New Jersey Chapter
Network Security & Privacy Liability: Assessing the Risk
June 14, 2011 Chapter Meeting

Steve Yesko, ARM – Lowers & Associates
Jeff Kulikowski – AXIS Pro
Meredith Schnur – Wells Fargo Insurance Services

Risk Mitigation Agenda
• Cyber Risk vs. Data Breach
• Types of Breach
• Evolution of the Exposure
• Top 10 Incidents of 2010
• Top 10 Unsolved Crimes
• Today's Risk Landscape
• Organizational Risk Trends
• 2011 Forecast
• IT Security Testing - 3 Prong Approach
• IT Risk Mitigation Measures - Be Prepared
• Information Resources

Cyber Risk vs. Data Breach
• Cyber Risk Coverage
  – Addresses hazards such as unauthorized website access, on-line libel, data loss and repairs to databases after system failures.
• Data Breach or Privacy Coverage
  – Covers the cost of notification and credit monitoring services for affected persons, PR expense to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements.

Types of Breach
• Theft or Loss
• Inappropriate Handling
• Inadvertent Exposure
• Misuse of Access (Insider Threat)
• Unauthorized Access (External Attack)
• System Compromise (Malware)

Evolution of the Exposure
• From a kid in the basement of the parents' home to highly sophisticated organized crime networks
• From IT/computer related to Internet/web-based
• From theft of money to theft of information
• From outside / in to inside / out
• From legal action brought by consumers to legal action by regulators
• From expenses to secure network/servers to expenses for state notification laws
• From an IT issue to a Boardroom issue
• From a national to an international problem

The Biggest Information Security Incidents of 2010
#10. Affinity Health Plan – Breach involving 409K records occurred when a copier was returned without hard disk erasure; reported by AHP to comply with HHS mandates
#9. WellPoint/Anthem BlueCross – Company's insurance application website was compromised by a faulty authentication code upgrade, putting 470K applicant records at risk
#8. CitiGroup – Approximately 600K customers were sent annual tax documents with the SSN printed on the outside of the envelope (mimicked a mail routing number)
#7. Ohio State University – Server housing 760K unencrypted PII records of current/former students, faculty, staff and contractors exposed during a hack; no evidence of data theft
#6. South Shore Hospital – Three boxes of tapes, containing 800K records with PII, PHI and financial info of the hospital community, were lost while being transported for destruction
#5. Lincoln National Financial Securities – Portfolio management system, housing data for 1.2M customers, compromised when the actual user name/password were printed in a brochure and on a public site
#4. AvMed Health Plans – 1.2M records of current and former subscribers and their dependents compromised when two unencrypted laptops were stolen from corporate HQ
#3. Gawker – 1.3M user email addresses and passwords stolen in a hack; 250K cracked IDs/passwords posted on-line, the most common among them 123456
#2. Education Credit Management Corp. – Safes stolen from ECM offices containing unencrypted portable media (later recovered by police) with 3.3M student loan recipient/applicant records
#1. Netflix – Data sets containing anonymized movie rating and preference information for over 100M subscribers were voluntarily released to contest participants
Source: Software, Information & Network Security News

Top 10 Unsolved Computer Crimes
#10. The WANK Worm (Oct. 89; first hacktivist attack)
#9. UK Ministry of Defense Satellite Hack (Feb. 99)
#8. CDUniverse Credit Card Breach (Jan. 00)
#7. USN Military Source Code Theft (Dec. 00)
#6. Anti-DRM Hack (Oct. 01; Windows Media)
#5. Dennis Kucinich on CBSNews.com (Oct. 03)
#4. Hacking your MBA App (Mar. 06)
#3. The 26,000 Site Hack Attack (Winter 08)
#2. Hannaford/Sweetbay Breach (Feb. 08)
#1. Comcast/Network Solutions Redirect (May 08)
Source: PC Magazine

Today's Risk Landscape
• Data breaches increased significantly in 2010
  – ITRC's 2010 Breach Report cited 662 reported breaches
  – An increase of 33% over 2009
  – Paper Breaches: 20% (no mandatory reporting requirement)
  – Insider Theft: 15.4% (doubled since 2007)
  – Hacking: 17% (up 3%)
  – Data on the Move, Accidental, Subcontractor: 34.3%
• Threat Volumes are on the Rise
  – 2005 - 330,000 unique malware samples; 38 web threats per hour
  – 2008 - 16,495,000 unique malware samples; 1,883 web threats per hour
• Threat Vectors are Internet-Based
  – 92% now arrive via the Internet (Websites, Links, Email)
  – 8% arrive via file transfer (removable media)

Today's Risk Landscape (cont'd)
• The Underground Economy is More Profitable
  – $100 billion per year marketplace
  – Malware: $50 - $3,500
  – Email Addresses: $0.001 per Address
  – An hour of usage on a Botnet of 8,000 to 10,000 computers: $200
• Email Threats Continue to Increase
  – 115 billion spam messages per day
  – Targeted Phishing Attacks (Spearphishing, Whaling)
• Web and Application Threats are Growing
  – 450,000 SQL/XSS Injection Attempts per Day
  – DNS Changers Re-Directing Users to Malware
• Mobile Threats Being Introduced
  – With PC-like Vectors
• Botnets are Proliferating
  – In 2008, 34.3 million PCs were infected with bot-associated malware

Phishing
• Phishing targets by Industry:
  – Financial Institution 50%
  – Credit Card 19%
  – Auction 11%
  – Government 7.5%
  – On-line Payment 5.7%
  – On-line Shop 4.9%
[Chart: Country of Origin of Phishing Emails]
• Phishing = Deceptive emails
• Spearphishing = Targeted phishing
• Pharming = DNS based phishing
• SMiShing = Targets cellular texting
• Bluesnarfing = Bluetooth connections
Source: IBM X-Force 2010 Trend Statistics
[Chart: Country of Origin for Embedded Web Links]

The Cyber Crime Black Market
[Diagram: the stages of the cyber crime black market, from vulnerability discovery through to money laundering]
• Vulnerability Marketplace – Discover Vulnerability
• Toolkit Marketplace – Create Exploit
• Botmasters (Collectors & Brokers) – Create Propagation/Attack Vector
• Attack Target
• Retrieve Information
• Information/Identity/Intellectual Property Auctions
• Monetize Information
• Financing/Money Laundering – Launder Money

Organizational Risk Trends
• Advanced Persistent Threats (New!)
• Strong Rising Threats
  – Unstable Third Party Providers
  – Insecure Trading Partners
• Rising Threats
  – Malicious/Disgruntled Insiders
  – Careless/Overworked Employees
  – Reduced Security Budgets
• Steady Threats
  – Remote Workers
  – Software Downloading

Why Risk Management?
• IT + Business + Financial Risk
• Part of a broader governance, risk or compliance initiative
• IT => Information Security focus
• Regulatory Compliance
• Measuring threats and costs

Mitigating Cyber Risk
• Avoid it
• Ignore it (we are not a target)
• Accept it as part of doing business
• Manage it (controls/processes)
• Transfer it (insurance, escrow)

Risk Mitigation Measures
• IT/Information Security Risk Assessments
• Internal / External and Independent Testing:
  – Vulnerability (Scan) Analysis (network, application, database)
  – Penetration Testing (same, plus client-side)
  – Controls Testing (SAS-70, ISO-2700n, CoBIT, PCI, BITS FISAP)
• Implement, Test, and Continuously Improve:
  – Data Classification & Protection Measures
  – Training & Awareness
  – Logging & Monitoring
  – Patch/Configuration Management
  – Network, Server, and Endpoint DLP
  – AV, IDS/IPS, Proxies & Filters, DSRA
• Develop WISP - BR Team, BR Plan, COOP Approach
• Compliance Audits

IT Security Testing: A Three-Pronged Approach
[Diagram only; no text content survives from this slide]

2011 Forecast
• Sophisticated, blended APTs for the FIs
• More smaller, reported breaches elsewhere
• Social networking policy implementation rises
• Ransomware and ransom attacks will grow
• Data minimization and cloud solutions advance
• Mobile data is ripe for the picking
• Low-tech theft of data/devices increases
• Alternative O/S attacks will increase
• Microsoft still targeted; Web 2.0 is here to stay

2011 Forecast (cont'd)
• More prevalent/deceptive social engineering methods
• Privacy awareness / breach preparedness advances
• Third-party data collection faces greater scrutiny
• The underground economy will continue to flourish
• Identity theft and spam will increase worldwide
• Continuing exposure due to lost devices
• Data encryption seen as a means to compliance ends
• Federal breach notification legislation comes in 2012?
• Collaboration + Openness = Vulnerability to breach

Information Resources
• PGP/Ponemon Study (www.ponemon.org)
• Verizon Data Breach Investigations Report (www.verizonbusiness.com)
• IBM X-Force Trend & Risk Report (www.ibm.com)
• Betterley Report (www.betterley.com)
• U.S. Dept. of Health & Human Services (www.hhs.gov)
• Privacy Rights Clearinghouse (www.privacyrights.org)
• ePlace (www.eplacesolutions.com)
• Sedona Conference Working Group on eDiscovery (www.thesedonaconference.org)
• BITS FISAP (www.bitsinfo.org)
• Identity Theft Resource Center (ITRC) Report (www.idtheftcenter.org)
• Internet Crime Complaint Center (IC3) Report (www.ic3.gov)
• Center for Strategic & International Studies (CSIS) (www.csis.org)
• Forrester Research (www.forrester.com)

Stephen Yesko, ARM
VA Office: (540) 338-7151
NY Office: (718) 775-9198
syesko@lowersrisk.com
www.lowersrisk.com

AXIS Capital Holdings Limited
Security/Privacy Coverage – An Underwriting Perspective
Jeff Kulikowski, Axis Pro: Vice President, Regional Underwriting Manager

Agenda
• Security/Privacy Coverage Components and Coverage Triggers
• Known Breach Events
• Underwriting Overview
• Q&A

What Does The Coverage Provide?
• Proactive coverage grants and carrier support services that assist an Insured at the outset of a data breach, including:
  – Public Relations assistance
  – Costs to issue notification letters to affected (actual or potential) individuals
  – Credit Monitoring capabilities for affected individuals
• If a breach escalates into a claim for actual damages, the policy provides reimbursement for defense costs and damages, subject to policy provisions
• Coverage is also available for the Insured's loss of income, or costs to recreate/repair/replace data lost in the case of a Security Event

Security/Privacy Coverage – Common Insuring Agreements
• Base Form Coverage – access to full aggregate limit
  – Security and Privacy Liability
  – Media Liability (online/offline)
  – Computer System Extortion
• Sublimited Coverage
  – Crisis Management Expense
  – Regulatory Action Coverage
  – Crisis Fund
  – PCI-DSS Fines and Penalties Coverage
• First Party Coverage
  – Business/Network Interruption
  – Data Recovery/Information Asset Coverage

Understanding the Coverage – 1st Party v 3rd Party
• First Party Coverage: direct reimbursement to the Insured for costs they incur for the following
  - Crisis Management Expenses
  - Data Restoration/Information Asset
  - Business/Network Interruption
  - Regulatory Defense/Fines and Penalties
  - Cyber Extortion
• Third Party Coverage: defense costs and damages resulting from the following, which cause a 3rd Party financial loss
  - Security Liability
  - Privacy Liability

Security/Privacy Insurance – Coverage Triggers
• Accidental release or unauthorized disclosure of Personally Identifiable Information, Corporate Confidential Information or other confidential data
• Unauthorized Access to or Unauthorized Use of Protected Data on an Insured's Computer System that directly results in theft, alteration, destruction, deletion, corruption or damage of Protected Data
• Failure to prevent a party from accessing a computer or network system under the control of the Insured, when the party has the intent to deny or disrupt service, cause network functionality to fail, transmit malicious code via the Insured's networks, or deny/disrupt access to online services or the computer system
• Transmitting or receiving Malicious Code via the Insured's Computer System

Commonly Used Policy Terms
• Personally Identifiable Information (PII): SSN, Medical/Healthcare data, Driver's License #/State ID, Financial Information (Credit Card #, Debit Card #), other non-public information
• Corporate Confidential Information: information subject to a confidentiality agreement/NDA
• Malicious Code: computer virus, Trojan horse, or other code, script or software program designed to damage, harm or infect a computer
• Privacy Regulations: HIPAA, Gramm-Leach-Bliley, etc.
• Data Breach: a loss of PII or Corporate Confidential Information, regardless of medium or method

Typical Policy Provisions
• Common Carvebacks to Policy Exclusions and Definitions
  – Rogue Employee Coverage: carveback to the fraudulent/intentional acts exclusion
  – Misappropriation of Trade Secrets carveback
  – Employee Retirement Income Security Act of 1974 carveback
  – Employee carveback to the Insured vs Insured Exclusion
  – Consumer Redress Fund to be included in the definition of Damages
• Common Exclusions
  – Infringement of Patent
  – Employment Practices Liability
  – Unsolicited faxes, email, or other communication
  – Unlawful collection or acquisition of Protected Data

Known Breach Events
• TJX Companies – 94,000,000 affected individuals
  – States Attorneys General v. TJX Companies: total of $9.5M spent establishing Discretionary Funds, data security Funds, and reimbursement of Plaintiff Attorney Fees
  – $40M settlement pending with VISA
  – $13.5M Consumer Class Action Settlement in Massachusetts
• Heartland Payment Systems – 130,000,000 affected individuals
  – Numerous cases and settlements pending throughout the US with Consumers, Financial Institutions, Vendors, Payment Processors, etc.
  – Notable costs to date include a $60M settlement with VISA and a $3.5M settlement with American Express

Known Breach Events (continued)
• CardSystems – 40,000,000 credit card numbers lost as a result of a security breach/hacking incident; Class Action suit filed in 2005, but the case was eventually closed as CardSystems filed Chapter 11 on 5/12/2006
• T-Mobile/Deutsche Telekom – 17,000,000 customers' data affected due to a lost disk drive
• BNY Mellon Shareowner Services – 12,500,000 affected individuals due to a lost backup tape
• American Honda Motor Company – 4,900,000 names, addresses, e-mail addresses, user names and VINs exposed from an email list
Source: www.DataLossDB.com

How is Security/Privacy Coverage Underwritten?
• Industry/Class of Business
• Security Controls and Procedures
• Privacy Policy/Internal Controls
• Other Risk Controls
• Litigation Review
• Financial Analysis

Industry and Litigation Potential Analysis
• High Risk Industries include:
  - Healthcare
  - Finance
  - Retail
  - Leisure/Entertainment
  - Secondary and Higher Education
  - Utilities
• All other Industries are still at risk, depending on the PII or Confidential Data held

Security/Privacy Risk Control Analysis
• Information Security and Privacy Policy
• Business Continuity/Disaster Recovery Plan
• Security/Privacy Compliance with Industry Standards
• Employee Restrictions for Data Access, and Data Classification Schemes
• User Profile Management
• Physical Security Controls
• Encryption Methodology
• Data Storage Methodology
• Use of 3rd party applications (Firewall/IPS/IDS)

Other Risk Controls
• Vendor Management
  - Identification of outsourced activities
  - Indemnification/Hold Harmless provisions
  - Vendor Selection and Auditing Procedures
  - Insurance Requirements
• Regulatory Compliance
• Recent Changes to Management or Auditors
• Other Risk Management Controls

Litigation Review
• Past Claims History
• Public Search of Breach History
• Claims within the Insured's Industry
• State Requirements for Privacy Breach Response
• Review of Pending Industry Regulations

Financial Review
• Revenue Levels and Projections
• Income Statement
• Balance Sheet
• Cash Flow Statement
• Were any key accounting conventions changed?

Axis Capital Holdings Ltd.
• Founded in November 2001 ($1.7B start-up capital)
• Strong balance sheet - $5.6 Billion of Shareholders' Equity
• $3.5 Billion in Premium for the FYE 2010
• No legacy exposures
• IPO July 2003 – NYSE: AXS
• Rated A XV (AM Best); A+ Strong (S&P) (Upgrade February 2009)
• Specialty Lines Insurance and Treaty Reinsurance
• AXIS website: www.axiscapital.com

Wells Fargo Insurance Services
NJ RIMS Meeting – June 14, 2011
Network Security & Privacy Liability
Presented by: Meredith Schnur, Professional Risk Group, Wells Fargo Insurance Services

Agenda
• Regulatory Environment
• What Should You Be Asking?
• Vendor Management
• Gaps in Traditional Insurance
• Resources
• eRisk Hub
• Primary Markets
• Marketing & Underwriting Process

Legal Issues & The Regulatory Environment
Legislation has now imposed affirmative duties on companies as to how they handle data, principally client/customer information:
• Gramm-Leach-Bliley Act: Requires financial institutions to safeguard customers' records and information against unauthorized access. Imposes major privacy and security requirements on financial services companies.
• Health Insurance Portability and Accountability Act (HIPAA): Healthcare organizations are required to safeguard individually identifiable health information. Imposes penalties on organizations that violate HIPAA (further amended by the HITECH Act).
• California SB1386: A California law requiring companies to notify their CA customers and employees of computer security breaches. The law applies to any business that stores customer and employee information electronically, even if the company is not based in the Golden State.
• Privacy Breach Notification Laws: The spread of California SB 1386; adopted by 46 states as of December 2010.
  – Duty to notify customers where consumer/customer information has been compromised (electronic or non-electronic means; state legislation varies).
• Massachusetts Privacy Law 201 CMR 17.00: This law is the first state law to require specific technology when protecting personal information. If you do business with residents of MA or have employees who reside in MA, compliance is mandatory by March 1, 2010.

Legal Issues and The Regulatory Environment (cont'd)
• PCI Security Standards: The standards globally govern all merchants and organizations that store, process or transmit cardholder data. PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI fines are not generally covered under insurance policies).
• FACTA (Fair and Accurate Credit Transactions Act): Prohibits businesses from printing more than 5 digits of any customer's credit card number, or the card expiration date, on any receipt issued at a point of sale. For machines in use before 1/1/05, the merchant has 3 years to comply. For machines in use after 1/1/05, the merchant has one year to comply.
• Red Flag Rules: Established by FACTA; requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.
• Federal HITECH Act: Health plans, health care providers and health care clearinghouses (i.e., Covered Entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures. Requires that any data breach event exceeding 500 records be reported to the Department of Health and Human Services.

What Should You Be Asking?
• Have we analyzed our cyber liabilities?
• What legal rules apply to the information we maintain or that is kept by vendors, partners and other third parties? The laws surrounding breaches are complex.
• Have we assessed our legal exposure to governmental investigations?
• Have we assessed our exposure to suits by our customers, vendors or suppliers?
• Have we protected our organization in contracts with vendors?
• What laws apply in the different states and countries in which we conduct business?
• Do we have adequate staffing to reasonably maintain and safeguard our important assets and processes?
• Have we prepared an incident response plan and business continuity plan?
• Do we have a documented, proactive crisis communications plan?
It is critical to have a solid incident response plan in place prior to any security or privacy breach.
** Questions supplied by "The Financial Impact of Cyber Risk" publication – American National Standards Institute (ANSI) and Internet Security Alliance.

Vendor Management & Requirements
• IT/Software Companies
  – Request Tech E&O to include network security/privacy coverage
  – Some Tech E&O policies have security/privacy exclusions
• Other Business Services – Payroll, Auditors
  – Request appropriate E&O coverage to include network security/privacy
• Credit Card Processors/Acquiring Banks
  – Request Network Security/Privacy Coverage
• Other Vendors that interact with your systems or sensitive information, or handle information on your behalf
  – Request Network Security/Privacy Coverage

Gaps in Traditional Insurance
Why is this not covered elsewhere?
• Commercial General Liability Insurance: Typically covers bodily injury and property damage to "tangible" property. Data and software are considered to be "intangible".
• Property Insurance: Typically responds to "direct physical loss" by a covered peril (i.e., fire, windstorm). Intangible property is not covered under Business Interruption and Extra Expense coverage.
• Fidelity/Crime Insurance: Typically provides coverage to the organization for losses resulting from the theft of money, securities and "other tangible property." Information theft is not covered under a standard fidelity bond. "Other property" does not include proprietary information, confidential information or copyrights, trademarks, etc.
• Professional Errors & Omissions: Typically only covers financial loss arising out of professional services to others. Computer attacks do not fall within the provision of "professional services," and some E&O policies will exclude coverage caused by "unauthorized access."
• Technology Errors & Omissions: Covers only financial loss arising out of technology services performed for others. If, in the provision of technology services, your negligence leads to unauthorized access or transmission of a virus, coverage would apply. However, if an employee commits an intentional act, or if an outside hacker unrelated to services provided by you causes a customer to suffer a financial loss, no coverage would apply under a typical technology errors & omissions policy. Most Technology E&O policies can be extended to cover network security and privacy related exposures.
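The FACTA receipt rule listed under Legal Issues and the Regulatory Environment above (no more than the last 5 digits of a card number and no expiration date on a point-of-sale receipt) is the one item in this deck that maps directly onto code. The following is an added example, not material from the presentation or from Wells Fargo Insurance Services: a Python masking routine for the card line of a receipt, plus an audit that flags a printed receipt containing a full Luhn-valid card number, more than 5 visible digits, or an MM/YY expiry. The function names, the constructed receipt lines and the use of the well-known 4111 1111 1111 1111 test number are assumptions made for illustration.

```python
import re
from typing import List

# Added example, not from the presentation. It models the FACTA receipt rule as the
# slide states it: print no more than the last 5 digits of the card number and never
# the expiration date on a point-of-sale receipt. Helper names and the sample receipt
# lines below are constructed for illustration.

MAX_VISIBLE_DIGITS = 5   # ceiling stated on the slide; many merchants print only 4


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check, used to tell a real card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, visible: int = 4) -> str:
    """Mask a primary account number for printing, keeping only its last `visible` digits.

    Separators (spaces, dashes) are stripped first so the count is over digits, not
    characters. Rejects PANs outside 12-19 digits and any request to show more than
    MAX_VISIBLE_DIGITS, so a misconfigured caller cannot produce a non-compliant line.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must contain 12 to 19 digits")
    if visible < 0 or visible > MAX_VISIBLE_DIGITS:
        raise ValueError(f"at most {MAX_VISIBLE_DIGITS} digits may be printed")
    return "*" * (len(digits) - visible) + digits[len(digits) - visible:]


def receipt_card_line(pan: str, expiry: str, visible: int = 4) -> str:
    """Build the card line for a receipt from the full card record.

    `expiry` is accepted because callers usually hold the whole record, but it is
    deliberately never written into the output.
    """
    return f"CARD: {truncate_pan(pan, visible)}"


# 12-19 digits, optionally separated by single spaces or dashes
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")
# MM/YY or MM/YYYY that is not part of a longer date such as 06/14/2011
_EXPIRY_RE = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{2}|\d{4})(?![\d/])")
# digits left visible after a run of mask characters
_MASKED_RE = re.compile(r"\*+(\d+)")


def receipt_violations(receipt_text: str) -> List[str]:
    """Audit printed receipt text and list each way it breaks the rule above."""
    problems = []
    for m in _PAN_RE.finditer(receipt_text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            problems.append(f"full card number printed: {m.group(0)}")
    for m in _MASKED_RE.finditer(receipt_text):
        if len(m.group(1)) > MAX_VISIBLE_DIGITS:
            problems.append(f"more than {MAX_VISIBLE_DIGITS} digits visible: {m.group(0)}")
    if _EXPIRY_RE.search(receipt_text):
        problems.append("expiration date printed")
    return problems


# Constructed sample receipts. 4111 1111 1111 1111 is a well-known Luhn-valid test
# number, not a live account; the transaction date shows the audit does not mistake
# a full date for an expiry.
GOOD_RECEIPT = "\n".join([
    "DATE: 06/14/2011",
    receipt_card_line("4111 1111 1111 1111", "12/13"),
    "TOTAL: $42.17",
])
BAD_RECEIPT = "\n".join([
    "DATE: 06/14/2011",
    "CARD: 4111 1111 1111 1111  EXP 12/13",
    "TOTAL: $42.17",
])

if __name__ == "__main__":
    print(GOOD_RECEIPT)
    print("violations:", receipt_violations(GOOD_RECEIPT))
    print("violations:", receipt_violations(BAD_RECEIPT))
```

The masking side refuses to print more than the slide's 5-digit ceiling regardless of what the caller asks for, and the audit side is what a receipt-template review would run over sample printouts from each point-of-sale machine before the compliance deadlines the slide mentions.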
Resources
• www.privacyrights.org – data breach chronology recorded by year and by industry class
• www.ponemon.org – updated statistics on privacy breaches (see following page)
• www.hhs.org – regulations and breaches in excess of 500 records as mandated by HITECH
• www.eriskhub.com – information portal for WFIS clients

eRisk Hub
• Learning Center
• News Center
• Incident Road Map
• Free Breach Coach
• Resource Directory
• Risk Manager Tools

Primary Markets
Markets* – Best Rating
ACE USA – "A+" XV
Allied World/Darwin Group – "A" XV
Arch – "A" XV
Axis – "A" XV
Beazley USA – "A" VIII
Chartis – "A" XV
Chubb Group – "A++" XV
CNA – "A" XV
Digital Risk Managers (MGA writing on Lloyds paper – Brit, Kiln, ACE) – "A" XV
Hartford – "A" XV
Hiscox USA – "A" VIII
Ironshore – "A-" XIII
London Markets (Beazley, Hiscox, Brit, Kiln, ACE, Barbican, CFC) – "A" XV
One Beacon – "A" XV
Philadelphia – "A" XV
RLI – "A+" X
Zurich North America – "A" XV
XL – "A" XV
* Many additional carriers will offer this coverage on an excess basis

Marketing & Underwriting Process
Step 1: Evaluation of Exposures: consultation to determine exposures – First Party, Third Party and/or Privacy
Step 2: Required Applications and/or Assessment Completed
Step 3: Marketing Process: submit application to selected markets to solicit proposals
Step 4: Proposal Analysis and Discussions
Step 5: On-line Security Assessment and/or Conference Call with Insurer
Step 6: Binding the Coverage