Philadelphia, PA ~ April 11 & 12, 2007

2007 E&O 2007 E&O SymposiumSymposium

New Threats, New LiabilitiesState of the Privacy Insurance Market April, 2007

Professional Liability Underwriting Society2007 E&O Symposium

Philadelphia, PA

New Threats, New LiabilitiesState of the Privacy Insurance Market April, 2007

Panel

Sandy Codding Managing Director, Marsh Inc.

Mark Greisiger President, NetDiligence

Brian Schaeffer, CISSP Senior VP, CIO, CTO, Liberty Bell Bank

Lori Bailey Asst. VP, National Union Insurance Co.

What Are the Risks?What Are the Risks?

Privacy, Computer and Network Security are not just Internet issues.

Any entity using the following is at risk:

1) a computer network; and/or

2) confidential information.

Traditional Approaches to Traditional Approaches to Technology-Related RiskTechnology-Related Risk

• Corporations have viewed information security as a pure technology problem Budget for services/products Hire CISO, additional IT staff Outsource critical network security components

• Confusing array of products and vendors• Reactive—buy a solution in the wake of an event• Has not been treated like other risk management

issues

Who’s buying?Who’s buying?

•Technology & Telecommunications

• Financial Institutions

• Health Insurers and HMO’s

• Media & Communications

• Retailers

• Colleges & Universities

Why are they buying?Why are they buying?

Contractual Requirements

Regulatory Concerns

Gaps in Traditional Coverage

Pre-Claim Expenses

Actual Claims and Losses

Why are they buying now?Why are they buying now?

Contractual Requirements

• Trading partners are adding new indemnification requirements to contracts specifying privacy and cyber

Regulatory Concerns

• New regulations impose prospective duties upon companies

Gaps in Traditional Coverage

• P&C policies are expressly excluding coverage for cyber & privacy perils• No coverage for pre-claim expenses or regulatory defense

Risks no longer limited to Technology companies

• FI, Retail, et al now finding themselves squarely in the cross hairs of the regulators, organized crime and plaintiffs’ bar

• Victims—individuals and corporations—no longer content to suffer in silence are looking to hold companies responsible for costs associated with breaches

Why aren’t they buying more?Why aren’t they buying more?

Inconsistent Pricing/Underwriting• Pricing varies widely from carrier to carrier for same risk• Terms often seem subject to the whims of the underwriter

Confusing & Restrictive policy language• Multiple coverage grants or modules• More exclusions than thought humanly possible• Limitation to the single “computer attack” peril

Lack of Significant limits for various industries/coverage• FI, Retail, Higher Ed etc are either preferred or restricted classes

depending upon the carrier• Lack of communal approach to excess layers• de minimus sub-limits on Notification and Regulatory Defense

Lack of claims examples• Remember EPLI?

Philadelphia, PA ~ April 11 & 12, 2007

2007 E&O 2007 E&O SymposiumSymposium

FrontlineFrontline PerspectivePerspective

Cyber Risk & Loss Cyber Risk & Loss PreventionPrevention

Mark GreisigerNetDiligence

Customer AttitudesCustomer Attitudes

virus damage hackerscyber

extortionInternet liability

human mistakes

Web vandalsdenial of service

Web site disability access discrimination

computer /server

malfunctions

rogue administrators

ASP service outage

malicious code transmission

Intellectual property

infringementprivacy breach ISP outage

Unix & Windows O.S. Flaws

Risk Mgrs gaining a better appreciation for the diverse threats that Risk Mgrs gaining a better appreciation for the diverse threats that CAN impact their ecom operations, and bottom lineCAN impact their ecom operations, and bottom line

Driving Customer Attitudes Driving Customer Attitudes

Risk Mgrs ( D&Os) see their peers impactedRisk Mgrs ( D&Os) see their peers impacted weeklyweekly

Samples of security breaches within the retail industry

Jan 2007 – TJX: Disclosed that “unauthorized intruder” gained access to its systems in mid-December and may have made off with the card data of customers in the U.S., Canada and Puerto Rico, as well as the U.K. and Ireland.

Nov 2006 - Starbucks Corp. said it had lost track of four laptop computers, two of which had private information on about 60,000 current and former U.S. employees and fewer than 80 Canadian workers and contractors.

