Cyber Liability Insurance Why we have it & How it works Doug Selix, MBA, CISSP, CISM, PMP - DES Office of Risk Management April 9, 2015 SBCTC – IT Commission Meeting


Cyber Liability Insurance: Why we have it & How it works

Doug Selix, MBA, CISSP, CISM, PMP - DES Office of Risk Management

April 9, 2015

SBCTC – IT Commission Meeting

Agenda

1. Cyber Liability Incidents
2. Cyber Liability Risks
3. Cyber Liability Risks Exposure
4. What Happens if “it” Happens?
5. Cyber Liability Insurance

Key Definitions

Cyber Security is defined as: “Measures taken to protect a computer or computer system (as on the Internet) and the data they contain against unauthorized access or attack.”

Cyber Risk is defined as: “The possibility that data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data.”

Doug’s Version - What happens when Cyber Security measures are not effective in protecting an organization’s electronic data or computer systems from unauthorized access or attack.

Key Definitions

Cyber Risk Loss Exposure is defined as: “Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.”

Doug’s Version - Costs arising from 1st party damages and 3rd party liabilities resulting from the use of your computer systems.


Why We Need Cyber Liability Insurance

Stuff Happens! Not a matter of “if”, but a matter of “when”

Switch Gears

Incidents - The Big Picture: Significant Data Breach Events

The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).

Source: www.InformationisBeautiful.com

Breaches in Academia

Source: www.InformationisBeautiful.com

Incidents - Education: Instructional Data Breach Events

Maricopa Community Colleges – as of April 2013
– 2.4 Million Student and Employee Records
– $12 Million cost
– IT Director fired for dereliction of duty
– 2 Lawsuits

Administrator of the Courts – May 2013
– 1 Million WDL and 160K SSN’s
– Web site hacked

University of Washington – 2013
– 90,000 patient records
– Email based attack

Eastern Washington University – 2009
– 130,000 student records
– Hack attack

What Risks are Covered by Cyber Liability Insurance?

Switch Gears

Cyber Liability Risks

• Any condition that presents the possibility of financial loss as a consequence of using advanced technology.
• Sample Adverse Impacts
  – Harm to Operations
  – Harm to Assets
  – Harm to Individuals
  – Harm to Other Organizations
  – Harm to the Nation

Source: NIST SP 800-30

Cyber Liability Risks

• Cost to comply with Breach Notification Regulations
  – RCW 42.56.590
  – FERPA
  – HIPAA
  – PCI
  – IRS Publication 1075

Cyber Liability Insurance: Common Coverage Areas

• Information Security & Privacy Liability
• Privacy Notification Costs
• Regulatory Defense and Penalties
• Website Media Content Liability
• Cyber Extortion
• First Party Data Protection
• First Party Network Business Interruption

See APIP Document


Cyber Risk – Devils in the Detail

Source: NIST SP 800-30, NIST SP 800-39

Cyber Risk Exposure

How Much Cyber Liability Insurance do you need?

Switch Gears

Risk Exposure – Mostly About Data

• Data that can cause financial harm to your agency “if” it is not kept secure, includes:
  – Personally identifiable information (RCW 42.56.590)
  – Electronic personal health information (HIPAA Security Rule)
  – Credit card information (PCI Data Security Standard)
  – Bank account information used to process electronic fund transfers or payments
  – IRS tax information (IRS 1075)
  – Student education information (FERPA)
  – Data protected by attorney client privilege
  – Criminal justice information (FBI CJIS standards)
  – Proprietary information (agreement, contract, or license)

Risk Exposure – Cost Factors

• Example: Costs associated with breach notification $3 per record minimum cost – EWU 2009 breach actual cost ~$107 – Estimated public sector cost per record in data breach (Ponemon Institute 2014 US Cost of a Data Security Breach Report)

Sources of Data Breach Cost: Breach Response, Analysis, and Forensics; Breach Notification; Regulatory Fines; Pre-Claim Loss Control; Significant 3rd Party Cost Claims; Post-Claim Litigation; Cyber Extortion; Loss of Reputation

Data Types with Liability Risk:

Credit card information X X X X X X X
Electronic personal health Information X X X X X X
Bank account information X X X X X X X X
Personally identifiable information X X X X X X
IRS tax information X X X X X X X
Student education information X X X X X X
Data protected by attorney-client privilege X X X X X X
Criminal justice information X X X X X X
Proprietary information X X X X X X

ORM 2014 Data Survey Results?

