Best Practices for Insuring Medical Practices from Cyber Risk
Karin Landry, Managing Partner, Spring Consulting Group, LLC

"There are two kinds of companies today, those who know they have been hacked, and those who don't."
James Comey, FBI Director (USA Today, May 2014)

Cyber Risk Trends/Statistics
Source: 2013 Verizon Data Breach Investigations Report (DBIR)
• Organized crime accounts for 55% of all breaches studied
• Organizations with fewer than 100 employees account for 31% of all breaches
• 66% of breaches took months or longer to discover
• 69% of breaches were discovered by an external party
• 78% of breaches are rated low to very low difficulty
• Threat action (a single breach can involve more than one action, so the categories overlap):
  – 40% malware
  – 52% hacking
• Data most sought by organized crime:
  – Payment card information
  – Authentication credentials
  – Bank account information
• 48% of the 47,000 security incidents studied were attributed to errors such as:
  – Lost devices
  – Publishing errors
  – Mis-delivered email or mail

True Cost of a Data Breach
Average cost: $188 per record for the U.S.*
Cost components:
• Fines/penalties
• Loss of customers/donors
• Notification (as required by law)
• Forensics (determining where, what and how much data was breached)
• Damage control expenses (to retain clients, restore confidence in the organization and restore reputation)
NOTE: This study does NOT factor in legal defense costs or liability payments made.
*Source: 2013 Cost of a Data Breach Study, Ponemon Institute

Anatomy of a Data Breach
• Incident: malicious attack, employee error, or theft
• Discovery: victims are sometimes the last to know; usually discovered within months
• Forensic analysis: what, where and how
• Response: compliance with regulatory requirements for notification
• Damage control: offering credit monitoring/fraud monitoring to impacted parties

Common Cyber Risk Coverages
• Business income/extra expense
• Crime: extortion and computer fraud/funds transfer fraud
• Employee privacy liability
• Restoration/replacement of electronic data
• Security breach liability
• Media/website publishing liability
• Security breach expense
• Public relations expense
• Fines/penalties: regulatory proceedings and payment card industry

Regulatory Considerations: Data Breach Notification Laws
• In effect in 47 states at the time of this presentation; the exceptions are:
  – Alabama
  – New Mexico
  – South Dakota
• Subject to statutory fines/penalties
  – Exemptions and notification deadlines vary by state
• HIPAA/HITECH applies to entities that keep patient health information
  – Enforced by the Department of Health and Human Services

Social Media Exposures
• Content: potentially liable for content you publish (e.g., Facebook page, YouTube video, blog on your website)
• Privacy: posted content can breach a person's privacy or lead to identity theft
• Intellectual property infringement: copyright/trademark
• Virus/malware: a malicious link uploaded to your social media site can infect other members who click on it
• Reputational/public relations risk: negative content can go viral and reach a critical mass of people in a very short time

Risk Management View
• 52% of risk managers have a dedicated cyber risk insurance policy*
• 56% of risk managers cite cyber risk as a "top concern"*
• Cyber is viewed as a very high-profile risk by CEOs, CFOs, treasurers and risk managers
• A captive may be an excellent alternative to fill gaps between self-insurance and true risk transfer
  – Cyber risk may diversify a captive's more traditional risks
*Source: Business Insurance Survey

How to Price Cyber Insurance
• The market for network, information security, and privacy (cyber) insurance remained stable in 2013
• Recent events will define the market for the next several years
• Pricing sources:
  – Commercial market quotes
  – Broker indications based on:
    • Industry (retail, manufacturing, financial institution)
    • Exposure (credit cards, healthcare personal data, SSNs, HIPAA exposures)
    • Company size (number of customers, number of transactions)
  – Actuarial analysis
  – Transfer pricing study

Case Study: Nittany Insurance Company
• Single-parent, Vermont-based captive owned by The Pennsylvania State University
• 1992: established as a funding vehicle for hospital professional liability insurance
• 2000: expanded to include reinsurance of primary general liability and auto coverage
• Later in the 2000s: added more coverages for the convenience of the University (e.g., deductible reimbursement for master insurance programs)

Penn State University
• Flagship land-grant university in the Commonwealth of Pennsylvania
  – However, NOT owned by the State
• Operating budget 2013/14: $5 billion
• 25,000 full-time faculty and staff, plus another 15,000 part-time employees
• 93,000 students at 20 campuses
• Two hotel/conference centers
• One very large football stadium

The Situation
• 22 million overtly hostile computer intrusions blocked daily
• Over 95 million spam emails blocked daily
• 170,000 email accounts receive 3.2 million emails daily
• Decentralized educational departments and IT networks/systems
• Insurers were not interested in covering a large research institution with an open computing philosophy
• Commercially available policy forms did not provide the needed coverage
• Wanted a single funnel to accumulate expenses and manage responses to breaches
• Wanted behavior modification:
  – Incentivize decentralized units to use good computer security practices

The Solution
• Placed the risk in the owned captive
• Key feature of the coverage is a two-tiered deductible:
  – If a unit employs the "good practices" advocated by IT Security Operation Services but has a breach anyway: $25,000 deductible
  – If a unit did not employ the "good practices" and that failure led to or contributed to a breach: $100,000 deductible
  – For the tiering to be defensible after a breach, the "good practices" must be a documented, checkable baseline so that the unit's compliance can be established from evidence rather than argued after the fact

The Results
• Firewalls more reliably installed, maintained and patched
• Security software updated in real time
• Software contracts routinely scrutinized and now include security requirements
• Actual compromises decreased significantly
• Exposures of SSNs declined from roughly 10,000 per incident to 5 to 10 in isolated instances

Contact Information
Karin Landry, Managing Partner
Spring Consulting Group, LLC
Karin.Landry@springgroup.com
Phone: 617-589-0930, ext. 102
www.springgroup.com