The Institute of Internal Auditors Detroit Chapter Presents


Post on 02-Jun-2020


Page 1: The Institute of Internal Auditors Detroit Chapter Presents · First Party-Post breach response: Forensic investigation, proper notification of affected individuals, credit card monitoring,

The Institute of Internal Auditors Detroit Chapter

Presents

Page 2:

Presented by Taras Shalay

CYBER & PRIVACY LIABILITY

Page 3:

In order to receive CPE credit for this webcast, participants must:

Attend the webcast on individual computers (one person per computer)

Answer polling questions asked throughout the webcast

When answering polling questions, select your answer and then click the “Vote” button (next to the “Ask a Question” button) to submit and save your answer.

CPE certificates will be sent to the e-mail address on your BrightTALK account within two weeks of this webinar.

Earning CPE Credit

Page 4:

If You Have Questions…

If you have questions during the webcast:

– If necessary, exit Full Screen View by pressing the Esc key

– Submit questions through the Ask a Question button

Page 5:

Please tell us your member status

A) Member – Detroit Chapter

B) Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)

C) Member – Other District

D) Non-member

Page 6:

Cyber Breach vs. Data Breach

Cyber Liability – the liability that now exists for businesses to protect the personal information of their customers and employees

Cyber Breach – an outside source is able to breach your systems and obtain personal information (data)

Data Breach – although it can include a cyber breach, it can also pertain to the accidental release of personal information from within your network. Can involve data or paper records.

Page 7:

Sobering statistics

On average it will cost a US organization $225 per record breached (5,000 records = $1,125,000)

Consolidated findings show that malicious or criminal attacks are the most costly data breaches – $236 per record

Malicious or criminal attacks are most often the cause of data breach globally (47%)

System glitch 25%, human error 28%

The average financial impact per security incident - $7.35M (Ponemon Institute, sponsored by IBM)

Source: Ponemon Institute: 2015 Cost of Data Breach: Global Analysis

Page 8:

Data Breach Example

A school in California accidentally releases social security numbers of all of its students.

Cyber policy doesn’t respond as personal information of individuals under the age of 18 does not trigger the policy coverage.

Page 9:

$225 PER RECORD?

Typical activities for discovery and the immediate response to the data breach include the following:

• Conducting investigations and forensics to determine the root cause of the data breach

• Determining the probable victims of the data breach

• Organizing the incident response team

• Conducting communication and public relations outreach

• Preparing notice documents and other required disclosures to data breach victims and regulators

• Implementing call center procedures and specialized training

Source: Ponemon Institute: 2015 Cost of Data Breach: Global Analysis

Page 10:

$225 PER RECORD?

The following are typical activities conducted in the aftermath of discovering the data breach:

• Audit and consulting services

• Legal services for defense/compliance

• Free or discounted services to victims of the breach

• Identity protection services

• Lost customer business based on calculating customer churn or turnover

• Customer acquisition and loyalty program costs

Source: Ponemon Institute: 2015 Cost of Data Breach: Global Analysis

Page 11:

True or False?

When discussing Cyber Liability, a data breach and a cyber breach can be used interchangeably?

Page 12:

False

Although both terms are commonly used to explain cyber liability, one deals with intrusion into the network via computer (cyber breach) and the other deals with any loss of personal information, even if caused by a mistake by the business (data breach).

Page 13:

INSURANCE

Page 14:

Network Security Endorsement

Endorsement added to GL and Professional Liability policies

Provided only 3rd party class action lawsuit coverage, and in most instances was sub-limited

Did not respond to the following:

– Notification costs

– Credit monitoring

– Forensic investigation costs

– PCI/regulatory fines and penalties

– Cyber threats/extortion

Page 15:

Cyber Liability Policy

Responds to both 1st and 3rd party claims (“holds insured’s hand”)

Separate policy form with full limits dedicated to a breach

Separate insuring agreements that detail various areas of a business affected by a cyber breach

Page 16:

AVAILABLE COVERAGE // THE BASICS

First Party – Post breach response: Forensic investigation, proper notification of affected individuals, credit card monitoring, and establishing a call center. As of August 1, 2017, only Alabama and South Dakota have no laws related to security breach notification.

