Transcript Slide 1

Protecting Your Business From Information Thieves:
Overview of Security/Privacy Risks and Risk Transfer
EIM conference - February 24, 2009
Emily Freeman
Technology Risks
Executive Director
Lockton International
[email protected]
Lockton Companies International Limited. Authorised and
regulated by the Financial Services Authority. A Lloyd’s
Broker.
Seismic Shift in Risk
“As operational and security risk change, a broader gap between the protection of risk and the reality of risk is being created.”
Daniel Linsker, head of the Americas Desk, Control Risks, interview with The Financial Times, January 12, 2009
S:/UNIT50/UNIT FILES/SEMINARS/2008/FEB 2008 CYBER/RETAILINDUSTRYCYBERupdated.PPT
Network and Privacy Risk Basics – People, Processes, and Technology in an Ever-Changing Environment
• Security Liability: Was unencrypted computerized information or paper documents containing personally identifiable non-public information acquired or accessed by an unauthorized person? (trigger of 44+ state notification laws with variants; 8-9 states include paper documents)
  • Responsibility is on the data owner worldwide to its customers and employees (even if data is transferred to a business partner or vendor, whether located on/offshore).
  • It’s not where you are located, but where the affected persons reside.
  • Motives range from nuisance/malicious hacking through extortion and terrorism.
  • Identity theft is a business and heavily involves organized crime around the world.
  • Constant evolution of threats and attacks, such as social engineering ruses.
• Privacy Liability: Violation of privacy laws or regulations that permit individuals to control the collection, access, transmission, use, and accuracy of their personally identifiable financial information. Laws vary substantially by country.
Severity Risk and Getting Worse
• Impact of vicarious liability resulting from increased outsourcing and offshoring.
• Regulatory enforcement actions (particularly by the U.S. Federal Trade Commission and state attorneys general) for breaches of privacy and security as identity theft continues to grow. Canada and EU regulators are also active.
• Significant class action activity and derivative shareholder actions on the back of large security breaches. Largest quantified loss is over $190 ML (T. J. Maxx).
• Utilities are “creditors” and accept credit cards. Credit card associations are regulating security practices surrounding credit card information and have requirements for notice and the ability to fine, among other things. Issuing banks are willing to sue the merchant or processor who caused the security breach to recover their costs to close compromised credit card accounts and reopen them.
Important 2008 Developments
United States:
• Minnesota Plastic Card Security Act (Effective 8/1/2007; liability provisions 8/1/2008) – first state to turn a core requirement of PCI into a law. Companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards. They could also be subject to lawsuits filed by individuals claiming to have been affected by violations of the law. Note: Some packaged payment applications store personal identification numbers and other prohibited card information by default.
• Red Flags – 2008 FACTA Expansion (Effective 5/1/09) – Board-approved identity theft prevention program. Applies to financial institutions and to utilities that fit under the definition of “creditor”.
• California Expansion of Notification Statute to Medical Data – AB1298 (Effective 1/1/2008) – adds first initial/last name associated with medical information and health insurance information to the list of covered data elements.
• Identity Theft Enforcement and Restitution Act (federal bill approved by US Senate, pending in the House of Representatives). The amended bill would impose harsher restrictions on cyber attacks and allow ID theft victims to recoup, in federal courts, costs associated with the loss of time and money spent restoring their credit standing.
• Massachusetts Security Rules (Effective 1/1/10) – strongest state rules regarding protection of personal data of Mass-based employees and residents, regardless of where the data owner is located.
EU and other countries like Canada and Australia are moving to mandatory notification requirements.
Who, Why, and Common Themes Metrics
(Verizon 2008 Data Breach Investigations Report, based upon 4 years and over 500 forensic engagements)
Who is behind data breaches?
• 73% resulted from external sources
• 18% were caused by insiders
• 39% implicated business partners or vendors (rose five-fold over the 4 years of the study)
• 30% involved multiple parties
How do breaches occur (many in combination of causes)?
