CYBERSECURITY INSURANCE SEMINAR
Can You Afford NOT To Have Cybersecurity?
March 4, 2015
TODAY’S PRESENTERS
Reggie Dejean
Specialty Lines Manager
Lawley & Lawley Andolina Verdi
Mary Beth DiBacco
Specialty Insurance Manager
Chubb Insurance
Carl Cadregari
Executive Vice President and Practice Lead
Bonadio IT/IS Risk Management
DIGITAL HACKING
FORENSICS
HEADLINES
HEADLINES EXPLAINED
Identities left exposed in Indiana salvage yards - items included medical records, bank statements, insurance cards, employee identification cards, car registrations, a signature, a child’s name, dates of birth, and an application for welfare assistance.
Stolen Pioneer bank laptop contained some customers’ data - Pioneer Bank over the weekend alerted some of its customers that an employee’s laptop stolen Jan. 26 contained “secured personal information of certain customers, including names, social security numbers, street addresses, and account and debit card numbers.”
Harel Chiropractic Clinic notifies 3,000 patients of breach
HEADLINES EXPLAINED CONT.
St. Peter’s Health Partners is warning of a possible data breach in its email system, following the theft of a manager’s cellphone.
California Pacific Medical Center discovers employee was improperly accessing patient records for one year
Natural Grocers Investigating Card Breach - traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country
HEADLINES EXPLAINED CONT.
Data Breach Results in $4.8 Million HIPAA Settlements from New York and Presbyterian Hospital
A 214-bed Medical Center laptop was stolen with data in an Excel spreadsheet - the Medical Center says the data is safe since the thief would have to know how to unhide columns in an Excel spreadsheet to read them
THREATS TO DATA
Internal Threats
External Threats
Have You Heard About Target?
Not just credit card information but also personal identifiable information (PII) is at risk
According to recent surveys:
Street Cost – Social Security Number: $1.00
Street Cost – Financial Record: $0.50
Lost Medical Record: $316.00
CSIRP: Computer Security Incident Response Plan
• What to do when you “think or know” you have had a disclosure
• The who, what, where and when to follow
• Step by step process
• May be required by some laws and regulations
CSIRP
You Need a Breach Notification Policy
1. NY State, HIPAA, PCI and GLBA require a documented policy that includes all factors of breach notification, including:
• When to alert persons whose data has been breached
• What you have to pay for
• When to send lost data information to the Attorney General and regulatory bodies
• When you are to place conspicuous notice on your website
• When you are to alert local media and television
CSIRP
You need a plan to follow that includes:
1. What constitutes a breach
2. Who is on the team
3. Who is allowed to talk to any external entity
4. When to involve external crisis management
5. When to trigger your liability policy
CSIRP
1. How to assess the risks (likelihood and severity)
2. Does the breach fall into pre-defined categories (and what are they)
3. What to do to investigate the breach
4. What to do to minimize the breach
5. What to do to report on the breach
6. What to do to never repeat the breach
7. How to close the incident
AFTER THE INFORMATION HAS BEEN GATHERED
WHAT IS THE IMMEDIATE EXPENSE?
• Notification
  • Creating letter or other notification
  • Printing or design
  • Mailing or other transmission
• Public Relations
  • Call Center operations
  • Credit Monitoring or Identity Theft Remediation
  • Advertising & Press Releases
• Forensics
  • Legal Expenses for outside Attorney
  • Cost of Forensic Examination
  • Cost to Remediate Discovered Vulnerabilities
KEY COSTS TO A DATA BREACH
Cost Per Record: $201 (2014), of which indirect costs are $134
DIRECT COSTS
• Discovery
• Data Forensics
VICTIM COSTS
• Notification
• Call Center
• Identity Monitoring
• Identity Remediation
INDIRECT COSTS ($134)
• Lawsuits
• Regulatory Fines
• Additional Security & Audit Requirements
• Reputational Damage/Lost Business
Source: Ponemon Institute, LLC and Symantec Corporation. 2014 Annual Study: U.S. Cost of a Data Breach. March 2014
DATA IS VULNERABLE
Data can escape your organization in many different ways
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches 2008-2013. www.privacyrights.org
Share of breaches by cause (chart data):
• Stationary device: 4%
• Unknown: 6%
• Physical: 12%
• Malicious insider: 12%
• Negligence: 18%
• Hacking: 23%
• Portable devices: 25%
COMPUTER SECURITY vs. INFORMATION SECURITY
COMPUTER SECURITY: This means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events.
INFORMATION SECURITY: This is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.).