February 2006 – OfficeMax: The California retailer at the heart of a major data-security breach affecting as many as 200,000 consumers, banking and law-enforcement sources confirmed. They also said investigators are exploring the possibility that the Russian mob or another Eastern European crime syndicate is responsible for accessing U.S. consumers' debit-card numbers and selling counterfeit cards on the black market worldwide.

April 2005 - Ralph Lauren: Polo Ralph Lauren Corp. blamed a software glitch for a security breach that prompted HSBC North America to notify 108,000 holders of its General Motors-branded MasterCard that their personal information may have been stolen.

April 2005 - DSW Shoe Warehouse: Retail Ventures Inc. this month reported that personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary was stolen. The information, involving 1.4 million credit cards used to make purchases mostly between November and February, included account numbers, names, and transaction amounts.

Network ThreatsNetwork Threats

• Malicious Viruses/trojans, stealth hackers, extortionist, rogue inside or

overseas contractor, disgruntled CIO, greedy fraudsters (phishing), belligerent ‘pranksters’

• Non-Malicious1. Employee/ Partner mistakes (customer data leaks)2. Application glitches

• Business Trends Points of failure are now magnified/multiplied due to trends of

outsourcing computing needs (domestic and overseas)

Massive dependencies and data-sharing between companies and their upstream and downstream vendors (ASPs, partners, ISPs)

Example - How Real Are The Example - How Real Are The Threat Exposures?Threat Exposures?

• Denial of service attacks are more common & difficult to prevent

• Imagine a rogue army of 100,000 ‘bots (hijacked computers) working in unison to attack a company’s transactional website

• Large exposure for clients who require their transactional systems to be available always

• Can be tied to ‘cyber extortion’ – a demand to wire money to an attacker’s bank account or suffer a massive attack (outage)

• This trend will continue due to: The simplicity of the attack Massive growth in broadband connections

which are unknowing ‘zombies’ used by bad guys

Sample ISP log for a biz under attack over a 3 week period

Why The Problem?Why The Problem?

The Internet’s open network• Many companies have a transactional website• Businesses collect and store customer private data

More data often collected than needed Data often Stored for too long

• Business servers (websites) are very porous and need constant care (hardening & patching)

• Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers

• Bad guys rely on the prevalence of human error Poor passwords Unchanged default settings Lack of tested back-up process No applied patches No encryption in database

A Note On PCIA Note On PCI

• PCI: A security standard that includes requirements for critical protective measures:

* security management * policies and procedures * network architecture * software design

• Goal: to helps organizations proactively protect customer account data

• Developed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

PCI: Watch PCI: Watch HowHow & & WhatWhat You You StoreStore

• Customer NPI Data should be encrypted in Database

• Do not store sensitive authentication data subsequent to authorization (not even if it’s encrypted) Do not store the full contents of any track from the

magnetic stripe (on the back of a card)

Do not store the card-validation code (3- or 4-digit value printed on the front or back of a payment card)

Do not store the PIN Verification Value (PVV)

Recent loss events:

Rogue CIO – BI Loss: A company that sold e-books online suffered are major 1st party loss, of approx $500k. Cyber Extortion – BI Loss & potential liability:E-Bank System Exploited – Cash Stolen E-Checking System Breach – BI Loss & potential liability

• Industries most at risk?24x7 modelsClient NPI is being collected, shared, processed, stored

• Lesson…cyber risk exposures can be managed and transferred (Eliminated; mitigate, accept & cede)…. RM needs a seat at the table!

Losses: Recent Real Life Breach Events

What Can Be Done?What Can Be Done?

• Increase awareness of risk• Appreciate the many challenges to manage the

risks• Assess and test• Back to basics: Implement baseline safeguards

and controls• Vigilance: Update and monitor your measures

Strategies For Risk ManagersStrategies For Risk Managers

Loss Prevention ApproachLoss Prevention Approach

• Review Controls Surrounding People Dedicated information security personnel Background checks Proper security budget Vigilance about their jobs

• Review Controls Surrounding Processes Enterprise ISO17799 PCI audit compliance ready (or near) Policies enforced daily Employee education/training Change management processes

• Review Controls Surrounding Technology Managed firewall with IDS/IPS Hardened and patched servers Strong passwords Anti-virus software and transmission Daily backup

Where To Begin?Where To Begin?