Third Party: Coverage for financial damages to clients resulting from a security breach of your data or data for which you are responsible

Business Interruption: Reimbursement for your reduction in profit during a system outage period

System Damage: Rectification costs for retrieving, restoring or replacing any of your computer programs

Page 17:

AVAILABLE COVERAGE // THE BASICS

Threats/Extortion: Ransom payment to prevent unauthorized access to your computer system, introduction of a virus, revealing confidential data including protected health information, and reputational harm by posting false or misleading comments about you on social media sites

Multimedia: Intellectual property rights infringement (no patent), defamation (libel, slander), misappropriation of content and trade secrets

Cyber Crime: Unauthorized electronic funds transfer, theft of money or other financial assets

Public Relations: Crisis and reputation management

Page 18:

COVERAGE // KEY ITEMS

Contractual Liability

PCI Fines

Regulatory fines & penalties

Future loss of customers

(Ponemon – 2014 Cost of Data Breach Study)

Page 19:

KEY ITEMS // CONTINUED

Full prior acts

Insured identity theft (not clients)

Phishing

True World Wide coverage

Page 20:

True or False?

Adding a Network Security endorsement will provide the same coverage as a Cyber Liability Policy?

Page 21:

False

A Network Security endorsement primarily provides coverage in the event of a class action lawsuit or suits from third parties, but does not typically provide 1st party coverage to assist with dealing with a breach.

Page 22:

CLAIMS BROUGHT BY WHO?

1) Customers whose information was compromised

2) Financial institutions such as banks/credit unions that service these consumers

3) Derivative actions brought by company shareholders

Page 23:

TARGET

In April of 2014, these cases were consolidated in the United States District Court for the District of Minnesota.

As of May 7, the consolidated case consisted of roughly 81 class actions brought by consumers, 28 class actions brought by financial institutions, and 4 shareholder derivative actions.

Page 24:

No media attention?

Shaker Clinic – State: OH – Breach Type: Paper – Breach Category: Medical/Healthcare – # of records reported: 617

Shaker Clinic in Ohio, a psychiatric care facility for adults and seniors, reported that 617 patients were notified of loss of paper records on February 18.

617 compromised records x $359 (healthcare related) = $221,503 organizational cost.

Publication: phiprivacy.net / hhs.gov

Page 25:

JIMMY JOHNS // 2014

216 of 2,000 stores affected

The breach occurred through a POS system provided by a third party

Damages have not been disclosed, but Jimmy John’s was forced to front computer forensic costs as well as customer satisfaction costs

http://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/

Page 26:

OBJECTION

A breach won’t happen to us – we are not a target

40% of all cyber attacks target businesses with fewer than 500 employees – National Cybersecurity Awareness Campaign, Homeland Security

Only a small percentage of cyber attacks are considered targeted attacks, meaning the attacker group is going after a particular company or group of companies in order to steal specific data

“It’s easy for small businesses to become lax in regards to their Internet security, thinking they’re too small for hackers to bother with. However, according to the Minnesota Cyber Crime Task Force, these are the businesses which are squarely in the crosshairs of cyber criminals.”

Dana Badgerow, President and CEO of the Better Business Bureau

Page 27:

OBJECTION

I do not store sensitive information

What is your definition of sensitive? Biometric data, email addresses, employee data

Use of the cloud/outsourcing? You are the ultimate data owner. If there is a breach, who will your clients come to first? What does your vendor contract look like? Who is assuming responsibility in the event of a breach? Does your vendor have the proper resources should a breach occur?

Page 28:

OBJECTION

I have coverage under other policies (GL, D&O)

See Sony PlayStation case: a New York trial court recently ruled in a (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America

Justice Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

Source: http://www.insurancejournal.com/news/east/2014/03/17/323551.htm

Page 29:

OBJECTION

Applications are too long/confusing

Applications have evolved – one-page apps are available

Cost prohibitive

Significant competition between carriers has driven down price while expanding upon available coverages

Page 30:

True or False?

My other insurance policies will respond to a breach if I do not carry Cyber Liability coverage.

Page 31:

False

Sony and other companies have tried to rely on General Liability and D&O policies in the past to provide coverage for a breach, but have failed. It is not excluded on all of these forms and requires the business owner to purchase a separate Cyber Liability policy.

Page 32:

THANK YOU

Taras Shalay // Allied Insurance Managers

[email protected]

586.344.1982