Transcript Slide 1

Cyber Liability Insurance
Why we have it & How it works
DRAFT – Version 3
May 28, 2015
SBCTC – BAR Commission Meeting
Doug Selix, MBA, CISSP, CISM, PMP
DES Office of Risk Management
Cyber Liability
IT Security Context
• A Security Incident that results in the:
– Loss of “Data Confidentiality”
– Loss of “Data Integrity”
– Loss of “Data Availability
2
The “Liability” Comes From:
• Loss of Data Confidentiality
– Damages from a data breach
• Loss of Data Integrity
– Damages from corrupt or destroyed data
• Loss of Data Availability
– Damages from data we or our customers
cannot use or systems we cannot access
3
Incidents Happen - The Big Picture
Significant Data Breach Events
The Open
Security
Foundation's
DataLossDB
gathers
information
about events
involving the
loss, theft, or
exposure of
personally
identifiable
information
(PII).
Source: www.InformationisBeautiful.com
4
Incidents Happen - The Big Picture
Significant Data Breach Events
The Open
Security
Foundation's
DataLossDB
gathers
information
about events
involving the
loss, theft, or
exposure of
personally
identifiable
information
(PII).
5
Data Breach
Incident Example – Deeper Dive
Idaho State University – August 2011
• Direct Costs:
• $52,500 - Cost to notify (~$3/Name)
• $36,750 - Cost to offer credit monitoring
(~$14/Name, 15% opt in)
2,625 @ $14/Ea. = $36,750
• $400,000 - HIPAA Fine
• Indirect Costs:
• Effort to respond to the incident
• ISU Worked with DHH/OCR for over a year
• Effort to gain compliance
• Effort to correct underlying security problems that lead
to the breach
• Root cause: Human Error
• System administrator turned off the firewall protecting a
university server storing the ePHI.
6
Data Breach
Other Incident Examples
Maricopa Community Colleges – as of April 2013
2.4 Million Student and Employee Records
$12 Million cost
IT Director fired for dereliction of duty
2 Lawsuits
University of Washington – 2013
90,000 patient records (HIPAA).
email based attack
Eastern Washington University – 2009
130,000 student records.
Hack attack
$750,000 Cost ($250K Direct)
7
Washington College Incidents
•
•
•
•
Denial of Service Attack
Cyber Extortion
Point of Sale System Breach
Lost / Stolen Laptop Computers
8
Insurance Context
• Cyber Liability Insurance covers:
1st Party Damages
3rd Party Liabilities
9
Insurance Context
Cyber Liability Risks
• 1st Party Damages – Common Insurable
Losses
– Cost for forensic investigation to find the
cause of the damage
– Cost to figure out if/what data was breached
– Cost to comply with Breach Notification
Regulations (RCW, HIPAA, FERPA, etc.)
– Cost for customer Risk Mitigation Services
10
Insurance Context
Cyber Liability Risks
• 1st Party Damages – Continued
– Expert Legal Advice
– Expert Public Relations Advice
– Expert Crisis Management Advice
– Cyber Extortion Payments
– Cost to Restore Data Integrity or Availability
– Lost Income and Extra Operating Cost due to
network interruption
11
Insurance Context
Cyber Liability Risks
• 3rd Party Liability
– 3rd party damage claims
– 3rd party litigation
– Web media damage claims (e.g. copyright or
trademark infringement, defamation, invasion
of privacy)
– Regulatory defense and penalties
12
Switch Gears
Cyber Risk Exposure
How Much
Cyber Liability Insurance
do you need?
13
Insurance Context
Cyber Risk Loss Exposure is defined as:
“Any condition that presents the possibility of financial
loss to an organization from property, net income, or
liability losses as a consequence of advanced technology
transmissions, operations, maintenance, development, or
support.”
st
rd
Doug’s Version - Costs arising from 1 party damages and 3
party liabilities resulting from the use of your computer systems.
