Best Practices for Insuring Medical Practices from Cyber Risk

Karin Landry
Spring Consulting Group, LLC
Managing Partner
“There are two kinds of companies today, those who know they have been hacked, and those who don’t.”
James Comey, FBI Director (USA Today, May 2014)
Cyber Risk Trend/Statistics
2013 Verizon Data Breach Study
• Organized crime accounts for 55% of all breaches studied
• Organizations under 100 employees account for 31% of all breaches
• 66% of breaches took months to discover
• 69% of breaches are discovered by an external party
• 78% of the breaches are considered low to very low difficulty
• Method of action:
– 40% Malware
– 52% Hacking
• Most desired data for organized crime:
– Payment card information
– Authentication credentials
– Bank account information
• 48% of the 47,000 security incidents studied were attributed to errors such as:
– Lost devices
– Publishing errors
– Mis-delivered email/mail
True Cost of a Data Breach
$188 per record for U.S.*
Cost components:
• Fines/Penalties
• Loss of Customers/Donors
• Notification (as required by law)
• Forensics (determining where, what and how much data was breached)
• Damage Control Expenses (to retain clients, restore confidence in the organization and restore reputation)
NOTE: This study does NOT factor in defense costs or liability payments made
*Source: 2013 Cost of a Data Breach Study – Ponemon Institute
Anatomy of a Data Breach
Incident
• Malicious attack, employee error, or theft
Discovery
• Victims are sometimes the last to know. Usually discovered within months
Forensics Analysis
• What, where and how
Response
• Compliance with regulatory requirements for notification
Damage Control
• Offering credit monitoring/fraud monitoring to impacted parties
Common Cyber Risk Coverages
• Business Income/Extra Expense
• Crime: Extortion and computer fraud/funds transfer fraud
• Employee Privacy Liability
• Restoration/Replacement of Electronic Data
• Security Breach Liability
• Media/Website Publishing Liability
• Security Breach Expense
• Public Relations Expense
• Fines/Penalties – Regulatory proceedings and payment card industry
Regulatory Considerations: Data Breach Notification Laws
• In effect in 47 states; the exceptions are:
– Alabama
– New Mexico
– South Dakota
• Subject to statutory fines/penalties
– Exemptions and notification deadlines vary by state
• HIPAA/HITECH law applies to entities that keep patient health information
– Enforced by the Department of Health and Human Services
Social Media Exposures
Content
• Potentially liable for content (e.g., Facebook page, YouTube video, blog on your website)
Privacy
• Content posted can breach a person’s privacy or lead to identity theft
Intellectual Property Infringement
• Copyright/trademark
Virus/Malware
• Could be uploaded to your social media site and infect other members who click on that link
Reputational/Public Relations Risk
• Certain negative content can go viral and reach a critical mass of people in a very short time
Risk Management View
52% of risk managers have a dedicated cyber risk insurance policy*
56% of risk managers cite cyber risk as a “top concern”*
• Cyber viewed as a very high profile risk by CEOs, CFOs, treasurers and risk managers
• A captive may be an excellent alternative to fill gaps between self-insurance and true risk transfer
– Cyber risk may diversify a captive’s more traditional risk
*Source: Business Insurance Survey
How to Price Cyber Insurance
• The market for network, information security, and privacy (cyber) insurance remained stable in 2013
• Recent events will define the market for the next several years
• Pricing sources:
– Commercial market quotes
– Broker indications based on:
• Industry (retail, manufacturing, financial institution)
• Exposure (credit cards, healthcare personal data, SSNs, HIPAA exposures)
• Company size (# of customers, # of transactions)
– Actuary
– Transfer pricing study
Case Study: Nittany Insurance Company
Nittany Insurance Company
• Single-parent Vermont-based captive, owned by The Pennsylvania State University
• History:
– 1992: Established as funding vehicle for hospital professional liability insurance
– 2000: Expanded to include reinsurance of primary GL and auto coverage
– Later in the 2000’s: Added more coverages for convenience of the University (e.g. deductible reimbursement for master insurance programs)
Penn State University
• Flagship land-grant University in the Commonwealth of Pennsylvania
– However, NOT owned by the State
• Operating Budget 2013/14: $5 Billion
• 25,000 full-time faculty and staff, plus another 15,000 part-time employees
• 93,000 students at 20 campuses
• Two hotel/conference centers
• One very large football stadium
The Situation
22 million overtly-hostile computer intrusions blocked daily
Over 95 million spam emails blocked daily
170,000 email accounts receive 3.2 million emails daily
Decentralized educational departments and IT networks/systems
• Insurers not interested in covering a large research institution with an open computing philosophy
• Commercially available policy forms did not provide needed coverage
• Wanted a single funnel to accumulate expenses and manage responses to breaches
• Wanted behavior modification:
– Incentivize decentralized units to use good computer security practices
The Solution
• Placed risk in owned captive
• Key feature of the coverage is a two-tiered deductible
– If a unit employs certain “good practices” advocated by IT Security Operation Services, but has a breach anyway: $25,000 deductible
– If a unit did not employ “good practices”, and that led or contributed to a breach: $100,000 deductible
The Results
• Firewalls more reliably installed, maintained and patched
• Security software updated in real time
• Software contracts routinely scrutinized and include security requirements
• Actual compromises decreased significantly
• Release of SSNs declined from 10,000 at a time to 5-10 in isolated instances
Contact Information
Karin Landry
Managing Partner
Spring Consulting Group, LLC
[email protected]
Phone: 617-589-0930; ext. 102
www.springgroup.com