• 62% were attributed to a significant error
• 59% resulted from hacking and intrusions (choice of cyber criminals)
• 31% incorporated malicious code or malware (major target – application layer)
• 22% exploited a vulnerability (90% of these had identifiable patches available at least six months prior to the breach)
• 15% were due to physical threats
What commonalities exist in these events?
• 66% involved data the victim did not know was on the system (most common – did not know the data was on the compromised system, laptop, or other mobile device)
• 75% of breaches were not discovered by the victim (but by others like banks, law enforcement, etc.)
• 83% of attacks were not highly difficult
• 85% of breaches were the result of opportunistic attacks
• 87% were considered avoidable through reasonable controls
Magnitude?
• According to the CEO of McAfee (Information Week, 2007): worldwide data losses now represent $40 billion in losses to affected companies and individuals; cyber crime has become a $105 billion business that now surpasses the value of the illegal drug trade worldwide.
• High tech thieves come armed with a keyboard.
• By year-end 2008, the total number of breaches on the Identity Theft Resource Center’s breach list reached 656, an increase of 47% over last year’s total of 446. More than 35 million data records have been exposed. (www.identitytheftresourcecenter.com)
• Largest incidents/estimated number of records:
  • 90 ML+ (Heartland Payments/2009)
  • 94 ML (TJX companies/2007)
  • 40 ML (CardSystems Solutions/2005)
  • 30 ML (AOL/2004)
  • 25 ML (HM Customs and Revenue, UK/2007)
  • 26.5 ML (US VA/2006)
  • 8.5 ML (FNIS/2007)
  • 6.3 ML (TD Ameritrade/2007)
Direct Loss of Data Breaches
• Data breach front end direct costs are a major component of loss.
• Direct costs average $6.6 ML, varying by industry and by whether fraud/identity theft is involved.
Per capita cost of a data breach has gone up more than 31% in the past year when the four activities associated with detecting and dealing with a breach are taken into account. (Ponemon 2008 Annual Study of a Data Breach)

Per capita cost by activity (US$ per record):
Cost                     2006   2007   2008
Detection & escalation    $11     $9     $8
Notification              $25    $15    $15
Response                  $47    $46    $39
Lost business             $98   $128   $139
Total                    $181   $199   $202
Sample Claim
A financial services provider loses a data tape containing unencrypted customer account data (not credit cards). A class action lawsuit follows, resulting in the following costs:
• Technical Forensics – $900,000
• ID Theft Forensics – $2,900,000
• Mailing costs (includes secondary notification to “class”) – $2,200,000
• Call Center – $75,000 (most handled in-house)
• Credit Monitoring – $2,500,000
• Additional Loss Mitigation – $2,500,000
• Outside attorney expenses – $1,100,000
• Additional Settlement Costs (including plaintiffs’ fees) – $5,000,000
Total – $16,175,000 (average security breach in US is currently $6.3 ML)
Impact of Cyber Risk
(Diagram: Your Company at the centre, surrounded by Assets, Operations, Brand, Equity, Financial, and Litigation and Regulatory Exposures.)
Impact on Brand
According to the Javelin Research Survey, Customer Survey on Data Breach Notification, Javelin Research & Strategy, June 2008, major findings:
• For 40% of consumers, security breaches changed their relationships with the affected institution or business.
• Confidence and buyer behavior are severely impacted by security breaches, with 55% of victims trusting the affected organization less, and 30% choosing to never purchase goods or services again from that organization.
• Breach victims are beginning to expect fraud protection assistance from the institution, with 36% already having been offered some kind of identity fraud protection service.
• The majority of breach victims (56%) prefer a solution that prevents fraudulent use of their information, rather than detecting or resolving fraud after it has occurred.