14
Risk Exposure – Mostly About Data
• Data that can cause financial harm to your
agency “if” it is not kept secure, includes:
–
–
–
–
–
–
–
–
–
Personally identifiable information (RCW 42.56.590)
Electronic personal health information (HIPAA Security Rule)
Credit card information (PCI Data Security Standard)
Bank account information used to process electronic fund
transfers or payments
IRS tax information (IRS 1075)
Student education information (FERPA)
Data protected by attorney client privilege
Criminal justice information (FBI CJIS standards)
Proprietary information (agreement, contract, or license)
15
Data Breach
Incident Example – Deeper Dive
Idaho State University – August 2011
• 17,500 individuals ePHI exposed
• “On November 22, 2011, HHS notified ISU of its investigation
regarding ISU’s compliance with the Privacy, Security, and Breach
Notification Rules. HHS’ investigation indicated that the following
conduct occurred (“Covered Conduct”).
•
•
•
ISU did not conduct an analysis of the risk to the confidentiality of
ePHI as part of its security management process;
ISU did not adequately implement security measures sufficient to
reduce the risks and vulnerabilities to a reasonable and appropriate
level; and
ISU did not adequately implement procedures to regularly review
records of information system activity to determine if any ePHI was
used or disclosed in an inappropriate.”
16
ORM 2014 Data Survey Results?
• SBCTC & Community College View
Data Types with Liability Risk
Credit Card Data at Rest in Agency
Electronic Personal Health Information
Bank Account Information
Personally Identifiable Information
IRS Tax Information
Student Education Information
Attorney-Client Privilege
Criminal Justice Information
Proprietary Information
"Yes"
"No"
Total
32
24
25
31
31
32
28
14
21
0
8
7
1
1
0
4
18
11
32
32
32
32
32
32
32
32
32
As of 6/3/2014
17
Risk Exposure – Cost Factors
Sources of Data Breach Cost
Data Types with Liability Risk
Credit card information
Electronic personal health Information
Bank account information
Personally identifiable information
IRS tax information
Student education information
Data protected by attorney-client privilege
Criminal justice information
Proprietary information
Breach
Significant
Loss of
Pre-Claim
PostResponse,
Breach Regulatory
3rd Party
Cyber Reputation
Loss
Claim
Analysis, and Notification
Fines
Cost
Extortion
Control
Litigation
Forensics
Claims
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
• Example: Costs associated with breach notification
 $3 per record minimum cost – EWU 2009 breach actual cost
 ~$107 – Estimated public sector cost per record in data breach
(Ponemon Institute 2014 US Cost of a Data Security Breach Report)
18
X
X
X
X
X
X
X
X
X
Do You Know How Much
Cyber Liability Risk You Have Today?
• Quantify Your Confidential Data
• Compute Cyber Liability Risk Exposure $$
Sample - Data Breach Risk Exposure Worksheet
Data Breach Impact
Type of Data
System 1 (PII)
System 2 (HIPAA)
System 3(Credit Card)
System 4 (Bank Accounts)
System 5( IRS Pub 1075)
System 6 (FERPA)
Maximum Data Breach Risk
Exposure
NOTES --->
Unique Records
Data Source
Data Location
Data Shared With
0
0
0
0
0
0
0
Applicable Data
Security Regulation
RCW 42.56.590
HIPAA
PCI
RCW 42.56.590
IRS Publication 1075
FERPA
NOTE - 1
The high estimate is based on $172 per record cost for the Public
Sector that comes from the 2014 Ponemon Institute Cost of a Data
Breach Study. That study also breaks down the elements of this cost.
One element they include is "Lost Customer Business". We have
removed this from the estimate above because the State is a
monopoly. If we have a breach we will not loose business. Our
planning number is $107.
Notification
Root Cause
Investigation
Regulatory
Fines
Credit
Monitoring for
3rd Parties
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
No
Yes
No
No
No
Yes
No
No
No
NOTE - 2
a) IRS Fine based on $25/record
b) HIPAA Fine - Arbitrary estimate based on HHS/OCR cases
Cost of a Data Breach Estimate
2014 Public
Damages to 3rd Cost per Record Sector Market
Legal Defense
Parties
to Notify
Cost per Record
(Note 1)
No
No
Yes
No
No
No
No
No
Yes
No
No
No
$3
$3
$3
$3
$3
$3
$107
$107
$107
$107
$107
$107
Regulatory Fine
Cost (Note 2)
Min Cost Estimate
0
1,000,000
0
0
0
0
Max Cost Estimate
$0
$1,000,000
$0
$0
$0
$0
$1,000,000
$0
$1,000,000
$0
$0
$0
$0
$1,000,000
Most Likely Cost for
full notification and
credit services
Funding Source
Notice Cost Limit
(RCW
Regulatory Fines
42.56.590.7c)
(Note 3)
$0
$1,000,000
$0
$0
$0
$0
$250,000
$0
$0
$250,000
$250,000
$250,000
$1,000,000
$250,000
$0
$1,000,000
$0
$0
$0
$0
Most Likely Cost
(Net)
$250,000
$1,000,000
$0
$250,000
$250,000
$250,000
19
$100,000
$100,000
$0
$100,000
$100,000
$100,000
PEPIP
Cyber Liability
Insurance
$150,000
$900,000
$0
$150,000
$150,000
$150,000
$1,000,000
Cyber Liability
Insurance
AIG Layer
$0
$0
$0
$0
$0
$0
$0
NOTE - 3
RCW 42.56.590 allows agencies to use mass media for notification if cost is over $250,000 or
the number of notices exceed 5000,000. Estimate assumes we would use this provision in
the event of a breach
Security Breach
Risk Exposure if Agency is
NOT in the Master
Property Insurance
Program
See Handout
Agency Budget
Uninsured
Risk Exposure if Agency is in
the Master Property
Insurance Program
Your Risk Manager & IT Manager
have been asked to complete this
spreadsheet.
What we are learning about your Risk
• All of you have PII / FERPA Data
–
–
–
–
All of the Colleges have significant amounts of this data
RCW 42.56.590 - Breach Notice Context
House Bill 1078 – 45 days to give notice
Substitute notice may be available
• Some of you have HIPAA Data (High Risk Data)
–
–
–
–
HIPAA - Breach Notice Context
Must send notice to all individuals
60 days to complete notice
Risk of regulatory penalties
• No College Should Have (High Risk Data)
– IRS FTI Data, PCI Data, or Bank Account Data
20
IRS FTI Data – IRS Publication 1075
•
(IRS Pub 1075 Link) provides the following definition:
1.4.1 Federal Tax Information (FTI)
Safeguarding FTI is critically important to continuously protect taxpayer confidentiality
as required by the IRC 6103. FTI may consist of returns or return information and may
contain personally identifiable information (PII).
FTI is any return or return information received from the IRS or secondary source, such
as SSA, Federal Office of Child Support Enforcement or Bureau of Fiscal Service. FTI
includes any information created by the recipient that is derived from return or return
information.
•
The highlighted part is what determines if you do or do not have IRS data.
•
This standard applies to data received from the IRS not data sent to the
IRS.
•
It is my belief that colleges do not have this class of data.
21
Other Data Types
• Credit Card Data (PCI)
– All Credit Card Data should be outsourced to
third-party credit card processor
– This is the view of the State Treasurer
• Bank Account Data
– SBCTC holds records for electronic ACH
payments to vendors and employees
– Colleges should sanitize data pulled from the
SBCTC systems – e.g. delete the bank
account data from your local systems.
22
Switch Gears
What Happens if “it” Happens?
Security Event Incident
Response
23
Working Analogy
• Think of an IT security incident like a
house fire:
– Call 911 and ask for help
– Fire department puts out the flame
– Property owner cleans up the mess
• If insured then there is help provided by the
insurance company
– Resources to clean-up and reconstruct
– Funds to pay out of pocket costs over the deductible up
to the policy limit
• If not, the property owner pays all costs.
24
Follow Your Incident Response Plan,
Right?
Incident Response
Team Follows the Plan
Who’s Got The Plan?
25
Or Maybe Not
• We can deal with whatever comes up…..
26
Most IT/IR Plans Stops Short
Focus tends to
be on putting out
the flame.
Was there a data
security breach?
27
Our Working Assumption:
• It is rare to find a Cyber Security Incident
Response Plan that includes steps to be taken in
the event of a data security breach. Most
organizations wing it…..
Fire is out, who cleans
up the mess?
28
Switch Gears
Insurance as a tool to
Clean Up the Mess
29
Academic Point
• Insurance is about “Risk Finance”
• Risks can be Avoided, Reduced, Accepted, or
Transferred.
• Insurance is how we transfer Financial Risk
Exposure
• Cyber Liability Insurance is not a Technology
Topic, it is a Finance Topic
30
Cyber Liability Insurance
Cleaning Up the Data Breach Mess
• Current Policy (APIP) - “Alliant Property Insurance
Program”
• Agency must be on the State Master Property Insurance
Policy to have APIP Cyber Liability Insurance
Not All Colleges have this policy
• Aggregate limits apply
$25M for APIP Pool
$2M for State of Washington
• Cost < $24,000 for all state agencies in APIP Program
31
APIP Cyber Liability Insurance
• Cyber Liability General Coverages
($100K Deductible)
$2M Information Security & Privacy Liability
$500K Privacy Notification Cost, $1M if carrier's preferred
vendors are utilized
$2M Regulatory Defense and Penalties
$2M Website Media Content Liability
$2M Cyber Extortion Loss
$2M Data Protection Loss and Business Interruption Loss
32
APIP Details
•
33
Look at the
Handout
Montana Lessons Learned
May 2014 HIPAA Breach
• APIP Cyber Liability
Insurance Worked
• Response Services Worked
• Rapid Response
• Event/Crises Management
• Forensic Analysis
– Root Cause
– Determine Data Exposure
1.3 Million Dept. of Health
Patient Records.
$5M Cost
$3M Insured
No HIPAA Fine To-Date
•
•
•
•
•
34
Legal Services
Public Relations Services
Notification Production
Call Center Operation
Manage Internal Reporting (Gov)
Key Question:
• Do you have data at your college that can
produce expensive cyber liability events?
– Student / Employee Data (Yes)
– Credit Card Data (No)
– IRS Data (No)
– HIPAA Data (Yes)
• Nursing Programs (None So Far)
• Dental Programs (Yes)
• Counseling Centers (Yes)
35
Do You Have Enough Cyber Liability
Insurance Today?
• Risk Exposure Estimate Worksheets will
help all of us have a better understanding
of how much cyber liability risk we have
among the colleges.
• This will in turn help us understand how
much cyber liability insurance would be
appropriate for Washington’s colleges to
purchase.
36
Additional Cyber Liability Insurance
is Available
• Each Agency must decide how much is
needed based on your Risk Exposure
• Agency completes an application
• Get application from Office of Risk Management (ORM)
• Return to ORM, ORM Submits to Broker
• Broker will develop a quote
• Advantages:
• No aggregate Limits
• Lower retention possible
• Sized to fit the agency risk exposure
37
Cost for Additional
Cyber Liability Insurance
• Recent Quotes $50K Retention:
$2M Limits - $21K Annual Premium
$3M Limits - $33K
$5M Limits - $44K
• Aggregate Limits Equal Policy Limits
38
Cost for Additional
Cyber Liability Insurance
• Recent Quotes $50K Retention
• Annual Premium:
$2M Limits - $21K
$3M Limits - $33K
$5M Limits - $44K
• Aggregate Limits Equal Policy Limits
• Would be “Excess Insurance” over the
APIP Cyber Liability Insurance if it were
available.
39
What if – One Policy for all Colleges?
• We can use the Risk Exposure information
we are collecting to size a policy
• You would have to advise us:
– Single incident limit, how much insurance is
enough? Max per breach.
– Aggregate limits, Total insurance for all
colleges?
– Retention, what size deductible?
40
Questions
Thank you!
41
Cyber Liability Program
Doug Selix, CISM, CISSP, PMP
Cyber Liability Program Manager
Department of Enterprise Services
Office of Risk Management
Office Phone:
360-407-8081
Email:
[email protected]
42