Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series

  • 9/13/2016

  • Bruce Carlson President & CEO Connecticut Technology Council

  • Martin

    McBride

    Frank Rudewicz, Partner in Charge NE Advisory Services Marcum LLP

  • marcumllp.com

    Data Breaches and Cyber Threats: Past and Present

  • Cybercrime is a clear, present, and permanent danger. While it's a permanent condition, however, the actors, threats, and techniques are very dynamic.

    Tom Ridge, CEO of Ridge Global and first secretary of the US Department of Homeland Security

  • Data Theft: Past History

    Physical in Nature

    Shoulder Surfing Surveillance Photos Dumpster Diving

  • IT Infrastructure Services

    Root Cause: Past History

    Laziness Complacency

  • Data Theft: Current

    Cyber in Nature

    Social Media, Like-Jacking, Link-Jacking, Phishing, Social Spam, Social Engineering

  • Changing Attacker Profiles

    Recreational; Criminal; Hacktivist; Organized Crime; State Sponsored

    Fame/Notoriety; Vandalism; Statement; Economic Gain; Cyberwar, state secrets, Industrial espionage

    Limited Technical Resources

    Limited Technical Capabilities

    Relentless, emotionally committed

    Significant Technical Resources/ Capabilities

    Highly sophisticated

    Known Exploits Vast Networks Established syndicates

    Nearly unlimited resources

    Targeted Attacks Adware, Crimeware, IP theft

    Advanced persistent threats

  • IT Infrastructure Services

    Root Cause: Current

    Laziness

    Complacency

  • Four Potential Minefields to Worry About

    Bring Your Own Device, BYOD

    Know Your Employee

    Supply Chain Risk

    Cyber and Technology Risk

  • The 2 Ps to Remember

    Everyone is a potential target and it is nearly impossible to totally prevent an attack

    If You Can't Prevent

    You Must Prepare

  • Q&A? Final Thoughts

  • Martin

    McBride

    Larry Selnick, SVP and Director, Commercial Deposit and Treasury Services Sales, Webster Bank

    CTC Cybersecurity Task Force Member

  • Martin

    McBride

    Larry Racioppo, SVP Management & Professional Services

    USI

  • 2014 USI Insurance Services. All rights reserved.

    CONFIDENTIAL AND PROPRIETARY: This presentation and the information contained herein is confidential and proprietary information of USI Insurance Services, LLC ("USI"). Recipient agrees not to copy, reproduce or distribute this document,

    in whole or in part, without the prior written consent of USI. Estimates are illustrative given data limitation, may not be cumulative and are subject to change based on carrier underwriting. 2014 USI Insurance Services. All rights reserved.

    Larry Racioppo, SVP | Management & Professional Services (MPS) www.usi.com

    NETWORK SECURITY & PRIVACY (CYBER) OVERVIEW

    September 2016

  • What Can a Cyber Policy Cover?

    Security/Privacy Liability

    First Party: Other Business Costs

    - Business interruption

    - Data repair/replacement

    - Cyber-extortion

    - Social Engineering

    First Party: Breach Notice Costs

    - Forensic Investigation

    - Crisis management/PR

    - Notification costs

    - Credit monitoring

    Third Party: Civil Lawsuits

    - Consumer class action

    - Corporate or financial institution suits

    - Credit card brands

    - PCI fines, penalties, and assessments

    Third Party: Regulatory Actions

    - State AG investigations

    - FTC investigations

    - Health & Human Services

    - Foreign Privacy Entities

  • Cyber Statistics

    E-mail received from PayPal:

    You've sent a payment of $90 to Youseff Mansouer

    Forwarded to PayPal and their response:

    Thank you for partnering with PayPal to combat fraudulent emails. We take reports of suspicious email very seriously. Your submission helps us identify potentially malicious activity and take the appropriate action needed to protect our customers.

    Did you know that approximately 90% of all email sent worldwide falls into the spoof, phishing, spam, and general junk category? By submitting reports of suspicious email to us you are helping to address this problem.

