Data Breaches & Cyber: Understanding the Risk
Alex Ricardo, CIPP/US, Beazley Breach Response
Beazley plc · 2019-06-14


Page 1

Data Breaches & Cyber: Understanding the Risk.

Alex Ricardo, CIPP/US, Beazley Breach Response

Page 2

Beazley plc

Disclaimer

This presentation and its content are not meant to be considered professional legal advice.

The presenter is not a licensed attorney, and all information obtained from this presentation should be considered for informational purposes only.

You should consult with licensed privacy counsel for any decisions surrounding your corporate privacy initiatives, incident response plan or data breach response methodology.

Page 3

Beazley plc, November 2017

A cyber breach isn’t always a disaster. Mishandling it is.

Page 4

Threat landscape

Page 5

Beazley – Breach statistics

The loss or disclosure of personal or sensitive data continues to be a huge concern and risk for companies.

“Let’s go to the tote board”

• 2009: Managing breach incidents since 2009
• 2014: Handled 750+ incidents
• 2015: Handled 1,200+ incidents
• 2016: Handled 1,900+ incidents
• 2017: Handled 2,600+ incidents
• 2018: Handled 3,300+ incidents
• 2019 Projection: 4,500+ incidents

As of 1/1/2019 – 11,000+ incidents

Page 6

Breach Incidents – It’s not all cyber-related

Approximately:

• Physical loss: 5% of breach incidents involve physical loss
• Accident or unintended disclosure: 20% of breach incidents result from broken business practices
• Company/3rd party: 30% of breach incidents are a result of a 3rd party

Source: Beazley – 2018 stats

Page 7

Where’s the Risk? – Unintended Disclosure

Paper / Physical Records

• Un-shredded documents
• Dumpster diving
• File cabinets – sold/donated
• Natural disasters
• X-ray images

Page 8

Where’s the Risk? – Unintended Disclosure

Electronic assets

• Computers
• Smart phones
• Backup tapes
• Hard drives
• Servers
• Copiers
• Fax machines
• Scanners
• Printers

Leasing Contracts – Review

Page 9

Where’s the Risk? – Business Email Compromise

– 24% of 2018 incidents (vs 13% of 2017); 811 incidents in 2018 (vs 348 in 2017)
– Financial Institutions, Healthcare, Education
– MM (59%) vs SME (41%)
– Examples:
  – “CFO” email
  – “HR – Payroll Form” email
  – CEO “W2 Request” email
  – Payroll Diversion emails

Page 10

Where’s the Risk? – Lost/Missing/Stolen Electronic Assets

• 6% of 2018 incidents
• #1 issue with regulators
• encrypt – Encrypt – ENCRYPT!
• Unencrypted portable media exclusions

Page 11

Where’s the Risk? – Mishaps due to Broken Business Practices – Unintended Disclosure

• 20% of 2018 incidents (source: Beazley statistics)
• Industry agnostic

Page 12

Where’s the Risk? – Rogue Employees

9% of 2018 incidents (source: Beazley statistics)

• Disgruntled
• Information Security / Information Technology
• Enticed
• Human Resources
• Call Centers
• Finance

Page 13

Most Recent Threats

Page 14

Ransomware

Page 15

Ransomware – Ransomware incidents

The cyber threat landscape is changing

• 2015-2016 – “Turning Point” in Ransomware
• 9% of 2018 incidents – 298 in 2018
• Healthcare, Financial Services, Professional Services
• SME vs MM – 72% vs 28%

Source: Beazley – 2018 statistics

Page 16

Ransomware – “To ‘B’reach Or Not To ‘B’reach”

• Most are not breaches
• Forensics is necessary
• Industry mandate may apply (e.g. Covered Entities under HIPAA)
• Retain under counsel
• Need for regulatory inquiries in the future

Page 17

Ransomware – Ransom Amounts

• $100s / $1,000s / $10,000s
• Beazley highest paid ransom – nearly 7 figures
• Outliers are becoming more common and actors more bold
• Actors make up in volume
• FBI estimated that in 2017, $1B was paid in ransomware demands

Page 18

Ransomware – Who Are These Actors?

• No More ‘Dark Hoodies’
• Professional Business Model
• “Best Customer Service”
• Bitcoin Wallet ID
• “Double Dippers”
• “Honor Amongst Thieves”
• Known Terrorist Organizations

Page 19

Ransomware – Why Would You Pay?

• “You Are Not the US Government”
• Technical challenges at data restoration
  • Bad segmentation
  • Corrupt restored data
  • Improper backup intervals for data purpose

Page 20

Ransomware – Who Do Actors Target?

• All industries targeted
• LinkedIn is their friend

Page 21

CryptoJacking

Page 22

CryptoJacking

The cyber threat landscape is changing

• Hacker does not seek PII/PHI but “CPU power”
• Hacks and hijacks IoT devices throughout an organization
  • PCs / Laptops
  • Servers
  • Security cameras
  • “Coffeemakers & refrigerators”
• Leverages the IoT devices’ CPU power to mine cryptocurrency, like Bitcoin

Page 23

MS Office 365

Page 24

MS Office 365 – Technical Issues Necessitating Data Discovery and Review

The cyber threat landscape is changing

• O365 default settings provide insufficient logging
• MS has disabled the “magic logs”
• Attackers syncing the inbox
• Programmatic searches do not work on unsearchable PDFs
• Large spreadsheets of data can require manual review

Page 25

MS Office 365 – Data Discovery and Review Costs are Costly

The cyber threat landscape is changing

Email Platform | No. of Inboxes | No. of Documents | Cost          | BBR Legal / Forensic Sublimit | No. of Notified Individuals
MS O365        | 70 inboxes     | 450,000          | $2,000,000.00 | $2,500,000.00                 | 83,000
MS O365        | 189 inboxes    | 1,750,000        | $1,850,000.00 | $1,000,000.00                 | 362,000
MS O365        | 120 inboxes    | 855,000          | $1,400,000.00 | $2,500,000.00                 | TBD
MS O365        | 24 inboxes     | 365,000          | $675,000.00   | $1,500,000.00                 | TBD

Page 26

MS Office 365 – Lessons Learned

The cyber threat landscape is changing

• Multi-Factor Authentication
• MS Logging Script and O365 Audit Logs turned ON
• Email Retention Settings
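As an added example (not part of the deck or of any Beazley tooling), the following Exchange Online PowerShell checks the "audit logs turned ON" lesson: that unified audit log ingestion and per-mailbox auditing are actually enabled, and how far back mailbox audit entries are kept. It assumes the ExchangeOnlineManagement module and an account holding an Exchange admin role; the 365-day retention target and the seven-day inbox-rule query are assumptions chosen for illustration.

```powershell
# Added example: verify Exchange Online auditing is on before an incident forces the question.
# Assumes the ExchangeOnlineManagement module; run as an Exchange administrator.
Connect-ExchangeOnline

# 1. Tenant-wide switch behind Search-UnifiedAuditLog. If this is off, there is
#    nothing to search later, regardless of per-mailbox settings.
$adminAudit = Get-AdminAuditLogConfig
if (-not $adminAudit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Organisation-level mailbox auditing switch (AuditDisabled = $true silences every mailbox).
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organisation level; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per-mailbox auditing and retention. AuditLogAgeLimit defaults to 90 days;
#    the 365-day target is an assumption for this example, not a figure from the deck.
$targetAge  = New-TimeSpan -Days 365
$mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$gaps = foreach ($m in $mailboxes) {
    # The remote session returns AuditLogAgeLimit as a deserialized value; parse its text form.
    $age = [TimeSpan]::Parse($m.AuditLogAgeLimit.ToString())
    if (-not $m.AuditEnabled -or $age -lt $targetAge) {
        [pscustomobject]@{
            Mailbox          = $m.UserPrincipalName
            AuditEnabled     = $m.AuditEnabled
            AuditLogAgeLimit = $age
        }
    }
}
$gaps | Format-Table -AutoSize

# Close the gaps found above.
foreach ($g in $gaps) {
    Set-Mailbox -Identity $g.Mailbox -AuditEnabled $true -AuditLogAgeLimit "365.00:00:00"
}

# 4. Confirm records are actually flowing: list inbox-rule changes from the last 7 days,
#    the kind of artefact an investigator needs in the BEC cases described earlier in the deck.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations New-InboxRule,Set-InboxRule -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it read-only first by commenting out the three Set-* calls; the Format-Table output alone tells you whether a future investigation would have logs to work with.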

Page 27

The Breach Response Methodology

Page 28

The Data Breach Response Methodology

(Figure: the four phases run along a scale from “Risk Can Still Be Managed” to “Cannot Un-Ring the Bell”)

Phase 1 – Discovery & Assessment
• Incident Discovery
• Trigger Incident Response Plan

Phase 2 – Investigation
• Forensics
• Conclusion & Results

Phase 3 – Response
• Privacy Counsel
• Crisis Management
• Communications & Services

Phase 4 – Claims Defense
• Class-Action Lawsuits
• Regulatory Investigations, Fines, Penalties
• Reputational Damage
• Business Income Loss

Page 29

Best Practices on Crafting a Data Breach Response Plan

Page 30

Objectives for a Data Breach Incident Response Plan

“Living Document”
– Routinely updated to keep current

Clear and easy to use in the midst of a crisis incident
– Succinct
– Organized by sections

Not a “phone book” but not a “leaflet”
– Background information on regulations and laws
– Detailed procedures and steps on incident management
– Contact details of the Incident Response Team

Document all discoveries for evidentiary needs

Page 31

Regulatory Satisfaction for a Data Breach Incident Response Plan

NCUA (12 CFR Part 748)
GLBA (Section 501(b))
PCI DSS (Section 12.9)
Red Flags Rule – FACT Act (Section .90(d)(1))
HIPAA Security Rule (Section 164.308)
ISO 17799/27002 (Section 6.3)
Certain State Information Security Laws
– MA 201 CMR 17

Page 32

The Anatomy of the Data Breach Incident Response Plan

Background

Incident Response Team

Incident Management
– Risk Transfer Requirements
– Threat Level Definitions
– Checklist #1: Incident Triaging
– Checklist #2: Breach Universe Definitions
– Checklist #3: Notification Procedures
– Mitigation/Remediation

Page 33

The Anatomy of the Data Breach Incident Response Plan

Background
– Purpose of the Plan
– High-Level Legal Landscape / History
– Internal Policies
– Versioning
– Custodian/Contact for revisions

Page 34

The Anatomy of the Data Breach Incident Response Plan

Incident Response Team
– Roles & Responsibilities
– Internal Members of the IRT
– External Members of the IRT
– Contact Information of Members of the IRT
– Define “Threat Levels” to members of the IRT

Page 35

The Anatomy of the Data Breach Incident Response Plan

Incident Management
– Risk Transfer Requirements
  – The IRT should be in sync with risk management and insurance requirements
– Threat Level Definitions
  – Establish threat levels for incidents
  – A breach of 1 individual is not like a breach of 1,000,000.
  – A breach of 12 individuals due to a fax error is not like a malware intrusion leaking 100,000 records of PHI.

Page 36

The 3 “Checklists”

Page 37

Checklist #1: Incident Triaging

– Threat level defined to trigger appropriate members of the IRT
– Does the insurance carrier need to be advised?
– Privacy counsel needed?
– Investigation needed?
  – Forensics
  – Traditional
  – Both
– Electronic data? Paper-based data? Both?
– Is a 3rd party involved? Or the cause?
– Law enforcement needed?
  – FBI? Secret Service? State/Local?
– Police report needed? (Theft involved?)
– PR/Crisis management needed? Media involved (yet)?

Page 38

Checklist #2: Breach Universe Definitions

– Size of affected population
– Types of data compromised
  – PII
  – PHI
  – Other
– Individuals
  – Name
  – DOB (or age, adult/minor status)
  – Deceased?
  – Foreign national?
  – Most recent mailing address
  – Localization of individual (preferred language)

Page 39

Checklist #3: Notification Procedures – part 1

– Define timing strategy of all communications
– Police report needed? (if theft involved)
– Affected individuals’ notification fulfillment needed?
  – Draft notification letters
    – Description of what happened
    – Description of data types involved
    – Steps to protect oneself
    – What the entity is doing to investigate and mitigate harm. Remedy? (credit monitoring)
    – Contact details for questions
    – Apology?
  – Obtain corporate logo and signature image
– Affected individuals’ call center needed?
  – Establish escalation contacts
  – Draft FAQs
  – Draft scripts

Page 40

Checklist #3: Notification Procedures – part 2

– Government Agencies / Attorneys General
  – Draft notification letters – Federal, State, Local (where applicable)
– Press Releases
  – Draft press releases and scripts for media
– Internal Communications
  – Draft internal memos
  – General workforce, management, Board of Directors
– Website
  – HITECH Substitute Notice (if applicable)
  – Public posting
  – Require separate phone # from notification #
– Assess need for localization (multiple languages)
– Accompanying remedy with notice
  – Credit monitoring / credit reports
  – Identity theft resolution
  – Credit-related fraud restoration
  – Healthcare record fraud restoration

Page 41

The Anatomy of the Data Breach Incident Response Plan

Mitigation and Remediation
– Recovery
  – Eradicate vulnerabilities
  – Reinstate repaired/hardened systems
– Review – Lessons Learned
  – Log/record the incident in an incident database for trending/historical analytics
  – Review with the incident response team
  – Review information security systems, policies and procedures, workflows
  – Review physical security systems, policies and procedures, workflows
  – Update training program accordingly
  – Update incident response plan

Page 42

Last Bit of Advice …

Page 43

Why we should be careful with the word “Breach”

Perception is Half the Regulatory Battle
– People use “breach” too frequently, and you don’t want your customers or regulators to think you are subject to numerous breaches
– “Breach” suggests something bad happened or is going to happen
– “Breach” has legal significance. Don’t prematurely call an “incident” or an “event” a “breach”

Best Practices
– Refrain from using “Breach” in anything memorialized
  – Emails, voicemails, text messages, written memos
– Train your incident response team not to use “Breach” within internal communications as they assess & investigate the “incident” or “event”

Page 44

“It’s bad enough a company may possibly face liability from the data breach itself. The last thing you want is to create further liability exposure from how you respond to the incident.

Making sure you are kept in the best defensible position possible during the course of your breach response methodology should be a priority.”

Alex Ricardo, CIPP/US, Breach Response Services
Beazley Group
Rockefeller Center, 1270 Avenue of the Americas, New York, NY 10020
t: +1 (917) 344 3311 · c: +1 (646) 934-4100 · e: [email protected]

For More Information: www.beazley.com

The descriptions contained in this broker communication are for preliminary informational purposes only. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd’s. Certain Lodestone services may not be available on an admitted basis at this time. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497).

Questions?