• Start with a self-assessment…benchmark against known standards

BCP (backup &hotsite)

CyberCyber Risk Insurability Assessment Risk Insurability Assessment ProcessProcess

What is it?

A ‘quiet audit’ process of a company’s Information Security; Business Continuity; and Privacy Practices.

What is the Purpose?

To Give the Risk Manager (and their Insurer) an Objective and Independent Opinion as to the Functional Risk Profile of an Insured

How is it Conducted?

Either “On-site” or “Remote” often at the request of an Underwriter

What is the End Result?

A Summarized Written Report That Explains the Auditors Understanding of the Insured’s Environment, With Risk Profile & Mitigation Suggestions.

Value of the Assessment Exercise Value of the Assessment Exercise for the RMfor the RM

• Showcase Risk Mgmt Strengths Reaffirm & document due care and a prudent information

security program Good faith effort towards compliance Lessons learned from past loss/ incidents

• Illuminate Red Flags (weak security controls to improve upon)

No firewall Mis-configuration: Key Server in-front of FW No BCP/DR Plan No DR Test (many) No DB/Storage Encryption (most) Opening in the Corp Network perimeter (many) Poor Passwords No Dedicated Security Personnel/ Role No background checks

New Threats, New Liabilities

State of the Privacy Insurance Market

April, 2007

Bank Perspective

GLBAGLBA(Gramm-Leach-Bliley Act – Public Law 106-102)(Gramm-Leach-Bliley Act – Public Law 106-102)

Financial Services Modernization Act of 1999Financial Services Modernization Act of 1999

• Disclosure of privacy policy in regards to the sharing of information with affiliates

• When and how often the customer is notified of the privacy policy

• The ability to “opt-out” of the sharing of non-public personal information with nonaffiliated third parties

• The protection of customer information; Confidentiality, Integrity and Availability

Title V

What does banking look What does banking look like?like?

Image Exchange Network

WEB

ATMs

Branches

Customer Data

Merchant Capture

Real-Time

Real-Time

ACH

Integrity and Availability of Transactions

Key Assets

What are the threats?What are the threats?

Image Exchange Network

WEB

ATMs

Branches

Merchant Capture

Real-Time

Real-Time

ACH

Social Engineering

Fraudulent Transactions

Employee Mistakes

Phishing

Card Skimming

Image Modification

419 Scams

Customer Data

Integrity and Availability of Transactions

Key Assets

Threat MitigationThreat Mitigation

Outsource Vendor mgmt (what is a trusted vendor doing to protect your customer’s data and your banking systems), vender’s vender

People: Infosec staff vigilance; employee awareness & training

Policies: security, privacy, BCP/DR Self-Testing (Scan), Monitoring (Logs) &

Constant Updating (Patch) Two factor Authentication

Threat MitigationThreat Mitigation

Defense in Depth in practice

Key: Make yourself an unattractive target

Philadelphia, PA ~ April 11 & 12, 2007

2007 E&O 2007 E&O SymposiumSymposium

New Threats, New Liabilities:New Threats, New Liabilities:The Carrier PerspectiveThe Carrier Perspective

Lori BaileyAssistant Vice President

Professional Liability DivisionAIG/National Union

215-255-6181Lori.Bailey@aig.com

State of the MarketplaceState of the Marketplace

• Claim Activity Regulatory Oversight Heightened Notification Requirements Aggressive Plaintiff’s Bar More Sophisticated Crime Network Dishonest Insiders Human Error

• Increased Cost of Compliance

Current Trends: CoverageCurrent Trends: Coverage

• Security/Privacy Liability Rogue Employee Coverage Coverage for Information Holders (Vicarious

Liability) Regulatory Claims Coverage

• Crisis Management Coverages Notification Costs/Public Relations Expenses Credit Monitoring Services

Current Trends: Client ProfileCurrent Trends: Client Profile

• Financial Institutions• Healthcare Providers • Colleges & Universities• Retailers• Payment Processors• Professional Services Organizations

Accountants Lawyers Insurance Brokers / Companies

• Anyone handling confidential information (personal or corporate)

Current Trends: LitigationCurrent Trends: Litigation

• Class Action Claims

• Federal Oversight State Attorney General Federal Trade Commission

• International Exposures Foreign Hackers Outsourced Vendors

What’s Next?What’s Next?

• Aftermath of Significant Data Breaches

• Proposed Legislation State Federal

• New Technologies