cyber insurance: what is your - main page - abais · 2018-10-31 · cyber insurance: what is your...


Post on 22-Jun-2020


Page 1: Cyber Insurance: What is your - Main Page - ABAIS · 2018-10-31 · Cyber Insurance: What is your bank doing to manage risk? presented by David Kitchen Lisa Micciche. ... 2016 Proofpoint

aba.com 1-800-BANKERS

Cyber Insurance: What is your bank doing to manage risk?

presented by David Kitchen, Lisa Micciche


Today’s Agenda

• Claims Statistics

• Common Types of Cyber Attacks

• Typical Costs Incurred to Respond to an Incident

• Prevention and Remediation Tips

• We will not cover:

– Overview of notification laws (US State, HIPAA, GDPR, etc.)

– Communication strategies

– Regulatory notifications and investigations


2017 Cyber Claims

Reported Claims by Industry

• Hospitality: 5%
• Public Entity & Non-Profit: 5%
• Media & Technology: 8%
• Energy & Transportation: 8%
• Other: 8%
• Business Services: 10%
• Manufacturing: 10%
• Retail/Wholesale: 12%
• Professional Sector: 18%
• Financial Sector: 18%

Source: AIG Cyber Claims Study 2018


2017 Cyber Claims

Reported Claims by Type, Across Industries

• Denial of Service Attack: 2%
• Regulatory Issues: 4%
• Physical Loss of Assets: 6%
• Virus Infection (Non-Ransomware): 8%
• Other: 8%
• Impersonation Fraud: 9%
• Security Failures: 15%
• Data Breach: 19%
• Extortion: 29%

Source: AIG Cyber Claims Study 2018


2017 Cyber Claims

Reported Claims by Type, Community Banks

• Ransomware: 2%
• Phishing: 3%
• Physical Data Loss: 8%
• Data / System Breach: 13%
• Impersonation Fraud: 14%
• Intellectual Property: 23%
• ADA: 37%

Claims Losses by Type, Community Banks

• Ransomware: 7%
• Data / System Breach: 35%
• Impersonation Fraud: 51%
• Intellectual Property: 1%
• ADA: 6%


Top 3 Security Risks

• Remote access ability

• Weak password requirements

• Lack of education (phishing)


What happened?


Industries Affected

Source: BakerHostetler Data Security Incident Response Report 2018


Data at Risk

Source: BakerHostetler Data Security Incident Response Report 2018


Timeline: Incident Response Trends

Source: BakerHostetler Data Security Incident Response Report 2018


Overall

Source: BakerHostetler Data Security Incident Response Report 2018


W-2 and Business Email Compromise

• Scammers use emails from a target organization’s CEO, asking HR and accounting personnel for employee W-2 information.

• Scammers last year also phished online payroll management account credentials used by corporate HR professionals.


Business Email Compromise Examples

Version 1: “Bogus Invoice,” “Supplier Swindle,” and “Invoice Modification”

A business with a long-standing relationship with a supplier is asked to wire funds for invoice payment to an alternate, fraudulent account. If an e-mail is received, the subject will spoof the e-mail request so it appears similar to a legitimate account, and it takes close scrutiny to determine it was fraudulent. If a fax or call is received, it will mimic a legitimate request.

Version 2: “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds”

Email accounts of business executives (CFO, CTO, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee who is normally responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”

Version 3

An employee has his/her personal e-mail hacked. Requests for invoice payments to fraudster-controlled bank accounts are sent from the employee’s personal e-mail to vendors identified from the contact list. The business may not become aware of the fraudulent requests until they are contacted by the vendors to follow up on the status of their invoice payment.


Account Takeovers


Phishing Statistics


Threat Vector Tactics: The Most Used Email Lures

Source: 2016 Proofpoint “The Human Factor”


Ransomware on the Rise

• On April 29, 2016, the FBI issued a warning that ransomware attacks are on the rise.

• Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers.

• Hollywood Presbyterian Medical Center paid 40 bitcoins (about $17,000) to hackers who were holding its computer network hostage.


Ransomware is here to stay

• Critical reliance on technology

• New iterations affect mobile and IoT devices

• Low entry cost for cybercriminals

• Business-oriented ransomware models are:

– Developing new strains

– Engaging in customer service

– Data mining


A Simplified View of a Data Breach

Stages shown in the diagram:

• Discovery of a Data Breach
• Evaluation of the Data Breach
• Managing the Short-Term Crisis
• Handling the Long-Term Consequences

Events and costs shown in the diagram:

• Theft, Loss, or Unauthorized Disclosure of PHI, PII, PCI
• Forensic Investigation and Legal Review
• Notification and Credit Monitoring
• Class-Action Lawsuits
• Regulatory Fines, Penalties, and Consumer Redress
• Public Relations
• Reputational Damage
• Income Loss


Responding to Security Incidents is Costly

Source: BakerHostetler Data Security Incident Response Report 2018


Be “Compromise Ready”

• Threat information gathering

• Technology – preventative & detective

• Personnel – awareness & training

• Security assessments

– Understand where assets and sensitive data are located

– Implement reasonable safeguards

– Increase detection capabilities

• Vendor management

• Incident response plan and tabletop exercises

• Insurance

• Ongoing diligence and oversight


Incident Response Trends

1. Increase awareness of cybersecurity issues

2. Identify and implement basic security measures

3. Create a forensics plan

4. Build business continuity into your incident response plan

5. Manage your vendors

6. Combat ransomware

7. Purchase the right cyber insurance policy

8. Implement a strong, top-down risk management program

9. Adopt updated password guidance, and implement MFA or other risk-based authentication controls

10. Keep data secure in the cloud

11. Prepare for more regulatory inquiries


We welcome your questions at this time.


Thanks for your participation

Contact information

David Kitchen, BakerHostetler

[email protected]

216-861-7060

Lisa Micciche, ABA Insurance Services

[email protected]

216-220-1297