Cyber Risk Understanding the Issues - PowerPoint PPT Presentation
Slides: 23
Provided by: AXCot

Transcript and Presenter's Notes

1
Cyber Risk - Understanding the Issues
  • Presented By
  • Adam Cottini
  • March 12, 2009

2

Introduction
  • According to the Federal Bureau of Investigation,
    Identity Theft is the fastest growing white
    collar crime in America!

  • THE NETWORK: where Personally Identifiable
    Information is stored electronically
  • THE WORKSPACE: where Personally Identifiable
    Information (electronic/non-electronic) is stored
    outside of the Network
3
How is an Organization Vulnerable?
4
Sometimes Security Procedures Fail
  • Failure of your Network to prevent unauthorized
    access or unauthorized use of your network
    (hackers, rogue employees)
  • Failure of your Network to prevent malicious code
  • Failure of your Network to prevent denial of
    service attack
  • Failure of your Network, your Privacy Policies,
    and/or your Independent Contractors (Information
    Holders) to safeguard private information
    (electronic/non-electronic) in your care,
    custody, or control

The most vigilant Network Security and Privacy
Policies are Vulnerable to Hackers, Rogue
Employees, Social Engineering, and Human Error
5
IT Perspective
  • Information Technology Departments are faced with
    the challenge of balancing the demands of
    safeguarding the network and information while
    adapting to ever-changing technologies
  • Encryption in database?
  • Business servers are porous and need constant
    care
  • Need to apply patches to software
  • Lack of tested back-up processes
  • More data often collected than needed
  • Data often stored for too long and/or not
    encrypted
  • Tools that help hackers are readily available and
    shared on the Internet at no cost to malicious
    attackers

6
Employee Perspective
  • Employees are faced with the challenge of
    balancing work flow needs with safeguarding the
    confidential information used to perform their
    job
  • Rogue Employees, social engineering, hacker
    sophistication, and human error
  • Customer private records (paper) improperly
    disposed of (dumpster)
  • Many employees lack computer common sense
  • Employees choose easy-to-decipher passwords
  • Clean Desk policy

7
Statistics
8
Facts and Figures
  • 85% of businesses have experienced a data
    security breach
  • 46% of businesses fail to implement encryption
    solutions even after suffering a data breach
  • 82% did not seek legal counsel prior to
    responding to the incident, despite not having a
    prior response plan in place
  • 95% of businesses suffering a data breach were
    required to notify data subjects whose
    information was lost or stolen
  • Over 40 states require that individuals
    (customers, employees, citizens, students, etc.)
    are notified if their confidential or personal
    data has been lost, stolen, or compromised

Source: Ponemon Institute (700 companies)
9
High Frequency Industries
Source: Identity Theft Resource Center
10
Sources of Security and Privacy Breaches
Source: Annual Study: U.S. Cost of a Data Breach -
Understanding Financial Impact, Customer Turnover,
and Preventative Solutions, by The Ponemon
Institute, PGP Corporation and Vontu, Inc.
11
Exposures

12
Regulatory Landscape
  • HIPAA
  • Sarbanes Oxley
  • 40 State Privacy Laws
  • Federal Privacy Laws
  • Federal Trade Commission
  • Fair and Accurate Transaction Act of 2003 (FACTA)
  • 15 U.S.C. § 1681c(g) (FACTA) limits the
    information that can be printed on an
    electronically printed credit card receipt to the
    last five digits of the credit card number, and
    specifically prohibits printing a credit card's
    expiration date on the receipt.
  • Proper disposal of consumer report information is
    required. Consumer information under FACTA
    includes records that are consumer reports and
    records that are derived from consumer reports
  • FACTA Regulation 114
  • The rules implementing Section 114 require each
    financial institution or creditor to develop and
    implement a written Identity Theft Prevention
    Program to detect, prevent and mitigate identity
    theft in connection with the opening of certain
    accounts or certain existing accounts.
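As an added example (not part of the presentation), the receipt-truncation rule in 15 U.S.C. 1681c(g) above can be both applied and audited in code. The receipt text and card number below are constructed test data, and the audit heuristics (a Luhn check to recognise a full card number, and an MM/YY pattern for expiration dates) are my assumptions about how a printed receipt looks:

```python
import re

# Constructed sample receipt (not from the presentation); the card number is
# the common "4111..." test PAN, not a real account.
SAMPLE_RECEIPT = """\
ACME STORE  03/12/2009 14:05
VISA ************1111   (compliant: last 4 digits)
VISA 4111 1111 1111 1111   (full PAN printed)
EXP 04/11
APPROVED  AUTH 123456
"""
# Card-number-like token: 13-19 digits or mask characters, optionally grouped
# by spaces or dashes; and an MM/YY(YY) expiry that is not part of a full date.
_PAN_TOKEN = re.compile(r"(?<![\w*#])[0-9*Xx#](?:[ -]?[0-9*Xx#]){12,18}(?![\w*#])")
_EXPIRY = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})(?![\d/])")

def luhn_ok(digits):
    """Luhn checksum: distinguishes a real card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_for_receipt(pan):
    """Receipt form of a PAN: only the last five digits visible, per 1681c(g)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 5) + digits[-5:]

def audit_receipt(text):
    """Return (line_no, issue) for each 1681c(g) violation in receipt text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_TOKEN.finditer(line):
            token = match.group(0)
            digits = "".join(ch for ch in token if ch.isdigit())
            if len(digits) <= 5:
                continue  # masked to the last five digits or fewer: allowed
            if len(digits) == len(re.sub(r"[ -]", "", token)) and luhn_ok(digits):
                findings.append((line_no, "full card number printed"))
            else:
                findings.append((line_no, "more than last five digits visible"))
        if _EXPIRY.search(line):
            findings.append((line_no, "expiration date printed"))
    return findings
```

Running audit_receipt over a receipt template before it reaches the printer catches both violations the statute names; a legitimate transaction date such as 03/12/2009 is not flagged.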

13
Response Costs
  • Notification Costs
  • Credit Monitoring Costs
  • Forensic Investigations
  • Call Center Support
  • Identity Theft Education
  • Public Relations

14
Litigation Trends
  • Plaintiffs' Bar (Class Actions)
  • Individuals (Identity Theft)
  • Government (Privacy Laws)
  • Impacted Businesses (Banks)

15
What does a Breach Cost?
  • Costs of a Breach (1)
  • It is estimated that the average cost of a
    security/privacy breach is $197 per record.
  • The average cost is $6.3M per breach.
  • The average cost to defend a claim is 8% of the
    average cost per breach, or $504,000
  • The total cost of a breach ranged from $225,000
    to almost $35 million. Therefore, defense costs
    ranged from $18,000 to $2,800,000
  • Additional Costs Per Record (2)
  • As high as $50 per record for Discovery and
    Notification
  • As high as $30 per record for Credit Monitoring
  • As high as $150 per record for Customer
    Attrition, cost to meet new audit requirements,
    and lost productivity
  • As high as $115 per record for Consumer Redress
    imposed by the regulators

(1) Source: 2007 Annual Study: U.S. Cost of a Data
Breach - Understanding Financial Impact, Customer
Turnover, and Preventative Solutions, by The Ponemon
Institute, PGP Corporation and Vontu, Inc.
(2) Source: Forrester Research
16
Cyber Insurance Market Place and Coverage

17
Cyber Market
  • Primary carriers generally can offer a $10M to
    $20M Limit of Liability
  • Capacity for an individual risk exceeds $100M
  • Sample Markets
  • ACE
  • AIG
  • Axis (Media Pro)
  • Beazley (Lloyd's)
  • CNA
  • Chubb
  • Darwin
  • Hartford
  • Hiscox (Lloyd's)

18
Available Coverages
19
Thinking Ahead
20
Reasons to Consider Cyber Insurance
  • Privacy Breaches are on the rise
  • Network threats and vulnerabilities are getting
    dramatically worse
  • Over 40 states have enacted Privacy Laws in
    response to frequency of Privacy Breaches
  • Stakeholders demand prudent Risk Management that
    protects the organization
  • Plaintiffs' bar is becoming more active
  • Contracts are beginning to require Cyber
    Insurance
  • Additional safety net if security defenses and
    procedures fail
  • Rogue Employees, social engineering, hacker
    sophistication, and human error

21
Next Steps
  • The application
  • Loss history
  • List of Websites
  • Privacy Policy
  • Sample Boilerplate Contracts
  • Sample Agreements with critical third party
    providers
  • Copy of most recent information security
    assessment
  • Copy of disaster recovery plan
  • Annual Report

22
Thank You