
Page 1: Cyber Attacks: On The Rise! OAMIC 137th Annual Convention · Hackers & Criminals are now targeting small to mid-sized businesses as these are often the least secure from attack –

Presented by: Sandy Hauserman, Managing Member

June 9, 2016

Cyber Attacks: On The Rise!

OAMIC 137th Annual Convention

Page 2

PART I

What is Cyber Insurance?

Page 3

Cyber Insurance

Cyber Insurance covers a broad range of Internet- and data-related risks. Both first-party and third-party coverages are available in the market. Cyber Insurance was first introduced for technology companies in the mid-1990s. It addressed “intangible asset” risks (digital data) that were not covered under standard insurance policies. The term was first developed to address “internet risks”, or risks that exist in “cyberspace”. Sometimes called “Digital Risk”, it has since been broadened to include both online and offline environments.

Page 4

Cyber Insurance

First Party Coverages in the market include:

• Breach Notification Expense Coverage

• Identity Theft Remediation Coverage for Employees

• Crisis or Reputation Management

• Business Interruption and Extra Expense

• Cyber Extortion (Ransomware reimbursement)

• Data Loss

Coverage is often bundled in a stand-alone policy or provided in modules by endorsement.

Page 5

Cyber Insurance

Third Party Coverages include (but are not limited to):

• Security Breach Liability

• Privacy Liability

• Online Media or Website Publishing Liability

• Intellectual Property Coverage for patents, trademarks and copyright information

Note: There are many variations of coverage in the market and not all are the same!

Extended coverage is most often purchased by LARGE national/international accounts.

Page 6

PART II

Why Do Small to Midsized Businesses Need Cyber Insurance?

Page 7

Why Do SMBs Need Cyber Insurance?

Every business is now dependent on technology and the Internet.

This dependency creates business risk not covered in standard E&O or Property/Casualty policies.

1. Collecting Personally Identifiable Information (PII)

PII collection, client records and credit/debit card processing make up a significant portion of the overall risk profile. Businesses gather and transmit PII of clients, employees, vendors and others.

PII is the currency of the 21st century. It has value to criminals who sell it or use it to commit identity theft. Just as a business wouldn’t leave cash sitting around, PII has to be safeguarded.

2. Using the Internet

Cyber criminals want to steal data or damage IT systems. They often plant harmful software on a computer and hope it is accidentally transmitted to others, e.g. ransomware, worms, viruses, Trojans, botnets and other malware.

Page 8

Why Do SMBs Need Cyber Insurance?

State breach notice laws establish a framework for protecting PII and reporting security breaches to the public.

Some businesses collect clients’ sensitive medical information and are therefore subject to HIPAA. See the summary of regulations at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

Notification of individuals who are victims of a security breach is expensive and disruptive to operations.

The average cost is between $50 and $214 for each affected person.

These costs include legal costs, notification costs to victims, investigative expenses to determine the loss, and credit monitoring for managing identity theft risk.

Third-party liability risk from hackers, viruses, Trojans and other malware is on the rise.

Identity theft is the fastest growing crime in America.

Page 9

Privacy and Breach Notification Laws

• 47 States in the U.S. have enacted laws that require a business suffering a security breach to notify victims so they can take action to protect themselves from Identity Theft.

The laws can vary greatly in their definitions of Personally Identifiable Information (PII) and notification requirements.

– Some have “Safe Harbors” for encryption such as “NOTICE is required for breach of unencrypted data, but not required for encrypted data”

– Some states include DNA and biometric data in their definition of Personal Information

– Some states only require notification of electronic data (not paper-based breaches)

Page 10

Ohio Privacy Laws for Businesses

Ohio has 4 Privacy & Security Breach Notification Statutes:

ORC § 1347.12 Agency disclosure of security breach of computerized personal information data

ORC § 1349.19 Private disclosure of security breach of computerized personal information data

ORC § 1349.191 Investigation of noncompliance with disclosure laws

ORC § 1349.192 Civil action by attorney general for violation of disclosure laws

Page 11

Primary Statute: ORC § 1347.12

Information covered:

Personal information of Ohio residents.

Important definitions:

• “Security Breach” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information and that causes, or is reasonably believed to have caused or will cause, a material risk of identity theft or other fraud to a person or property of a resident of Ohio.

• “Encryption” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

• “Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.
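The statute's “Redacted” definition is mechanical enough to check in code. The following Python, added here as an illustration (it is not code from the presentation or from the statute), masks all but the last four digits of the enumerated identifier types and flags fields that still expose more; the field names and sample values are constructed for the example.

```python
"""Redaction helper modelled on the "Redacted" definition in ORC § 1347.12.

Added illustration, not code from the presentation or the statute: the
statute only defines the term. Field names and sample records are
constructed for this example.
"""
import re
from typing import Dict, List

# Field names are an assumption for the example; the statute enumerates
# these identifier types but prescribes no record schema.
REDACTABLE_FIELDS = {
    "ssn", "drivers_license", "state_id", "account_number", "card_number",
}

_DIGIT = re.compile(r"\d")


def redact_identifier(value: str, keep: int = 4) -> str:
    """Mask every digit except the last `keep` (four, per the statute).

    Separators such as dashes and spaces are left in place so the redacted
    value keeps the original layout, which helps humans recognise the field
    while exposing no more than the permitted trailing digits.
    """
    digits_total = len(_DIGIT.findall(value))
    to_mask = max(digits_total - keep, 0)
    out = []
    masked = 0
    for ch in value:
        if ch.isdigit() and masked < to_mask:
            out.append("X")
            masked += 1
        else:
            out.append(ch)
    return "".join(out)


def is_redacted(value: str, keep: int = 4) -> bool:
    """True when no more than `keep` digits remain accessible.

    This is the statute's count-based test; it does not check that the
    surviving digits are the trailing ones, so apply it to values produced
    by redact_identifier() or an equivalent last-four policy.
    """
    return len(_DIGIT.findall(value)) <= keep


def redact_record(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a record with every redactable identifier masked.

    Other fields (name, address) are untouched: the redaction definition
    applies only to the enumerated number types.
    """
    return {
        k: redact_identifier(v) if k in REDACTABLE_FIELDS else v
        for k, v in record.items()
    }


def unredacted_fields(record: Dict[str, str]) -> List[str]:
    """List the redactable fields that still expose more than four digits.

    A lost file containing any such field falls outside the redaction
    safe harbor, so these are the fields to fix before data is stored or
    shared.
    """
    return sorted(
        k for k, v in record.items()
        if k in REDACTABLE_FIELDS and not is_redacted(v)
    )


if __name__ == "__main__":
    # Constructed sample record; the values are not real identifiers.
    sample = {
        "name": "Pat Example",
        "ssn": "123-45-6789",
        "card_number": "4111 1111 1111 1111",
        "account_number": "0042",
    }
    print(unredacted_fields(sample))                 # ['card_number', 'ssn']
    print(redact_record(sample)["ssn"])              # XXX-XX-6789
    print(unredacted_fields(redact_record(sample)))  # []
```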

Ohio Privacy Laws for Businesses

Page 12

Ohio Privacy Laws for Businesses

Primary Statute: ORC § 1347.12

Subject to statute:

• Any person, legal entity or business entity that conducts business in the state and that owns or licenses computerized data that includes personal information.

Third party recipients:

• Any person that, on behalf of or at the direction of another person or governmental entity, is the custodian of or stores computerized data that includes personal information, must notify that other person or governmental entity of any security breach in an expeditious manner if the access and acquisition by the unauthorized person causes, or is reasonably believed will cause, a material risk of identity theft or other fraud to an Ohio resident.

Notification:

• Must be provided in the most expedient time possible, but no later than 45 days following the discovery of a breach.

• Substitute notice is available if costs exceed $250K, the affected class exceeds 500K, or the covered entity has insufficient contact information.

• Notification is required solely in the case of breaches likely to cause identity theft or fraud.

Page 13

Ohio Privacy Laws for Businesses

Primary Statute: ORC § 1347.12

Encryption Safe Harbor:

• The statute is not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted or redacted.

Other exemptions:

• A covered entity subject to HIPAA is deemed in compliance with the Ohio statute.

• A financial institution, trust company or credit union, or any affiliates thereof, subject to and in compliance with information security breach protocols imposed by a functional government regulatory agency, is deemed in compliance with the Ohio statute.

A determination of no likelihood of harm:

• Does not require notification to the Attorney General.

• A waiver of the statute is void and unenforceable.

Civil penalty:

• Up to $1,000 for each day of non-compliance with the statute, up to $5,000 per day after 60 days, and up to $10,000 per day after 90 days.

Page 14

How BIG is the Cyber Risk Exposure for Small to Mid-Sized businesses?

Cyber risk is BIG and growing every day!

So… compared to other exposures (E&O, EPLI, Property, GL, Auto, Crime, etc.), how big is it?

Page 15

Non-Professional Business Risk Profile 2016

[Pie chart comparing exposures (Property, GL, Auto, Cyber Risk, EPLI, Crime/Fidelity and Other) with segment labels of 28%, 22%, 18%, 15%, 8%, 6% and 3%; which percentage belongs to which exposure is not legible in the text version.]

Page 16

PART III

Personally Identifiable Information (PII)

Page 17

PII: The Currency of the Modern Economy

When a business loses PII in its care, custody and control, it loses customers.

But… how does PII get into a business and where is it stored?

Page 18

What is Personal Information?

Examples of Personal Information include:

• Person’s Name

• Date of Birth

• Home Address

• Phone Number(s)

• Facial Image

• Retinal Image

• DNA

• Personal Income

• Credit profile

• Email Address

• Internet Protocol (IP) Address

• Social Media Profile

• Social Security Number

• Driver’s License Number

• Passport Number

• State issued ID Card

• Credit or Debit Card Number

• Bank Account Number and Information

• Investment and Retirement Account information

• Insurance Policy Number and Information

• Medical Records

• Passwords

Page 19

Where and How does PII get into a business?

Where does a business get PII?

• customers

• employees

• credit card companies

• financial institutions – banks

• credit bureaus

• government – regulators

• subcontractors – vendors

• other businesses

How does a business get PII?

• in person

• website

• phone

• email, snail mail, courier documents

Page 20

Where is PII Stored?

Digitally:

• business network computers/laptops

• employee’s home computer

• disks/tapes

• databases

• flash drives

• cell/smart phones/tablets

• printers

• copy machines

On paper: files at the office, branch office or employee’s home

Also held by: subcontractors/vendors, suppliers, customers

Page 21

PART IV

Examples of the types of Cyber losses a Small Business can suffer

Page 22

Loss Scenarios

An employee checks their personal email and unwittingly downloads malware onto the company network.

A company laptop containing PII is stolen from an employee’s car.

Customers’ credit card, bank or health information is stolen by a hacker from the business IT system, and the PII was not encrypted.

Ransomware infects the business IT system, freezing computers, and the criminal seeks to extort funds to release the system.

Paper records containing PII are not shredded before disposal and are retrieved by criminals (dumpster diving).

An employee researching online lands on a website that downloads a worm, turning the computer into a spamming machine.

The company donates a printer or copier to a church without wiping data from its internal hard drive.

A retired or fired ex-employee signs into their company account and steals PII or installs malware, creating havoc.

Page 23

Scary Stuff

If a business unlawfully releases 100 personal records, the average amount the business would have to pay to notify the individuals would be over Five Thousand Dollars.

If a business unlawfully released 1,000 personal records, the average amount to notify the individuals would be over Fifty Thousand Dollars. A modest-sized breach can result in a huge legal liability that could potentially bankrupt a small business.

Buying insurance coverage for “Breach Notification Expenses” is a good way to protect a business from having to pay these types of unwanted expenses.

Page 24

Scary Stuff (Cont.)

If an individual who has been notified actually suffers a monetary loss (e.g. a criminal takes out a mortgage in his/her name), or, more importantly, if medical information collected by the business gets into the wrong hands…

Or, if a virus, botnet, Trojan, worm, etc. is transmitted from a business computer system to someone else’s computer system and, as a result, that person or business suffers a monetary loss…

The business can get: Sued

Buying liability insurance coverage for lawsuits, whether they have merit or not, is the easiest and most efficient way to arrange for stand-by legal help and other assistance, and to help pay for damages inflicted on others.

Page 25

First Party coverage for Breach Notification expenses is not sufficient…

Businesses need 3rd Party Liability

Why?

Breach notice laws establish notification requirements and “Standards of Care” on which a lawsuit can be based.

Most states and Departments of Insurance have developed websites and other promotional material to provide businesses and policyholders with advice on how to protect PII, thereby creating additional “Standards of Care.”

Plaintiff attorneys are actively seeking to expand the legal definition of “loss” to make it easier to bring lawsuits; cyber is seen as the next big profit center.

No business wants to be sued without stand-by professional help. The most efficient way to arrange for stand-by help is to buy liability insurance.

Policyholders expect protection from lawsuits. Agents not offering liability coverage are at a competitive disadvantage and may have to explain why 3rd party liability was not offered to the insured.

Page 26

Small Businesses are now Targets

Hackers and criminals are now targeting small to mid-sized businesses, as these are often the least secure from attack; as a result, lawsuits are on the rise.

“Criminals (are) changing tactics from attacking really large targets to attacking a lot of really small targets where the amount of card numbers or PII records compromised is measured in thousands instead of millions.” (Verizon Data Breach Investigations Report, April 2011; still valid and growing in 2016!)

Page 27

Loss Examples

Totally Promotional, OH, 8/24/2015 | Electronic Breach | Unknown # of Records | Criminal Hacker
Totally Promotional notified an undisclosed number of customers that attackers forced their way into its systems and gained access to some customer payment card data and other information.
http://www.scmagazine.com/totally-promotional-attack-compromises-payment-cards-other-data/article/434514

Community Mercy Health Partners, OH, 12/11/201 | Paper Breach | Unknown # of Records | Dumpster Diving
A man discovered dumpsters containing patient medical records and other paperwork and folders.
http://www.healthcareinfosecurity.com/paper-records-disposal-still-messy-problem-a-8744?rf=2015-12-14-eh&mkt_tok

EnvisionRx, OH, 10/23/2015 | Paper-based Breach | 540 Records | Software Error
An error occurred when exporting data from a PDF file for a prescription mailing, resulting in 540 patients (out of a mailing of 11,000 letters) being sent data relating to other patients. PHI data was exposed.
http://www.hipaajournal.com/another-hipaa-breach-courtesy-of-a-printing-error-8205/

Tremco, OH, 7/29/2015 | Electronic Breach | Unknown # of Records | Employee Error
An HR employee left his company-issued laptop computer in the pocket of an airplane seat.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Tremco%20SBN%20to%20Consumer.pdf

When a business is subject to a privacy breach notification event, it is publicly “named & shamed”.

Page 28

Loss Examples

Abercrombie & Fitch, OH, 4/15/2015 | Electronic Breach | Unknown # of Records | Software Misconfiguration
Abercrombie learned that some of its employees' accounts on a self-help human resource portal were accessed by another individual using the employees' usernames and passwords.
http://doj.nh.gov/consumer/security-breaches/documents/abercrombie-fitch-20150415.pdf

Sweaty Bands, OH, 4/10/2015 | Electronic Breach | Unknown # of Records | Software Compromise
A criminal gained access to the servers hosting our website's payment processing software and installed malicious code on our systems that accessed customers' personal information.
http://www.ago.vermont.gov/assets/files/Consumer/Sweaty%20Bands%20SBN%20to%20Consumer.pdf

Endocrinology Associates, Inc., OH, 8/14/2015 | Paper Breach | 1,400 records | Burglary
The provider, while renovating its location, stored patient charts in a rented POD on-site which was broken into. While an inventory search proved that no patient information was missing, the provider explained that it “cannot confirm with certainty” that no charts were compromised.
http://healthitsecurity.com/news/possible-health-data-breaches-for-ohio-wash.-providers

Akorn Inc, OH, 6/4/2015 | Electronic Breach | 50,000 records | Criminal Hacker
Four company e-mail accounts were compromised over several weekends, though the cause of the breach has not been determined.
http://www.hipaajournal.com/akorn-database-for-highest-bidder-hacker-holds-pharma-data-auction-7088/

When a business is subject to a privacy breach notification event, it is publicly “named & shamed”.

Page 29

Loss Examples

Uncle Maddio's Pizza Joint, GA, 12/22/2015 | Electronic Breach | 972 records | Criminal Hacker
972 former and current employees had their name, address, phone number and Social Security number stolen in plain text from a database.
http://www.databreaches.net/database-leak-exposes-uncle-maddios-employees-and-customers-info/

Oiselle.com, OR, 11/24/2015 | Electronic Breach | Unknown # of Records | Criminal Hacker
Oiselle.com was the target of criminal hacking. Information stolen includes: name, email and billing address, credit card number, expiration month and year, and 3-digit security code.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Oiselle%20Running%20SBN%20to%20Consumers.pdf

Casey's General Stores, IA, 10/28/2015 | Electronic Breach | Unknown # of Records | Criminal Data Theft
Found “credit card skimming devices” on the fuel pumps at seven of its stores.
http://kwqc.com/2015/10/28/tips-to-keep-your-identity-safe-after-security-breach-at-davenport-caseys-general-store/

Office of Peggy E. Olson, CPA, MT, 10/9/2015 | Electronic Breach | Unknown # of Records | Malware
A virus infected my computer and an unauthorized individual may have gained access to my computer for a limited period of time, less than one hour.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Peggy%20Olson%20SBN.pdf

When a business is subject to a privacy breach notification event, it is publicly “named & shamed”.

Page 30

Loss Examples

Village Pizza & Pub, IL, 9/1/2015 | Electronic | Unknown # of Records | Criminal Hacker
Point-of-sale payment card processing system compromised.
http://www.databreaches.net/il-village-pizza-pub-notifies-customers-of-data-security-breach-at-transformpos/

Vision Nissan, NY, 7/24/2015 | Paper | Unknown # of Records | Dumpster Diving
The documentation had been placed in the dumpster, not shredded, after the mobile car dealership from Vision had done business in Norwich.
http://www.wbng.com/news/video/Personal-documents-found-in-Norwich-dumpster-318491251.html

Rite Aid Corporation, PA, 6/3/2015 | Paper | 2,345 records stolen | Physical Theft
Looted prescription drug information was stolen during the April riots.
http://www.baltimoresun.com/news/maryland/baltimore-riots/bs-md-rite-aid-statement-20150603-story.html

Shell Vacations Club-West, FL, 1/6/2015 | Paper | Unknown # of Records | Physical Theft
PII was taken as a result of a break-in at a California office.
https://oag.ca.gov/system/files/SVC_West_NONMA%20US%20CONSUMER%20LTR_SAMPLE_031715_0.pdf?

AAAA TV, CO, 2/24/2015 | Paper | Unknown # of Records | Dumpster Diving
An investigative reporter received a tip that the owner of a store was throwing away customers’ personal information in a dumpster behind the store.
http://www.databreaches.net/watch-dumpster-confrontation-fox31-investigator-finds-customers-personal-info/

Gallagher Pool Wealth Mgt, OH, 4/24/2015 | Electronic Breach | Unknown # of Records | Employee Error
A security vulnerability made the contents of a network drive accessible from the Internet.
http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-253570.pdf

When a business is subject to a privacy breach notification event, it is publicly “named & shamed”.

Page 31

PART V

How does a Small Business protect itself from Cyber Crime?

Learn how to Protect PII!

Page 32

Top Precautions for Protecting PII

1. Train employees. Criminals are experts in exploiting people who do not know how to adequately protect PII.

2. Have a plan to secure PII: adopt and implement a Written Information Security Plan (WISP). A WISP outlines the security controls and business practices for handling PII.

3. Encrypt the corporate network and any mobile devices so that PII is accessible only to the authorized user.

4. Store paper records in a locked file cabinet or room; back up electronic data and store backups both on-site and off-site.

5. Maintain firewalls on any computer device connected to the internet.

6. Use anti-virus software and update it no less than every 30 days.

7. Use strong passwords.

8. DON’T click on links or open attachments in suspicious emails! If you know the sender but think the email looks strange, call the sender to verify it is genuine.

9. Dispose of unnecessary or outdated paper and electronic PII. Erase data from printers, cell phones, copiers and computers. Shred paper documents.

Page 33

PART VI

Homeowners & Farmowners Cyber Risk

Page 34

Homeowners & Farmowners have Cyber Risk Too!

Identity Theft is the fastest growing crime in America

Individuals are prime targets for Identity Thieves

Homeowners can get sued for:

o Transmitting a computer virus to a third party

o Losing personal information in their care, custody and control

37 states REQUIRE by LAW that homeowners notify individuals whose Personally Identifiable Information (PII), held under the homeowner’s care, custody or control, is lost or stolen.

Page 35

Homeowners & Farmowners have Cyber Risk Too!

Most homeowners have Internet access:

o with multiple devices connected to the internet

o internet access tends to be “always on”

Home electronic devices increasingly have internet connectivity.

Most IoT devices have security vulnerabilities, making them targets.

Homeowners are frequently victimized by malware or ransomware:

o Hackers can gain access to a homeowner’s computer network and data.

o Hackers target children, who often don’t take precautions.

o The majority of homeowners lack privacy and security awareness.

Page 36

90% of the Farmowners & Homeowners market provides only Identity Theft Remediation coverage (IDTR)

• IDTR is NOT insurance; it is a service contract dressed up to look like insurance.

• IDTR is insufficient coverage in a growing market for 3rd party cyber liability.

• IDTR service providers regularly charge fees for information that is widely available for free.

• Low policyholder activations yield low customer satisfaction and high “per user” costs.

• Internet usage creates significant exposure to loss and requires genuine insurance coverage solutions; policyholders assume IDTR includes liability coverage.

• Insurers bear the credit risk of service providers that are thinly capitalized.

Page 37

Why Insurers should offer HO & FO 1st & 3rd party Cyber coverage…

(1) Become a Market Leader – Policyholders expect their insurer to be proactive in extending protection to help them manage their risk!

(2) Update your General Liability forms – steer unintended cyber risk exposure to specific Cyber Insurance policy language.

(3) Enhance Your Brand - gift cyber coverage and aggressively advertise that you look after your policyholders by responding to their new exposures.

(4) Liability Coverage – Cyber Insurance is an inexpensive way to provide standby legal help to policyholders to defend them from the clutches of plaintiff lawyers; IDTR is not enough!

(5) Blend Coverage Grants with Services to assist policyholders in need of help (example: Ransomware Call Center Support)

Page 38

Appendix

More information on how to protect a Small Business from Cyber Crime!

Page 39

Every Business has liability in handling “Personal Information”

Businesses should be aware that:

• Losing “personal information” can lead to identity theft.

• Identity theft can be a serious problem and should not be underestimated.

• Complacency and ignorance are NOT excuses to avoid harm or liability.

Insurance does not excuse complacent behavior.

Management needs to train against people thinking that “they don’t need to worry about identity theft because they have insurance for that”.

Most cyber policies have conditions precedent requiring policyholders to take reasonable security precautions to protect personal information.

Failing to do so can void the coverage!

Most internet users do NOT implement good practices and often engage in risky internet behavior. Training and education can help manage the risk.

Page 40

Guidance for a business to Protect Personal Information

• Know who has Access to Personal Information. Restrict access to sensitive PII such as Social Security numbers, credit card numbers and financial information to the people whose jobs require it.

• Implement a Written Information Security Plan (WISP). A WISP is a program that documents the security controls and business practices for handling PII and is designed to:

1. ensure the security and confidentiality of personal information;
2. protect against any anticipated threats or hazards to the security or integrity of such information; and
3. protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

• Conduct background checks on employees who have access to PII.

Many acts of identity theft originate inside the company. From corporate accounting to courier delivery personnel, anyone who handles personal information should be screened for a criminal background and should sign a commitment to uphold the company's confidentiality standards and security protocol.

40


Guidance for a business to Protect Personal Information

• Train Employees. Company-wide privacy risk and awareness training benefits the whole company. Criminals are experts at exploiting people who do not take precautions when using the company computer system.

• Keep Training Employees. Regular training updates are important for company-wide awareness: they let employees know what the latest threats are and include guidance on ways to protect the company from them.

• Institute Good Business Practices Corporate wide. Develop a Security Plan that identifies good business practices to protect PII, including a plan for managing a crisis event so you know how to respond, and a plan for protecting company information when employees leave (for example, promptly revoking their access and recovering company devices and data).

41


Guidance for a business to Protect Personal Information

• Discover where your Company holds PII.

Conduct an audit of your computers, printers, scanners, copiers, wireless devices and any other electronic devices that can store personal or sensitive information to determine whether PII is stored unnecessarily or in an unintended place. If so, delete it or move it to a secure location.

• Have a plan to secure Personal Information.

• Store paper-based PII in a locked store room or file cabinet.
• Install security for the building premises such as camera systems and card-key access.
• Limit access to PII to only those personnel who are required to use it.
• Require employees to log off computers and lock up files.
• Track shipments and deliveries with outside contractors.

• Encrypt Electronic Data at Rest.

It is best to adopt a company-wide policy of using encryption on the computers, tablets, smart phones and other devices that employees use for business. Some states require the use of encryption, and others provide "safe harbor" protection to businesses that use it (typically, lost or stolen data that was encrypted does not trigger breach-notification duties). Keep in mind that device encryption protects data on a device that is lost or stolen while powered off or locked; it does not protect data from malware or from a user who is already logged in, so it complements rather than replaces the access controls above.

42
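The "discover where your company holds PII" audit above can be started with a scan of file shares and workstations for values that look like Social Security numbers or payment card numbers. The following is an added example in Python, not code from the presentation: it walks a directory tree, applies structural checks (the SSA never issues area 000, 666 or 900-999, group 00 or serial 0000; card numbers must pass the Luhn check digit) to cut down false positives, and reports only the last four digits so the report does not itself become a PII store. The directory names, file contents and size limit are constructed for the demonstration; binary formats such as Office documents and PDFs would need a text extractor in front of `scan_text`.

```python
"""PII discovery scan over a directory tree (added example, not from the slides).

Flags files that appear to contain US Social Security numbers or payment card
numbers. Sample files are constructed by build_sample_tree() and are not real data.
"""
import os
import re
import tempfile
from typing import Dict, List

# Candidate SSN: ddd-dd-dddd, hyphen or space separated.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
# Candidate card: 13-19 digits optionally grouped by spaces or hyphens. Loose on
# purpose (it also grabs a phone number next to a zip code); Luhn filters those.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MAX_BYTES = 5 * 1024 * 1024  # assumed limit; larger files belong to a dedicated DLP tool


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so the scan report is not itself a PII store."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[str]:
    """Return redacted PII-looking values found in a string."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append("SSN " + redact(m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append("CARD " + redact(digits))
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and map each relative file path to the redacted hits found in it."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as f:
                    raw = f.read()
            except OSError:
                continue  # unreadable: a real audit would record it, this demo skips it
            if b"\x00" in raw:
                continue  # binary content (Office, PDF, images) needs a text extractor first
            hits = scan_text(raw.decode("utf-8", errors="replace"))
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree() -> str:
    """Create a throwaway directory of constructed sample files (not real data)."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    samples = {
        "hr/onboarding.txt": "Employee: Jane Doe\nSSN: 123-45-6789\nStart date 2016-06-09\n",
        "finance/refunds.csv": "customer,card,amount\nacme,4111 1111 1111 1111,19.99\n",
        "marketing/plan.txt": "Launch Q3 2016. Call 555-123-4567 for details.\n",
        "test/fixtures.txt": "Placeholder SSN 987-65-4321 and card 4111 1111 1111 1112 are invalid.\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    with open(os.path.join(root, "scan.bin"), "wb") as f:
        f.write(b"\x00\x01binary blob")
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(path, ", ".join(hits))
```

Run against a real share, the output is a list of file paths plus masked values, which is what the audit needs to decide whether each file should be deleted or moved to the secured location; the scanner never copies the matched values anywhere in clear.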


Guidance for a business to Protect Personal Information

• Dispose of unnecessary or outdated Personal Information.

This includes both paper and electronic document formats.

• Paper-based Personal Information:

• Shred it. Place shredders near copiers for easy access.
• Heavy-duty cross-cut shredders are best.
• Incinerating paper-based documents destroys PII.

• Electronic-based Personal Information:

• Delete data from computer devices.

• Degauss magnetic media (with an electromagnet), or run a "wiping" utility that overwrites the data, to remove hard-to-find files that might otherwise be recoverable. Note that degaussing does nothing to solid-state drives (SSDs) and overwriting may not reach every copy of the data on an SSD, so for SSDs use the drive's built-in secure-erase function or physically destroy the drive.

• Physically destroy hard drives before disposing of or recycling equipment (recycled computer devices are a frequent cause of PII loss).

• Leased equipment such as printers, copiers, scanners, faxes and phones often contains vast amounts of personal information. Ensure your leasing company's policy protects you by contracting for the erasure of all forms of PII before the equipment is returned.

43
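The "wiping utility" step above is, at file level, an overwrite-then-delete. The following is an added example in Python, not code from the presentation, showing the details that distinguish a real wipe from a plain delete: the file is opened without truncation so the same blocks are rewritten, each pass is forced through the OS cache with fsync, and the entry is renamed before unlinking so the telltale filename does not survive in the directory. The sample file contents and sizes are constructed for the demonstration. The caveat a practitioner must carry with it: on SSDs, on journaling or copy-on-write filesystems (NTFS, APFS, btrfs, ZFS), on snapshots and on cloud volumes, in-place overwrite does not guarantee that the old blocks are gone, which is why the slide's last bullets point to the drive's own secure-erase function or physical destruction for the disposal case.

```python
"""Overwrite-then-delete for a single file (added example, not from the slides).

Limits: on SSDs and copy-on-write or journaling filesystems the old blocks may
survive an in-place overwrite; use full-disk encryption with key destruction,
the drive's sanitize/secure-erase command, or physical destruction there.
"""
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # assumed write size per iteration


def wipe_file(path: str, random_passes: int = 2) -> int:
    """Overwrite path with random data random_passes times plus a final zero
    pass, then remove it. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # "r+b" keeps the existing allocation; truncating first would let the
    # filesystem release the old blocks before they have been overwritten.
    with open(path, "r+b") as f:
        for p in range(random_passes + 1):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(bytes(n) if p == random_passes else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # the pass must reach the device, not just the page cache
    # Rename before unlinking so the directory no longer carries a name such as
    # "customer_ssn_export.csv" after deletion.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size


def wipe_constructed_sample(copies: int = 2000) -> dict:
    """Create a constructed CSV of fake PII rows, wipe it, and report the result."""
    row = b"name,ssn\nJane Doe,123-45-6789\n"  # constructed, not real data (30 bytes)
    fd, path = tempfile.mkstemp(prefix="pii-", suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(row * copies)
    written = wipe_file(path)
    return {"bytes": written, "exists_after": os.path.exists(path)}


if __name__ == "__main__":
    print(wipe_constructed_sample())
```

On a machine whose disks are already encrypted, the cheaper and more reliable disposal path is to destroy the volume key (crypto-erase); the overwrite above is the fallback for unencrypted magnetic storage that is staying in service.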