CYBER RISKS: THE BUCK STOPS WITH THE BOARD
Ironshore Data Privacy CE/CLE Seminar
September 17, 2014
Life Cycle of a Breach
• Identification of the Threat or Security Incident
  o What just happened?
• Triggering the Incident Response Team
  o Making sure the right people / partners are part of the team
• Containment
  o Have you stopped the "bleeding"?
• Remediation
  o Have you taken steps to prevent this type of event from occurring in the future?
• Notification – and beyond
Overview
You are part of a company that operates retail stores throughout the United States. Payment-card and HR processing is handled by your corporate offices for all stores. The Company employs approximately 20,000 people.
Cyber Attack!
SQL Injection Demo
8/21/2014
Rafael Negron
What is SQL?
o SQL: Structured Query Language
o Used to store, edit, and retrieve database data
o Applications issue SQL commands that manage data
(Diagram: Web Application sends SQL changes and retrieval requests to the Database)
SQL Injection
o Malicious SQL statements are inserted into an entry field for execution
o The injected statements make the database do things the application never intended, such as display every user's "Username and Password"
(Diagram: Web Application passes the injected SQL through its normal change and retrieval path to the Database)
SQL Mini-Lesson

"Users" Table

UserName   FirstName   LastName   Password
CJONES     Cynthia     Jones      XXXXXX
BSMITH     Bill        Smith      YYYYYY
SKING      Susan       King       ZZZZZZZ
RSMITH     Rob         Smith      AAAAA

The query, with what each clause does:

SELECT UserName, Password      -- column data returned
FROM Users                     -- table containing the data
WHERE LastName = 'Smith'       -- criteria rows must meet

Query Results

UserName   Password
BSMITH     YYYYYY
RSMITH     AAAAA
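The slides go on to demonstrate injection against this same lookup. As an added worked example (not part of the seminar slides or the presenter's demo), the following Python script rebuilds the Users table above in an in-memory SQLite database, runs the slide's query the way a vulnerable web application typically builds it (string concatenation), feeds it two constructed attacker inputs, and then runs the same lookup with a bound parameter. The attacker strings, the function names and the use of sqlite3 are assumptions made here for illustration; the slides do not show the attacker's actual input or the application's code.

```python
"""SQL injection against the slide's "Users" table, vulnerable and hardened.

Added example, not from the original slides. Uses Python's built-in sqlite3
so it runs offline. The table rows are the ones on the slide; the injected
inputs are constructed for this example (an assumption: the slides do not
show the attacker's exact input).
"""
import sqlite3

# The slide's "Users" table, rebuilt in memory.
USERS = [
    ("CJONES", "Cynthia", "Jones", "XXXXXX"),
    ("BSMITH", "Bill", "Smith", "YYYYYY"),
    ("SKING", "Susan", "King", "ZZZZZZZ"),
    ("RSMITH", "Rob", "Smith", "AAAAA"),
]


def build_db():
    """Create the Users table in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT, FirstName TEXT, "
        "LastName TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The pattern that makes injection possible: user input is pasted straight
    into the SQL text, so any quote characters the user types become part of
    the statement rather than part of the value being searched for."""
    sql = ("SELECT UserName, Password FROM Users WHERE LastName = '"
           + last_name + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """Hardened form: the statement text is fixed and the value travels
    separately as a bound parameter, so quotes in the input stay data."""
    sql = "SELECT UserName, Password FROM Users WHERE LastName = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# Constructed attacker input 1. The leading quote closes the string literal
# the application opened; OR '1'='1 makes the WHERE clause true for every row,
# so every UserName and Password comes back (the slide's "display Username
# and Password" outcome).
INJECTED_ALL_ROWS = "Smith' OR '1'='1"

# Constructed attacker input 2. UNION appends a second SELECT of the
# attacker's choosing; the trailing -- comments out the quote the
# application appends. This is how an attacker reads columns (or tables)
# the application never meant to expose.
INJECTED_UNION = "x' UNION SELECT FirstName, LastName FROM Users --"


if __name__ == "__main__":
    conn = build_db()
    print("legitimate input:", lookup_vulnerable(conn, "Smith"))
    print("OR 1=1 injected: ", lookup_vulnerable(conn, INJECTED_ALL_ROWS))
    print("UNION injected:  ", lookup_vulnerable(conn, INJECTED_UNION))
    print("parameterized:   ", lookup_parameterized(conn, INJECTED_ALL_ROWS))
```

Run directly, the script prints the two Smith rows for the legitimate input, all four username/password pairs for the first injected input, the FirstName/LastName pairs for the UNION input, and an empty result when the injected string is passed as a bound parameter. The fix is not filtering quotes out of input; it is never letting user-supplied text become statement syntax.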
Exploitation Methodology
Step 1 Scan
Step 2 Vulnerability Assessment
Step 3 Remote Exploitation
Step 4 Privilege Escalation

Demonstrations
o SQL Injection
o Windows Passwords: Pass The Hash (authenticating with a stolen password hash instead of the password itself)
What Just Happened?
• Your Company was the victim of a SQL injection attack against a web application that provided information on customers who had purchased the Company's services. The hacker appears to have gained access to the database that was serving the web application.
• Question: What Do You Do?
Information Exposed
• The initial investigation shows that the database contained employees' names, addresses, social security numbers, driver's license numbers, position, and bank account information. The database has been operational for 5 years. The database appears to have stored cardholder information for repeat customers.
• Question: Now what? Does this impact your initial plan of action?
Monkey Wrench #1
You just learned that Brian Krebs, an online reporter who is credited with
breaking the story that Target had been breached, and is followed by
thousands of other publications, posted a story on his blog that the
Company appears to have been breached. The story mentions that the
Company failed to return phone calls for two days.
Monkey Wrench #2
The CEO of the Company contacts you, and tells you that he just received
an e-mail from an unknown e-mail address, informing him that this person
has the personal information of the CEO and his daughter, provides his
driver’s license as proof, and threatens to post it online unless the CEO
pays a ransom.
Update From Investigation
• The database contained a link to an application that was connected to the Company's payment processing system, which is centrally located at the Company's headquarters. The application automatically updated information for repeat customers, but also allowed the hacker to potentially access the payment card information of all customers, exposing over 2 million credit cards.
Monkey Wrench #3
The FBI has just showed up at your door, and wants access to your data
center so it can image your computers and servers in order to investigate
the cyber attack.
Monkey Wrench #4
In the midst of your investigation, you receive an inquiry from a regulatory agency requesting more information about the event, asking for policies and procedures, and seeking a meeting.
Summary
• Responding Quickly, But Effectively Matters
• Know Who Your "Team" Members Are Before You Have An Event - Internal And External
• Training And Education Matters!
• No Two Events Are Alike - Expect The Unexpected
CYBER RISKS
THE BUCK STOPS WITH THE BOARD
Panelists:
Anjali C. Das, Partner Wilson Elser, LLP
Ty R. Sagalow, President Innovation Insurance Group, LLC
William A. Boeck, SVP Lockton Companies
Lindsay B. Nickle, Partner Wilson Elser, LLP
Kristi Janicek, Ironshore
Brenda Barnat, Abernathy MacGregor Group
OVERVIEW
• Corporate Exposures for a Data Breach
• Lack of Board Oversight for Data Privacy and Security
• SEC Guidance and Enforcement
• Rise in Shareholder Litigation Against D&Os
• Corporate Governance and Cyber Risk Management
• Cyber Insurance versus Other Insurance
DATA BREACHES IN THE NEWS
• Target
• Neiman Marcus
• Advocate Healthcare
• Twitter
• Adobe
• Facebook
• Living Social
• Evernote
• Federal Reserve Bank
CORPORATE EXPOSURES FOR A DATA BREACH
Average Data Breach Response Costs
• Avg. total organizational cost of breach ($5,403,644)
• Avg. detection costs ($395,262)
• Avg. notification costs ($565,020)
• Avg. remediation costs ($1,412,548)
• Avg. lost business costs ($3,030,814)
• $200 a record
Note: Figures do not include mega breaches in excess of 100,000 breached records
Source: Ponemon Institute 2013 Cost of Data Breach Study
Other Breach Related Costs
Litigation costs
• Consumer class actions
• Shareholder suits
• Government investigations and proceedings
Impact on corporate finances
• Cash flow
• Loan covenants and credit
• Shareholder value
• Reputational injury and loss of business
Adverse Impact on Target's Corporate Financials
• 5.5% decrease in sales in 4Q 2013
• "Meaningfully softer results" following news of the breach
• 11% drop in stock price
• Reputational injury
Target Data Breach Related Costs
• $88 million incurred for data breach response costs and related expenses to date
• Amounts include
  o internal investigation costs
  o credit monitoring
  o staffing call centers
• $52 million in expected insurance recoveries
• $100 million in dedicated cyber liability insurance
Target Management Shake Up
• CIO/CEO "resignations"
• CFO testifies before Congress
• Shareholder proxy advisor ISS recommends ousting Board members
• Appointment of new Chief Information Security Officer
LACK OF BOARD OVERSIGHT FOR DATA SECURITY
“Only a few executive officers understand
security and the rest are clueless. . . . [T]his
causes a big disconnect between the people
performing information security to protect an
organization’s data and the top-level executives
at the organization.”
Source: Larry Ponemon, Founder of the Ponemon Institute
• Many Boards are reassessing their skills in cyber risk management
• Experience in overseeing the growing threat of cyber security risk is one of the key attributes Boards will consider when appointing new directors
• IT expertise is now considered one of the top 5 attributes for today's Board members
• Only 11% of Boards are "very confident" of their ability to manage cyber risk
Source: NYSE 2014 Survey: What Directors Think
SEC GUIDANCE AND ENFORCEMENT FOR DATA
SECURITY AND PRIVACY
SEC Cyber Risk Disclosure Guidance
• Discussion of aspects of business or operations that give rise to material cyber risks (costs and consequences)
• Outsourced functions that may give rise to a cyber risk and how the company manages that risk
• Description of material cyber incidents to date (costs and consequences)
• Risks related to cyber incidents that may remain undetected for an extended period
• Description of relevant insurance coverage
• 5/1/13 Letter from SEC Chair Mary Jo White to Senator Rockefeller highlights the SEC's interest in cyber risk
  o Cybersecurity risks are an "increasing concern" for public companies and financial markets
  o Since 2012, the SEC has issued 50 comment letters to companies regarding their cyber risk disclosures
  o SEC continues to "prioritize" this issue
  o SEC is evaluating the "efficacy" of its guidance
  o The SEC may consider further action on this topic
“Boards that choose to ignore, or minimize, the
importance of cybersecurity oversight
responsibility, do so at their own peril.”
SEC Commissioner Luis Aguilar speaking at the NYSE Conference:
Cyber Risks and the Boardroom (June 10, 2014)
SEC “Blueprint” of Cybersecurity Issues
for Wall Street Firms
1. Inventory of information security assets
2. Dedicated employees responsible for monitoring and
detecting cybersecurity threats
3. Cyber liability insurance
4. Security policies, practices, and internal controls
5. Cybersecurity risks associated with third party vendors,
service providers, and business partners
D&O CYBER EXPOSURE:
THE NEW FRONTIER FOR SHAREHOLDER SUITS
• Securities Class Actions
  o Was there a stock drop following news of a big data breach
  o Did the D&Os knowingly conceal a material cyber risk (scienter)
  o Were the stock losses caused by the bad news or by a "corrective disclosure" (loss causation)
  o Did the company adequately disclose cyber risks in its filings (per SEC guidance)
• Derivative Actions
  o Breach of fiduciary duties and lack of oversight by Board
  o Weak internal controls for cyber risk
  o Damages to company resulting from data breach or other cyber threat
Target Shareholder Suits
• Shareholder derivative suits against Target's D&Os for breach of fiduciary duty related to the 2013 data breach
• Suits filed in Minnesota federal court
• Suits name CEO, CFO, CIO and Board of Directors
• D&Os allegedly failed to: (1) promptly notify customers of the data breach, and (2) implement internal controls to detect and prevent a data breach
• Complaints highlight Company's Privacy Policy
• Company allegedly failed to use the PCI Data Security Standard for large retail companies
Company’s Purported Damages
1. Reputational injury and loss of business
2. Loss of revenue and profits
3. Costs of defending and/or settling consumer class
actions
4. Costs incurred in response to government
investigations
5. Costs incurred from Company’s internal investigation
6. Data breach remediation costs
Corporate Governance and Cyber Risk Management
Best Practices
SEC Recommendations to Boards
to Manage Cyber Risk
1. Use the NIST Framework as Guidance
2. Retain Directors with technical and security expertise
3. Companies should have skilled employees to manage
cyber risk on a day-to-day basis
4. Boards should make sure that companies have a tested
data breach response and recovery plan in place
National Institute of
Standards & Technology Framework
1) Identify critical IT and electronic data assets
2) Protect these assets
3) Detect cybersecurity threats
4) Respond to cyber attacks (breach response plan)
5) Recover lost, stolen, or impaired assets (recovery
plan)
Privacy Policy
• Due Diligence
  o Who is responsible for the Privacy Policy (i.e., Chief Privacy Officer)
  o What PII does the Company collect
  o From which states/countries is PII collected
  o Who has access to the PII (both inside and outside the Company)
• Drafting the Privacy Policy
  o Does it provide notice of the Company's collection of PII
  o Does it provide consumers with opt-in/opt-out for use of their information
  o Is PII being protected through appropriate (industry standard) security
  o Is the Policy prominently located on the Company's Website
• Compliance/Auditing
  o Are employees trained on protecting PII
  o Does the Company employ effective security measures to protect PII
  o Does the Company periodically audit compliance with its Privacy Policy
Contracts with Vendors/Business Associates
• ID type of data to be stored or processed (PHI, PII, etc.)
• Where will data be stored, transferred, and accessed
• Specify baseline security standards that Vendor must adhere to
• Does Vendor have its own Privacy Policy
• Definition of a reportable security breach
• Who will be responsible for notifying consumers (Company or Vendor)
• Data disposal and deletion requirements and time-frame
• Company's right to audit Vendor for compliance with data security/privacy
• Address Vendor's use of Subcontractors
• Who has to comply with what laws, and who is financially responsible (Company or Vendor, or both)
More Data Security Policies and Procedures
• Training employees
• Restricting users and access to network resources
• Implementing a process for managing IT assets
• Adopting a security policy that addresses mobile media
• Maintaining controls to secure portable media
• Maintaining protection against DDoS attacks
• Maintaining a written data destruction policy
• Maintaining a written cybersecurity breach response plan
• Testing computer backup systems
• Using data encryption
• Conducting periodic audits to ensure compliance with security policies
Carnegie Mellon's Corporate Governance Best Practices Checklist for Cyber Risk
• Establish a Board Cyber Risk Committee
• Recruit directors with IT and security expertise
• Conduct an annual audit of security and breach response programs and controls
• Require management to give periodic reports on privacy and security risks
• Require the Board to conduct an annual review of budgets for privacy and security risk management
• Evaluate potential liabilities and losses for cyber risk
• Review the adequacy of cyber risk insurance coverage
Privacy and Security Risk Disclosures
• "Privacy concerns relating to our technology could damage our reputation and deter current and potential users from using our products and services."
In addition, as nearly all of our products and services are web-based, the amount of data we store for our users on our servers (including personal information) has been increasing. Any systems failure or compromise of our security that results in the release of our users' data could seriously limit the adoption of our products and services, as well as harm our reputation and brand and, therefore, our business. We expect to continue to expend significant resources to protect against security breaches. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of web-based products and services we offer, and operate in more countries.
(Source: Google Form 10-Q 7/24/14)
Privacy and Security Risk Disclosures
• "We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material."
We are currently subject to a number of governmental investigations and private litigation and other claims relating to the Data Breach, and in the future we may be subject to additional investigations and claims of this sort. These investigations and claims could have a material adverse impact on our results of operations or profitability.
Finally, we believe that the greatest risk to our business arising out of the Data Breach is the negative impact on our reputation and loss of confidence of our guests, as well as the possibility of decreased participation in our REDcards Rewards loyalty program which our internal analysis has indicated drives meaningful incremental sales.
(Source: Target Form 10-K 3/14/14)
Don't Count on Traditional Insurance to Respond to Cyber Exposures
• CGL Coverage
• D&O Insurance
• Cyber Liability Insurance
CGL Policy
• Coverage A: Bodily Injury or Property Damage
  o Property damage means physical injury to tangible property, including loss of use of property
  o Is electronic data physical or tangible property?
• Evolution of ISO standard form CGL Policies
  o Pre-2001: No exclusion for electronic data
  o Post-2001: Electronic data excluded
  o Post-2004: Exclusion for damages arising out of the loss of, damage to, corruption of, or inability to access electronic data
CGL Policy
• Coverage B: Personal and Advertising Injury
  o Includes "oral or written publication of material that violates a person's right to privacy"
  o Coverage B might apply to theft of consumer data or misuse of customer information
• Post-2001 ISO standard form CGL policies exclude coverage for Internet-related activities
New ISO Exclusion for CGL Policies
1) Arising out of any access or disclosure of any person's or organization's confidential or personal information;
OR
2) Arising out of the loss of, damage to, corruption of, or inability to access or manipulate electronic data
Public Company D&O Policy
• Coverage for shareholder suits
• Limited coverage for investigations
• Entity coverage limited to Securities Claims
• No specific cyber exclusions
• Bodily injury and property damage exclusion
• Personal injury exclusion
• Other insurance provision
Private Company D&O Policy
• Duty to defend
• Broad entity coverage
  o Could include claims for negligence for failure to reasonably safeguard customer information
• Bodily injury / property damage exclusion that applies to injury to physical or tangible property
• Personal injury exclusion that applies to claims for "invasion of privacy"
  o Courts have held that loss or theft of PII pursuant to a data breach does not give rise to a typical tort claim for invasion of privacy
Cyber Liability Policy
1. First Party Coverage, including:
  o Breach notification costs
  o Forensic investigation
  o Credit monitoring or identity theft
  o Public relations / crisis management
  o Call centers
2. Business Interruption Coverage
3. Cyber Extortion Coverage
4. Third Party Claims against Insureds
5. Regulatory Investigations
D&O and Corporate Cyber Exposure Takeaways
• The buck stops with the Board
• No companies are immune to a data breach
• If the Target shareholder suits gain traction, more may follow
• Companies should have adequate cyber risk management policies and procedures
• Boards should be well-informed of cyber risks
• Duty to disclose material cyber risks
• Boards should consider how insurance responds to cyber-related claims
HYPOTHETICAL DATA BREACH SCENARIO
&
MOCK EMERGENCY BOARD MEETING
"Imagine someone trying to break into your house. Now imagine it 60,000 times a day."
http://www.ibm.com/smarterplanet/ie/en/business_resilience_management/overview/index.html?re=spf
Agenda
From a forensic, legal, and insurance perspective:
• Bring Your Own Device (BYOD)
• Vendor and Supply Chain Risks
• What Data Do I Collect, Where Is My Data, Who Has Access To My Data
• The Insider Threat
Thank You For Attending
Company Panel Participants: