Cybersecurity and Nonprofit

Transcription

1 Cybersecurity and Nonprofit

2 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer

3 3 3 Cybersecurity and Nonprofit Terminology Cyber: Having to do with a computer or computing system IoT (Internet of Things): Any device that can be addressed (connected) to the internet Threat: Any circumstance or event with the potential to cause harm to an information system Threat Actor: Bad guy Threat Vector: Modus Operandi Vulnerability: Any condition that creates susceptibility of the information system to a threat Exploit: The successful execution of a threat via a present vulnerability Risk: A relative measure based on the likelihood of an exploit (combination of threat and vulnerability) and the resulting impact of the adverse event on the organization

4 4 4 Cybersecurity and Nonprofit Cyber by the numbers 4.16 Billion = Internet users globally, with over 345 Million in North America (1) 10,323,848,439 = Since 2005, the number of breached records REPORTED in the USA (2) 11,176,988 total in 2016 (2) 1,931,816,163 total in 2017 (2) 263,851,278 total in (as of April 27, 2018) 8042= Since 2005 the number of data breaches REPORTED in the USA (2) 812 data breaches in 2016 (2) 587 data breaches in 2017 (2) 201 data breaches in 2018 (as of April 27, 2018) 1. Estimated Internet Users is 4,156,932,140 as of December 31,

5 5 5 Cybersecurity and Nonprofit Cyber by the numbers Year Records Breaches ,101, ,580, ,683, ,782, ,576, ,920, ,910, ,559, ,398, ,308,560, ,284, ,619,627, ,931,816, ,851, WannaCry: Over 200,000 victims 3,000 in the US Over 350,000 computers infected Numbers reflect only the original attack from May 12-15, 2017 These are only the KNOWN (reported) numbers. Post incident forensics may cause record counts to change or be updated. 10,323,652,234 8,042 Based on data sourced from

6 6 6 Cybersecurity and Nonprofit Cyber by the numbers Type Industry Records Breaches BSR Retail/Merchant 698,539, BSF Financial/Insurance 633,365, GOV Gov't/Military 227,407, MED Healthcare 228,512, BSO Business-Other 8,505,749, EDU Educational 25,143, NGO Nonprofit 4,934, All Years (2005 to present) by Industry Based on data sourced from 10,323,652,

7 7 7 Cybersecurity and Nonprofit Implications for Nonprofit But We only know the numbers (breaches, records, incidents, etc.) that are reported. There are legal obligations to report compromised: o Personally Identifiable Information (PII) o Protected Health Information (PHI) o Payment Card Information (PCI) What other data might be at risk? Business and financial documents Legal documents Internal communications Network infrastructure Sensitive information and personal life details

8 8 8 Cybersecurity and Nonprofit Complicating the problem Thinking I don t have credit card information, I m not a target Cybersecurity can be an afterthought or not even considered Small, overworked teams IT staff not trained in information security Stagnant controls for the organization Lack of awareness of where technology is used and the data being held Lack of preparedness when an incident occurs Limited funds and resources for investing in technology, let alone security.

9 9 9 Cybersecurity and Nonprofit What is changing? Emerging threats: Business interruption o DDoS (Distributed Denial of Service) Ransomware Supply chain interruption Espionage (state sponsored and corporate) Destructive malware Old threats still exist Regulatory landscape changing EU s GDPR (General Data Protection Regulation) US laws updating and changing Other countries are developing and or adopting privacy and cyber regulations.

10 10 Cybersecurity and Nonprofit GDPR EU s GDPR (General Data Protection Regulation) Individual Rights Right to access Right to erasure (aka Right to forget) Data portability Consent Other Key Components: Sanctions Data protection by design and by default Records of processing activities

11 11 Potential Cyber Threats What are the primary threats? At the center Stationary device theft Hacking Portable/mobile workers Physical theft/loss Hacking Unintended disclosure People Stolen credentials Social engineering o Phishing, etc.

12 1 12 Potential Cyber Threats What are the primary threats? IoT and advances in technologies are increasing exposure Process Interruption/Disruption Property Damage Bodily Injury Hacking Often a back door Many organizations are unaware of just what is connected

13 1 13 Who is Exploiting these Threats Who are the bad actors The Face of a Hacker example Targeted vs. crime of opportunity Very organized business General Categories : Criminals o Organized crime o Thieves Insiders Competitors Hacktivists Nation states o Espionage o Sabotage

14 1 14 Insurance and How it Helps Why do I need insurance, I m a Nonprofit? According to the Kroll Global Fraud Risk Report 2017: Construction, Engineering and Infrastructure 67% of respondents affected by security incident in past year 83% of respondents affected by internet fraud in past year 93% of respondents affected by cyber incidents in past year The construction sector posted the greatest yearover year increase in internet fraud incidents Source: Kroll Global Fraud Risk Report 2017

15 1 15 Insurance and How it Helps How does insurance work into the cyber threat? It is not possible to be 100% secure from a cyber-attack, however, there are a number of measures companies can take to reduce their risk and minimize consequences and recovery time. Protection Pre-Breach Protection Post Breach Protection Traditional IT Security NIST Framework: Identify, Protect and Detect NIST Framework: Respond and Recover Insurance

16 1 16 Insurance and How it Helps I ve had a breach, what is this going to cost me? Legal Liability Class action litigation Suits from Customers and Vendors Regulatory Fines and Penalties HIPAA, FTC, GLBA Forensics Type of data taken, how much, which databases/applications were compromised Notification Costs Printing, postage or other communications to customers Credit monitoring services Call center services Crisis Management Costs Legal, public relations or other service fees Advertising or related communications to restore reputation Business Interruption Losses Loss of Income Costs to Recreate Lost or Stolen Data Extra Expenses Reputational Damage Loss of customers Decreased shareholder value Source: Ponemon Institute 2017 Cost of Data Breach Study $3.62 million is the worldwide average total cost of a data breach $141 is the average cost per lost or stolen record 27.7% is the likelihood of a recurring material data breach over the next two years

17 17 Insurance and How it Helps What Insurance products are available from Zurich? Zurich Basic Security & Privacy Policy Zurich Broad Security & Privacy Policy Zurich Umbrella Part D: Cyber for Construction Liability Regulatory Proceedings Privacy Breach Costs Liability / Regulatory Proceedings Internet Media Privacy Breach Costs Business Income Loss Dependent Business Income Loss Digital Asset Replacement Expense Cyber Extortion Threat and Reward Payments Liability Regulatory Proceedings Privacy Breach Costs Attaches to umbrella but is primary cyber coverage

18 1 18 Insurance and How it Helps How does insurance work You purchase Cyber Insurance Zurich claims team works with you to ensure the best optimization of your insurance policy Post-Bind access to Risk Engineering and other Services Zurich Claims Team can assist response if needed You suffer a Privacy or Security Event You access your breach coach and respond to the event (depends on type of event)

19 1 19 Insurance and How it helps Steps to a healthy cyber security and insurance program Understand the specific threats to your company, both immediate and long term reputation, data held, supply chain, business interruption Evaluate current and future needs (including technology, training and insurance) Ensure all employees and management have an understanding of cyber risk and treats your company faces. Promote a cyber-risk management culture and thoughtfulness Seek expert help to ensure your priorities are recognized Culture Understand Threats Insurance

20 2 20 Scenario #1 Ransomware attack in 2018 Shut down 2,000 computers Cleanup bill is currently up to $1.5 Million dollars and they have only recovered 80% to where they were pre-attack (as of 60 days post attack). This is for clean up and recovery ONLY. No legal fees or fines included

21 2 21 Scenario # found a virus in an organizations system Virus originally was released back in 2011 Not destructive inherently, it blocked certain security websites and exfiltrated data (in general not targeting any particular type) Cost : $2,500,000 dollars

22 2 22 Key Takeaways Accept that you have something that is valued by others and that you are a target, regardless of your size Promote a cyber-risk management culture and thoughtfulness Know what you are protecting Keep up with patching Encrypt whenever possible Control access, especially privileged access Expect and prepare for a cyber event Understand your insurance coverage IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER

23 23 Thank You! The information in this publication was compiled by The Zurich Services Corporation from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy. Risk Engineering services are provided by The Zurich Services Corporation The Zurich Services Corporation. All Rights Reserved.