9/13/2016 1
Bruce Carlson President & CEO Connecticut Technology Council
Martin McBride
Frank Rudewicz, Partner in Charge NE Advisory Services Marcum LLP
marcumllp.com
Data Breaches and Cyber Threats: Past and Present
Cybercrime is a clear, present, and permanent danger. While it's a permanent condition, however, the actors, threats, and techniques are very dynamic.
Tom Ridge, CEO of Ridge Global and first secretary of the US Department of Homeland Security
Data Theft: Past History
Physical in Nature
Shoulder Surfing Surveillance Photos Dumpster Diving
IT Infrastructure Services
Root Cause: Past History
Laziness
Complacency
Data Theft: Current
Cyber in Nature
Social Media
Like-Jacking
Link-Jacking
Phishing
Social Spam
Social Engineering
Changing Attacker Profiles
Recreational; Criminal; Hacktivist; Organized Crime; State Sponsored
Fame/Notoriety; Vandalism; Statement; Economic Gain; Cyberwar, state secrets, industrial espionage
Limited Technical Resources
Limited Technical Capabilities
Relentless, emotionally committed
Significant Technical Resources/Capabilities
Highly sophisticated
Known Exploits; Vast Networks; Established syndicates
Nearly unlimited resources
Targeted Attacks; Adware, Crimeware, IP theft
Advanced persistent threats
Root Cause: Current
Laziness
Complacency
Four Potential Minefields to Worry About
Bring Your Own Device, BYOD
Know Your Employee
Supply Chain Risk
Cyber and Technology Risk
The 2 Ps to Remember
Everyone is a potential target and it is nearly impossible to totally prevent an attack
If You Can't Prevent
You Must Prepare
Q&A? Final Thoughts
Larry Selnick, SVP and Director, Commercial Deposit and Treasury Services Sales, Webster Bank
CTC Cybersecurity Task Force Member
Larry Racioppo, SVP Management & Professional Services
USI
2014 USI Insurance Services. All rights reserved.
CONFIDENTIAL AND PROPRIETARY: This presentation and the information contained herein is confidential and proprietary information of USI Insurance Services, LLC ("USI"). Recipient agrees not to copy, reproduce or distribute this document,
in whole or in part, without the prior written consent of USI. Estimates are illustrative given data limitation, may not be cumulative and are subject to change based on carrier underwriting. 2014 USI Insurance Services. All rights reserved.
Larry Racioppo, SVP | Management & Professional Services (MPS) www.usi.com
NETWORK SECURITY & PRIVACY (CYBER) OVERVIEW
September 2016
What Can a Cyber Policy Cover?
Security/Privacy Liability
First Party: Other Business Costs
- Business interruption
- Data repair/replacement
- Cyber-extortion
- Social Engineering
First Party: Breach Notice Costs
- Forensic Investigation
- Crisis management/PR
- Notification costs
- Credit monitoring
Third Party: Civil Lawsuits
- Consumer class action
- Corporate or financial institution suits
- Credit card brands
- PCI fines, penalties, and assessments
Third Party: Regulatory Actions
- State AG investigations
- FTC investigations
- Health & Human Services
- Foreign Privacy Entities
Cyber Statistics
E-mail received from PayPal:
You've sent a payment of $90 to Youseff Mansouer
Forwarded to PayPal and their response:
Thank you for partnering with PayPal to combat fraudulent emails. We take reports of suspicious email very seriously. Your submission helps us identify potentially malicious activity and take the appropriate action needed to protect our customers.
Did you know that approximately 90% of all email sent worldwide falls into the spoof, phishing, spam, and general junk category? By submitting reports of suspicious email to us you are helping to address this problem.
Cyber Statistics
The most prevalent attacks against smaller businesses are Web-based and phishing/social engineering.
Negligent employees or contractors and third parties cause most data breaches.
In June 2016, the Ponemon Institute surveyed 600 small to medium sized companies. 55 percent of these respondents indicated their companies experienced a cyber attack in the past 12 months and more than half reported a data breach involving the release of customer and/or employee information.
% of Organizations experiencing a cyber attack or data breach in the past 12 months:
Source:
Cyber Statistics
Social Engineering
Hackers use trickery, based on internal or vendor communication, to induce employees to process fraudulent wire transfers
Average Social Engineering related loss is $130,000
Claims of $100,000 to $500,000 are the norm for mid-size businesses
Top 5 include:
- Xoom Corp. - $30M (January 2015)
- Scoular Co. - $17.2M (February 2015)
- Ubiquiti Networks - $46.7M (August 2015)
- FACC (Austria) - $54M (January 2016)
- Crelan Bank (Belgium) - $76M (February 2016)
Cyber Extortion (aka Ransomware)
Cyber attack that involves a demand for $$ to avoid or stop a network attack/data breach
On average, in 2016 there are approx. 4,000 ransomware attacks per day, up from 1,000 in 2015
77% of attacks between $500 and $10,000
20% of attacks sought over $10,000
Only 1% sought in excess of $150,000
Negotiating a cyber placement
Breach Response Costs coverage
- Offered at full policy limit or sub-limited?
- Inclusive of overall limit or Outside the limit?
- Dollar amount or on a per record basis
Other things to consider:
- Regulatory coverage (seek full limit and defense/penalties)
- Seek full unknown prior acts coverage
- Avoid Unencrypted portable device exclusions
- Data restoration/business interruption cover (waiting period)?
- Cyber extortion/ransomware coverage?
- Social Engineering sub-limit offered?
Cyber Insurance as a Last Line of Defense
Fills gaps in traditional property/casualty insurance
Acts as a financial backstop to protect your budget
Be out in front with continuity planning
Assist in establishing relationships with key vendors
Demonstrates an organizational commitment to network security/privacy
Access to wide range of resources at time of loss:
- Forensics firm: who, what, where, when
- Attorney for various state requirement compliance
- Contractual indemnification obligations
- Public Relations expense: brand protection
- Credit monitoring, notification assistance
- ID restoration services
- Licensed investigator/fraud specialist
Matt Prevost, Vice President, North American Financial Lines Chubb
State of Cyber Risk & Cyber Litigation CTC September 14th
September, 2016 Matt Prevost
Cyber Insurance Market: An Opportunity for Growth
What is Cyber Insurance?
First Party: Data Breach Expense; Digital Recovery Loss; Business Interruption Loss; Contingent Business Interruption Loss
Crime: Cyber Extortion; Electronic/Deceptive Funds Transfer; Telephone Toll Fraud
Third Party: Privacy Liability; Network Security Liability; Internet Media Liability
What about other lines?
This presentation is an internal document and is not for external distribution. It is solely for informational purposes and is not intended as legal advice. It may not be copied or disseminated in any way without the permission of a member of Chubb Group.
Cyber Market Estimated at $3.5 billion (up from $500M '08 / Approximately $3bn in US)
Market Penetration Estimates: Major Accounts 27-50%; Commercial Insurance 17-35%; Small Commercial 3-6%
Primary Industries: Financial Technology Professional Services Retail/Hospitality Healthcare Life Sciences Education Public Entity
Market Share (chart labels): New Chubb (13%); AIG; Beazley; Rest of Market
Key Emerging Trends
July, 2016
Internet of Things
Post-Incident Shifts
Credential Harvesting
Ransomware
Social Engineering
This pres