
Page 1: What Can Go Wrong in the Digital Age? Cyberthreats, Data ...iframe.dri.org/DRI/course-materials/2017-AM/pdfs/31_Goetz.pdf · lenges associated with cyberliability, cyberterrorism,

What Can Go Wrong in the Digital Age? Cyberthreats, Data Breaches, and Privacy Invasion

Gregory L. Goetz

Scripps Networks Interactive Inc.

9721 Sherrill Blvd Knoxville, TN 37932


Gregory L. Goetz currently serves as the Vice President of Risk Management for Scripps Networks Interactive, Inc. - a cable and satellite network television media company operating six (6) cable networks under the names Food Network (FN), Home and Garden Television (HGTV), The Travel Channel (TC), Do It Yourself Network (DIY), The Cooking Channel (CC), and Great American Country (GAC) - where he specializes in enterprise-wide risk management practices identifying emerging opportunities and trends while minimizing downside risk through a strategic and integrated collaboration with identified risk owners and key stakeholders, with specific emphasis on network security and privacy risk management processes. Greg has expert knowledge of all commercial insurance policies, particularly directors and officers, media liability, network security and privacy, along with various other alternate risk transfer programs.


What Can Go Wrong in the Digital Age? Cyberthreats, Data Breaches... ■ Goetz ■ 3


Table of Contents

I. Introduction ........ 5
II. Presentation ....... 5



I. Introduction

As individuals, businesses, and governments become increasingly dependent on technology, challenges associated with cyberliability, cyberterrorism, ransomware, and intellectual property protection have become the new normal. And, with the popularity of devices such as Amazon Echo and Google Home, concerns regarding the impact of these and similar technologies on personal privacy are prevalent. Greg Goetz will challenge you to consider the ever-present data breach and privacy invasion threats faced by individuals and organizations as we continue into the digital age, and will examine the availability of insurance coverages to afford protection when inevitable liabilities arise.

II. Presentation

What Can Go Wrong In The Digital Age? Cyber Threats, Data Breaches, and Privacy Invasion

Gregory L. Goetz, C.P.C.U., A.R.M., Vice President, Risk Management, Scripps Networks Interactive, Inc.

Defense Research Institute – October, 2017


6 ■ Annual Meeting ■ October 2017

Media and entertainment company operating six (6) cable, satellite networks in the USA

Poland, London, Singapore, Brazil, Italy, New Zealand



◦ I am not a lawyer

◦ My comments and conclusions - not those of Scripps

◦ Licensed insurance agent and 30 years corporate risk management experience


Presentation Overview and Deliverable:

◦ What is happening today – threats constantly evolving and events continue to occur

◦ Insurance coverage and uncovered exposures

◦ What will happen tomorrow – connected devices, driverless cars and smart homes, risk aggregation and perhaps ‘Cloud Armageddon’

Can we manage and keep pace with technological change?

More questions than answers. Many matters have not been litigated

‘Litigation is on the Way’



What Can Go Wrong? Plenty!


‘Cybercrime is a huge global problem due to the Internet of Things (IoT) and inter-networking of physically connected smart devices. More attacks are growing and crime groups are now working together. Unfortunately, cybercrime is very profitable, costing the world $600 (AUD) billion globally’

◦ Eugene Kaspersky, Chairman and CEO of Kaspersky Lab

Source: http://thefinancialexpress-bd.com, May 24, 2017


Source: AP Moeller – Maersk website, July 2, 2017


Early threats were mainly hackers or ‘hacktivists’ looking to deface or take websites offline. More for fun and disruption
◦ Today it is about business disruption, extortion, ransom

Some credit card numbers, PII, and other information compromised but not to be sold on the black market, etc.
◦ There is now a thriving black market with data being bought and sold

Relatively few terrorists or state sponsored actors
◦ Terrorism or interference by state actors, governments is here to stay

The loss frequency and severity not high
◦ Losses continue to escalate despite increased spending on security

Few, if any, cyber insurance products or cyber related insurance policy exclusions


Technology is changing the risk profile

Innovative technology is going to disrupt the insurance market

New Technology
◦ SaaS, BYOD, mobile devices, VPN, online banking, the cloud, apps for downloading, Blockchain, Artificial Intelligence

Threats constantly evolving
◦ Ransomware, state actors, terrorism, social engineering, multiple vendor access points, IoT

Impact – higher frequency, higher severity, more risk aggregation


We’ve heard these statements:

◦ ‘The largest ‘taxi’ company owns no vehicles’

◦ ‘The largest room accommodator owns no property’

◦ ‘The largest media entity owns no content (yet)’

Don’t know if these statements are true but technology is - and will continue to be - a great disruptor


[Chart: Emerging Technologies - Benefits and Consequences, plotting Benefits against Negative Consequences for: Geo-engineering; Proliferation and ubiquitous presence of linked sensors; Artificial Intelligence; Blockchain; Virtual and augmented reality; Nanotechnology; Space technology; New Computing Technology; 3D Printing; Energy capture, storage and transmission]

Source: World Economic Forum, Global Risk Report 2017, 12th Edition


Cyber Breach Events Continue to Occur Despite Spending and Awareness on Cyber-Security



Estimated spending on cyber security = $75 billion

But cyber crime alone costs $400 billion (USD)

And mirrors the legitimate growth of the digital economy at $4.2 trillion

Are we getting maximum value for the spend on security?

Sources: Lloyds Report – Closing the Gap, Insuring Your Business Against Evolving Cyber Threats, July, 2017
(1) http://www.gartner.com/newsroom/id/3135617
(2) https://www.bcg.com/documents/file100409.pdf


[Chart – Source: FBI Internet Crime Report 2016]


$115,000,000 to plaintiffs

$38,000,000 to plaintiff attorneys

$30,000,000 (estimated response costs)

$20,000,000 (estimated security upgrades per the settlement agreement)

Other costs to be determined



‘PAST’ CYBER EVENTS (Generally >12 months ago)



Water supply hacked and contaminated – March 2016

Power grid hacked in Ukraine – December 2015

German building control system hacked, overloaded, caused explosion – December 2014

Baby Monitors Hacked

DNC hacked – elections at risk – July 2016


Pirates allegedly successfully hacked into the computer-held cargo logs of a vessel carrying many large ocean cargo containers. The pirates could then determine precisely which container held the most valuable cargo. Upon boarding the vessel, the pirates could then raid those pre-identified containers with laser focus.

Source: www.foxnews.com – From High Tech to High Seas, Pirates Hack Shipping Company, James Rogers, March 2, 2016


RECENT CYBER EVENTS (Generally <12 months ago)



$350 Million – M&A Impact

Doll that records conversations now classified in Germany as ‘Illegal Espionage Apparatus’

Employee error shuts down some AWS services

DDoS caused by IoT

‘Orange is the New Black’ programs held for ransom


British Airways – System failure leads to widespread outage

Bank of Bangladesh – Largest bank heist ever – almost $1B

El Faro Sinking – Several insurers sue GPS maker for faulty weather reports, leading to sinking

New cyber security regulations

Negative security research report


New Technologies: (IoT exploding)

Ransomware: (WannaCry hits 75+ countries; Petya/NotPetya causes wide-spread outage)

Fraud E-mail/Wire Transfers: (Swift almost cost $1B)

Software Errors/Omissions: (Ship owner sues GPS maker for sinking)

The Human Element: (Amazon employee ‘fat finger’)

Cyber-terrorism, War, Nation State Tools: (Just a matter of time?)

Changing Laws, Rules, Court Opinions: (FTC, SEC, 50 states, NY State)

Denial of Service: (IoT connected devices flood Dyn)

Supply Chain: (Loss of power grid or major cloud provider)

Artificial Intelligence: (What will be the overall impact?)


Hooligans biker gang steals 150 Jeep Wranglers using stolen codes and key designs

Staked out Wranglers to copy VIN numbers, then compromised the proprietary Jeep database to steal a copy of the key design and codes based on the VIN

Armed with the fake key, they used a cheap electronic hand device to pair the key to the car’s computer

150 cars stolen, costing approximately $4.5 million

Just how secure are cars? Will driverless cars become easy targets?

Source: ‘How Hacked Computer Codes Allegedly Helped a Biker Gang Steal 150 Jeeps’ by Hamza Shaban, Washington Post, June 1, 2017


Ponemon Research Report: Medical Device Security – An Industry under Attack and Unprepared to Defend, May, 2017

67% of health care equipment device makers expect a cyber attack on their device in the next twelve (12) months

56% of health care organizations expect a cyber attack on their organizations in the next twelve (12) months

59% of equipment device makers have little confidence adequate security protocols and architecture are built into the device(s)

Only 33% of device makers encrypt data traffic among the IoT devices

Only 29% of health care organizations encrypt data from the IoT devices

31% of device makers are aware that an event or harm to patients due to an insecure medical device has already occurred

40% of health care organizations are aware that an event or harm to patients due to an insecure medical device has already occurred


The case of St. Jude Medical and Muddy Waters Capital, LLC.

Muddy Waters engaged a security firm (MedSec Holdings) to evaluate the security of St. Jude heart defibrillators

MedSec’s report found security vulnerabilities in the defibrillators

Muddy Waters Capital, LLC had taken short positions in St. Jude Medical stock, meaning it would capitalize if the stock price dropped

St. Jude was later acquired by Abbott Laboratories who issued a patch in partnership with the FDA which confirmed the vulnerability

Should Muddy Waters have taken a short position on a security vulnerability?

Should Muddy Waters have gone directly to St. Jude?



Settlement language proposes Muddy Waters not disclose future Abbott product cyber-security flaws to FDA or Homeland Security unless subpoenaed

◦ "MW hereby rejects your noxious settlement proposal that attempts to gag us and [other researchers] from assisting FDA, DHS," (Muddy Waters wrote on Twitter on Thursday afternoon, referencing the Food and Drug Administration and the Department of Homeland Security)

◦ Abbott maintains settlement language also contains reference to not interfering with any government inquiry or investigation

Is this the next ‘bug bounty’ exposure – locate a cyber-security flaw, short the stock, then go public with the flaw?


Started over the release of the movie The Interview (Intellectual Property Asset)

Likely North Korean state sponsored terrorism (State sponsored actor)

Intent was to disrupt business and business processes (Business Income Loss)

Damage to data, systems, software, programs (Physical loss to data assets)

Release of sensitive PII information of past and current employees (PII)

Threats made to employees and family members (Loss of morale)

Damaging internal e-mail of executive officers released (Reputational Loss) Sensitive information of talent and other third parties released (PII)

Sony CEO was terminated (Careers harmed)



IoT and Privacy – Watch out!


Consumer Complaints Up Across the Board!

[Chart: Total Complaints by year, 2001–2016]

Year – Total Complaints
2001 – 325,519
2002 – 551,622
2003 – 713,657
2004 – 860,383
2005 – 909,314
2006 – 906,129
2007 – 1,070,447
2008 – 1,261,124
2009 – 1,428,977
2010 – 1,470,306
2011 – 1,898,543
2012 – 2,115,079
2013 – 2,175,912
2014 – 2,633,697
2015 – 3,140,803
2016 – 3,050,374

Source: FTC’s Consumer Sentinel Network Data Book, February 2016


“Frenchman Sues Uber for $48 Million - App Glitch He Says Made his Wife Suspect He Was Cheating”

◦ Frenchman used his wife’s phone to summon an Uber ride

◦ Claims to have signed out of the Uber app but it continued to record his Uber trips on his wife’s phone

◦ Wife suspected an affair and filed for divorce

Your ‘Smart TV’ Might be Smarter Than you Think

◦ Vizio pays $2.2M to settle charge by the FTC its software collected television owner’s viewing data without knowledge or consent

◦ FTC alleged PII data removed but IP addresses supplied to data aggregators to match TV viewing habits with personal information like age, sex, income, marital status, education, etc.

◦ Vizio collected up to 100 billion anonymized viewing data points each day from its TVs

◦ Now provides clear notice and opt-out consent with instructions

(1) The Washington Post, February 13, 2017
(2) New York Times OnLine, February 2, 2017


Siri, Cortana, Alexa – What are they collecting?

◦ Man found dead inside home connected to Alexa – did it record conversation?

◦ Police may subpoena records related to murder

IoT Devices Inside Personal Vehicles

◦ “Black Box” inside newer cars will track and record data

◦ Rental cars can capture your cell phone data when synced via USB cord

◦ Consider the future for litigation: What information of value will the ‘Black Box’ contain for litigation purposes? What about litigation holds – how will the evidence be preserved?

Bose Corporation

◦ Privacy class-action lawsuit alleging Bose records and keeps customer’s listening habits without permission, violating wiretapping law(s)

◦ Bose Connect – a free software app that helps consumers download and listen to favorite music


Beware the EU General Data Protection Regulation (GDPR)

◦ Takes effect May, 2018

◦ Wide and sweeping privacy and security regulation

◦ Heavy focus on consumer choice: right to be forgotten, upfront consent to collect data, consumer right to have all records destroyed, etc.

◦ Significant fines for non-compliance (up to 4% of global revenue)

◦ Any US business targeting an EU consumer falls under this new regulation

Other FTC Privacy Matters of Interest:

◦ FTC vs. Turn, Inc.

◦ FTC vs. D-Link Corporation


What Could Go Wrong? The Insurance!


Will insurance coverage keep up with the changing exposures?

◦ The pace of change in technology and litigation will exceed the industry’s ability to model, price, and write policy coverage forms

Can insurance companies underwrite and price the risk given the constant change and loss aggregation?

◦ The aggregated risk modeling needed for cyber interconnected exposures does not exist

Many policy forms have not been litigated

◦ “THERE ARE OVER 67 DIFFERENT CYBER INSURERS WITH 67 DIFFERENT APPLICATIONS, SUBMISSIONS, PROCESSES, UNDERWRITING, POLICY FORMS AND CLAIMS HANDLING PROCESSES” – Kevin Kalinich, Aon Cyber Practice Leader


The insurance industry can place up to $500 million - $600 million cyber coverage (generally) on any one risk

Some large organizations should be able to get up to $500 million to $1 billion (or more)

Retailers and other large credit card handlers have difficulty securing adequate limit for PCI-DSS related risks and will have sub-limited coverage

Many other policy sub-limits may apply, such as for notification costs

Insurers are wary about risk concentration and risk interconnections

Will there be enough capacity to fully cover all cyber related risks?


[Chart: Stand Alone Cyber Statutory Filings – 2016 Cyber Insurance Profits and Performance]

Pure Loss Ratio – 47.1%
Defense and Cost Containment – 10%
Expense Ratio – 28.7%
Adjusting Expense – 2.7%
Overall Combined Ratio – 88.5%
Profit – 11.5%

Source: Aon: Cyber Update, 2016 Cyber Insurance Profits and Performance Report, May, 2017 – Stand Alone Cyber Statutory Filings


Cyber risk impacts?

What insurance is available?

What insurance is unavailable?

What are the coverage issues and concerns?


Sample Breach Impact Costs

◦ Regulatory Action – FTC, SEC, States, GDPR

◦ Reputation and Stock Price Drop

◦ First Party Notification et al expenses

◦ System restoration for increased security

◦ Bank Credit Card Fine, Penalty, Assessment

◦ Business Interruption and Extra Expense

◦ Damage or corruption to data, programs, software

◦ Civil Suits, Consumer Class, Cost to Defend

◦ Value of lost contract or customers

◦ Ransom Payment

◦ Loss of Intellectual Property

◦ Loss/theft of funds (BEC)

◦ Directors and Officers Derivative Shareholder Litigation

◦ Bodily Injury and Property Damage

◦ Privacy Breach

◦ Product Liability



Source: Deloitte – Beneath the Surface of a Cyber Attack, A Deeper Look at Business Impacts, 2016


Deloitte Example: Health Insurer Breach Scenario (Estimated Cost – Duration)

Above the Line

◦ Post-breach customer protection – $21,000,000 – 3 years

◦ Cyber-security improvements – $14,000,000 – 1 year

◦ Customer breach notification – $10,000,000 – 6 years

◦ Attorney fees and litigation – $10,000,000 – 5 years

◦ Regulatory compliance (HIPAA fines, etc.) – $2,000,000 – 1 year

◦ Public relations – $1,000,000 – 1 year

◦ Technical investigation – $1,000,000 – 6 years

Below the Line

◦ Value of lost contract revenue – $830,000,000 – 5 years

◦ Value of lost customer relationships – $430,000,000 – 3 years

◦ Devaluation of trade name (reputation and brand) – $230,000,000 – 5 years

◦ Increased cost to raise debt – $60,000,000 – 5 years

◦ Insurance premium increases – $40,000,000 – 3 years

◦ Operations disruption – $30,000,000 – immediate

◦ Loss of intellectual property – $ ? – 1 to 3 years

Source: Deloitte – Beneath the Surface of a Cyber Attack, A Deeper Look at Business Impacts, 2016


Media, Cyber, Privacy Liability
◦ Network Security Liability
◦ Privacy Liability
◦ Extortion (ransom) Threats
◦ Regulatory Proceeding
◦ Consumer Redress Funds
◦ PCI – DSS
◦ Crisis Management – PR
◦ Business income, extra expense

Professional Liability
◦ Consulting, other professional E&O
◦ Technology Liability E&O
◦ Technology products, hardware, software

First Party Property Insurance
◦ Damage to data, programs, software
◦ Business interruption and extra expense
◦ Off premises data services time element

Commercial General Liability
◦ Carve back for bodily injury
◦ Products Liability (may need separate policy)

Crime Insurance
◦ Computer Fraud
◦ Funds Transfer Fraud
◦ BEC (fake executive/employee or vendor e-mail)

Directors and Officers
◦ Derivative Shareholder Litigation

Kidnap and Ransom
◦ Cover for extortion/ransom (ware)


Some of Deloitte’s below the line costs

Loss of Business Reputation or Brand Value
◦ Cyber insurance does not cover the financial loss arising from brand or reputational impact

IP In Your Care, Custody, Control (Mossack Fonseca Law Firm - “Panama Papers”)
◦ What about intellectual property of others in your care, custody, control?
◦ Cyber/legal malpractice policies need to be reviewed very closely to determine if coverage exists for loss of data or IP (e.g. sensitive business contracts) in care, custody, control

Loss of Business Contracts or Relationships
◦ Some cyber and property policies now include business interruption loss. Check policy closely for loss of business contracts or relationships

Loss of Your Intellectual Property or Business Valuation
◦ Value of trade secrets, trade dress, patents are not covered
◦ A failed merger & acquisition due to a security breach - consider the downside costs!


The New Wolves of Wall Street A new class of cyber criminals is targeting companies’ private information

“It is no longer hacking for a quick payout. It is hacking as a business model.” Preet Bharara, US Attorney

Source: The New Wolves of Wall Street, Michelle Kerr, LRP, July 5, 2016


Cyber-Terrorism or War

Experian Prediction #2: Nation-State Cyber Attacks Will Move from Espionage to War [1]
◦ Cyber-terrorism coverage can be included with clear and broad definition
◦ Be certain the coverage applies to ALL computer systems – yours, the cloud, mobile devices – and not limited solely to your computer system
◦ Be certain ‘data’ is included if not already in the definition of a computer system
◦ Compare the war exclusion to cyber-terrorism coverage - NBCU vs. Atlantic Mutual – U.S. District Court, Los Angeles, Ca. June, 2016 (terror or war) media production case filed recently

Breach of Contract
◦ Problematic exclusion for a policy insured
◦ Used by Federal vs. PF Chang to defeat coverage
◦ Where possible, use “for” versus “arising out of, related to, or in connection with…a breach of contract”
◦ Carve backs to the exclusion for breach of contract are available for PCI-DSS coverage, technology, and professional services contracts

1. Data Breach Industry Forecast, Fourth Annual 2017, Experian Data Breach Resolution


Policy Exclusion(s) – Failure to follow ‘reasonable security practices’
◦ Columbia Casualty Insurance v Cottage Health Systems - No.: 2:15-cv-03432, United States District Court for the Central District of California
◦ ‘Reasonable security practices’ is very subjective so be mindful of the exclusion
◦ Some policy applications may have the same language, warranty, so be cautious

Policy Retroactive Dates
◦ A policy retro-date can defeat coverage for a cyber event not yet known
◦ This has been the source of numerous coverage denials and issues


Policy Sub-limits
◦ New Hotel Monteleone LLC v Certain Underwriters at Lloyds of London, No. 2015-11711 (Civ Dist. Ct. Orleans Parish, Louisiana)
◦ PCI-DSS sublimit of $200,000 for credit card association fines and penalties with a full policy limit of $3,000,000. Payment card processor (BMO Harris Bank) made demand for fraud recoveries/assessments that insurer contends are sub-limited to $200,000
◦ Hotel argues: 1) sub-limit applies only to card association claims but not processor, 2) full policy limit would apply to reimbursements, fraud recoveries, or assessments, 3) the sub-limit is limited to card association (MasterCard, Visa) imposed fines and penalties so the full policy limit applies to all other claims

◦ Moses A Ryan, Ltd v Sentinel Insurance Company, US District Court, District of Rhode Island, April 28, 2017
◦ Ransomware, encrypted and locked files, 3 months, $700,000 loss of revenue
◦ Policy covered business income, extra expense for ‘direct physical loss or damage’
◦ Policy sub-limit of $20,000 under Cyber and Media Endorsement
◦ Insurer paid $20,000. Moses Ryan argues for full $1M business income loss limit


Number of Deductibles or Occurrences
◦ Mostly, policies apply one deductible to the same, related, repeated wrongful act
◦ Read policy closely however – (Great American made the argument each transfer was a separate and unrelated wrongful act: Incomm v Great American)

Privacy
◦ Some policies may exclude wrongful collection or wrongful tracking of PII or data. Sample exclusion wording (Excluded): ‘Collection of information by you (or by others on your behalf) without the knowledge or permission of the persons to whom such information relates’
◦ Be mindful of any exclusion for ‘unintended violation of your privacy policy’

Bodily Injury or Property Damage
◦ Most commercial general liability policies now exclude cyber-related liability
◦ Buy-back endorsements exist for bodily injury (ISO CG 21 06 05 14)
◦ Buy-back endorsements exist for some property damage (ISO CG 04 37 12 04)
◦ Most cyber policies have give back for mental anguish, emotional distress


Unsupported Software Exclusion (Key issue in WannaCry)
◦ Be cautious of any exclusion for unsupported or legacy software
◦ This exclusion is problematic for any company using older software no longer supported by the vendor
◦ Of course, unsupported software increases the risk of loss to the insured and insurer

Sample exclusion wording: “…alleging, based upon, arising out of or attributable to the inability to use, or lack of performance of, software programs…due to the expiration or withdrawal of technical support by the software vendor; or…”

Negotiate for Voluntary Notification Cost Coverage
◦ Some insurers will offer voluntary notification cost coverage rather than only notification cost when notice is required by law


Notification:
◦ Claim means: “…written demand received by any Insured for money or services…” (would include a ransomware demand)
◦ “…in no event shall the Underwriters be given notice of Claim later than the end of the Policy Period, the end of the Optional Extension Period (if applicable), or sixty (60) days after the expiration date of the Policy Period…”
• Report all ‘written demands’ – even if small dollar demands

Consent to Settle and/or Incur Costs:
◦ “…the Insured shall not admit liability, make any payment, assume any obligations, incur any expense, enter into any settlement, select the services and products described in Insuring Agreement D., stipulate to any judgment or award or dispose of any Claim without the written consent of the Underwriters…”
• Secure consent to pay unless policy provides authority to the insured


PF Chang v. Federal Insurance Company, US District Court Arizona, CV 15-01322 PHX-SMM
◦ Chang had a breach and Bank of America (credit card processor) brought a claim for three items: Case Management Fee - $50,000; Operational Reimbursement - $163,122; Fraud Recovery - $1,716,798
◦ Only fraud recovery was not covered: it was not a Claim for (Privacy) Injury and would also be excluded by the breach of contract exclusion
◦ Privacy Injury – ‘injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Records, or exceeding access to such Person’s Records’
◦ Court: Bank of America itself did not sustain a Privacy Injury; its records (such Person’s) were not compromised so it had no claim as a privacy injury
◦ Bank of America’s claim was grounded in a contract to which Chang’s breach of contract exclusion applied
◦ Note: No evidence Chang’s policy had coverage for PCI-DSS breach


[Diagram: Credit Card Transactions in PF Chang – Customers; PF Chang (data owner and notification obligations); Bank of America Processor (BAMS), under the Processing Agreement; MasterCard, Visa, Discover; Fraud Assessments Charges]

1. BAMS did not sustain a privacy injury. Its records were not compromised. (MasterCard sustained the Privacy injury)
2. BAMS claim is contractual. Exclusion would apply.

Privacy Injury: ‘Injury…sustained by a person… because of…access to such person’s record’


No evidence in the PF Chang case that it purchased PCI-DSS coverage. Had PCI-DSS coverage been in place this case might not exist.

Sample Cyber Policy Wording: Be certain to include monetary assessments:
“PCI-DSS assessment means any written demand received by an insured from a Payment Card Association (e.g., MasterCard, Visa, American Express) or acquiring bank for a monetary assessment (including but not limited to a contractual fine, penalty, operational assessments, card reissuance fees and costs, fraud assessments and recoveries, and case management fees) due to an insured’s non-compliance or breach of contract in accordance with PCI data security standards resulting from a failure of security or privacy peril.”

PCI-DSS coverage often removes or limits the Breach of Contract Exclusion:
“…for liability you assume under any contract or agreement, including but not limited to, any contract price, cost guarantee or cost estimate being exceeded; however, this exclusion does not apply to: with respect to Security and Privacy Liability Coverage, the obligation to comply with PCI data security standards;”


Cyber Business Interruption subject to a time waiting period:
◦ No coverage if the time waiting period is not met
◦ Be cautious to tie the retention to both a time waiting period and a dollar retention and not limited solely to the time waiting period. Sample wording: “If the Loss incurred by any insured during the Waiting Hours Period is greater than the applicable (dollar) Retention set forth in the Declarations, the Remaining Retention equals Zero”
◦ In other words, once the time waiting period is met the stated dollar deductible should apply

Will new technology fall under business interruption definitions?
◦ System Failure means failure of security of a Computer System
◦ Will Blockchain (a distributed peer to peer ledger) satisfy the definition of computer system?


Who is the data owner?
◦ Hospital ‘owns’ the HIPAA data, retailer ‘owns’ consumer data
◦ Therefore, the hospital data owner, not its vendor, has the duty and obligation to notify the consumer

Be certain your policy covers a breach at a vendor or off-site location
◦ You have the obligation to notify your customers or consumers as the record owner
◦ Your claim to vendor will be a technology or professional liability errors and omissions based claim – failure under contract to provide a contracted service
◦ Your vendor will need to indemnify/reimburse you for your costs to notify and respond

Contractual obligation to indemnify another party might not be covered
◦ Often seen in credit card processing agreements and other agreements
◦ The credit card processor or third party vendor will not sustain a ‘Privacy Injury’ – its records are not compromised
◦ They do not have the obligation to notify the consumer – you do

Your vendor would need to indemnify you via contract terms
◦ Vendor’s insurance policy may contain a breach of contract exclusion
◦ Make certain there is a carve back covering liability assumed under contract
◦ The breach of contract exception for liability one would otherwise have without a contract being in place might not apply as they have no real liability to the consumer


BEC (Business E-Mail Compromise)

Computer Crime, Funds Fraud Transfer



‘Austrian firm fires CEO after $56-million cyber scam*’
◦ Firm wired $56 million based on a fraudulent e-mail

Actual E-mail to Scripps:
From: Lxxxxxx <[email protected]>
Date: October 3, 2014 at 1:35:00 PM EDT
To: <[email protected]>
Subject: Fwd: Wiring Instruction

M,
Process a wire of $36,850 to the attached account information. Code it to General & Admin Expenses and notify me once its done. I'll forward support later on, currently working on it.
Thanks,

* Source: Austrian Firm Fires CEO after $56-million Cyber Scam, May 26, 2016, AFP World News


BEC Scams now targeting all parties in real estate transfers
◦ Buyers, sellers, real estate agents…..and law firms
◦ Follow transactions then perfectly time a fraudulent request to wire money or otherwise divert funds to a fictitious account
◦ Real estate fraud complaints up 480% this year alone!

Source: FBI May 4, 2017 BEC Alert


Computer Crime Insurance and Funds Fraud Transfer (fake e-mail) – 5 recent cases of interest:
◦ InComm v Great American, Bank of Bellingham v BankInsure, Taylor & Lieberman v Federal, Medidata v Federal, Apache Corporation v Great American

Key Insurance Coverage Questions for Cyber Crime Coverage:
◦ Is a ‘voluntary’ transfer of funds based on a fraudulent e-mail that looks legit covered?
◦ If a person with authorized access makes a fraudulent transfer is that covered?
◦ Is the loss direct or indirect?
◦ If an employee violates internal policy leading to a loss is that covered?
◦ If a programming error allows a fraudulent transfer to occur is that covered?


Incomm Holdings v Great American Insurance Company (1:15 cv 2671 WSD) U.S. Dist. Ct. Northern Dist. of Georgia, Atlanta Division
◦ InComm sells pre-paid debit cards that can be re-loaded with funds via separate “chit”
◦ A consumer must call an interactive voice response (IVR) system to re-load the card
◦ When persons made simultaneous calls to load a “chit”, many ‘chits’ were redeemable multiple times when they should have been redeemable only once

Crime Policy Wording:
◦ “{Great American} will pay for loss of…. resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises…to a person… outside those premises”

Key Coverage Disputes:
◦ Is the IVR system a computer or is the IVR a phone system?
◦ Insurer maintains loss is not direct, rather stems from InComm’s contractual commitment with bank to deposit funds when “chit” redeemed
◦ Insurer maintains each transaction is a separate policy occurrence under the deductible
◦ Coding errors in the IVR system, not computer fraud or ‘hacking’
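The multiple redemptions the slide describes are the classic check-then-act race: every simultaneous call reads "not yet redeemed" before any of them writes "redeemed". The Python below is an added illustration, not InComm's IVR code: it fires simultaneous redemption attempts at an in-memory chit store, first against a handler with that race and then against one that claims the chit atomically before crediting the card. The chit store, codes and card ids are constructed placeholders.

```python
import threading
import time


class ChitStore:
    """Constructed in-memory stand-in for the chit table behind an IVR reload service."""

    def __init__(self, chits):
        # code -> {"value": dollars, "redeemed": bool}
        self.chits = {code: {"value": value, "redeemed": False} for code, value in chits.items()}
        self.balances = {}                 # card_id -> dollars credited
        self.lock = threading.Lock()

    def _credit(self, card_id, value):
        self.balances[card_id] = self.balances.get(card_id, 0) + value

    def redeem_racy(self, code, card_id, delay=0.02):
        """Check, then act, with no synchronization.

        Every caller that reads redeemed == False during the window credits the card,
        so one chit can be honoured as many times as there are concurrent callers.
        """
        chit = self.chits[code]
        if chit["redeemed"]:
            return False
        time.sleep(delay)                  # stands in for the bank call between check and update
        chit["redeemed"] = True
        with self.lock:
            self._credit(card_id, chit["value"])
        return True

    def redeem_atomic(self, code, card_id, delay=0.02):
        """Claim the chit inside a critical section first; only the claimant credits the card."""
        with self.lock:
            chit = self.chits[code]
            if chit["redeemed"]:
                return False
            chit["redeemed"] = True        # claimed before anyone else can read it
        time.sleep(delay)                  # the slow bank call now happens after the claim
        with self.lock:
            self._credit(card_id, chit["value"])
        return True


def simulate(callers, redeem, code="CHIT-0001", card_id="card-42"):
    """Release `callers` threads at the same instant and count honoured redemptions."""
    barrier = threading.Barrier(callers)
    results = []
    results_lock = threading.Lock()

    def caller():
        barrier.wait()                     # all callers start their check together
        honoured = redeem(code, card_id)
        with results_lock:
            results.append(honoured)

    threads = [threading.Thread(target=caller) for _ in range(callers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def run_demo(callers=8):
    """Return (honoured redemptions with the racy handler, with the atomic handler)."""
    racy_store = ChitStore({"CHIT-0001": 50})
    safe_store = ChitStore({"CHIT-0001": 50})
    return simulate(callers, racy_store.redeem_racy), simulate(callers, safe_store.redeem_atomic)


if __name__ == "__main__":
    racy, safe = run_demo()
    print(f"racy handler honoured the chit {racy} times; atomic handler {safe} time")
```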


Judge ruled March 2017 in favor of Great American Insurance Company
◦ Judge held redemptions were made over a phone system rather than via a computer (system) as required by the policy
◦ The losses occurred after the initial redemption was made (e.g. when a subsequent call was made to reload the chit) and those re-loads of the chit were all done by phone rather than a computer
◦ The claimed loss was not direct - did not result from a direct transfer of funds from a computer system
◦ Incomm plans to appeal


State Bank of Bellingham v BankInsure - U.S. Court of Appeals, 14-3432, Appeal from US District Court, Minneapolis, Minnesota
◦ Bellingham made a claim under the policy when one of its computers became infected with malware that allowed criminals to transfer $485,000
◦ Bellingham employee violated company policy leaving computer on all night, so BankInsure denied the claim on the grounds the loss was the result of a failure to adhere to security protocols
◦ Court reviewed ‘direct’ and took into consideration the ‘efficient proximate cause’ (the unlawful computer hacking by a third party)
◦ Ruled in favor of Bellingham for coverage to apply

Taylor & Lieberman v Federal Insurance Company – Ninth Circuit Court of Appeals (March, 2017)
◦ Taylor & Lieberman received fraudulent e-mails from a fraudster using a client e-mail address requesting funds be sent
◦ Ninth Circuit held fraudulent e-mails were neither forgeries nor financial instruments (for funds transfer fraud coverage under a crime policy), and there was no unauthorized entry into the insured computer system (for computer fraud coverage under a crime policy), such that no coverage applied


In Bellingham, there was an intrusion by the hacker into the policyholder computer system introducing malware

In Taylor & Lieberman, there was no hack or intrusion into a computer system. An employee’s e-mail was hacked rather than the computer system itself, leading to a fraudulent request to wire funds

In Taylor & Lieberman, there was no coverage as it was a ‘voluntary’ transfer of funds by an employee (albeit based on a fraudulent e-mail)

In Bellingham, coverage applied as there was unauthorized access to a computer system


Medidata v. Federal Insurance Company – 1:15-CV 00907 United States District Court, Southern District of New York
◦ The fraudulent ‘executive e-mail’ to wire funds
◦ Federal denied coverage – voluntary transfer of funds

Apache Corporation v. Great American Insurance Company No 15-20499 2016 WL6090901 (Fifth Circuit Court of Appeals, October 2016)
◦ Fraudulent phone call made to Apache employee followed by fraudulent vendor invoice from what appeared to be a ‘legitimate’ vendor
◦ Employee paid the fake vendor invoice which shortly afterward was found to be fraudulent
◦ Fifth Circuit reversed the underlying decision and determined the loss was not a ‘direct loss’ of computer use as required by the policy
◦ Using a computer to initiate a fraudulent invoice was incidental rather than direct and not covered by the policy


Some crime policies will insure BEC fraudulent E-mail from (fake) executives or employees but specific policy wording is required

Be certain to also include Computer Fraud and Funds Transfer Fraud Coverage (or called: Social Engineering, Impersonation Cover)

Sample policy language to insure the fraudulent employee E-mail:
◦ A fraudulent written instruction to transfer, pay, or deliver electronic funds or transfer funds which purports to have been issued by an employee of the insured but was in fact fraudulently issued by someone without the insured’s consent

Some insurers will also insure fraudulent E-mail (funds transfer) from (fake) vendor invoices but specific policy wording is required


United States Department of Treasury Notice of Guidance issued December 27, 2016 making it clear Cyber falls under TRIA

Stand-alone Cyber Liability Policies are included under the TRIA Act of 2002

TRIA provides a federal ‘backstop’ up to $100 billion for insurance claims from acts of terrorism

Insurers must provide disclosures and offers that comply with TRIA for any new or renewal policies

Effective Date: April 1, 2017



Many cyber insurer policies are now specifically including coverage for business income and extra expense in cyber liability coverage forms

Some Property Insurers (FM and XL) have cyber coverage for virus and malware, data destruction, and business income

This policy coverage will be subject to a waiting period

Waiting period can range from 8 hours to 48 hours

Must read the policies closely to understand the coverage intended (for example, some policies may require a virus/ ransom to be ‘directed at’ the policy insured)

Some insurers are now including ‘system failure’ in addition to ‘system security’ (breach)


AIG CyberEdge (SM) - Products/Completed Operations Liability Insurance
◦ Bodily injury or property damage for products-completed operations hazard, caused by a Security Failure or Product Security or System Failure
◦ Security Failure – failure of a computer system due to a security issue
◦ System Failure – failure of a computer system
◦ Product Security Failure – hardware, software, components… 1) under ownership or operation of person other than the named insured, 2) are part of the Named Entity’s Products, 3) linked together

CyberEdge (SM) - Commercial General Liability Insurance
◦ Bodily injury or property damage caused by a security failure or privacy peril

CyberEdge (SM) First Party Property Damage Insurance
◦ First party property loss as a result of a security failure

CyberEdge (SM) Network Interruption Insurance
◦ Business income and extra expense loss as a result of a security or system failure


Is there a subrogation wave on the horizon?
◦ Many, many business contracts for software, services, hardware being negotiated

Is there contract certainty?
◦ In other words, will the insurance coverage match, mirror contractual intent?
◦ With 67 different policy wordings how will this play out in the future?

Will insurers pay claims for data owners then subrogate other parties?

What about products - completed operations when a security breach is the primary cause of a fire in a plant. Will the plant insurer subrogate?

What about limitation of liability provisions? Will they be upheld?

Two cases of interest:
Affinity Gaming vs. Trustwave Holdings, Inc.
◦ Case No.: 2:15-cv-2464 US District Court District Of Nevada
Travelers vs. Ignition Studio, Inc.
◦ Case #1:15 CV:00608, US District Court, Northern District of Illinois


Insurance Claim Scenario: Two large ocean vessels (A and B) are in the Port of New Orleans, with A close to docking portside. Both are equipped with state-of-the-art electronic systems connected wirelessly to the Internet and satellite systems, including all of the ship’s navigational systems. Suddenly B’s engines fire up and it moves swiftly toward A; the Captain of B is powerless to shut off or disable the engines, and B strikes A broadside. The impact is huge: Vessel A, carrying oil, catches fire and sinks, causing an environmental disaster, shutting down the Port of New Orleans for an estimated two months, and leaving two persons dead. Computer forensics determine that an on-shore hacker had seized control of B’s entire navigational systems. Multiple parties provided the computer hardware, software, component parts, switches, sensors, and installation for electronic systems (e.g. The Products) to Vessel A. Vessel B’s insurer reminds them of the ‘all claims arising out of or in connection to a cyber-liability event’ exclusion under the Protection and Indemnity Policy (P&I). Vessel A’s insurer sues all parties involved.


The Future: IoT Connected Devices, Driverless Cars and Your Smart Home, Risk Aggregation


“The Internet of Things is Wildly Insecure…And Often Unpatchable” “The security problem grows larger and larger each time another unsecured IoT device is connected to the Internet”. Bruce Schneier, Expert International Security Technologist



The Dyn disruption was not all that sophisticated:
◦ Many electronic gadgets connected to the internet but the default password from the manufacturer was NOT changed
◦ Hackers knew the default then simply ‘took over’ many gadgets
◦ Hackers – with many gadgets under control – send signals to Dyn which overloads the system (DDoS attack)



There will be 25 billion connected consumer devices by year end 2015

There will be 50 billion connected consumer devices by year end 2020

Consumers only! – FTC report does not address business devices

Mobile data traffic will exceed fifteen exabytes by 2018

An exabyte of storage could contain 50,000 years’ worth of DVD-quality video


Source: FTC Report 2015 Internet of Things, Privacy and Security in a Connected World


Number of Connected Devices Globally (billions of connected devices)

Year    Devices (billions)
1993    0.001
2003    0.5
2012    8.7
2013    11.2
2014    14.4
2015    18.2
2016    22.9
2017    28.4
2018    34.8
2019    42.1
2020    50.1

Source: FTC Report 2015 Internet of Things, Privacy and Security in a Connected World


Half of companies have already adopted IoT technology, and by 2019 that number is expected to reach 85 percent.

Half of our respondents feel external attack is the greatest threat to their IoT systems, and 84 percent have already experienced an IoT related breach

Over 77 percent of business leaders said that IoT was ‘just beginning’ and will transform business as we know it.

Source: Hewlett Packard: The Internet of Things: Today and Tomorrow


The Information Value Loop:

Create
◦ Sensors generate information about event or state

Communicate
◦ Transmit the information from one place to another

Aggregate
◦ Gather information created at different times and sources

Analyze
◦ Discern patterns, relationships, leading to descriptions, predictions, prescriptions for action

Act
◦ Initiate, change, or maintain a physical event or state

Source: Deloitte University Press 2015: Inside the Internet of Things – A Primer on the Technologies Building the Internet


Certainly data can help manufacturers improve products:
◦ Product functionality
◦ Product maintenance

Predictive modeling
◦ Data to predict your consumer habits, buying trends, likes and dislikes
◦ What do you listen to, like, ask for (Alexa – play songs by The Beatles for me)

Targeted advertising
◦ Advertisers long for rich and actionable data

But data must be actionable. Storing data for no purpose is a liability

Ashley Madison Breach – many had asked for their information to be deleted completely


Many IoT devices are not being designed with security in mind

IF patches are even issued by manufacturers, it is unlikely that consumers will load the patches onto the devices

Mass connectivity raises the risk aggregation concern
◦ Dyn – consumer IoT devices were taken over and ‘flooded’ Dyn domain servers
◦ WannaCry and Petya – a virus could be uploaded to connected devices on a massive scale

Privacy concern and litigation may increase substantially
◦ Data – being collected at an alarming pace:
◦ Vizio collected up to 100 billion anonymized viewing data points each day


YOUR DRIVERLESS CAR WILL BE HACKED! And if it crashes who will be responsible?

Source: Getty Images


Today negligence and liability follow the driver/vehicle owner

Personal automobile insurance will pay if the insured is legally liable

However, with a driverless car, is the driver responsible or is the product manufacturer responsible?

Will there be a big spike in product liability coverage needs?

Will the personal automobile market dry up and go away?

What will the regulatory framework look like for self-driving cars?

How can insurers understand and price the new technology and changing exposure?

Consider the ‘data’ collected – when you go, where you go, how many are in the vehicle, for how long, how fast, miles driven/ridden, maintenance schedule – how will this data be used?


Will personal automobile insurance revenues really reduce by $160 billion?

Wall Street Journal Article – July 26, 2016
◦ Due to safety enhancements of driverless cars, the personal lines insurance market is projected to shrink to $40 billion by 2040

Will there be a big spike in product liability coverage needs?
◦ Can the premium volume be made up in commercial product liability coverage?

Source: Driverless Cars Threat to Crash Insurers Earnings, Wall Street Journal, July 26, 2016, by Leslie Scism


Charlotte’s public transportation is under a ‘future vision review’

The plan is to spend upward of $6 billion for light rail transportation with three new rail lines connecting various destinations

The time-line for the first phase alone is estimated to be completed in 2025 to 2027

CAT (Charlotte Area Transit) ridership has been decreasing slightly

Light rail would remove or lower congestion with guaranteed times

But driverless cars threaten the ROI on the infrastructure transit spend

Should Charlotte spend the money?

‘Will Self-Driving Cars Kill Transit as we Know It? It could be Charlotte’s $6 Billion Bet’ - Charlotte Observer, Steve Harrison, February 24, 2017


‘Fixed route transportation won’t make any sense in ten (10) or fifteen (15) years’

‘We are on the precipice of as much change in transportation as we have seen in 100 years’

Disruption is clearly coming. Is it correct to pause and ask whether “the transit plan from twenty (20) years ago may not be the best plan for the next two decades”?

Source: Charlotte Observer, Steve Harrison, February 24, 2017


Driverless Car Scenarios:

Owned or leased by individual owner (in place today)

License Model
◦ Exclusive License: A person owns the car but is not the everyday user; another person (licensee) is the normal user
◦ Non-Exclusive License: The licensee does not have exclusive right to or use of the car; it is shared or perhaps has multiple users

Fleet Owned Model
◦ Similar to Uber today, where the user pays by the ride or a per-month fee on an as-needed basis

Individual Owned Model
◦ An Uber-like app connects driverless cars owned by individuals. For example, your car drives you to work, then your car is out earning money all day via an Uber-like app.

Source: Autonomous Vehicles Business Models: How Will You ‘Own’ One? Janine Bowen, LeClair Ryan, November 1, 2016


Alexa, Cortana, Siri

Your bank

Direct bill pay

Your employer

Social media

Kids' games

Your investment accounts

Your credit cards

Source: Getty Images


Who will know when you are at home or away?

Will insurance claims decrease due to enhanced monitoring and electronic protection, or will insurance claims increase should hackers be able to steal passcodes for entry or override various systems?

Will insurers give home discounts or credits to smart home owners?

Privacy issues will be big as there will be many data connection points from the home that will be captured and analyzed

What claims might the home builder face when a wired home he or she built floods because a hacker was able to turn on all water outlets to the home when the homeowners were on a two week vacation?

What is the risk concentration issue – could one hacker tap into hundreds or thousands of homes at one time?


Law #1 – Everything connected to the Internet can be hacked

Law #2 – Everything is being connected to the Internet

Law #3 – Everything else follows from the first two laws

Source: Risk Nexus – Beyond Data Breaches: Global Interconnections of Cyber Risk. Zurich and Atlantic Council, April 2014 http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf


AIG Survey – Is Cyber Risk Systemic, December 2016

How likely is it that one systemic attack will impact multiple companies in the next 12 months?

More than 90% responded that a systemic cyber event is possible
◦ 5% say > 50% chance
◦ 10% say 10% to 50% chance
◦ 85% say < 10% chance


Started in 2006

Today over $10 billion in revenue

31% market share next closest competitor at 10%

Provides 143 million hours a month of service

Over 1 million customers in over 190 countries

Entering the IoT market (announced October, 2015)

Source: Business Insider, March 14, 2016, Julie Bort

US East: Virginia (5), Ohio (3)

US West: N California (3), Oregon (3)

Sao Paulo (3)

Green circles: Coming soon

Source: WWW.AWS.Amazon.com

Source: Google Map Data 2015

Can a cyber corollary be made with the 2007-2008 financial crisis? Will a cyber event cause another financial crisis moment?

The interconnectivity (systemic risk or contagion) of the financial system almost caused its collapse
◦ Systemic risk* – the collapse of an entire financial system or entire market, as opposed to risk associated with any one individual entity, group or component of a system
◦ Contagion* – the spread of mostly downside market disturbances from one country to the other

The failure of Lehman (Indy Mac Bank) and near failure of Bear Stearns created a real and/or perceived liquidity crisis and near financial collapse of the world financial system

* Source: Wikipedia.com


Source: International Monetary Fund, Financial system Stability Assessment, Germany, June 10, 2016


Consider the parallel between the financial system and the cloud (diagram):

Financial system:
◦ Mortgage problem
◦ Lehman falls, spreads to other banks and providers
◦ Liquidity/credit flow problem hits others
◦ Sovereign debt hit as governments bail out banks
◦ Major recessions, government loss of support and US, EU crisis
◦ Can it happen again?

Cloud:
◦ Cloud problem
◦ Companies depending on the cloud provider that fails, including logistics and those supplying critical support and process
◦ Many companies depending on just-in-time supplies, key process support are impacted
◦ Large sections of the economy suffer and it spreads globally
◦ Widespread losses, contingent BI, government loss of support, no trust in the Internet
◦ Can it happen?

Source: Risk Nexus – Beyond Data Breaches: Global Interconnections of Cyber Risk. Zurich and Atlantic Council, April 2014


The Seven Aggregations of Cyber Risk

1. Your Internal IT department – Internal IT hardware, software, routers, people

2. Counterparties / partners – Outsiders such as banks, associations

3. Outsourced and contract partners – Contracts for cloud, HR, legal, etc.

4. Supply Chain – IT / cyber supply / logistics / products / country

5. Disruptive, new technology, old technology – IoT, smart grid, Tesla

6. Upstream infrastructure – Submarine cables, Internet exchange, government

7. External shocks – International conflicts, malware pandemic

Source: Risk Nexus – Beyond Data Breaches: Global Interconnections of Cyber Risk. Zurich and Atlantic Council, April 2014


Maersk IT systems crippled by Petya/NotPetya

Maersk – leader with 18% of market share, high regard for cyber-security

Books 3,300 TEU every hour for $2,700,000 revenue each hour

Bookings impacted for two days (to date as of June 30, 2017)

Estimated two (2) day revenue loss: $129,600,000

Further, consider the systemic supply chain risk:
◦ Global container supply could be in chaos
◦ Maersk may not be able to load or unload, so containers will pile up on docks
◦ Customers looking for other modes of shipping are being told there is no space, ‘we’re full’!

Source: International Shipping News, June 30, 2017


So What Is The Potential Dollar Cost Impact? Business blackout simulation on the power grid

A Trillion-Dollar Risk?

Economic impact $22 billion to more than $1 trillion

Not a cyber peril, but consider the similarities to a cyber Armageddon

Loss of power, with all things connected, would be a very big insurance claim

“US Power Grid Called Easy Cyber Target” – Department of Energy Report 2017

Source: Lloyds and Cambridge Centre for Risk Studies, Business Blackout, Emerging Risk Report 2015


Is a large loss on the way?
◦ The concentration of risk(s) / exposure(s) at a cloud and/or other interconnected locations raises the potential of a large loss
◦ Financial System – Bank of Bangladesh (SWIFT) was $81 million and could have been $1 billion but for a typo

Integration and especially the Supply Chain Impact
◦ You rely on Amazon, so do your suppliers, so do their suppliers, so do their suppliers’ suppliers…
◦ The contingent business interruption supply chain impact could be substantial

Privacy Issues
◦ The IoT will allow massive collection of PII
◦ One device touches another device and another
◦ Many, many issues will surface related to privacy rights with location devices


Potential for increased crime
◦ As more homes and businesses become connected and secured remotely, will this allow for more break-ins due to a cyber security breach?

Medical devices and other equipment increase the risk of bodily injury related claims
◦ Already reports of pacemakers connecting online being hacked
◦ What about hospital medical devices delivering medicines, etc.?

Will insurers figure out a way to price and underwrite the risk?
◦ Capacity and coverage will not be available to handle the changing risk exposure

Will the Catastrophe Bond Market provide needed capacity more quickly?
◦ If the insurance industry does not respond, will the capital markets do so?
◦ Cat bonds have already been issued to insure large cyber breach exposures


Will the Article III Standing threshold break open the floodgates?
◦ Spokeo v Robbins – must have some proof of concrete harm
◦ Since Spokeo, rather inconsistent rulings on concrete harm:
  Church vs. Accretive Health, Inc. (U.S. Eleventh Circuit)
  Hancock vs. Urban Outfitters, Inc. (U.S. Court of Appeals, District of Columbia)
  Carlsen vs. Gamestop, Inc. (U.S. Eighth Circuit)
  Braitberg vs. Charter Communications, Inc. (U.S. Eighth Circuit)
  Galaria vs. Nationwide Mutual Insurance Co. (U.S. Sixth Circuit)
  Perry vs. Cable News Network (U.S. Eleventh Circuit)
  Christina Graham, et al vs. Michael’s Stores, Inc. (US District New Jersey)
  Michael T Dreher vs. Experian Information Solutions, Inc, Equifax, Inc., Trans-Union Inc. et al (U.S. Fourth Circuit)
  Ahmed Kamal vs. J. Crew Group (US District New Jersey)
◦ Plaintiff bar will continue to push new and old theories such as overpayment for services ‘not’ provided (e.g. not protecting PII)


The statutory penalty per each ‘willful’ or ‘knowing’ non-compliance is a big concern: e.g. F.C.R.A. up to $1,000 each

Do the math:

100,000 ‘knowing’ non-compliance records X $1,000 per record = $100,000,000 exposure!


Are WannaCry and Petya simply smokescreens?

Disguised as ransom demands, but are they worming through systems undetected?

DoublePulsar, a cyber weapon developed by the N.S.A., has been detected on tens of thousands of computers

DoublePulsar mostly flies under the radar, undetectable by most virus and malware scans

Undetected, it can then steal credentials, giving hackers free rein

To what extent can private business compete with and stop state sponsored cyber weapons?

Source: A Cyber Attack the World Isn’t Ready For – NY Times Online, June 25, 2017


1. Criminals harness IoT devices as botnets to attack infrastructure

2. Nation state cyber espionage and information war influences global politics and policy

3. Data integrity attacks rise

4. Spear-phishing and social engineering tactics become more crafty, more targeted and more advanced

5. Regulatory pressures make red teaming the global gold standard, with cyber-security talent development recognized as a key challenge

6. Industry first-movers embrace pre-M&A cyber-security due diligence

Source: Stroz Friedberg, 2017 Cyber-Security Predictions, January 2017


1. Privacy litigation and disputes will increase, mostly due to IoT devices

2. Two or more nation states will be on the brink of declaring cyber-war

3. ‘Latency’ issues will begin to surface (long-term but unknown data theft or credential compromise, similar to latent product defects)

4. A major cloud provider or utility will be under a serious and sustained cyber attack

5. Companies will begin to re-evaluate their security posture and protocol – is what we are doing the right approach?

6. Blockchain will become a tool for one or more major financial institutions


Questions? Thank You!
