Philadelphia, PA ~ April 11 & 12, 2007
2007 E&O Symposium
New Threats, New Liabilities: State of the Privacy Insurance Market, April 2007
Professional Liability Underwriting Society, 2007 E&O Symposium
Philadelphia, PA
Panel
Sandy Codding Managing Director, Marsh Inc.
Mark Greisiger President, NetDiligence
Brian Schaeffer, CISSP Senior VP, CIO, CTO, Liberty Bell Bank
Lori Bailey Asst. VP, National Union Insurance Co.
What Are the Risks?
Privacy, Computer and Network Security are not just Internet issues.
Any entity using the following is at risk:
1) a computer network; and/or
2) confidential information.
Traditional Approaches to Technology-Related Risk
• Corporations have viewed information security as a pure technology problem
  – Budget for services/products
  – Hire CISO, additional IT staff
  – Outsource critical network security components
• Confusing array of products and vendors
• Reactive—buy a solution in the wake of an event
• Has not been treated like other risk management issues
Who’s buying?
• Technology & Telecommunications
• Financial Institutions
• Health Insurers and HMOs
• Media & Communications
• Retailers
• Colleges & Universities
Why are they buying?
Contractual Requirements
Regulatory Concerns
Gaps in Traditional Coverage
Pre-Claim Expenses
Actual Claims and Losses
Why are they buying now?
Contractual Requirements
• Trading partners are adding new indemnification requirements to contracts specifying privacy and cyber
Regulatory Concerns
• New regulations impose prospective duties upon companies
Gaps in Traditional Coverage
• P&C policies are expressly excluding coverage for cyber & privacy perils
• No coverage for pre-claim expenses or regulatory defense
Risks no longer limited to Technology companies
• FI, Retail, et al. now find themselves squarely in the cross hairs of the regulators, organized crime and the plaintiffs’ bar
• Victims—individuals and corporations—no longer content to suffer in silence are looking to hold companies responsible for costs associated with breaches
Why aren’t they buying more?
Inconsistent Pricing/Underwriting
• Pricing varies widely from carrier to carrier for the same risk
• Terms often seem subject to the whims of the underwriter
Confusing & Restrictive Policy Language
• Multiple coverage grants or modules
• More exclusions than thought humanly possible
• Limitation to the single “computer attack” peril
Lack of Significant Limits for Various Industries/Coverages
• FI, Retail, Higher Ed, etc. are either preferred or restricted classes depending upon the carrier
• Lack of communal approach to excess layers
• De minimis sub-limits on Notification and Regulatory Defense
Lack of Claims Examples
• Remember EPLI?
Frontline Perspective
Cyber Risk & Loss Prevention
Mark Greisiger, NetDiligence
Customer Attitudes
[Word cloud of threats: virus damage, hackers, cyber extortion, Internet liability, human mistakes, Web vandals, denial of service, Web site disability access discrimination, computer/server malfunctions, rogue administrators, ASP service outage, malicious code transmission, intellectual property infringement, privacy breach, ISP outage, Unix & Windows O.S. flaws]
Risk Mgrs are gaining a better appreciation for the diverse threats that CAN impact their ecom operations, and bottom line
Driving Customer Attitudes
Risk Mgrs (D&Os) see their peers impacted weekly
Samples of security breaches within the retail industry
Jan 2007 – TJX: Disclosed that “unauthorized intruder” gained access to its systems in mid-December and may have made off with the card data of customers in the U.S., Canada and Puerto Rico, as well as the U.K. and Ireland.
Nov 2006 - Starbucks Corp. said it had lost track of four laptop computers, two of which had private information on about 60,000 current and former U.S. employees and fewer than 80 Canadian workers and contractors.
February 2006 – OfficeMax: The California retailer is at the heart of a major data-security breach affecting as many as 200,000 consumers, banking and law-enforcement sources confirmed. They also said investigators are exploring the possibility that the Russian mob or another Eastern European crime syndicate is responsible for accessing U.S. consumers' debit-card numbers and selling counterfeit cards on the black market worldwide.
April 2005 - Ralph Lauren: Polo Ralph Lauren Corp. blamed a software glitch for a security breach that prompted HSBC North America to notify 108,000 holders of its General Motors-branded MasterCard that their personal information may have been stolen.
April 2005 - DSW Shoe Warehouse: Retail Ventures Inc. this month reported that personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary was stolen. The information, involving 1.4 million credit cards used to make purchases mostly between November and February, included account numbers, names, and transaction amounts.
Network Threats
• Malicious: viruses/trojans, stealth hackers, extortionists, rogue inside or overseas contractors, disgruntled CIO, greedy fraudsters (phishing), belligerent ‘pranksters’
• Non-Malicious:
  1. Employee/partner mistakes (customer data leaks)
  2. Application glitches
• Business Trends: points of failure are now magnified/multiplied due to
  – trends of outsourcing computing needs (domestic and overseas)
  – massive dependencies and data-sharing between companies and their upstream and downstream vendors (ASPs, partners, ISPs)
Example - How Real Are The Threat Exposures?
• Denial of service attacks are more common & difficult to prevent
• Imagine a rogue army of 100,000 ‘bots (hijacked computers) working in unison to attack a company’s transactional website
• Large exposure for clients who require their transactional systems to be available always
• Can be tied to ‘cyber extortion’ – a demand to wire money to an attacker’s bank account or suffer a massive attack (outage)
• This trend will continue due to:
  – The simplicity of the attack
  – Massive growth in broadband connections which are unknowing ‘zombies’ used by bad guys
[Figure: Sample ISP log for a business under attack over a 3-week period]
Why The Problem?
The Internet’s open network
• Many companies have a transactional website
• Businesses collect and store customer private data
  – More data is often collected than needed
  – Data is often stored for too long
• Business servers (websites) are very porous and need constant care (hardening & patching)
• Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers
• Bad guys rely on the prevalence of human error:
  – Poor passwords
  – Unchanged default settings
  – Lack of a tested back-up process
  – No applied patches
  – No encryption in the database
A Note On PCI
• PCI: A security standard that includes requirements for critical protective measures:
  – security management
  – policies and procedures
  – network architecture
  – software design
• Goal: to help organizations proactively protect customer account data
• Developed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
PCI: Watch How & What You Store
• Customer NPI data should be encrypted in the database
• Do not store sensitive authentication data subsequent to authorization (not even if it’s encrypted):
  – Do not store the full contents of any track from the magnetic stripe (on the back of a card)
  – Do not store the card-validation code (3- or 4-digit value printed on the front or back of a payment card)
  – Do not store the PIN Verification Value (PVV)
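The storage rules above can be enforced in code at the point where an authorization result is handed to the database. The following is an added example, not part of the presentation or of any PCI publication: it drops the named sensitive authentication data fields, masks the card number, and scans free-text fields for magnetic-stripe track data (ISO/IEC 7813 layout) or raw card numbers that leaked in through a memo or log field. The field names (pan, cvv, track2, memo, …) and the sample record are constructed assumptions.

```python
import re

# Sensitive authentication data (SAD) named on the slide: never persisted
# after authorization, even encrypted. Field names are assumptions.
SAD_FIELDS = ("track1", "track2", "cvv", "pvv")

# ISO/IEC 7813 track 1 / track 2 layouts: catch stripe data that leaks into
# free-text fields (memos, logs) instead of arriving in a named field.
TRACK_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}[^?]*\?|;\d{12,19}=\d{4}[^?]*\?")
# 13-19 contiguous digits in free text: a possible raw card number (PAN).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def mask_pan(pan):
    """Keep only the first 6 and last 4 digits of a PAN in the clear."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record):
    """Return (safe_record, violations). safe_record carries no SAD and only a
    masked PAN; the storage layer is then expected to encrypt it (first bullet)."""
    safe, violations = {}, []
    for key, value in record.items():
        if key in SAD_FIELDS:
            violations.append(f"{key}: sensitive authentication data dropped")
            continue
        if key == "pan":
            safe[key] = mask_pan(value)
            continue
        if isinstance(value, str):
            if TRACK_RE.search(value):
                violations.append(f"{key}: track data found in free text")
                value = TRACK_RE.sub("[track data removed]", value)
            if PAN_RE.search(value):
                violations.append(f"{key}: possible unmasked PAN in free text")
                value = PAN_RE.sub(lambda m: mask_pan(m.group()), value)
        safe[key] = value
    return safe, violations


# Constructed sample authorization result, including data that must not be kept.
SAMPLE = {
    "pan": "4111111111111111",
    "expiry": "0912",
    "cvv": "123",
    "track2": ";4111111111111111=09121011234567890?",
    "amount": "19.99",
    "memo": "reswipe %B4111111111111111^DOE/JANE^09121011000000000?",
}
```

Running `prepare_for_storage(SAMPLE)` keeps only the masked PAN, expiry, amount and a redacted memo, and reports three violations, which is the audit trail a risk manager would want to see counted.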
Losses: Recent Real Life Breach Events
Recent loss events:
• Rogue CIO – BI Loss: A company that sold e-books online suffered a major 1st party loss of approx. $500k.
• Cyber Extortion – BI Loss & potential liability
• E-Bank System Exploited – Cash Stolen
• E-Checking System Breach – BI Loss & potential liability
• Industries most at risk? 24x7 models; client NPI is being collected, shared, processed, stored
• Lesson: cyber risk exposures can be managed and transferred (eliminate; mitigate, accept & cede). RM needs a seat at the table!
What Can Be Done?
• Increase awareness of risk
• Appreciate the many challenges to managing the risks
• Assess and test
• Back to basics: implement baseline safeguards and controls
• Vigilance: update and monitor your measures
Strategies For Risk Managers
Loss Prevention Approach
• Review Controls Surrounding People
  – Dedicated information security personnel
  – Background checks
  – Proper security budget
  – Vigilance about their jobs
• Review Controls Surrounding Processes
  – Enterprise ISO17799
  – PCI audit compliance ready (or near)
  – Policies enforced daily
  – Employee education/training
  – Change management processes
• Review Controls Surrounding Technology
  – Managed firewall with IDS/IPS
  – Hardened and patched servers
  – Strong passwords
  – Anti-virus software and transmission
  – Daily backup
Where To Begin?
• Start with a self-assessment: benchmark against known standards
• BCP (backup & hotsite)
Cyber Risk Insurability Assessment Process
What is it?
A ‘quiet audit’ process of a company’s Information Security; Business Continuity; and Privacy Practices.
What is the Purpose?
To Give the Risk Manager (and their Insurer) an Objective and Independent Opinion as to the Functional Risk Profile of an Insured
How is it Conducted?
Either “On-site” or “Remote” often at the request of an Underwriter
What is the End Result?
A summarized written report that explains the auditor’s understanding of the insured’s environment, with risk profile & mitigation suggestions.
Value of the Assessment Exercise for the RM
• Showcase Risk Mgmt Strengths
  – Reaffirm & document due care and a prudent information security program
  – Good faith effort towards compliance
  – Lessons learned from past loss/incidents
• Illuminate Red Flags (weak security controls to improve upon)
  – No firewall
  – Mis-configuration: key server in front of FW
  – No BCP/DR plan
  – No DR test (many)
  – No DB/storage encryption (most)
  – Opening in the corporate network perimeter (many)
  – Poor passwords
  – No dedicated security personnel/role
  – No background checks
New Threats, New Liabilities: State of the Privacy Insurance Market, April 2007
Bank Perspective
GLBA (Gramm-Leach-Bliley Act – Public Law 106-102)
Financial Services Modernization Act of 1999, Title V
• Disclosure of privacy policy in regards to the sharing of information with affiliates
• When and how often the customer is notified of the privacy policy
• The ability to “opt-out” of the sharing of non-public personal information with nonaffiliated third parties
• The protection of customer information: Confidentiality, Integrity and Availability
What does banking look like?
[Diagram: channels – Image Exchange Network, Web, ATMs, Branches, Merchant Capture, Real-Time, ACH – surrounding the Key Assets: Customer Data; Integrity and Availability of Transactions]
What are the threats?
[Diagram: the same channels – Image Exchange Network, Web, ATMs, Branches, Merchant Capture, Real-Time, ACH – with threats overlaid: Social Engineering, Fraudulent Transactions, Employee Mistakes, Phishing, Card Skimming, Image Modification, 419 Scams – against the Key Assets: Customer Data; Integrity and Availability of Transactions]
Threat Mitigation
• Outsource Vendor mgmt: what is a trusted vendor doing to protect your customers’ data and your banking systems (and the vendor’s vendor)?
• People: infosec staff vigilance; employee awareness & training
• Policies: security, privacy, BCP/DR
• Self-Testing (Scan), Monitoring (Logs) & Constant Updating (Patch)
• Two-factor Authentication
Threat Mitigation
Defense in Depth in practice
Key: Make yourself an unattractive target
New Threats, New Liabilities: The Carrier Perspective
Lori Bailey, Assistant Vice President
Professional Liability Division, AIG/National Union
State of the Marketplace
• Claim Activity
  – Regulatory Oversight
  – Heightened Notification Requirements
  – Aggressive Plaintiffs’ Bar
  – More Sophisticated Crime Network
  – Dishonest Insiders
  – Human Error
• Increased Cost of Compliance
Current Trends: Coverage
• Security/Privacy Liability
  – Rogue Employee Coverage
  – Coverage for Information Holders (Vicarious Liability)
  – Regulatory Claims Coverage
• Crisis Management Coverages
  – Notification Costs/Public Relations Expenses
  – Credit Monitoring Services
Current Trends: Client Profile
• Financial Institutions
• Healthcare Providers
• Colleges & Universities
• Retailers
• Payment Processors
• Professional Services Organizations
  – Accountants
  – Lawyers
  – Insurance Brokers / Companies
• Anyone handling confidential information (personal or corporate)
Current Trends: Litigation
• Class Action Claims
• Federal Oversight
  – State Attorney General
  – Federal Trade Commission
• International Exposures
  – Foreign Hackers
  – Outsourced Vendors
What’s Next?
• Aftermath of Significant Data Breaches
• Proposed Legislation
  – State
  – Federal
• New Technologies