Security in An Outsourced World
• Business Associates/Partners
• BPO
• ITO such as IT programming/code maintenance
• Hosting, IT security management and support
• Accounting
• Customer relations
• Call center
• Customer support
• Fulfillment
• Telemarketing
• HR and Payroll
• Employee Benefits
• Data storage/repository
India is the leading offshore destination for Business Process Outsourcing Services
Global BPO market size 2008 estimate: $270 billion
Growing 7-10% annually
Source: Everest Research Institute and Gartner
(Pie chart – share of offshore BPO by destination:)
• India 33%
• Canada 33%
• Philippines 14%
• Others 6%
• Ireland 5%
• C&EE 4%
• Mexico 3%
• China 2%
Vendor Management and Contract Governance
Lockton client service offering providing guidance in setting up vendor management plan
to address security and data breaches including:
• Checklist for due diligence; IT security questionnaire
• Ideas for contractual provisions (to be referred to attorneys in the legal department)
• Insurance clause provisions
• Workshops
• Outside resources
Sample Insurance Clause
“Vendor agrees to purchase and maintain throughout the term of this Agreement
technology/professional liability insurance, intellectual property infringement, and data protection
liability insurance (cyber liability) covering liabilities for financial loss resulting or arising from acts,
errors, or omissions, in rendering [type of service] or in connection with the services provided under
this agreement:
• intellectual property infringement arising out of software and/or content (excluding patent
infringement and misappropriation of trade secrets);
• breaches of security;
• violation or infringement of any right of privacy, breach of federal, state, or foreign security and/or
privacy laws or regulations including but not limited to [specific regulations];
• data theft, damage, destruction, or corruption, including without limitation, unauthorized access,
unauthorized use, identity theft, theft of personally identifiable information or confidential
corporate information, transmission of a computer virus or other type of malicious code; and
participation in a denial of service attack on a third party
with a minimum limit of [$X,000,000] each and every claim and in the aggregate. Such insurance
must address all of the foregoing without limitation if caused by an employee of the Vendor or an
independent contractor working on behalf of the Vendor in performing services under this contract.
Policy must provide coverage for wrongful acts, claims, and lawsuits anywhere in the world.
Insurer must have a Best's rating of [ ] or better. Any material change in the policy or cancellation
must be reported to the Client with not less than thirty (30) days prior written notice. The policy
must be kept in force during the life of the contract and for [ ] years (either as a policy in force or
extended reporting period) after contract termination. Vendor shall provide a Certificate of
Insurance in compliance with these requirements and client reserves the right to obtain a copy of
the professional liability and data protection liability insurance policy.”
Additional Issues: Additional Insured Status, Waivers of Subrogation, Primary,
Separation of Insureds, etc.
Security Breach Incident Response
Lockton client service offering providing guidance in setting up a risk management plan
and process to address data breaches including:
• Process guidelines
• Content and scope of plan
• Workshops and meetings to assist client team
• Outside resources (legal, forensics, credit protection resources, etc.)
Why should you transfer data protection risks through your own insurance program?
• Many functions are conducted by outside vendors and contractors who may lack insurance and assets to respond. What if the vendor makes a systemic mistake? What if they fail to purchase insurance or keep it? What if they are located in a country where this insurance cannot be obtained? What if the policy they purchased denies coverage or has inadequate limits?
• PCI (the credit card industry’s security standard) compliant companies have had their security compromised through process lapses, human error, or a criminal insider.
• No system can be designed to eliminate the potential for loss, as people and process failures cannot be eliminated. Insiders may be perpetrators.
• Responsibility rests with the data owner from a legal and regulatory perspective, and under credit card association operating regulations.
• Investor fallout from uncovered losses with large claim and class action potential and major impact on brand and reputation.
• Traditional insurance does not cover security liability or adequately cover privacy risks – we provide gap analysis assistance to support this conclusion.
Network and Privacy Insurance
• There is no common insurance language – each underwriter offers a different base product. We modify and manuscript language to meet client needs quite often.
• Focus on the quality of the coverage, experience of the underwriter, approach to managing claims, and insurance limits for severity exposure.
• Cyber Liability capacity – $150 ML+
• First Party capacity – $50 ML
• We have a standard of coverage expressed as specifications or coverage requests that we use to analyze quote options provided by insurers/underwriters. We organize these by criticality to make sure our coverage comparison highlights these issues.
• Sample major issues:
  • Control of defense and appointment of counsel
  • Full vicarious liability, as well as direct liability
  • Scope and limits of notification/crisis management
  • Exclusions that may warrant specific security practices or carve back coverage (Hiscox contractual and encryption exclusions or AIG “shortcomings in security”, for example).
Cyber Liability Coverages
• Worldwide coverage
• Civil Liability
  • Single/class action
  • Potential plaintiffs can include affected group, financial institutions, etc.
  • Defense Costs
• Privacy/Security Regulation Actions (aggregate sublimit)
  • Defense Costs
  • Payment of civil fine or penalty
  • Regulatory compensatory award
• Notification and Crisis Management Costs (aggregate sublimit). In 2009, limits available are well above $1 ML.
  • Mailing costs
  • Offers of services to affected group (which may be voluntary) including credit reports, credit monitoring, credit protection, identity theft insurance, etc.
  • Computer forensics outside experts
  • Outside PR and legal advice
  • Professional call center
  • Other costs associated with credit card association rules
First Party Network and Data Risks
Wide variety of coverage in the marketplace, some monoline and others as separate coverage parts/modules in a combination first/third party policy, including:
• Cyber Extortion
• Reputational harm from data breach coverage (Lockton London line slip)
• Electronic information assets (data, programs, etc.) damaged, corrupted, deleted, etc. by computer attacks, media damage, operational mistakes, and other causes
• Direct non-physical damage to network – look carefully at the waiting period, scope of coverage, and any indemnity limit per hour!
  • Operational mistakes (Lockton London line slip)
  • Malicious Code (viruses), Vandalism/Malicious Acts, and Terrorism
  • Denial of Service
  • Contingent Business Interruption (caused by non-physical damage)
    • Co-dependency on Other Vendors’ Infrastructure (BPO and IT)
    • Off-shoring extra expense (Lockton London line slip)
Underwriting Process
Submission:
• Application
• Supporting documents – IT security questionnaire (typical); may include PCI certification, third party security assessments, BCP plan, claim/circumstance/mitigation, SAS70, etc.
• Lockton specifications and coverage requests
• Underwriters (and perhaps their IT security consultant) request a security conference call with the IT security officer of the applicant to discuss controls in more detail prior to binding.
• For more complex accounts, Lockton hosts an underwriter conference call or meeting to provide a more comprehensive overview of operations, controls, and coverage requirements.
Summary Points
• Identifying, preventing, mitigating and transferring privacy/security risk is a major priority, particularly in high compliance industries (such as utilities), any company that accepts a debit or credit card as a form of payment, and publicly traded companies.
• Outsourcing and offshoring are a fact of life, but definitely increase data protection risks. A vendor management process is needed which includes due diligence, contract protections, and vendor insurance requirements.
• This is a risk of survivability, not invincibility. Develop a team and plan for data breach incident response, just like your contingency plans for other threats.
• Clients should consider insurance protection, either in combination with professional liability coverage or as stand-alone coverage. Insurance is not a substitute for best security practices, but deals with the potential severity risk you cannot prevent.
• Quality of coverage and management of claims are very important, as well as the experience of the underwriter; be a thoughtful buyer.
Lockton Resources
• Contact information: [email protected]
• Specialization within Lockton’s Financial Services (LFS) with network of technology specialists and Lockton International’s Professions Practice
• LFS is a national practice group specializing in D&O, EPL, Fiduciary, Crime, Special Crime, and Cyber Liability
• Core team is comprised of professionals in London with specialized technology and cyber experience, linking with a team of technology/cyber specialists throughout the U.S.
• Risk management services include:
  • Incident Breach Response Plan
  • Vendor Risk Management Program
• Customized insurance solutions include:
  • Technology and telecom errors and omissions
  • Multimedia Liability
  • Intellectual property infringement including patents
  • Operational Risk – first party coverage for data, programs, and networks
  • Data Protection Liability (Security and Privacy Liability)
  • Reputational Harm