• SBCTC & Community College View

As of 6/3/2014

Data Types with Liability Risk | "Yes" | "No" | Total
Credit Card Data at Rest in Agency | 32 | 0 | 32
Electronic Personal Health Information | 24 | 8 | 32
Bank Account Information | 25 | 7 | 32
Personally Identifiable Information | 31 | 1 | 32
IRS Tax Information | 31 | 1 | 32
Student Education Information | 32 | 0 | 32
Attorney-Client Privilege | 28 | 4 | 32
Criminal Justice Information | 14 | 18 | 32
Proprietary Information | 21 | 11 | 32

Estimating Your Cyber Risk Exposure

• Compute Cyber Liability Risk Exposure
• Need to Document Your Confidential Data
• Use Risk Assessment Worksheet

Sample - Data Breach Risk Exposure Worksheet

Type of Data | Unique Records | Data Source | Data Location | Data Shared With | Applicable Data Security Regulation
System 1 (PII) | 0 | | | | RCW 42.56.590
System 2 (HIPAA) | 0 | | | | HIPAA
System 3 (Credit Card) | 0 | | | | PCI
System 4 (Bank Accounts) | 0 | | | | RCW 42.56.590
System 5 (IRS Pub 1075) | 0 | | | | IRS Publication 1075
System 6 (FERPA) | 0 | | | | FERPA

Data Breach Impact

Type of Data | Notification | Root Cause Investigation | Regulatory Fines | Credit Monitoring for 3rd Parties | Legal Defense | Damages to 3rd Parties
System 1 (PII) | Yes | Yes | No | No | No | No
System 2 (HIPAA) | Yes | Yes | Yes | No | No | No
System 3 (Credit Card) | Yes | Yes | Yes | Yes | Yes | Yes
System 4 (Bank Accounts) | Yes | Yes | No | No | No | No
System 5 (IRS Pub 1075) | Yes | Yes | Yes | No | No | No
System 6 (FERPA) | Yes | Yes | No | No | No | No

Cost of a Data Breach Estimate

Type of Data | Cost per Record to Notify | 2014 Public Sector Market Cost per Record (Note 1) | Regulatory Fine Cost (Note 2) | Min Cost Estimate | Max Cost Estimate | Most Likely Cost for full notification and credit services | Notice Cost Limit (RCW 42.56.590.7c) (Note 3) | Regulatory Fines | Most Likely Cost (Net)
System 1 (PII) | $3 | $107 | 0 | $0 | $0 | $0 | $250,000 | $0 | $250,000
System 2 (HIPAA) | $3 | $107 | 1,000,000 | $1,000,000 | $1,000,000 | $1,000,000 | $0 | $1,000,000 | $1,000,000
System 3 (Credit Card) | $3 | $107 | 0 | $0 | $0 | $0 | $0 | $0 | $0
System 4 (Bank Accounts) | $3 | $107 | 0 | $0 | $0 | $0 | $250,000 | $0 | $250,000
System 5 (IRS Pub 1075) | $3 | $107 | 0 | $0 | $0 | $0 | $250,000 | $0 | $250,000
System 6 (FERPA) | $3 | $107 | 0 | $0 | $0 | $0 | $250,000 | $0 | $250,000

Funding Source

Type of Data | Agency Budget | PEPIP Cyber Liability Insurance | Cyber Liability Insurance AIG Layer
System 1 (PII) | $100,000 | $150,000 | $0
System 2 (HIPAA) | $100,000 | $900,000 | $0
System 3 (Credit Card) | $0 | $0 | $0
System 4 (Bank Accounts) | $100,000 | $150,000 | $0
System 5 (IRS Pub 1075) | $100,000 | $150,000 | $0
System 6 (FERPA) | $100,000 | $150,000 | $0

Maximum Data Breach Risk Exposure: 0 $1,000,000 $1,000,000 $1,000,000 $250,000 $1,000,000 $0

Uninsured Risk Exposure if Agency is in the Master Property Insurance Program

Security Breach Risk Exposure if Agency is NOT in the Master Property Insurance Program

NOTES

NOTE - 1: The high estimate is based on $172 per record cost for the Public Sector that comes from the 2014 Ponemon Institute Cost of a Data Breach Study. That study also breaks down the elements of this cost. One element they include is "Lost Customer Business". We have removed this from the estimate above because the State is a monopoly. If we have a breach we will not lose business. Our planning number is $107.

NOTE - 2:
a) IRS Fine based on $25/record
b) HIPAA Fine - Arbitrary estimate based on HHS/OCR cases

NOTE - 3: RCW 42.56.590 allows agencies to use mass media for notification if cost is over $250,000 or the number of notices exceeds 5000,000. Estimate assumes we would use this provision in the event of a breach.

Call me, we can do this together. See Handout No. 1


What Happens if “it” Happens?

Security Event Incident Response

Switch Gears


Follow Your Plan, Right?

Incident Response Team Follows the Plan

Who’s Got The Plan?

“Good” Security is Planned

• Use the NIST Cyber Security Framework: http://www.nist.gov/cyberframework/

Breach Response


• We can deal with whatever comes up…..

Or Maybe Not

“Good” Computer Security Incident Response is also Planned

• NIST – Computer Security Incident Handling Guide (SP 800-61 R2)

The OCIO Has a Plan

• IT Security Incident Communication Policy
  1. Agencies shall report all IT security incidents to the OCIO
  2. CTS Security shall investigate to determine degree of severity and assist with mitigation
  3. CTS Security shall notify the OCIO (if required)
  4. OCIO will convene a Security Incident Communication Team (if required)
  5. OCIO will authorize coordinated release of public notification with breached agency(s) (if required)

The OCIO Has a Plan

Step 3. - CTS Security shall notify the OCIO (if required)

– CTS Security will notify OCIO and AGG for OCIO
– At this time the CTS Security Officer, in conjunction with the Washington State Office of the Attorney General, will also provide the CISO with an informed opinion as to whether or not the severity of the incident’s impact warrants public notification as required by law

Most IT/IR Guidance Stops Short

Focus tends to be on putting out the flame.

What we have so far:

• Policy to prevent breaches by implementing security best practices
• Resources (CTS Security) to react to the breach.
• State policy to manage public notification when breaches do occur.

Fire is out, who cleans up the mess?

What we Don’t Have:

• A State level plan for dealing with the impact from a breach that includes:
  – Access to highly skilled legal and public relations resources to advise the OCIO, AGO, and agency leadership during a breach event.
  – Access to risk financing resources to recover losses from the breach
  – Access to production capacity to do the work necessary to comply with breach notification regulations

Today

• Who cleans up the mess?
  – The Affected Agency
• How will they do it?
  – Small breach – Deal with it internally
  – Big breach – Depends??????????
    • May have Cyber Liability Insurance
    • May not – have to dip into reserves or ask for budget


Cyber Liability Insurance?

(Provides Response Resources)

Switch Gears

Cyber Liability Insurance

• Current Policy (APIP) - “Alliant Property Insurance Program”
• Agency must be on the State Master Property Insurance Policy to have APIP Cyber Liability Insurance
• Aggregate limits apply
  – $25M for APIP Pool
  – $2M for State of Washington

Warning

Not All Colleges and Universities have this policy

Agencies on this list have some Cyber Liability Insurance (columns: 4 Year University or College; 2 Yr College)

BOARD OF INDUSTRIAL INSURANCE APPEALS X
EASTERN WASHINGTON UNIVERSITY X
EVERGREEN STATE COLLEGE X
WESTERN WASHINGTON UNIVERSITY X
BELLEVUE COLLEGE X
BELLINGHAM TECHNICAL COLLEGE X
BIG BEND COMMUNITY COLLEGE X
CENTRAL WASHINGTON UNIVERSITY X
CENTRALIA COLLEGE X
CLARK COLLEGE X
CLOVER PARK TECHNICAL COLLEGE X
COLUMBIA BASIN COMMUNITY COLLEGE X
COMMUNITY COLLEGES OF SPOKANE X
EDMONDS COMMUNITY COLLEGE X
EVERETT COMMUNITY COLLEGE X
GRAYS HARBOR COLLEGE X
GREEN RIVER COMMUNITY COLLEGE X
HIGHLINE COMMUNITY COLLEGE X
LOWER COLUMBIA COMMUNITY COLLEGE X
OLYMPIC COLLEGE X
PENINSULA COLLEGE X
PIERCE COLLEGE X
RENTON TECHNICAL COLLEGE X
SEATTLE COLLEGES (NORTH SEATTLE COLLEGE) X
SEATTLE COLLEGES (SEATTLE CENTRAL COLLEGE) X
SHORELINE COMMUNITY COLLEGE X
SKAGIT VALLEY COLLEGE X
SOUTH PUGET SOUND COMMUNITY COLLEGE X
TACOMA COMMUNITY COLLEGE X
WALLA WALLA COMMUNITY COLLEGE X
WHATCOM COMMUNITY COLLEGE X
YAKIMA VALLEY COMMUNITY COLLEGE X

APIP Cyber Liability Insurance

• Cyber Liability General Coverages ($100K Deductible)
  – $2M Information Security & Privacy Liability
  – $500K Privacy Notification Cost, $1M if carrier's preferred vendors are utilized
  – $2M Regulatory Defense and Penalties
  – $2M Website Media Content Liability
  – $2M Cyber Extortion Loss
  – $2M Data Protection Loss and Business Interruption Loss


APIP Details

• Sent Details to your Risk Manager

• And to You

Montana Lessons Learned: May 2014 HIPAA Breach

1.3 Million Dept. of Health Patient Records.

• APIP Cyber Liability Insurance Worked
• Response Services Worked
• Rapid Response
• Event Management
• Forensic Analysis
  – Root Cause
  – Determine Data Exposure
• Legal Services
• Public Relations Services
• Notification Production
• Call Center Operation
• Manage Internal Reporting (Gov)

We have a Plan

Cyber Liability Insurance Activation Process (DRAFT) V5

Process flowchart steps:

– Day-To-Day IT Security Events
– Data Security Incident Response Process
– Technical Investigation Continues
– Activate Business Incident Response Team
– Data Breach Suspected or Detected
– CTS S.O.C. Surveillance
– Agency Learns of Breach
– CTS S.O.C. and Agency Investigation
– CTS S.O.C. Notifies OCIO & AGO
– Law Enforcement
– Root Cause Analysis
– CTS S.O.C. Incident Report
– AGO Response Team
– OCIO Response Team
– Assess Need for Beazley Provided Expertise with Dept. Head and Governor
– Determine if Compliance Regulations are In-Play
– AGO Activates Risk Management Resources
– If “YES”
– Notify Beazley of Potential Cyber Liability Incident
– Notify Agency Risk Manager
– State Risk Management Office
– Determine Scope of Data Breach
– AGO Appoints Available Beazley Provided Legal Services Panel Counsel
– Beazley Informs Office of Risk Management about Available Support Resources
– Beazley Computer Expert Service Resource works with affected Agency and CTS S.O.C. to Determine Incident Scope (What Data)
– Inform Agency, AGO and State Risk Manager of Determination
– If Needed – Engage Beazley Notification Services
– If Needed – Engage Beazley Breach Resolution and Mitigation Services
– If Needed – File a Claim with Beazley
– Notify ORM

Beazley Services Provided to Affected Agency:

– Provide Legal Services to Agency Risk Manager
– Print and Mail Notices
– Stand-Up Call Center
– Provide Credit Monitoring Services

Beazley Cost Recovery Provided to Affected Agency:

– Regulatory Defense and Penalties
– Information Security and Privacy Liability
– Website Content Liability
– Cyber Extortion
– First Party Data Protection
– First Party Network Business Interruption

Beazley Provided Resources: Green = Financial Resources, Brown = Services

Assumptions:
– Current OCIO Incident Communications Policy in Place
– AGO will facilitate preliminary business decision regarding Cyber Insurance Assistance
– AGO will communicate to ORM requesting Cyber Insurance Assistance
– S.O.C. means CTS Security Operations Center

NOTES:
– We pay Beazley provided resources if the cost for the response effort exceeds the amount of available insurance coverage less retention.

Cyber liability general coverage ($100K Deductible):

– $2M Information Security & Privacy Liability
– $1M if carrier's preferred vendors are utilized
– $2M Regulatory Defense and Penalties
– $2M Website Media Content Liability
– $2M Cyber Extortion Loss
– $2M Data Protection Loss and Business Interruption Loss

See Handout No. 2

How will APIP Work for you?

• Based on decision in Step 3 of the OCIO Incident Communication Plan
  – AGO will notify the Office of Risk Management if we need to file a claim with our Cyber Liability Insurance carrier.
  – Cyber Liability Insurance will provide resources to the Agency

Is There State Level Cyber Liability Insurance

• No, APIP is all we have
• 2014 – Decision Package for $30M CL Policy
• Did not make it into Governor’s Budget
• ASK ME “WHY”

OCIO IT Budget Requests Prioritized for FY 15-17

Academic Point

• Insurance is about “Risk Finance”
• Risks can be Avoided, Reduced, Accepted, or Transferred.
• Insurance is how we transfer Financial Risk Exposure
• Cyber Liability Insurance is not a Technology Topic, it is a Finance Topic

Cyber Insurance Lumped With IT Proposals

Next to Last Priority

Can Your Agency Buy More Cyber Liability Insurance?

Switch Gears

Additional Cyber Liability Insurance is Available

• Each Agency must decide how much is needed based on your Risk Exposure
• Agency completes an application
  – Get application from Office of Risk Management (ORM)
  – Return to ORM, ORM Submits to Broker
• Broker will develop a quote
• Advantages:
  – No aggregate Limits
  – Lower retention possible
  – Sized to fit the agency risk exposure
• Example: CWU AIG Quote ($3M for $33K, $5M for $44K)

Next Steps

• We need to measure your Cyber Liability Risk Exposure
  – Send me your completed spreadsheets
• IT Commission could recommend more Cyber Liability Insurance
  – Each College buy their own policy
  – Buy one policy for all 34 Colleges
• Call me if you need help telling this story to your management


Questions

Thank you!

Cyber Liability Program

Doug Selix, CISM, CISSP, PMP
Cyber Liability Program Manager
Department of Enterprise Services
Office of Risk Management

Office Phone: 360-407-8081
Email: [email protected]