  • Cyber Statistics

    The most prevalent attacks against smaller businesses are Web-based and phishing/social engineering.

    Negligent employees or contractors and third parties cause most data breaches.

    In June 2016, the Ponemon Institute surveyed 600 small to medium sized companies. 55 percent of these respondents indicated their companies experienced a cyber attack in the past 12 months and more than half reported a data breach involving the release of customer and/or employee information.

    % of Organizations experiencing a cyber attack or data breach in the past 12 months:

    Source:

  • Cyber Statistics

    Social Engineering

    - Hackers use trickery, based on internal or vendor communication, to induce employees to process fraudulent wire transfers

    - Average Social Engineering related loss is $130,000

    - Claims of $100,000 to $500,000 are the norm for mid-size businesses

    - Top 5 include:

      - Xoom Corp. - $30M (January 2015)

      - Scoular Co. - $17.2M (February 2015)

      - Ubiquiti Networks - $46.7M (August 2015)

      - FACC (Austria) - $54M (January 2016)

      - Crelan Bank (Belgium) - $76M (February 2016)

    Cyber Extortion (aka Ransomware)

    - Cyber attack that involves a demand for $$ to avoid or stop a network attack/data breach

    - On average, in 2016 there are approx. 4,000 ransomware attacks per day, up from 1,000 in 2015

    - 77% of attacks between $500 and $10,000

    - 20% of attacks sought over $10,000

    - Only 1% sought in excess of $150,000

  • Negotiating a cyber placement

    Breach Response Costs coverage

    - Offered at full policy limit or sub-limited?

    - Inclusive of overall limit or outside the limit?

    - Dollar amount or on a per record basis?

    Other things to consider:

    - Regulatory coverage (seek full limit and defense/penalties)

    - Seek full unknown prior acts coverage

    - Avoid "unencrypted portable device" exclusions

    - Data restoration/business interruption cover (waiting period)?

    - Cyber extortion/ransomware coverage?

    - Social Engineering sub-limit offered?

  • Cyber Insurance as a Last Line of Defense

    - Fills gaps in traditional property/casualty insurance

    - Acts as a financial backstop to protect your budget

    - Be out in front with continuity planning

    - Assist in establishing relationships with key vendors

    - Demonstrates an organizational commitment to network security/privacy

    - Access to wide range of resources at time of loss:

      - Forensics firm: who, what, where, when

      - Attorney for various state requirement compliance

      - Contractual indemnification obligations

      - Public Relations expense: brand protection

      - Credit monitoring, notification assistance

      - ID restoration services

      - Licensed investigator/fraud specialist

  • Martin

    McBride

    Matt Prevost, Vice President, North American Financial Lines Chubb

  • State of Cyber Risk & Cyber Litigation CTC September 14th

    September, 2016 Matt Prevost

  • Cyber Insurance Market An Opportunity for Growth

    What is Cyber Insurance?

    First Party: Data Breach Expense, Digital Recovery Loss, Business Interruption Loss, Contingent Business Interruption Loss

    Crime: Cyber Extortion, Electronic/Deceptive Funds Transfer, Telephone Toll Fraud

    Third Party: Privacy Liability, Network Security Liability, Internet Media Liability

    What about other lines?

    This presentation is an internal document and is not for external distribution. It is solely for informational purposes and is not intended as legal advice. It may not be copied or disseminated in any way without the permission of a member of Chubb Group.

    Market Share

    Cyber Market Estimated at $3.5 billion (up from $500M '08 / Approximately $3bn in US)

    Market Penetration Estimates: Major Accounts 27-50%; Commercial Insurance 17-35%; Small Commercial 3-6%

    Primary Industries: Financial, Technology, Professional Services, Retail/Hospitality, Healthcare, Life Sciences, Education, Public Entity

    [Market share chart: New Chubb (13%), AIG, Beazley, Rest of Market]

  • Key Emerging Trends

    July, 2016

    Internet of Things

    Post-Incident Shifts

    Credential Harvesting

    Ransomware

    Social Engineering
