Financial Institutions – Cyber Risk

Managing Cyber Risks In An Interconnected World

State Compensation Insurance Fund
Audit Committee Meeting – February 19, 2014
Open Agenda Item 6 – Cyber Risk


AGENDA

● A NEW ENVIRONMENT

● CYBER RISKS IN NUMBERS

● IMPACT & CONSEQUENCES

● LOSS EXAMPLES BY COVERAGE TYPE

● QUESTIONS & ANSWERS


A NEW ENVIRONMENT


A NEW ENVIRONMENT: Privacy ~ A Heightened & Evolving Exposure

Laws & Regulations
• Regulatory changes with aggressive enforcement and penalties
• Failing to protect Personally Identifiable Information (e.g. employee, customer, vendor) or Personal Health Information or Corporate Confidential Information (e.g. customers, patients, members, employees) has material financial & regulatory consequences

Risk Exposure
• Frequency and severity of cyber breaches has not improved with increased security spending and regulation
• “Industrialization” of private or confidential data theft
• Financial impact of a privacy breach can exceed $100MM

Loss Trends
• Expenses & liabilities growing as underwriters are paying multi-million dollar losses
• Credit card issuers/banks are suing for cost to reissue cards
• Defrauded merchants are suing breached organizations

Cyber Insurance
• Cost of risk transfer has decreased as more & more companies buy Cyber Insurance but there have been some recent market changes with large losses in late 2013
• Insurer negotiated discounts on notification / credit monitoring services
• “Cyber” Insurance has broadened to address these risks


A NEW ENVIRONMENT: What’s New In Cyber World?!

New Culprits
• Loosely formed groups of people who are very good at hacking and work together to do so
– (e.g. Anonymous; Lulzsec)
• State actors (e.g. China; Iran)

New Information Targeted
• Corporate data and trade secrets
• Inside information
• Embarrassing information
• Corporate weaknesses

New Motives
• Political and ideological
• Personal
• War / terrorism
• Revenge
• “Hacktivism”


CYBER RISKS IN NUMBERS

WILLIS BREACH STATS 2013

Average records lost per breach:
• Over 383,000 in 2013 versus 83,870 in 2012

Total records breached:
• 822 million in 2013 versus 260 million in 2012

Other 2013 stats:
• Total breaches: over 2,100
• Breaches per day: nearly 6

8 of 15 largest breaches of all time occurred during 2013


VERIZON REPORT 2013


NUMBER OF BREACHES US

DataLossDB.org


CYBER RISKS IN NUMBERS: A Global Exposure

Source: 2012 Data Breach Investigations Report (Verizon)

Breaches by Industry Group


IMPACT & CONSEQUENCES


IMPACT & CONSEQUENCES: High Potential Cost of a Data Breach

• Costs to comply with notification to consumers / employees, credit monitoring costs, cost of restoring data / public relations
• Civil penalties and fines
• Class Action suits
• Legal costs:
– Civil, regulatory and possibly criminal defense
– Data Privacy counsel can cost over $700 per hour; major breach involves millions in legal costs
• Business Interruption Costs


LOSS EXAMPLES BY COVERAGE TYPE

LOSS EXAMPLES: Privacy Liability

Privacy Injury Liability
• Private lawsuits as a result of unauthorized disclosure or use of private information in violation of privacy laws, government regulations or institutional policies. This coverage includes online and offline information and the cause can be by third-party custodians of information, employee mistakes or unsanctioned willful actions.

Loss Example – 40 million credit card numbers were stolen from a large retailer; the resulting lawsuits from banks and customers exceeded $100 million.

Privacy Regulatory Proceedings and PCI Fines
• Covers defense of a proceeding or action brought by a privacy regulator and fines imposed where covered by law. Can include cover for PCI fines.

Loss Example – $2.25 million fine imposed on a drug store chain by the FTC and Department of Health and Human Services Settlement for the loss of millions of pharmacy records.


LOSS EXAMPLES: Network & Content Liability

Network Security Liability
• Covers claims arising from an inability to use or access your network, infection of others' networks, information damage to other networks, inability of others to rely upon the accuracy, validity or integrity of their information residing on your network.

Loss Example – Hackers obtained access to debit card account records and changed limit parameters resulting in fraud and a liability of $10 million.

Content Injury Liability
• Defamation, disparagement, copyright, trademark, publicity rights and content errors, etc. Covers computer readable content and can be expanded to all media. Can cover unauthorized expression and other exposures over social media sites by employees or others for whom a company might be responsible.


LOSS EXAMPLES: Public Relations & Response

Covers expenses incurred in responding to adverse publicity or media attention arising from a claim covered in the policy and other required response costs including:

• Privacy breach-related “Duty to Notify” costs
• Costs to procure credit monitoring services on behalf of customers
• Call center costs
• Legal costs from responding to a breach
• Response coaching costs
• Forensic costs
• IT security response costs


LOSS EXAMPLES: Network Damages

Network Loss or Damage
• Covers costs to recreate or restore network pre-loss conditions. Attacks covered include those instigated by employees.

Loss Example – A broker dealer spent more than $3.5 million to remove timed malicious code designed to bring down the network.

Business Interruption & Extra Expenses
• Covers lost online & offline income, as long as your income is network dependent and the loss is caused by security breach or errors plus expenses of avoiding such a loss.

Loss Example – Professional services firm was the victim of a hacker and lost all its work on an engineering project at a cost of $10 million.


LOSS EXAMPLES: Network Crime

Electronic Theft
• Covers theft via a network of money, securities, goods, services and intangible property (e.g., intellectual property).

Loss Example – Stolen credit card numbers are used to obtain goods through an online site, and bank procedures are not followed, preventing reimbursement from the acquiring bank.

Network Extortion
• Pays credible extortionist demands and response costs to demands for money against threats to release private information or bring down a network.

Loss Example – A large media company incurred significant costs responding to a hacker who showed he had access to the company’s networks and sought money from its celebrity CEO against a threat to bring the network down.


QUESTIONS & ANSWERS