www.umal.co.uk


Protecting Your Business from Information Thieves:
Overview of Security/Privacy Risks and Risk Transfer
Malcolm Randles
[email protected]
Lockton Companies International Limited. Authorised and
regulated by the Financial Services Authority. A Lloyd’s
Broker.
Some Key Discovery Questions
• Does your business model, services, or solutions involve collecting, storing, using, transmitting, selling, or otherwise handling personally identifiable information of individuals?
• Do you outsource or offshore important elements of your IT management or business infrastructure (such as fulfillment, customer service, etc.)?
• How many employees do you have? Are you self-insured for your employee medical plan?
• Have you had any incidents, losses, or regulatory investigations concerning privacy or security?
• How time-sensitive is your business to a computer network outage? Does that sensitivity vary by season or time of year?
• Do you indemnify your customers under contract for breach of confidentiality or security?
• Do any of your products or services have a patent infringement exposure, whether the patent is for a design, physical product, software, or business process?
Cyber Liability Risk Basics – People, Processes, and Technology in an Ever-Changing Environment
• Security Liability: someone (including an associate, vendor or an independent contractor) attacks or accesses/uses your computer network in an unauthorised manner, or someone steals mobile computer equipment to perpetrate data theft.
- Responsibility rests with the data owner, worldwide, towards its consumers and employees.
- Insiders are the most frequent perpetrators.
- Constant new threats.
- Identity and data theft (cyber crime) is the biggest issue.
- Motives range from nuisance/malicious hacking through extortion and terrorism.
- Transmission of malicious code.
- Denial of service attack (against your network, or co-opting your computers to participate in an attack on others).
Cyber Liability Risk Basics – People, Processes, and Technology in an Ever-Changing Environment
• Privacy Liability: violation of privacy laws or regulations that permit individuals to control the collection, access, transmission, use, and accuracy of their personally identifiable financial information.
Severity Risk and Getting Worse
• Responsibility to warn consumers (and employees) of a potential security breach of their personal information.
• Identity theft is a business and heavily involves organised crime around the world (phishing and pharming). The CEO of McAfee has suggested it is now bigger than the illicit drug trade.
• Impact of vicarious liability resulting from increased outsourcing and offshoring.
• Regulators such as the Financial Services Authority and the ICO bring enforcement actions for breaches of privacy and security as identity theft continues to grow (e.g. the FSA's action against Nationwide).
• Significant class action activity and derivative shareholder actions on the back of large security breaches. The largest loss is over $150 million (T. J. Maxx).
Why purchase cyber insurance?
• Investor fallout from uncovered losses with a large claim; major impact on brand and reputation.
• Traditional insurance does not cover security liability or adequately cover privacy risks.
• No system can be designed to eliminate the potential for loss, as failures of people and processes cannot be eliminated. Insiders may be the perpetrators.
• Many functions are conducted by outside vendors and contractors who may lack the insurance and assets to respond.
• Responsibility rests with the merchant from a legal and regulatory perspective, and under credit card association operating regulations.
Cyber Liability Coverages
• Civil Liability
- Defense Costs
- Single/class action
- Potential plaintiffs can include owners, other third parties, and employees
• Privacy/Security Regulatory Actions (sublimit)
- Defense Costs
- Payment of civil fines or penalties
• Notification and Crisis Management Costs (sublimit)
- Mailing costs
- Offers of free credit reports and credit monitoring to the affected group
- Outside PR and legal advice
- Professional call center
- Other costs associated with VISA/MasterCard credit card rules
Cyber First Party Coverages
Data/Electronic Information Loss
• Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack.
Business Interruption or Network Failure Expenses
• Covers the cost of lost net revenue and extra expense arising from a computer attack and other human-related perils. Especially valuable for computer networks with high availability needs.
Cyber-extortion
• Covers both the cost of investigation and the extortion demand amount related to a threat to commit a computer attack, implant a virus, etc.
Summary
• Identifying, preventing, mitigating and transferring privacy/security risk is a major priority for any company that accepts a debit or credit card as a form of payment, and for publicly traded companies.
• Outsourcing and offshoring are a fact of life, but definitely increase data protection risks. A vendor management process is needed, which includes due diligence, contract protections, and vendor insurance requirements.
• This is a risk of survivability, not invincibility. Develop a team and a plan for data breach incident response, just like your contingency plans for other threats.
• Clients should consider insurance protection, either in combination with professional liability coverage or as stand-alone coverage. Insurance is not a substitute for best security practices, but deals with the potential severity risk you cannot prevent.
• Quality of coverage and management of claims are very important, as is the experience of the underwriter; be a thoughtful buyer.
Contact Details
Lockton International
Malcolm Randles
[email protected]
0207 933 2711