INCIDENT RESPONSE PLAN
1. If a company does not have one, they are playing with fire
2. Essential for a company to have in place in order to effectively respond to a security breach
3. IRPs should be tested at least on an annual basis using various breach scenarios
4. IRPs typically include:
   A. IRP Team (ideally Sr. Mgmt. in Info Tech, Customer Service, Legal, Privacy & PR)
   B. Clear guidelines categorizing a risk/threat level
   C. Documentation Instructions
   D. Guidelines for getting third parties involved
   E. Notification Process
INFORMATION SECURITY POLICY
-- One of the most important practices --
Sets the security foundation
First measure that must be taken to reduce the risk of unacceptable use of the company’s information resources
Companies define which assets are critical and ways to protect them
Development and implementation of a security policy turns employees into active participants towards securing company information (helps address the human factor)
Should be tested and reviewed on an annual basis
VIRUS PREVENTION, INTRUSION DETECTION & PENETRATION TESTING
Key factors to help a company protect their systems:
Protection starts with firewalls, as they protect resources on a private network
Anti-virus software can be used to prevent, detect & remove viruses
Intrusion detection software monitors the network for malicious activity or policy violations & reports back (should be reviewed monthly at a minimum)
Penetration tests look for vulnerable access points (preferred, but many small companies don’t run them)
MOBILE DEVICE SECURITY
iPhones, BlackBerrys & laptops bring on challenges to protecting data
A mobile device security policy should prohibit the storage of confidential data on mobile devices
If data is stored on a mobile device, the security policy should mandate the use of data encryption (128-bit recommended)
Want to see power-up passwords, kill switches, and alerts in internal systems when PII is sent
WHAT WE CAN PROVIDE IN PROTECTION & PREVENTION
CYBERSECURITY: THE PATH TO UNDERSTANDING
Exposure & Causes of Loss: “You hold private information”
Legal Issues: “You are obligated to protect it”
Costs of a Data Breach: “Breaches are costly and complicated”
BBR Key Features: “Coverage is available”
INFORMATION AT RISK
Consumer Information
- Credit cards, debit cards, payment info
- Social Security Numbers, ITINs, taxpayer records
- Protected Healthcare Information (PHI), e.g. medical records, test results
- Personally Identifiable Information (PII), e.g. Driver’s License / Passport details
- Non-PII, like email addresses, phone lists, addresses
Employee Information
- Employers have at least some of the above information on all of their employees
Business Partners
- Sub-contractors and Independent Contractors
- Information received from commercial clients as a part of commercial transactions or services
- B2B exposures like projections, forecasts, M&A activity, trade secrets
PII: Personal Identifiable Information
PHI: Personal Health Information
Many people think that without credit cards or PHI, they don’t have a data breach risk. But can you think of any business without any of the above kinds of information?
WHAT IS A DATA BREACH?
Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:
May cause the person inconvenience or harm (financial/reputational)
- Personally Identifiable Information (PII)
- Protected Healthcare Information (PHI)
May cause your company inconvenience or harm (financial/reputational)
- Customer Data, Applicant Data
- Current/Former Employee Data, Applicant Data
- Corporate Information/Intellectual Property
Paper or Electronic
Potential Security Threats
- Compromises to the integrity, security or confidentiality of information
- Circumstances where a data breach may have happened or could happen in the future. (e.g. lost flash drive with PII)
KEY CAUSES OF LOSS
• Lost/Stolen Portable Computers or Media
• Employee Misuse
• Negligent Release
• Improper Disposal of Paper Records
• Lost/Stolen Backup Tapes
• Computer Hacking
• Vendor Negligence
• Improper Disposal of Computer Equipment
Hackers make the headlines, but almost half of data breach incidents result from “insider negligence”. (Ponemon Institute)
815 MILLION RECORDS LEAKED since Privacy Rights Clearinghouse began tracking US data breaches in 2005
CAUSES OF LOSS
Malicious or Criminal Attack: 36%
• Hacking
• Virus, Malware
• Phishing
• Spear Phishing
• Network Intrusion
System Glitch: 29%
Human Factor: 35%
• Lost laptops
• Improper disposal of backup tapes
• Accidental release
• Broken business practices
• Un-shredded documents
• Negligent release
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2013
64% of breaches are accidental
TYPICAL COSTS
• Response costs – sending out notices, call center services, and the offer of credit monitoring:
  o Up to $30 per record
• Forensics, to determine the size and scope of the breach:
  o $25,000 to more than $500,000
• Legal Costs:
  o Very costly: $200,000 up to the millions
• A retailer with just 10 sales a day would pay $781,000 for a year’s worth of breached records.
• An MRI facility conducting 15 scans a day would face expenses exceeding $1 million for every year of patient records compromised.
“IT TAKES 20 YEARS TO BUILD A REPUTATION, AND FIVE MINUTES TO DESTROY IT.” -- Warren Buffett
Q&A
THANK YOU
Lawley Insurance