The Time for Cyber Coverage is Now
Your Insureds and Clients Are Not Immune
October 8, 2014
Kevin Ribble, E.V.P. Edgewater Holdings; President, EPRMA.org
kribble@edgewater.net | (214) 676-8662 (office) | (312) 431-1766 (fax) | Texas License # 1682508

Today's Agenda
• Introduction to Panel
• Cyber Crime statistics
• Why are mid-market accounts considered to be at high risk?
• Types of Threats
• What is the potential harm to your insureds' and clients' businesses?
• Overview of Data Breaches
• Overview of a cyber-attack
• Case Studies
• Risk Transfer & Risk Management
• Cyber coverages recommended & broker coverage check list
• Summary
• Q&A

Cyber Crime Statistics: Data Under Siege
[Figure: Global Cyber Event Heat Map]
[Figure: Cyber Event Type Composition by Year]

Cyber Events by Company Size
Number of Employees   Event Count   Percentage
0 - 25                      1,626        15.9%
25 - 50                       571         5.6%
50 - 100                      570         5.6%
100 - 250                     761         7.5%
250 - 500                     515         5.0%
500 - 1,000                   544         5.3%
1,000 - 5,000               1,427        13.9%
5,000 - 10,000                638         6.2%
10,000+                     3,595        35.1%
Total                      10,247       100.0%

[Figure: Cyber Litigation Frequency Index, 2005 – 2013, by category: All Privacy Violations; System/Network Security Violation or Disruption; Digital Data Breach, Loss, or Theft; Improper Disposal/Distribution, Loss or Theft (Printed Records); Improper Collection of Digital Data]

Data Under Siege: Malicious Threats
• Hackers, extortionists, disgruntled employees, fraudsters
• Malware, spyware, spam
Malware, short for malicious (or malevolent) software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
It can appear in the form of code, scripts, active content, and other software. "Malware" is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious browser helper objects (BHOs), rogue security software and other malicious programs; the majority of active malware threats are worms or trojans rather than viruses.

Phishing, pharming
Both pharming and phishing are methods used to steal personal information from unsuspecting people over the Internet. Phishing typically involves fraudulent bulk e-mail messages that guide recipients to legitimate-looking but fake Web sites and try to get them to supply personal information such as account passwords. Pharming tampers with the Domain Name System (DNS), so that traffic to a Web site is secretly redirected to a different site altogether, even though the browser appears to be displaying the Web address you wanted to visit.

Data Under Siege
• 1992 – 2007: 2M unique malicious programs (UMP)
• 2007 – 2009: 33.9M UMP
• 2010 hit a new record: 1.5 billion UMP
• 31% of IT specialists were unaware of the most deadly UMP
• 87% of system vulnerabilities were due to 3rd-party applications, Microsoft, Java, IT infrastructure
• "U.S. Code Cracking Agency Works as if Compromised" – Reuters News, 12/16/2010
Source: Global IT Security Risks Report, Kaspersky Lab 2012

Cyber Crime and Small Businesses
• ATM skimming generates losses of $50 million each year [1]
• One in 20 adults is at risk of identity theft
• One in 465 is a victim of identity theft
• Average cost per compromised document: $214 (not including civil damages and/or defense costs)
[1] Electronic Funds Transfer Association, www.efta.org

Why are Small & Mid-market Businesses considered to be at High Risk?
Cyber Crime and Small Businesses
• Over 20% of small businesses have suffered a data breach [1]
• The number of attacks is on the rise while breach size is declining, indicating that cybercriminals go after smaller targets, e.g. small enterprises (less security = easier attacks)
• Malicious attacks (hacking or inside theft) constituted 40% of recorded breaches in 2011
• Visa reports 80% of all card breaches arise from Level 4 merchants (those with fewer than 50 employees)
• Each year, more than 10 million individual identity thefts
[1] Ponemon Institute, Small Business Data Theft Risk Management Study

Threats: Not "If" but "When"
Non-Malicious Threats
• Employee mistakes: lost / stolen laptops and portable devices
• Application glitches
• Network operation and "sharing" trends
• Points of failure are now multiplied due to outsourcing
• Dependencies & data-sharing between business partners, including cloud servers
• Upstream & downstream vendors (ASPs, partners, ISPs)

Methods of Fraud: What Are Thieves Looking For?
PII & Cardholder Data
• Social security numbers, names and addresses
• Health insurance applications
• Primary Account Number (PAN)
• CID number (this must never be stored)
• Sensitive authentication data = card use and cardholder's identity
Methods include:
• Compromised card readers
• Papers stored in unlocked filing cabinets
• Data held in a payment system database
• Hidden camera recording the entry of authentication data
• Secret "tap" on your company's wired or wifi network

The Risk to Your Insureds
• Disgruntled employees – non-disclosure
• Loss of revenue, system crashes from hackers
• Data breach: auto customer data, patient PII, your e-mail infects customers
• Businesses utilize social media, e-marketing materials, company blogs
• Lack of knowledge & resources to respond to a breach in a timely manner

The High Risk to Small and Mid-size Accounts (under 50 employees & < $10MM Gross Revenue)
Why are Small & Mid-market Businesses considered to be at High Risk?
Hackers and thieves are targeting small businesses, because:
• Small businesses typically lack the resources and expertise to successfully fend off – or even respond to – attacks
• Lack of a formal IT department means that Payment Card Industry (PCI) Data Security compliance is particularly challenging for small organizations
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
• An attack or an error of negligence could prove catastrophic for the typical small business
"Over 20% of small businesses had already suffered a data breach…. small businesses do not have adequate measures or remedies in place to protect themselves." - Larry Ponemon, Ponemon Institute, Small Business Data Theft Risk Management Study

Potential for Business Harm to Your Insured's Enterprise
What is the potential harm to your client's enterprise? Business fall-out can be severe (including negligence and breach):
• Agency E&O / D&O: failing to meet Payment Card Industry (PCI) rules or negligently managing PII data
• State statutory notification, fines and penalties
• Fines and penalties (liquidated damages)
• Termination of ability to accept payment cards
• Reduction in business, lost customers (20% likely)
• Cost of reissuing payment cards ($100 per card, VISA)
• Fraud losses (see civil damages)
• Legal costs, settlements, and judgments
• Increase in compliance costs
• Going out of business (i.e., breach exceeds net worth of company)

Cyber Breaches and Liability
Joseph F. Bermudez, Esq.; Scott D. Sweeney, Esq.; Wilson Elser, LLP
October 8, 2014
© 2014 Wilson Elser. All rights reserved.

Overview
• Data Breach Overview
• Data Breaches in the News
• Life Cycle of a Breach
• Are you Ready?

Data Breach Overview
• How do breaches occur?
• Costs of a data breach
• Legal liability for breaches
• Data breach response and mitigation

Data Breaches: Who Are the Victims?
• Financial institutions
• Retail and restaurant industries
• Manufacturing, transportation, utilities
• IT and professional services firms
• Health Care organizations
• Impact on larger organizations

Data Breaches: Who Is Perpetrating Breaches?
• Outsiders of the organization
• Insiders of the organization
• Business partners
• Multiple parties
• State (government) affiliated actors

Data Breaches: How Do Breaches Occur?
• Hacking
• Insider wrongdoing
• Human error
• Network intrusion exploiting stolen credentials
• Use of malware
• Physical attacks
• Leveraged social tactics such as phishing
• Privilege misuse and abuse, including theft of IP and corporate espionage

Data Breach Response Costs
• Avg. total organizational cost of breach: $5.8M
• Avg. detection costs: $417,700
• Avg. notification costs: $509,237
• Avg. remediation costs: $1,599,996
• Avg. lost business costs: $3,324,959
• $201 per record
Note: Figures do not include mega breaches in excess of 100,000 breached records
Source: Ponemon Institute 2014 Cost of Data Breach Study

Other Breach Related Costs
• Litigation costs
  – Consumer class actions
  – Shareholder suits
  – Government investigations and proceedings
• Impact on corporate finances
  – Cash flow
  – Loan covenants and credit
  – Shareholder value
  – Reputational injury and loss of business

Data Breaches in the News
Target Data Breach Overview
• Hackers used stolen credentials from a third-party vendor
• Inserted malware into the company's computerized payment systems
• Malware scraped credit card data
• Data breach compromised 40 million credit and debit accounts
• Personal data of 110 million customers was compromised

Company's Public Disclosures, 12/19/13
• Company announced that hackers gained unauthorized access to payment card data
• Affected credit and debit card transactions in U.S. stores from 11/27/13 to 12/15/13
• Internal investigation of the data breach
• Retention of outside forensics firm
• Company also alerted authorities and financial institutions

Company's Public Disclosures, 1/13/14
• CEO and Chairman apologized to customers
• Provided status update on internal investigation
• Malware removed
• Company hired data security experts to investigate causes of the breach
• Company was working with law enforcement
• Assured customers they would have "zero liability" for fraudulent charges
• One year of free credit monitoring services

Impact on Company's Financials
• 5.5% decrease in sales in 4Q 2013
• "Meaningfully softer results" following news of the breach
• 11% drop in stock price
• Reputational injury

Data Breach Response Costs
• $61 million incurred in 4Q 2013 for data breach response costs
• Amounts include:
  – internal investigation costs
  – credit monitoring
  – staffing call centers
• Company's insurers agreed to pay $44 million
• Company will continue to incur breach-related costs for the foreseeable future
Data Breach Lawsuits
• 80 civil lawsuits filed against company
• Suits by customers
• Suits by payment card issuing banks
• Shareholder litigation against D&Os
• Government investigations
  – Federal Trade Commission
  – SEC and DOJ
  – 30 State Attorneys General

CFO Testifies Before U.S. Senate
• 2/4/14 – Company's CFO testified before Senate committee
• On 12/12/13, DOJ alerted Company to "suspicious activity"
• Internal investigation confirmed installation of malware and potential theft of credit card data
• Company invested $5 million in a public education campaign regarding cybersecurity
• Company launched a retail industry Cybersecurity and Data Privacy Initiative

Other Recent Data Breaches
• Home Depot
• Neiman Marcus
• Advocate Healthcare
• Twitter
• Adobe
• Facebook
• Living Social
• Evernote
• Federal Reserve Bank

Life Cycle of a Breach
• Identification of the Threat or Security Incident: what just happened?
• Triggering the Incident Response Team: making sure the right people / partners are part of the team
• Containment: have you stopped the "bleeding"?
• Remediation: have you taken steps to prevent this type of event from occurring in the future?
• Notification – and beyond

Scenario Overview
You are part of a company that operates retail stores throughout the United States. Payment-card and HR processing is handled by your corporate offices for all stores. The Company employs approximately 20,000 people.

Cyber Attack! What Just Happened?
• Your Company was the victim of a SQL injection attack against a web application that provided information on customers who had purchased the Company's services. The hacker appears to have gained access to a database that was serving the web application.
• Question: What do you do?
Information Exposed
• The initial investigation shows that the database contained employees' names, addresses, social security numbers, driver's license numbers, positions, and bank account information. The database has been operational for 5 years. The database appears to have stored cardholder information for repeat customers.
• Question: Now what? Does this impact your initial plan of action?

Monkey Wrench #1
You just learned that Brian Krebs, an online reporter who is credited with breaking the story that Target had been breached, and who is followed by thousands of other publications, posted a story on his blog that the Company appears to have been breached. The story mentions that the Company failed to return phone calls for two days.

Monkey Wrench #2
The CEO of the Company contacts you and tells you that he just received an e-mail from an unknown e-mail address, informing him that this person has the personal information of the CEO and his daughter, providing his driver's license as proof, and threatening to post it online unless the CEO pays a ransom.

Update From Investigation
The database contained a link to an application that was connected to the Company's payment processing system, which is centrally located at the Company's headquarters. The application automatically updated information for repeat customers, but also allowed the hacker to potentially access the payment card information of all customers, exposing over 2 million credit cards.

Monkey Wrench #3
The FBI has just shown up at your door and wants access to your data center so it can image your computers and servers in order to investigate the cyber attack.

Monkey Wrench #4
In the midst of your investigation, you receive an inquiry from a regulatory agency requesting more information about the event, asking for policies and procedures, and seeking a meeting.
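The scenario above turns on a single application flaw: a customer-lookup page that let a SQL injection reach a database holding employee PII and cardholder data. The following is an added example, not code from the presentation or from any company it discusses. It builds a small in-memory SQLite database from constructed (fake) records shaped like the scenario, shows the lookup written the way the compromised application presumably was (user input pasted into the SQL string) and the same lookup with a parameterized query, and runs a constructed UNION-based payload against both. The table and column names and the attacker's input are assumptions for illustration.

```python
"""SQL injection against a customer-lookup page: the flaw and its fix.

Added example, not code from the presentation. Table and column names
and the sample rows are constructed for illustration; no real PII.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create the demo database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # The table the web page is meant to expose.
    cur.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    cur.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Ann Example", "ann@example.com"), ("Bob Example", "bob@example.com")],
    )
    # Employee PII living in the same database, as in "Information Exposed".
    cur.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, bank_account TEXT)"
    )
    cur.executemany(
        "INSERT INTO employees (name, ssn, bank_account) VALUES (?, ?, ?)",
        [("Carol Staff", "000-00-0001", "ACCT-0001"), ("Dan Staff", "000-00-0002", "ACCT-0002")],
    )
    conn.commit()
    return conn


def customer_lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: the user-supplied name becomes part of the SQL statement.

    Anything the attacker types is parsed as SQL, so a UNION in the input
    pulls rows from tables the page was never meant to show.
    """
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def customer_lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the driver binds the value; it can only ever be a name."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the quoted literal, appends a UNION
# that reads the employee table, and comments out the trailing quote.
INJECTION = "x' UNION SELECT ssn, bank_account FROM employees --"


def demo() -> dict:
    """Run both lookups against the same inputs and return the rows seen."""
    conn = build_db()
    return {
        "vulnerable_rows": customer_lookup_vulnerable(conn, INJECTION),
        "safe_rows": customer_lookup_safe(conn, INJECTION),
        "normal_rows": customer_lookup_safe(conn, "Ann Example"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns every employee's SSN and bank account for the injected input; the parameterized one returns nothing, because the whole payload is compared as a literal customer name. Parameterized queries are the standard control behind PCI DSS requirement 6 ("develop and maintain secure systems and applications") for this class of flaw; input escaping is not a substitute.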
Summary
• Responding quickly, but effectively, matters
• Know who your "team" members are before you have an event
• Internal and external training and education matters!
• No two events are alike - expect the unexpected

Cyber Stress Test: Are you Prepared?
How many of the following does your company have?
1. Do you process or store credit cards for payments?
2. Have you had a PCI compliance audit conducted, or have you had any external assessment to confirm you are compliant with the PCI standards?
3. Do you store any of the following information about your customers or employees: social security number, name and address, credit card or bank details?
4. Do you maintain an active presence on any major social media sites (e.g. Facebook, Twitter, YouTube, Trip Advisor, etc.)?
5. Do you store any business-critical data or information on your systems (e.g. financial / accounting records, client lists, claim data, etc.)?
6. Do you use a voice over IP telephony system (VoIP)?
7. Do you have any individuals within the business that can authorize online payments of more than $5,000?
8. Do you rely on any technology systems in order to collect payments from customers?
9. Do you encrypt all data delivered to the credit card vendor?
10. Do you rely on any third-party systems in order to secure bookings?

Mid-Market Business Owners Cyber Stress Test
How many of the following does your company have?
1. Do you process or store credit cards for payments?
This function captures PII and exposes it to hacking. PII = contract damages ($100 per replaced card; $214 credit monitoring etc. per customer)
2. Have you had a PCI compliance audit conducted, or have you had any external assessment to confirm you are compliant with the PCI standards?
This is the legal test of legal liability if hacked.
The vendor can hold credit equal to the potential legal exposure until the issue is resolved; this includes charges for replacement of credit cards.
3. Do you store any of the following information about your customers or employees: social security number, name and address, credit card or bank details?
HIPAA exposure – hurricane
4. Do you maintain an active presence on any major social media sites (e.g. Facebook, Twitter, YouTube, Trip Advisor, etc.)?
Copyright violations, reputation damages – not covered by GL

Stress Test continued
5. Do you store any business-critical data or information on your systems (e.g. financial / accounting records, customer lists, customer reservations, etc.)?
Release of business personal information without consent, and PII
6. Do you use a voice over IP telephony system (VoIP)?
Easy access point for hackers; increases exposure to privacy violations
7. Do you have any individuals within the business that can authorize online payments of more than $5,000?
Security control requirements are much greater if this is in practice
8. Do you rely on any technology systems in order to collect payments from customers?
Another method for hackers to access PII, exposing the owner to breach and contract damages
9. Do you encrypt all data delivered to the credit card vendor?
Failing to do so is an automatic violation of PCI standards and most state codes
10. Do you rely on any third-party systems in order to secure bookings (e.g. Open Table)?
Up-stream data retention facilities / clouds: if breached, your stored data can infect others' data = legal exposure to a large number of PII that are not your clients.
Best Solution: Risk Transfer & Risk Management
How to Protect Your Company's Data: Comply with the golden 12 Rules (the twelve PCI DSS requirements)

Goal                                          Rule
Build and Maintain a Secure Network           1. Install and maintain a firewall configuration to protect data
                                              2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder and HIPAA Data             3. Protect stored data
                                              4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program   5. Use and regularly update anti-virus software
                                              6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures      7. Restrict access to data by business need-to-know
                                              8. Assign a unique ID to each person with computer access
                                              9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks           10. Track and monitor all access to network resources and cardholder data
                                              11. Regularly test security systems and processes
Maintain an Information Security Policy       12. Maintain – and update – a policy that addresses information security
Recommended Cyber Coverage

What does System Damage & Interruption cover?
This is first-party cover that protects companies against their own losses resulting from damage to data, caused either deliberately by a malicious employee or hacker, or entirely accidentally (the infamous "fat finger"). The system interruption cover stems directly from this but is restricted to malicious employees, hackers or computer viruses. It provides protection against loss of profits arising directly from these perils.

What does Cyber & Privacy Liability cover? (includes PCI fines and penalties)
This provides liability coverage – including legal defense costs and indemnity payments – for claims brought against you arising from a data security breach, whether through electronic means or otherwise. It is provided on an "all risks" basis. The coverage also extends to liability protection against claims arising from your spreading a computer virus or from your systems being used to hack a third party.

What does Breach Response cover?
This provides first-party cover for the cost of complying with breach notification laws. Coverage is also included for voluntary security breach notification, where this helps to mitigate adverse impact upon the company's brand or reputation. The coverage will pay for the legal costs of drafting a breach letter, the cost of printing and posting the letter, credit monitoring costs, and forensic costs that may be required to identify the extent of the breach.

What does Media Liability cover? (limited to web site unless an endorsement is added; PL & GL duplicate cover)
This provides comprehensive liability coverage, including legal defense costs as well as indemnity for damages and fines (where insurable). Essentially, this coverage protects against claims for intellectual property rights infringement (excluding patent) and defamation arising from content published by the company or on its behalf.
This coverage also extends to social media and user-generated content, including company and employee blogs.

What does Regulatory Privacy cover?
This provides coverage for the costs associated with defending yourself against a regulatory action brought against you as a direct result of a privacy breach. This includes actions brought by federal regulators such as the FTC and similar state or industry bodies. Coverage also extends to fines and penalties that are issued as a result, where these are insurable by law.

Recommended Cyber Coverage Limits
• System Damage & Interruption – minimum $250k
• Regulatory Fines & Penalties – $1M limits
• Privacy Breach Notification – $250k / $1M limits
• Media Liability – $1M limits
• PCI Fines & Penalties – $250k / $1M limits

Policy Review Questions: First & Third-Party Liability
• Coverage for transmission of a virus to a third party, and from that third party to others?
• Copyright infringement from website?
• Forensic investigation covered as part of breach notification?
• Coverage applies to both electronic and physical data breaches (e.g. paper, laptop, disks, PDA, etc.)?
• Coverage applies to both personal and company information? (IFI 1st Co)
• Coverage applies to employee and customer information?
• Information in the care, custody or control of the insured's vendors, including cloud servers and paper records being transported?
• Policy applies to accidental losses and leaks?
• Does the application require PCI compliance or encryption?
• No insider exclusion?
• Direct intentional attacks are covered; are "wild viruses" (those not specifically targeting the insured) covered?
• Liquidated damages and fines and penalties? Know your position; provable in court

Policy Review Questions: Media Liability
• Media Liability is valid anywhere in the world?
• Coverage extends to include social networking, emails, Twitter?
(PL & GL)
• Coverage applies to user-generated content (opinion boards for feedback)?
• Extortion – no limit to threat method?

Breach Response – Crisis Management
• Policy applies to attorney fees to draft a response to a breach and related delivery costs?
• Is credit monitoring included for individuals? (employees?)
• Will the policy provide options for notification methods?
• Coverage includes forensic investigation?

First-Party Business Interruption
• Forensic investigation covered?
• Do they offer a contingent period after the system is restored?
• Based on the time the system is down, or a stated time period?
• Wild & targeted viruses included?
• Loss of reputation?

Summary
Questions?

Contact
Melissa Ventrone, Wilson Elser LLP (Chicago)
Phone: 312-821-6105
Email: Melissa.Ventrone@wilsonelser.com
Joseph F. Bermudez, Scott D. Sweeney, Wilson Elser LLP (Denver)
Phone: 303-572-5310; 303-572-5324
Email: Joseph.Bermudez@wilsonelser.com, Scott.Sweeney@wilsonelser.com

Questions?