GSBA Risk Management Services
GASBO Meeting

Cyber-Risk for School Districts

November 7, 2013


Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

  • Your budgets are tight and will remain tight for the foreseeable future

  • Never had a claim involving a breach - at least you don’t think you have had one

  • Your IT folks assure you the District’s firewalls are sound and present no risk of penetration

  • I think we already have coverage somewhere else

  • New coverage being pushed by carriers but really no losses out there

  • I do not want to be the first one to buy the coverage

  • It is not on our radar screen – we will look at this next year

  • We have immunity from this type of loss


Agenda for Today

Why Cyber-Risk coverage was developed and what it protects

Your obligations under the law

Examine each reason given for not buying Cyber-Risk coverage

Outline the evolving GSBA RMF solution

Answer any questions


Why was Cyber-Risk Developed?

To protect your electronic assets in the face of the technological revolution that created the cyber-risk exposure

No different than protecting buildings and other assets, except that the exposure to loss is growing faster than you are building buildings


Cyber-Risk Protection
Privacy & Computer Security Protection
Privacy & Data Breach

Coverage has many names in the industry, but the basic risk is the same:

The School District "mishandles" personal data, resulting in regulatory requirements to notify, and to monitor for some period of time, the individuals affected by the "breach"; or

The School District is hacked and the information is stolen, resulting in the same notification and monitoring requirements plus any potential liability resulting from the hackers stealing the data


What is Protected?

Personally Identifiable Information (PII): the combination of a person's first name (or initial) and last name plus one or more of the following:

Social Security Number

Driver’s License Number

State ID Number

Account Number

Credit or Debit Card Number

Account Passwords or PINS or other access codes
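The definition above is, in practice, a data-classification rule: a record triggers the District's notification duty only when it pairs a name with at least one of the listed elements, and the notification cost and the Member retention thresholds discussed later in this deck both turn on how many distinct individuals a lost file names. The following Python script is an added example, not part of the original presentation or of any GSBA or Beazley material. It applies the presentation's summary of the rule (not the statute text) to a CSV export; the column names, the masked-value check, the FTE thresholds and the sample rows are assumptions made for illustration.

```python
"""
Added example (not from the GSBA/GASBO presentation): apply the deck's PII
definition -- first name (or initial) + last name + at least one sensitive
element -- to an exported file and count how many distinct individuals the
District would have to notify. Column names and sample data are constructed.
"""
import csv
import io
import re

# Assumed export column -> the sensitive element it carries, per the deck's list.
SENSITIVE_COLUMNS = {
    "ssn": "Social Security Number",
    "drivers_license": "Driver's License Number",
    "state_id": "State ID Number",
    "account_number": "Account Number",
    "card_number": "Credit or Debit Card Number",
    "password": "Account password / PIN / access code",
}

# Loose format checks so an empty, masked ("XXX-XX-1234") or obviously
# truncated field is not counted as a sensitive element.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def _present(value: str) -> bool:
    """True when a field holds real, unmasked content."""
    v = (value or "").strip()
    return bool(v) and not re.fullmatch(r"[Xx*#]+[-\dXx*#]*", v)


def sensitive_elements(row: dict) -> list:
    """Return the labels of the sensitive elements present in one record."""
    found = []
    for col, label in SENSITIVE_COLUMNS.items():
        v = (row.get(col) or "").strip()
        if not _present(v):
            continue
        if col == "ssn" and not SSN_RE.match(v):
            continue
        if col == "card_number" and not CARD_RE.match(v.replace(" ", "")):
            continue
        found.append(label)
    return found


def is_notifiable(row: dict) -> bool:
    """The deck's rule: first name or initial, last name, plus >= 1 element."""
    first = (row.get("first_name") or "").strip()
    last = (row.get("last_name") or "").strip()
    return bool(first) and bool(last) and bool(sensitive_elements(row))


def assess_export(csv_text: str) -> dict:
    """Summarise an export: rows, notifiable rows, distinct individuals, elements."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    notifiable = [r for r in rows if is_notifiable(r)]
    # Notification and credit monitoring are per person, so de-duplicate on an
    # identifier plus name (assumption: the export carries a student_id column).
    people = {
        ((r.get("student_id") or "").strip(),
         r["first_name"].strip().lower(),
         r["last_name"].strip().lower())
        for r in notifiable
    }
    elements = sorted({e for r in notifiable for e in sensitive_elements(r)})
    return {
        "records": len(rows),
        "notifiable_records": len(notifiable),
        "notified_individuals": len(people),
        "elements_present": elements,
    }


def exceeds_member_retention(notified: int, ftes: int) -> bool:
    """Compare a count with the size-based retention quoted in the deck:
    Members keep breaches under 25 / 50 / 100 individuals for small (<1,000 FTE),
    medium (1,000-10,000 FTE) and large (>10,000 FTE) Members respectively."""
    threshold = 25 if ftes < 1000 else 50 if ftes < 10000 else 100
    return notified >= threshold


# Constructed sample export: fictional people and numbers. Row 3 is masked,
# row 4 lacks a first name, row 5 repeats a person, row 6 has no element.
SAMPLE_CSV = """student_id,first_name,last_name,ssn,drivers_license,state_id,account_number,card_number,password
1001,Ann,Example,123-45-6789,,,,,
1002,B,Sample,,,,,4111111111111111,
1003,Cal,Demo,XXX-XX-4321,,,,,
1004,,Nameless,987-65-4321,,,,,
1001,Ann,Example,,,,ACCT-7788,,
1005,Dee,Photo,,,,,,
"""

if __name__ == "__main__":
    summary = assess_export(SAMPLE_CSV)
    print(summary)
    print("pool attaches (800-FTE Member):",
          exceeds_member_retention(summary["notified_individuals"], 800))
```

Run on the constructed file it reports six rows, three notifiable rows, but only two individuals to notify, with SSN, account number and card number as the elements exposed; a real export needs the column map adjusted and, ideally, the masking check tightened to whatever masking convention the District's systems actually use.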


Threats to a School District

Internal Threats:

Rogue employee who was fired and wants to “hurt” School District

“Idealist” who wants to “change” the School District policies by disrupting normal operations

Accidental or careless staff who lose data, whether on paper or electronically via a lost laptop

External Threats:

Outside vendor or business associate with access to School District data who steals personal data

Organized crime – both foreign and domestic

Hackers or “Hacktivists” who do it “to change the world”


Threats to a School District

Technology:

Viruses, SQL injection, etc.

Structural vulnerabilities in your network

Employee use of social media / networking "opening the door" for hackers to enter your network

Remote teaching putting strain on the security of your internal network firewalls

Phishing

“Old School”:

Dumpster diving for discarded papers that are not shredded

Loss or theft of a laptop with personal data on it


Threats to a School District

Regulatory/Legal:

47 states now have breach notification laws

Georgia is one of the 47; its law applies to any entity, government or private, that suffers a breach, and requires that the people affected by the breach be notified (Georgia Personal Identity Protection Act of 2007)

Many breaches do not develop into identity theft, but the notification and tracking requirement is very expensive for the School District

School nurses in particular have to be careful with health information covered by HIPAA

At present it is unclear how immunity would apply if the District were sued by a third party injured by a breach


Georgia Personal Identity Protection Act of 2007 (O.C.G.A. §§ 10-1-910 through 10-1-912)

Amended to include public universities and other state and local agencies

A breach is the unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality or integrity of PII

It can also apply if the compromised information is sufficient to perform or attempt identity theft


What would you do if...?

Friday, September 6, 2013

Atlanta Journal-Constitution


Data Breach – More Recent Examples

Boston Public Schools, MA: August 2013

21,054 student files (ID numbers, name, age and a photo); families were sent automated phone calls and letters

A vendor that makes student ID cards lost a USB stick holding the records

San Juan Unified School District, CA: May 2011

4,000 employees and former employees notified by letter

Personal information was compromised when an employee inadvertently uploaded the entire contents of a USB stick to a church website

Paulding County Schools, GA

A phishing loss that was covered, but it entailed notification costs which were not covered


Cost of Breach

Ponemon Institute – 2013 Cost of a Data Breach Study

Studied breaches at 277 companies in nine countries over ten months in 2012

Average cost per record in the US was $188, the second highest after Germany

Significantly lower per record in:

Public Services: $81

Education: $111

If you had 4,457 records released, like the State of Georgia:

On your own, at the Education rate above (4,457 × $111), the cost is $494,727

The cost of insurance is a premium based on the size of the District, but it works out to about $1 for each current student in the District


Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

  • Your budgets are tight and will remain tight for the foreseeable future

    • They are tight, and it will cost money, but as you will see shortly it is very affordable: the premium pays for itself with roughly one loss every 15 years

    • Covers not only current PII records (students, employees and applicants) but also historical records retained by the District

  • Never had a claim involving a breach - at least you don’t think you have had one

    • Not so much a liability issue as an internal cost issue: if you have a breach, you must comply with the law

    • You are buying expertise on how to handle a breach, unlike the State of Georgia case

  • Your IT folks assure you the District’s firewalls are sound and present no risk of penetration

    • Not an IT / firewall issue; it is a mishandling issue


Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

  • I think we already have coverage somewhere else

    • Excluded under the GSBA RMF Coverage Agreement and the ISO policy forms

    • The intent is not to provide this coverage, but the forms are silent on some of the liability exposures

    • It will be absolutely excluded as of 7/1/2014

  • New coverage being pushed by carriers but really no losses out there

    • We have shown you some examples of actual losses

    • Beazley has 2,500 policies and is expecting 800 breaches this year alone

    • Few and far between, but when they happen they can be very large and confusing for the District involved


Reasons a Business Officer should NOT buy Cyber-Risk Insurance?

  • I do not want to be the first one to buy the coverage

    • You are not: 12-13 districts are already buying the GSBA RMF solution

  • It is not on our radar screen – we will look at this next year

    • It is perfectly acceptable to prepare and budget for it

    • Be aware that the full clarifying exclusions go into effect on July 1, 2014

    • The current proposals provided to all GSBA RMF members are effective until 12/31/2013; new members will be re-evaluated as of July 1, 2014

  • We have immunity from this type of loss

    • From a liability standpoint, probably; from a first-party notification standpoint, you must comply with the law


The GSBA Solution

A conservative approach, but one based on making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure

RMF has worked with Beazley, a prominent carrier in the cyber insurance space, to initially offer a group-purchased option to each School District in RMF

Over the next couple of years RMF will assume some of the risk via the pool, to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts

Beazley will issue the policies and has the infrastructure to guide a Member through any type of breach and to help reduce the exposure from a breach


The GSBA Solution

The goal is to adopt the Beazley form into the RMF coverage document as of July 1, 2014, so that there is an affirmative grant of coverage in the coverage document

For July 1, 2013, coverage purchased is on a stand-alone basis, with a policy issued by Beazley

Quotes were provided in late June to all RMF Members

Quotes are open to bind through 12/31/2013 on a pro-rata basis

Even once the form is adopted into the RMF coverage document, and RMF assumes a layer of risk as it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members


The GSBA Solution

There are six coverage parts in the policy negotiated with Beazley

In keeping with the pool approach, there is some sharing of limits among all the Members in exchange for more competitive pricing for each Member

Overview of Program Structure:

Coverage Part 1.A. – Information Security and Privacy Liability

Liability to a third party as a result of a failure of your network security to protect against identified threats

Liability to a third party as a result of the disclosure of confidential information


The GSBA Solution

Overview of Program Structure:

Coverage Part 1.B. – Privacy Breach Response Services

Crisis management and identity theft response services, and expense coverage, in order to meet regulatory compliance obligations

This also includes the expense of retaining a crisis management firm and of performing a forensic investigation, to protect or restore the School District's reputation following a privacy breach event

Based on the number of individuals to notify, not on a limit of liability

Coverage Part 1.C. – Regulatory Defense and Penalties

Fines and penalties associated with the School District's violation of a privacy law in connection with an insured breach

Coverage Part 1.D. – Website Media Content Liability

An expansion, for cyber exposures, of the coverage provided under the Personal Injury and School Leaders Liability coverage, but without some of the electronic-means limitations


The GSBA Solution

Overview of Program Structure:

Coverage Part 1.E. – Crisis Management and Public Relations

Pays the public relations and crisis management expenses of managing a breach that reaches the public eye via newspaper, radio or television, in order to rebuild the School District's reputation or to avoid undue damage from reporting of the breach event

Coverage Part 1.F. – PCI Fines and Costs

Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement, where the alleged breach resulted from non-compliance with the published PCI Data Security Standard


The GSBA Solution

Limits of Liability to Members:

The any-one-claim limit, combined across all sections except Privacy Breach Response Services, is $1,000,000

Subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs

The overall RMF fund aggregate limits for all Members, across all coverage lines except Privacy Breach Response Services, are 10 times each of these limits ($10,000,000, $5,000,000 and $500,000 respectively)

For Privacy Breach Response Services there is no dollar limit of liability, as the coverage is based on the number of Notified Individuals

The RMF fund has an aggregate of 500,000 Notified Individuals, subject to sub-limits of 250,000 for the legal and forensic expense coverage part and 50,000 for the foreign Notified Individuals extension

The overall RMF fund aggregate limits are again 10 times


The GSBA Solution

Retention / Deductibles for Members:

The any-one-claim retention, combined across all sections except Privacy Breach Response Services, is $25,000

For Privacy Breach Response Services, the retention is broken into two parts:

All costs and services under legal and forensic services, combined with notification costs, carry a $10,000 combined retention, subject to a sub-retention of no more than $5,000 for legal expenses

Under the Call Center Services and Credit Monitoring Program, the retention is expressed as a number of individuals and depends on the size of the district:

Small Members (fewer than 1,000 FTEs) are responsible for any breach involving fewer than 25 individuals

Medium Members (1,000 to 10,000 FTEs) are responsible for any breach involving fewer than 50 individuals

Large Members (more than 10,000 FTEs) are responsible for any breach involving fewer than 100 individuals


The GSBA Solution

Premium Brackets

Premium is based on FTE (current students and staff combined)

Coverage includes alumni records even though the alumni count is not included in the FTE for premium determination

Here are the proposed pricing ranges based on student enrollment:

Enrollment          Premium range          Districts bound
30,000 plus         $29,638 to $31,453     0
20,000 to 29,999    $24,432 to $28,227     0
10,000 to 19,999    $13,903 to $21,683     0
5,000 to 9,999      $7,111 to $11,504      2
2,500 to 4,999      $4,392 to $6,658       3
1,000 to 2,499      $1,942 to $4,005       4
999 or less         $500 to $1,628         3

GWP (gross written premium) to date: $45,467


Conclusion

The exposure is here to stay

Computers and mobile devices that store personal information about your employees and your students are an integral part of your District

Accidental loss of, or criminal appropriation of, that personal information will continue to happen whether you have good firewall protection or not

Attacks are getting more frequent and more sophisticated

Accidents are getting more frequent as we ask staff to do more in a day than ever before

GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary

