CYBER INSURANCE: A DEEP DIVE


CYBER INSURANCE: A DEEP DIVE
Judy Selby
February 24, 2017
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

WITH YOU TODAY
JUDY SELBY
Managing Director, BDO Consulting, Technology Advisory Services
+1 203-905-6252
jselby@bdo.com

AGENDA
- Today's Threat Landscape
- Understanding Your Risk
- Cybersecurity Risk Management Overview
- Cybersecurity Mitigation
- Cyber Insurance
- Conclusion

TODAY'S THREAT LANDSCAPE

CYBERSECURITY TODAY
- INTERNAL THREAT: Internal actors were responsible for 43% of data loss, half of which is intentional, half accidental.
- COMPUTER INTRUSIONS: This year, for companies that had data breaches involving less than 10,000 records, the average cost of data breach was $4.9 million, and companies with the loss or theft of more than 50,000 records had a cost of data breach of $13.1 million.
- BUSINESS E-MAIL COMPROMISE: Between January 2015 and June 2016, there has been a 1,300% increase in identified exposed losses, a combined exposed dollar loss of more than $3 billion.
- RANSOMWARE: Nearly 80% of organizations [surveyed in the U.S.] have been victim of a cyber attack during the past 12 months and nearly 50% have been victim of a ransomware attack.
Sources:
- Intel Security Report, Grand Theft Data: Data exfiltration study: Actors, tactics, and detection
- 2016 Data Breach Study: United States, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC, June 2016
- FBI Public Service Announcement, June 14, 2016; Alert Number I-061416-PSA
- Understanding the Depth of the Global Ransomware Problem, Osterman Research Survey Report, Published August 2016, Sponsored by Malwarebytes

TODAY'S LANDSCAPE: DATA BREACHES BY THE NUMBERS
- $4 million: average cost of a data breach
- 29%: increase in total cost of data breach since 2013
- 48%: caused by malicious or criminal attacks
- $158: average cost per lost or stolen record
- $355: average cost per lost or stolen record in healthcare organizations
Source: 2016 Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC, June 2016

CYBER INTRUSIONS INCREASING
[Figure: timeline of breaches, 2005 to 2016; surviving label: HackingTeam]
- Rate of breaches increasing since 2005
- Cross-industry impact: healthcare, retail, insurance, technology, financial services
- Multiple types of breaches/threats
- Hottest breaches: phishing and ransomware

ANATOMY OF A HACK

UNDERSTANDING YOUR RISK

UNDERSTANDING YOUR RISK + THREAT VULNERABILITY CONSEQUENCE RISK

TARGETED DATA
- PII
- PCI
- PHI
- Defense, National Security, Critical Infrastructure
- IP
- Business Intelligence
- MNPI

LIFE CYCLE OF DATA PRIVACY AND PROTECTION Creation / Collection Disposition Storage Duration Use

MOTIVATIONS AND INCENTIVES

EMPLOYEE RISKS
Employees as cyber targets
- Phishing
- Spear Phishing / Social Engineering
- Email spoofing and hijacking
- Negligent Employees
- Non-compliant Employees

VULNERABILITIES
- SOFTWARE PATCHING: Lack of software updates
- ACCESS CONTROL: Who has access to your system and do they really need it?
- THIRD PARTY VENDORS: Are your third party vendors secure?
- PEOPLE: Internal actors up to no good or being exploited

CYBERSECURITY RISK MANAGEMENT OVERVIEW

WHAT IS A CYBERSECURITY RISK MANAGEMENT PROGRAM?
Integrated set of policies, processes, technologies and controls that minimize vulnerabilities and protect against threats to support:
- Confidentiality: information kept private and secure
- Integrity: data not inappropriately modified, deleted or added
- Availability: systems/information available to those who require them

A HOLISTIC APPROACH

CYBERSECURITY MITIGATION

BDO CYBERSECURITY FRAMEWORK
[Figure: framework diagram; surviving labels listed below]
Key Policy & Process Domains:
- Governance & Strategy
- Data privacy / protection
- Cybersecurity risk profile management
- Identity & access management
- Cybersecurity risk management program
- Threat & risk intelligence
- Third party / vendor management
- Incident response & planning
- Investment optimization
- Metrics / reporting
- Organization roles and responsibilities (Board of Directors, Executive Management, etc.)
- Asset inventories
- Training / awareness
- Legal & compliance
- Cyber insurance
Cybersecurity Lifecycle: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
Other diagram labels: ASSETS, THREATS, VULNERABILITIES, CONFIDENTIALITY, INTEGRITY, AVAILABILITY

THREAT INTELLIGENCE
- Private Sector Threat Information
- Government Classified and Unclassified Evidence and Intelligence
- Cyber Threat Intelligence

INFORMATION SHARING CHANNELS

CYBER INSURANCE

THE GROWING CYBER INSURANCE MARKET
Proportion of companies buying security & privacy insurance
[Chart values: 65%, 35%; years: 2011, 2016]
SOURCE: https://www.zrichna.com/en/abot/news/news-releases/2016/10272016_overallpward-trend-contines-zrichs-advisen-cyber-srvey

THE GROWING CYBER INSURANCE MARKET
View cyber risk as a significant threat
- Personal data-driven industries: 76%
- Non-data-driven industries: 55%
Purchase security & privacy insurance
- Personal data-driven industries: 78%
- Non-data-driven industries: 59%
SOURCE: https://www.zrichna.com/en/abot/news/news-releases/2016/10272016_overallpward-trend-contines-zrichs-advisen-cyber-srvey

THE GROWING CYBER INSURANCE MARKET
C-suite executives who view cyber security as a significant threat
[Chart values: 85%, 58%; years: 2011, 2016]
21% have no employee education program in place
SOURCE: https://www.zrichna.com/en/abot/news/news-releases/2016/10272016_overallpward-trend-contines-zrichs-advisen-cyber-srvey

POTENTIAL EXPOSURES
- Information (own and of others)
- Business Reputation/Crisis Management
- Business Interruption
- Regulatory Investigations
- Media Liability
- Cyber Extortion
- Third Party Liability
- Network Itself

INSURABLE CYBER RISKS
- Legal liability to others for computer security breaches
- Legal liability to others for breaches of confidential information
- Regulatory actions, fines and investigations
- Loss or damage to data and information
- Loss of revenue due to a computer attack
- Extra expense to recover from or respond to a computer attack
- Loss or damage to reputation
- Cyber-extortion
- Cyber-terrorism

COVERAGE GRANTS
First Party
- Damage to digital assets
- Business interruption
- Extortion
- Privacy breach expenses
Third Party
- Privacy liability
- Network security liability
- Internet media liability
- Regulatory liability
- Contractual liability

AVAILABLE COVERAGES
- Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party's electronic data, denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
- Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.

AVAILABLE COVERAGES
- Regulatory Investigative Defense: Coverage for legal expenses associated with representation in connection with a regulatory investigation, including indemnification of fines and penalties where insurable.
- Event Response and Crisis Management Expense: Expenses incurred in response to a data breach event, including retaining forensic investigator, crisis management.
- Cyber Extortion: Ransom and/or investigative expenses associated with a threat directed at you that would cause an otherwise covered event or loss.

AVAILABLE COVERAGES
- Network Business Interruption: Reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of technology. Includes coverage for dependent business interruption.
- Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed by a computer attack.

UNDERWRITING FACTORS
- Industry
- Process
- Size of company
- Type and volume of data
- Risk management
- Technology
- Incident response
- Claims
- People

COVERAGE DANGER ZONES
- Notice to the Insurer
- Retention of Counsel or Forensics Firm Before Notice
- Panel Firms?
- Pre-Notice Costs
- Effect of Breach Start Date
- Issues with Business Interruption Coverage
- Valuing a Cyber Claim
- Are the Limits Sufficient?

PCI ISSUES
- Fines
- Penalties
- Assessments
- PFIs
- PCI Compliance Certifications
- PCI Recertification
- Affirmative Claims Against Processor, Card Brands, and QSAs
- Coverage for costs of responding to subpoenas or civil investigative demands

NON-PII CYBER EVENTS
- Intellectual Property
- Proprietary and Confidential Business Information
- Bodily Injury
- Property Damage

EFFECTIVE INDEMNITY AGREEMENTS
Privacy Liability
With respect to all Insuring Clauses, [Federal] shall not be liable for any Loss on account of any Claim, or for any Expense... based upon, arising from or in consequence of any... liability assumed by any Insured under any contract or agreement.

BUSINESS INTERRUPTION CONCERNS
With respect to the NETWORK INTERRUPTION INSURING AGREEMENT of this Clause 1., solely with respect to a Security Failure first occurring during the Policy Period and reported to the Insurer pursuant to the terms of this policy, this Network Interruption Coverage Section affords the following coverage:
NETWORK INTERRUPTION INSURING AGREEMENT
The Insurer shall pay all Loss in excess of the Remaining Retention that an Insured incurs after the Waiting Hours Period and solely as a result of a Security Failure.
(l) Waiting Hours Period means the number of hours set forth in Item 6 of the Declarations that must elapse once a Material Interruption has begun.

HOW DO YOU SUBMIT A CLAIM?
- Documentation requirements
- Application of waiting periods/sub-limits (e.g., business interruption versus network interruption)
- Common items of dispute in the adjustment process

CONCLUSION

OUR CYBERSECURITY SERVICES
- Cyber Risk Management Strategy & Program Design
- Cyber Risk Assessment & Security Testing
- Data Privacy & Protection
- Security Architecture & Transformation
- Incident Response Planning
- Business Continuity Planning & Disaster Recovery
- Digital Forensics & Cyber Investigations
- Cyber Insurance Claim Preparation & Coverage Adequacy Evaluation

SPEAKER BIO
Judy Selby is a Managing Director in BDO Consulting's Technology Advisory Services practice, having more than 20 years of experience in insurance and technology. Known as one of the premier voices in legal technology by Legaltech News, she consults with clients on cyber insurance, cybersecurity, information governance, data privacy and complex insurance matters. She advises clients on best practices for handling information throughout its life cycle, from creation or collection through disposition. In addition, Judy works with organizations and their counsel to advise on data privacy and cyber insurance issues, having depth of experience in coverage adequacy evaluation, international arbitration and all phases of insurance coverage litigation.
Prior to joining BDO, Judy was a partner at Baker Hostetler, where she was co-chair of the Information Governance team and founder of the eDiscovery and Technology team. She is the co-chair of the Claims and Litigation Management (CLM) Alliance Cyber Liability Committee and serves on the Law360 Insurance and Legaltech News editorial boards. Judy has completed courses on the internet of things (IoT), big data, crisis management / business continuity and cybersecurity at the Massachusetts Institute of Technology.

About BDO Consulting
BDO Consulting, a division of BDO USA, LLP, provides clients with Financial Advisory, Business Advisory and Technology Services in the U.S. and around the world, leveraging BDO's global network of more than 64,000 professionals. Having a depth of industry expertise, we provide rapid, strategic guidance in the most challenging of environments to achieve exceptional client service.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, advisory and consulting services to a wide range of publicly traded and privately held companies. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.
Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm's individual needs.
2016 BDO USA, LLP. All rights reserved.