inclding retaining forensic investigator, crisis management. Cyber Extortion Ransom and/or investigative expenses associated with a threat directed at yo that wold case an otherwise covered event or loss. Page 31

32 AVAILABLE COVERAGES Network Bsiness Interrption Reimbrsement of yor loss of income and/or extra expense reslting from an interrption or sspension of compter systems de to a failre of technology. Incldes coverage for dependent bsiness interrption. CYBER INSURANCE Data Asset Protection Recovery of costs and expenses yo incr to restore, recreate, or recollect yor data and other intangible assets that are corrpted or destroyed by a compter attack. Page 32

33 UNDERWRITING FACTORS Indstry Process CYBER INSURANCE Size of company Type and volme of data Risk management Technology Incident response Claims People Page 33

34 COVERAGE DANGER ZONES CYBER INSURANCE Notice to the Insrer Retention of Consel or Forensics Firm Before Notice Panel Firms? Pre-Notice Costs Effect of Breach Start Date Isses with Bsiness Interrption Coverage Valing a Cyber Claim Are the Limits Sfficient? Page 34

35 PCI ISSUES CYBER INSURANCE Fines Penalties Assessments PFIs PCI Compliance Certifications PCI Recertification Affirmative Claims Against Processor, Card Brands, and QSAs Coverage for costs of responding to sbpoenas or civil investigative demands Page 35

36 NON-PII CYBER EVENTS CYBER INSURANCE Intellectal Property Proprietary and Confidential Bsiness Information Bodily Injry Property Damage Page 36

37 EFFECTIVE INDEMNITY AGREEMENTS Privacy Liability CYBER INSURANCE Page 37 With respect to all Insring Clases, [Federal] shall not be liable for any Loss on accont of any Claim, or for any Expense... based pon, arising from or in conseqence of any... liability assmed by any Insred nder any contract or agreement.

38 CYBER INSURANCE BUSINESS INTERRUPTION CONCERNS With respect to the NETWORK INTERRUPTION INSURING AGREEMENT of this Clase 1., solely with respect to a Secrity Failre first occrring dring the Policy Period and reported to the Insrer prsant to the terms of this policy, this Network Interrption Coverage Section affords the following coverage: NETWORK INTERRUPTION INSURING AGREEMENT The Insrer shall pay all Loss in excess of the Remaining Retention that an Insred incrs after the Waiting Hors Period and solely as a reslt of a Secrity Failre. (l) Waiting Hors Period means the nmber of hors set forth in Item 6 of the Declarations that mst elapse once a Material Interrption has begn. Page 38

39 HOW DO YOU SUBMIT A CLAIM? CYBER INSURANCE Page 39 Docmentation reqirements Application of waiting periods/sb-limits (e.g., bsiness interrption verss network interrption) Common items of dispte in the adjstment process

40 CONCLUSION Page 40

41 OUR CYBERSECURITY SERVICES Page 41 Cyber Risk Management Strategy & Program Design Cyber Risk Assessment & Secrity Testing Data Privacy & Protection Secrity Architectre & Transformation Incident Response Planning Bsiness Continity Planning & Disaster Recovery Digital Forensics & Cyber Investigations Cyber Insrance Claim Preparation & Coverage Adeqacy Evalation

42 JUDY SELBY Managing Director BDO Conslting Technology Advisory Services SPEAKER BIO Jdy Selby is a Managing Director in BDO Conslting s Technology Advisory Services practice, having more than 20 years of experience in insrance and technology. Known as one of the premier voices in legal technology by Legaltech News, she conslts with clients on cyber insrance, cybersecrity, information governance, data privacy and complex insrance matters. She advises clients on best practices for handling information throghot its life cycle, from creation or collection throgh disposition. In addition, Jdy works with organizations and their consel to advise on data privacy and cyber insrance isses, having depth of experience in coverage adeqacy evalation, international arbitration and all phases of insrance coverage litigation. Prior to joining BDO, Jdy was a partner at Baker Hostetler, where she was cochair of the Information Governance team and fonder of the ediscovery and Technology team. She is the co-chair of the Claims and Litigation Management (CLM) Alliance Cyber Liability Committee and serves on the Law360 Insrance and Legaltech News editorial boards. Jdy has completed corses on the internet of things (IoT), big data, crisis management / bsiness continity and cybersecrity at the Massachsetts Institte of Technology. Page 42

43 Abot BDO Conslting BDO Conslting, a division of BDO USA, LLP, provides clients with Financial Advisory, Bsiness Advisory and Technology Services in the U.S. and arond the world, leveraging BDO s global network of more than 64,000 professionals. Having a depth of indstry expertise, we provide rapid, strategic gidance in the most challenging of environments to achieve exceptional client service. BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assrance, tax, advisory and conslting services to a wide range of pblicly traded and privately held companies. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by garantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: Material discssed is meant to provide general information and shold not be acted on withot professional advice tailored to yor firm s individal needs BDO USA, LLP. All rights reserved.