GRC/Cyber Insurance
February 18, 2014 Start Time: 9 AM US Pacific,
Noon US Eastern, 5 pm London
Join the conversation: #ISSAWebConf
Generously sponsored by:
Welcome Conference Moderator
Allan Wall
ISSA Web Conference Committee, Session
Moderator
Agenda
Speakers:
• JD Sherry, Vice President, Technology and Solutions, Trend Micro, Inc.
• Michael Schmitt, Assistant Vice President, Lockton Companies
• Simon Milner, Partner, Financial Risks, JLTS
Open Panel with Audience Q&A
Closing Remarks
GRC/Cyber Insurance
JD Sherry VP, Technology & Solutions
Trend Micro, Inc.
@jdsherry
Offense Informs Defense: Stages of Attack
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. C&C
6. Lateral Movement
7. Exfiltration
8. Maintenance
Today’s Attacks: Social, Sophisticated, Stealthy!
[Diagram from the original slide: attackers versus employees/assets, showing the stages below]
• Gathers intelligence about the organization and individuals
• Targets individuals or public assets (employees/assets)
• Establishes link to Command & Control server
• Moves laterally across the network seeking valuable data
• Extracts data of interest – can go undetected for months! ($$$$)
Copyright 2014 Trend Micro Inc.
Custom Defense: Enable a Complete Lifecycle
[Diagram from the original slide: Threat Intelligence, Custom Sandboxes, Threat Services and Automated Security Updates feeding Network Admin / Security]
• Detect (Network-wide Detection): detect malware, communications and behavior invisible to standard defenses
• Analyze (Advanced Threat Analysis): analyze the risk and characteristics of the attack and attacker
• Adapt (Automated Security Updates): adapt security automatically (IP black lists, custom signatures…)
• Respond (Threat Intel): respond using the insight needed to respond to your specific attackers
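The detect / analyze / adapt loop on the slide can be illustrated with a small pipeline that runs two of the detections it names (a threat-intelligence match on a known command-and-control host, and the regular-interval "beaconing" behaviour that signature-based defenses miss) plus a simple outbound-volume check, tags each finding with the attack stage from the earlier slide, and emits the host blocklist that the "adapt automatically" step would push out. This is an added example written for this page, not Trend Micro's product code; the proxy log lines, the indicator feed and the thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (invented for this example, not real traffic).
# Format: ISO timestamp, client IP, destination host, bytes sent by the client.
SAMPLE_LOGS = """\
2014-02-18T09:00:00 10.0.0.12 intranet.example.com 2048
2014-02-18T09:00:10 10.0.0.12 metrics.example.net 512
2014-02-18T09:10:10 10.0.0.12 metrics.example.net 510
2014-02-18T09:20:10 10.0.0.12 metrics.example.net 515
2014-02-18T09:30:10 10.0.0.12 metrics.example.net 511
2014-02-18T09:31:00 10.0.0.12 storage.example.org 9000000
2014-02-18T09:41:00 10.0.0.12 bad-c2.invalid 300
2014-02-18T09:42:00 10.0.0.55 intranet.example.com 1024
2014-02-18T09:43:00 10.0.0.55 mail.example.com 4096
"""

# Constructed threat-intelligence feed: hosts already known as command-and-control.
KNOWN_C2_HOSTS = {"bad-c2.invalid"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_logs(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, sent = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "host": host, "bytes_out": int(sent)})
    return events


def detect(events, min_beacons=4, max_jitter_ratio=0.1, exfil_bytes=5_000_000):
    """Detect step: return findings, each tagged with the attack stage it indicates."""
    findings = []
    # 1. Threat intelligence: direct match against the known-C2 feed.
    for e in events:
        if e["host"] in KNOWN_C2_HOSTS:
            findings.append({"stage": "C&C", "reason": "known C2 host",
                             "client": e["client"], "host": e["host"]})
    # 2. Behaviour: near-constant intervals between connections to one host (beaconing).
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    for (client, host), times in by_pair.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # low coefficient of variation of the gaps = machine-regular check-ins
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter_ratio:
            findings.append({"stage": "C&C", "reason": "beaconing",
                             "client": client, "host": host})
    # 3. Volume: an outbound transfer far above normal for this log.
    for e in events:
        if e["bytes_out"] >= exfil_bytes:
            findings.append({"stage": "Exfiltration", "reason": "large outbound transfer",
                             "client": e["client"], "host": e["host"]})
    return findings


def analyze(findings):
    """Analyze step: which attack stages have been observed per internal client."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["client"]].add(f["stage"])
    return {client: sorted(s) for client, s in stages.items()}


def adapt(findings):
    """Adapt step: the host blocklist that would be pushed to gateways/proxies."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = detect(parse_logs(SAMPLE_LOGS))
    for f in found:
        print(f"{f['stage']:<13} {f['client']:<10} {f['host']:<22} {f['reason']}")
    print("stages per client:", analyze(found))
    print("blocklist update:", adapt(found))
```

The beaconing check deliberately ignores what the destination host looks like and keys only on timing, which is the kind of "behavior invisible to standard defenses" the slide refers to; in a real deployment the blocklist output would be reviewed against known-good hosts before being applied, since a legitimate telemetry agent also checks in on a fixed interval.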
Incident Response Fundamentals
• Create & empower an incident response team
• Who are your 24/7 “First Responders?”
• Develop vendor and law enforcement relationships
• Create & document a plan – preferably manage it via SaaS
• Create a notification “tree”
• Create communication templates & scripts
• Develop on-call resources & remedies
• Employee training
• Regulatory & legal review
• Ongoing review
• Purchase cyber/data breach insurance
www.DataPrivacyInsurance.com
Risk Management – Prior to Applying
• Conduct a Risk Assessment
• Identify the types of data your business collects
– Are you collecting sensitive data?
– Are you encrypting data at rest or in motion?
• Learn what types of threats your business may be vulnerable to and the risk levels of your data
• Take proactive steps to secure your data and manage and mitigate risks
www.DataPrivacyInsurance.com
Question and Answer
JD Sherry, VP, Technology & Solutions, Trend Micro, Inc. @jdsherry
Cyber Security/Cyber Liability/ Data Privacy: Insurance Option
Michael Schmitt, Assistant Vice President, Lockton Companies
Motivation to Buy: Notification Requirements
• State Notification Laws
– Notification Costs
– IT Forensics
– Legal Guidance (Breach Coach)
– Credit / ID Monitoring
• HIPAA Notification Requirement
Motivation to Buy: Legal Trends
• Claridge v. RockYou, Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011)
• Amnesty Int’l USA v. Clapper, 638 F.3d 118 (2d Cir. 2011)
• Harris v. comScore, Inc., No. 11-C-5807 (N.D. Ill. Apr. 2, 2013)
• Low v. LinkedIn Corp., No. 11-CV-01468-LHK, 2012 WL 2873847 (N.D. Cal. July 12, 2012)
• Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)
Motivation to Buy: Contractually Required
• CONTRACTUAL REQUIREMENTS
– Standard contract clause
– Limits
– Indemnification
– Length of Coverage
Coverage Features
• Definition of Privacy Injury
– Unauthorized Collection
– Violation of Own Privacy Policy
– Unfair Competition, Deceptive Trade, Consumer Fraud
• Contractual Coverage
• Vicarious Liability
• Regulatory Coverage
• Retroactive Date (first time buyers)
Developing Issues
• National Institute of Standards and Technology – Cybersecurity Framework
• SEC Guidance – Disclosure re: Cybersecurity Risks & Cyber Incidents
Question and Answer
Michael Schmitt
EVP Engineering
and Products ThreatTrack Security Inc
Cyber Risks, JLTS, 2014
Simon Milner, Partner, Financial Risks, JLTS
What coverage is available from Specialist Cyber Insurers?
• First Party
– Loss of Electronic Data & Software
– Resultant loss of business income
– Cyber Extortion
– Reputational Harm
– Brand Protection expenses
– Computer crime (including theft of intellectual property)
– Cyber terrorism
• Caused by:
– Virus, worms, logic bombs and Trojan Horses
– Unauthorised access to the computer system
– Unauthorised use when authorised access is permitted
– Seizure, destruction or damage to the computer system
– Denial of service attack
– Accidental damage
• Data entry or malfunction
• Ongoing maintenance
• Errors in software
• Theft of Intellectual Property
What coverage is available from Specialist Cyber Insurers?
• Third Party
– Professional Services (including miscellaneous services)
– Technology Professional services
– Multimedia Liability
– Security Liability
– Breach of Privacy including breach of privacy regulations
– Downstream virus
– Denial of access
• Causing:
– Unintentional breach of contract
– Defamation, product disparagement
– Libel and Slander
– Plagiarism
– Invasion of privacy
– Infringement of copyright and other Intellectual Property
• Caused by:
– Failure to prevent unauthorised access
– Failure to allow authorised access
– Negligence
– Failure to prevent physical theft of hardware
– Theft of data including employee or customer data
– Unintentional breach of contract
– Failure to prevent transmission of virus to a third party network
– Breach of privacy regulations
Privacy Risks?
• Notification expenses
• Credit file monitoring expenses
• Forensic costs
• Public Relations costs
• Call Centre costs
• Legal cost (to defend a claim brought by a third party)
• Privacy Regulatory Legal Defence
• Privacy Regulatory Fines and Penalties
Can traditional Insurance protect you?
• No! (except Professional Indemnity)
• Damage to data is not physical damage and therefore not covered by property insurance
• Commercial crime – money, property and securities
• General Liability / Public and Products – requires bodily injury or property damage (BI/PD)
• Professional Indemnity affords some cover
Who are the Lloyd’s insurers in London?
Ace
Aegis
ANV
Ascent
Aspen
Barbican
Beazley
Brit
Chubb
Clickforcover (coverholder)
Hiscox
Navigators (Millennium coverholder)
Novae
Principia (coverholder)
Who are the non-Lloyd’s insurers in London?
AIG
Allianz
C N A
Liberty
QBE
Swiss Re
XL
Zurich
Question and Answer
Simon Milner, Partner, Financial Risks, JLTS
Open Panel with Audience Q&A
• JD Sherry, Vice President, Technology and Solutions, Trend Micro, Inc.
• Michael Schmitt, Assistant Vice President, Lockton Companies
• Simon Milner, Partner, Financial Risks, JLTS
Closing Remarks
Online Meetings Made Easy
Thank you to Citrix for donating this Webcast service
Thank you to our Sponsor
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/1550218/ISSA-Web-Conference-GRC-Cyber-Insurance-February-18-2014