
New Threats, New Liabilities State of the Privacy Insurance Market April, 2007


Presentation Transcript


  1. New Threats, New Liabilities: State of the Privacy Insurance Market, April 2007. Professional Liability Underwriting Society 2007 E&O Symposium, Philadelphia, PA ~ April 11 & 12, 2007

  2. New Threats, New Liabilities State of the Privacy Insurance Market April, 2007 Panel Sandy Codding Managing Director, Marsh Inc. Mark Greisiger President, NetDiligence Brian Schaeffer, CISSP Senior VP, CIO, CTO, Liberty Bell Bank Lori Bailey Asst. VP, National Union Insurance Co.

  3. What Are the Risks? Privacy, Computer and Network Security are not just Internet issues. Any entity using the following is at risk: 1) a computer network; and/or 2) confidential information.

  4. Traditional Approaches to Technology-Related Risk • Corporations have viewed information security as a pure technology problem • Budget for services/products • Hire CISO, additional IT staff • Outsource critical network security components • Confusing array of products and vendors • Reactive—buy a solution in the wake of an event • Has not been treated like other risk management issues

  5. Who’s buying? • Technology & Telecommunications • Financial Institutions • Health Insurers and HMO’s • Media & Communications • Retailers • Colleges & Universities

  6. Why are they buying? • Contractual Requirements • Regulatory Concerns • Gaps in Traditional Coverage • Pre-Claim Expenses • Actual Claims and Losses

  7. Why are they buying now? • Contractual Requirements • Trading partners are adding new indemnification requirements to contracts specifying privacy and cyber • Regulatory Concerns • New regulations impose prospective duties upon companies • Gaps in Traditional Coverage • P&C policies are expressly excluding coverage for cyber & privacy perils • No coverage for pre-claim expenses or regulatory defense • Risks no longer limited to Technology companies • FI, Retail, et al now finding themselves squarely in the cross hairs of the regulators, organized crime and plaintiffs’ bar • Victims—individuals and corporations—no longer content to suffer in silence are looking to hold companies responsible for costs associated with breaches

  8. Why aren’t they buying more? • Inconsistent Pricing/Underwriting • Pricing varies widely from carrier to carrier for the same risk • Terms often seem subject to the whims of the underwriter • Confusing & Restrictive policy language • Multiple coverage grants or modules • More exclusions than thought humanly possible • Limitation to the single “computer attack” peril • Lack of significant limits for various industries/coverages • FI, Retail, Higher Ed, etc. are either preferred or restricted classes depending upon the carrier • Lack of communal approach to excess layers • De minimis sub-limits on Notification and Regulatory Defense • Lack of claims examples • Remember EPLI?

  9. Frontline Perspective: Cyber Risk & Loss Prevention. Mark Greisiger, NetDiligence

  10. Customer Attitudes Risk Mgrs gaining a better appreciation for the diverse threats that CAN impact their ecom operations, and bottom line

  11. Driving Customer Attitudes Risk Mgrs (and D&Os) see their peers impacted weekly. Samples of security breaches within the retail industry: Jan 2007 – TJX: Disclosed that an “unauthorized intruder” gained access to its systems in mid-December and may have made off with the card data of customers in the U.S., Canada and Puerto Rico, as well as the U.K. and Ireland. Nov 2006 – Starbucks Corp. said it had lost track of four laptop computers, two of which had private information on about 60,000 current and former U.S. employees and fewer than 80 Canadian workers and contractors. February 2006 – OfficeMax: The California retailer was at the heart of a major data-security breach affecting as many as 200,000 consumers, banking and law-enforcement sources confirmed. They also said investigators are exploring the possibility that the Russian mob or another Eastern European crime syndicate is responsible for accessing U.S. consumers' debit-card numbers and selling counterfeit cards on the black market worldwide. April 2005 – Ralph Lauren: Polo Ralph Lauren Corp. blamed a software glitch for a security breach that prompted HSBC North America to notify 108,000 holders of its General Motors-branded MasterCard that their personal information may have been stolen. April 2005 – DSW Shoe Warehouse: Retail Ventures Inc. this month reported that personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary was stolen. The information, involving 1.4 million credit cards used to make purchases mostly between November and February, included account numbers, names, and transaction amounts.

  12. Network Threats • Malicious • Viruses/trojans, stealth hackers, extortionist, rogue inside or overseas contractor, disgruntled CIO, greedy fraudsters (phishing), belligerent ‘pranksters’ • Non-Malicious • Employee/ Partner mistakes (customer data leaks) • Application glitches • Business Trends • Points of failure are now magnified/multiplied due to trends of outsourcing computing needs (domestic and overseas) • Massive dependencies and data-sharing between companies and their upstream and downstream vendors (ASPs, partners, ISPs)

  13. Example - How Real Are The Threat Exposures? • Denial of service attacks are more common & difficult to prevent • Imagine a rogue army of 100,000 bots (hijacked computers) working in unison to attack a company’s transactional website • Large exposure for clients who require their transactional systems to be available always • Can be tied to ‘cyber extortion’ – a demand to wire money to an attacker’s bank account or suffer a massive attack (outage) • This trend will continue due to: • The simplicity of the attack • Massive growth in broadband connections which are unknowing ‘zombies’ used by bad guys
  [Figure: Sample ISP log for a business under attack over a 3-week period]

  14. Why The Problem? The Internet’s open network • Many companies have a transactional website • Businesses collect and store customer private data • More data often collected than needed • Data often Stored for too long • Business servers (websites) are very porous and need constant care (hardening & patching) • Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers • Bad guys rely on the prevalence of human error • Poor passwords • Unchanged default settings • Lack of tested back-up process • No applied patches • No encryption in database

  15. A Note On PCI • PCI: A security standard that includes requirements for critical protective measures: • * security management • * policies and procedures • * network architecture • * software design • Goal: to help organizations proactively protect customer account data • Developed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

  16. PCI: Watch How & What You Store • Customer NPI Data should be encrypted in Database • Do not store sensitive authentication data subsequent to authorization (not even if it’s encrypted) • Do not store the full contents of any track from the magnetic stripe (on the back of a card) • Do not store the card-validation code (3- or 4-digit value printed on the front or back of a payment card) • Do not store the PIN Verification Value (PVV)
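The storage rules on slide 16 are the kind of thing a pre-storage check can enforce mechanically. The following is an added example, not code from the panel, from NetDiligence or from the PCI SSC: it rejects records carrying forbidden fields or magnetic-stripe track data, validates and masks the PAN, and replaces it with a keyed token for correlation. It also goes one step beyond the slide by flagging a Luhn-valid PAN that has leaked into a free-text field. Field names, the tokenization key and the sample record are constructed assumptions; the PAN is the standard 4111 1111 1111 1111 test number.

```python
"""
Added example (not from the original presentation): a pre-storage check
enforcing the PCI storage rules on slide 16. Field names, the key and the
sample record below are assumptions made for the example.
"""
import hashlib
import hmac
import re

# Fields that must never reach persistent storage after authorization,
# even encrypted: full track data, card-validation code, PIN / PIN block, PVV.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc", "cid",
                    "pin", "pin_block", "pvv"}

# Magnetic-stripe layouts: Track 1 carries format code 'B', the PAN and a '^'
# field separator; Track 2 is PAN '=' expiry (YYMM) followed by service data.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^")
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")
PAN_LIKE_RE = re.compile(r"\d{13,19}")

# Assumed tokenization secret. In production this would come from an HSM or
# key-management service, never from source code.
TOKEN_KEY = b"assumed-key-kept-out-of-source"

# Constructed sample: what an authorization handler might try to persist.
SAMPLE_AUTH_RESPONSE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cvv": "123",
    "amount": "19.99",
    "memo": "raw swipe ;4111111111111111=25121010000012345678?",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; distinguishes a PAN from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most that may be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(digits: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash so records can be correlated without storing the PAN.
    A plain hash would be brute-forceable: the PAN space is small and Luhn-structured."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes = TOKEN_KEY):
    """Return (storable_record, violations). Anything listed in violations was
    dropped; the caller should treat a non-empty list as a defect to fix upstream."""
    safe, violations = {}, []
    for name, value in record.items():
        lname = name.lower()
        if lname in FORBIDDEN_FIELDS:
            violations.append(f"forbidden field present: {name}")
            continue
        if lname == "pan":
            digits = re.sub(r"\D", "", str(value))
            if not luhn_ok(digits):
                violations.append("PAN fails Luhn check")
                continue
            safe["pan_masked"] = mask_pan(digits)
            safe["pan_token"] = pan_token(digits, key)
            continue
        if isinstance(value, str):
            if TRACK1_RE.search(value) or TRACK2_RE.search(value):
                violations.append(f"track data found in field {name}")
                continue
            m = PAN_LIKE_RE.search(value)
            if m and luhn_ok(m.group()):
                violations.append(f"unmasked PAN found in field {name}")
                continue
        safe[name] = value
    return safe, violations


if __name__ == "__main__":
    stored, problems = sanitize_for_storage(SAMPLE_AUTH_RESPONSE)
    print("stored:", stored)
    print("violations:", problems)
```

The check drops offending fields rather than raising, so a logging or audit path can record the violation while the transaction still completes with only the masked PAN and token; a stricter deployment would refuse the write outright.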

  17. Losses: Recent Real Life Breach Events • Recent loss events: • Rogue CIO – BI Loss: A company that sold e-books online suffered a major first-party loss of approx. $500k. • Cyber Extortion – BI Loss & potential liability • E-Bank System Exploited – Cash Stolen • E-Checking System Breach – BI Loss & potential liability • Industries most at risk? • 24x7 models • Client NPI is being collected, shared, processed, stored • Lesson…cyber risk exposures can be managed and transferred (eliminate, mitigate, accept & cede)….RM needs a seat at the table!

  18. What Can Be Done? • Increase awareness of risk • Appreciate the many challenges to manage the risks • Assess and test • Back to basics: Implement baseline safeguards and controls • Vigilance: Update and monitor your measures

  19. Strategies For Risk Managers Loss Prevention Approach • Review Controls Surrounding People • Dedicated information security personnel • Background checks • Proper security budget • Vigilance about their jobs • Review Controls Surrounding Processes • Enterprise ISO17799 • PCI audit compliance ready (or near) • Policies enforced daily • Employee education/training • Change management processes • Review Controls Surrounding Technology • Managed firewall with IDS/IPS • Hardened and patched servers • Strong passwords • Anti-virus software • and transmission • Daily backup

  20. Where To Begin? • Start with a self-assessment…benchmark against known standards

  21. BCP (backup & hot site)

  22. CyberRisk Insurability Assessment Process • What is it? A ‘quiet audit’ process of a company’s Information Security, Business Continuity and Privacy Practices. • What is the Purpose? To give the Risk Manager (and their Insurer) an objective and independent opinion as to the functional risk profile of an Insured. • How is it Conducted? Either “on-site” or “remote”, often at the request of an Underwriter. • What is the End Result? A summarized written report that explains the auditor’s understanding of the Insured’s environment, with risk profile & mitigation suggestions.

  23. Value of the Assessment Exercise for the RM • Showcase Risk Mgmt Strengths • Reaffirm & document due care and a prudent information security program • Good faith effort towards compliance • Lessons learned from past loss/incidents • Illuminate Red Flags (weak security controls to improve upon) • No firewall • Mis-configuration: key server in front of the FW • No BCP/DR Plan • No DR Test (many) • No DB/Storage Encryption (most) • Opening in the corporate network perimeter (many) • Poor Passwords • No Dedicated Security Personnel/Role • No background checks

  24. New Threats, New Liabilities State of the Privacy Insurance Market April, 2007 Bank Perspective

  25. GLBA (Gramm-Leach-Bliley Act – Public Law 106-102), Financial Services Modernization Act of 1999, Title V • Disclosure of privacy policy in regards to the sharing of information with affiliates • When and how often the customer is notified of the privacy policy • The ability to “opt-out” of the sharing of non-public personal information with nonaffiliated third parties • The protection of customer information: Confidentiality, Integrity and Availability

  26. What does banking look like? [Diagram] Key assets: real-time integrity and availability of transactions; web; merchant capture; ATMs; customer data; branches; ACH; image exchange network.

  27. What are the threats? [Diagram, same key assets as slide 26 with the threats overlaid] Threats: social engineering; fraudulent transactions; phishing; card skimming; employee mistakes; image modification; 419 scams.

  28. Threat Mitigation • Outsource vendor mgmt (what is a trusted vendor doing to protect your customers’ data and your banking systems), and the vendor’s vendor • People: Infosec staff vigilance; employee awareness & training • Policies: security, privacy, BCP/DR • Self-Testing (Scan), Monitoring (Logs) & Constant Updating (Patch) • Two-factor Authentication

  29. Threat Mitigation Defense in Depth in practice Key: Make yourself an unattractive target

  30. New Threats, New Liabilities: The Carrier Perspective. Lori Bailey, Assistant Vice President, Professional Liability Division, AIG/National Union, 215-255-6181, Lori.Bailey@aig.com

  31. State of the Marketplace • Claim Activity • Regulatory Oversight • Heightened Notification Requirements • Aggressive Plaintiffs’ Bar • More Sophisticated Crime Networks • Dishonest Insiders • Human Error • Increased Cost of Compliance

  32. Current Trends: Coverage • Security/Privacy Liability • Rogue Employee Coverage • Coverage for Information Holders (Vicarious Liability) • Regulatory Claims Coverage • Crisis Management Coverages • Notification Costs/Public Relations Expenses • Credit Monitoring Services

  33. Current Trends: Client Profile • Financial Institutions • Healthcare Providers • Colleges & Universities • Retailers • Payment Processors • Professional Services Organizations • Accountants • Lawyers • Insurance Brokers / Companies • Anyone handling confidential information (personal or corporate)

  34. Current Trends: Litigation • Class Action Claims • Federal Oversight • State Attorney General • Federal Trade Commission • International Exposures • Foreign Hackers • Outsourced Vendors

  35. What’s Next? • Aftermath of Significant Data Breaches • Proposed Legislation • State • Federal • New Technologies
