Cyber Insurance: What is your bank doing to manage risk? David Kitchen, presented by Lisa Micciche
Today's Agenda
Claims Statistics
Common Types of Cyber Attacks
Typical Costs Incurred to Respond to an Incident
Prevention and Remediation Tips
We will not cover:
Overview of notification laws (US State, HIPAA, GDPR, etc.)
Communication strategies
Regulatory notifications and investigations
2017 Cyber Claims: Reported Claims by Industry
Financial Sector 18%
Professional Sector 18%
Retail/Wholesale 12%
Manufacturing 10%
Business Services 10%
Other 8%
Energy & Transportation 8%
Media & Technology 8%
Public Entity & Non-Profit 5%
Hospitality 5%
Source: AIG Cyber Claims Study 2018
2017 Cyber Claims: Reported Claims by Type, Across Industries
Extortion 29%
Data Breach 19%
Security Failures 15%
Impersonation Fraud 9%
Other 8%
Virus Infection (Non-Ransomware) 8%
Physical Loss of Assets 6%
Regulatory Issues 4%
Denial of Service Attack 2%
Source: AIG Cyber Claims Study 2018
2017 Cyber Claims: Community Banks
Reported Claims by Type (Community Banks)
ADA 37%
Data / System Breach 35%
Impersonation Fraud 14%
Physical Data Loss 8%
Phishing 3%
Ransomware 2%
Intellectual Property 1%
Claims Losses by Type (Community Banks)
Impersonation Fraud 51%
Intellectual Property 23%
Data / System Breach 13%
Ransomware 7%
ADA 6%
Top 3 Security Risks
Remote access ability
Weak password requirements
Lack of education (phishing)
What happened?
Industries Affected Source: BakerHostetler Data Security Incident Response Report 2018
Data at Risk Source: BakerHostetler Data Security Incident Response Report 2018
Timeline: Incident Response Trends Source: BakerHostetler Data Security Incident Response Report 2018
Overall Source: BakerHostetler Data Security Incident Response Report 2018
W-2 and Business Email Compromise
Scammers use emails purporting to come from a target organization's CEO, asking HR and accounting personnel for employee W-2 information. Last year, scammers also phished the online payroll management account credentials used by corporate HR professionals.
Business Email Compromise Examples
Version 1: Bogus Invoice, Supplier Swindle, and Invoice Modification
A business with a long-standing relationship with a supplier is asked to wire funds for an invoice payment to an alternate, fraudulent account. If the request arrives by e-mail, the fraudster spoofs the sender so that it appears similar to a legitimate account, and close scrutiny is needed to determine that it is fraudulent. If the request arrives by fax or phone call, it mimics a legitimate request.
Version 2: CEO Fraud, Business Executive Scam, Masquerading, and Financial Industry Wire Frauds
Email accounts of business executives (CFO, CTO, etc.) are compromised; the account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee who is normally responsible for processing these requests. In some instances, the request is sent directly to the financial institution with instructions to urgently send funds to bank X for reason Y.
Version 3
An employee has his or her personal e-mail hacked. Requests for invoice payments to fraudster-controlled bank accounts are sent from the employee's personal e-mail to vendors identified from the contact list. The business may not become aware of the fraudulent requests until the vendors contact it to follow up on the status of their invoice payment.
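The three versions above share a few observable traits: a sender address that merely resembles a known supplier or executive, an executive's display name on an outside address, a Reply-To that points somewhere else, and wording that changes payment instructions. The screening check below is an added illustration (not part of the presentation); the bank domain, supplier domain, executive name and sample message are all constructed, and the similarity threshold is an assumption.

```python
"""Added example: flag incoming e-mail showing the BEC traits described above."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory of domains and executives the bank already knows.
TRUSTED_DOMAINS = {"examplebank.com", "acme-supplies.com"}
EXECUTIVES = {"jane doe": "jdoe@examplebank.com"}
WIRE_PHRASES = ("wire", "updated banking", "new account", "urgent", "routing")
# Character swaps commonly used to build lookalike domains.
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Undo typical homoglyph substitutions so lookalikes compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_SWAPS)


def lookalike(domain: str):
    """Return the trusted domain that `domain` imitates, or None if trusted/unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # 0.85 is an assumed threshold; tune it against real mail volume.
        if norm == trusted or SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted
    return None


def score_message(headers: dict, body: str) -> list:
    """Return the BEC indicators found; an empty list means nothing suspicious."""
    from_name, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []
    target = lookalike(from_domain)
    if target:
        flags.append(f"lookalike domain {from_domain} imitates {target}")
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' but address is not {expected}")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append("Reply-To domain differs from From domain")
    if any(p in body.lower() for p in WIRE_PHRASES):
        flags.append("payment-instruction wording present")
    return flags


if __name__ == "__main__":
    # Constructed sample: CEO-fraud style request sent from a lookalike domain.
    hdrs = {"From": '"Jane Doe" <jane.doe@examp1ebank.com>'}
    print(score_message(hdrs, "Please wire the invoice to our updated banking details, urgent."))
```

A hit should route the message to out-of-band verification of the payment change, which is the control that defeats all three versions.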
Account Takeovers
Phishing Statistics
Threat Vector Tactics: The Most Used Email Lures Source: Proofpoint, The Human Factor 2016
Ransomware on the Rise
On April 29, 2016, the FBI issued a warning that ransomware attacks are on the rise. Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. Hollywood Presbyterian Medical Center paid 40 bitcoins (about $17,000) to hackers who were holding its computer network hostage.
Ransomware is here to stay
Critical reliance on technology
New iterations affect mobile and IoT devices
Low entry cost for cybercriminals
Business-oriented ransomware models are:
Developing new strains
Engaging in customer service
Data mining
A Simplified View of a Data Breach
Discovery of a Data Breach: theft, loss, or unauthorized disclosure of PHI, PII, PCI
Evaluation of the Data Breach: forensic investigation and legal review
Managing the Short-Term Crisis: notification and credit monitoring; public relations
Handling the Long-Term Consequences: class-action lawsuits; regulatory fines, penalties, and consumer redress; reputational damage; income loss
Responding to Security Incidents is Costly Source: BakerHostetler Data Security Incident Response Report 2018
Be Compromise Ready
Threat information gathering
Technology: preventative & detective
Personnel awareness & training
Security assessments
Understand where assets and sensitive data are located
Implement reasonable safeguards
Increase detection capabilities
Vendor management
Incident response plan and tabletop exercises
Insurance
Ongoing diligence and oversight
Incident Response Trends
1. Increase awareness of cybersecurity issues
2. Identify and implement basic security measures
3. Create a forensics plan
4. Build business continuity into your incident response plan
5. Manage your vendors
6. Combat ransomware
7. Purchase the right cyber insurance policy
8. Implement a strong, top-down risk management program
9. Adopt updated password guidance, and implement MFA or other risk-based authentication controls
10. Keep data secure in the cloud
11. Prepare for more regulatory inquiries
We welcome your questions at this time.
Thanks for your participation
Contact information
David Kitchen, BakerHostetler, dkitchen@bakerlaw.com, 216-861-7060
Lisa Micciche, ABA Insurance Services, lmicciche@abais.com, 216-220-1297