14BSD25541B#
Cyber Threats and Realities: Solutions for Real Estate & Hospitality STAN STAHL, CITADEL INFORMATION GROUP | JOE DEPAUL, ARTHUR J. GALLAGHER | ALEXANDRA GLICKMAN, ARTHUR J. GALLAGHER June 9, 2014
Overview
Asset Classes and Their Exposures - Alex Glickman
Financial Implications of Cybercrime; Meeting the Information Security Challenge in the Cyber-Age - Stan Stahl, Ph.D
Cyber Threats & Solutions - Joe DePaul
© 2014 ARTHUR J. GALLAGHER & CO.
Asset Classes and Their Exposures ALEX GLICKMAN
Asset Classes and Their Exposures
1) Commercial Office Buildings
- Key issues are securing and monitoring entry and operations.
- Very heavy machines, heating, air, chillers, and equipment, most if not all of which is controlled by computers.
- Rare for confidential information to be housed in this asset class.
- Low employee count.
- Credit cards used for parking fees.
2) Hospitality
- Key issues are 3rd party credit cards, security via key cards, POS exposure for food/beverage and other services.
- High employee count with continual turnover.
- Same exposure as commercial vis-a-vis equipment.
- High emphasis on security and monitoring of the asset.
3) Multifamily, Mini Warehouse and Single Family Homes for Rent
- Tremendous exposure to 3rd party confidential information, rarely secured, and the new trend is to accept rents via credit cards.
- Relatively high employee count.
- Security and monitoring is a focus for Multifamily and minis.
Asset Classes and Their Exposures
4) Industrial Flex
- Relatively low exposure, though security and ingress/egress are key issues.
5) Retail
- Massive increase in social media as a marketing tool.
- Loyalty programs launched to brand the operator of the real estate, not just the retail operator.
- Credit cards used for parking fees.
- Relatively high employee count and a keen focus on security and monitoring.
Financial Implications of Cybercrime; Meeting the Information Security Challenge in the Cyber-Age
STAN STAHL, Ph.D
© Copyright 2014. Citadel Information Group. All Rights Reserved.
Citadel Information Group: Delivering Information Peace of Mind® to Business and the Not-for-Profit Community
Stan Stahl, Ph.D - Co-Founder & President
- 30+ Years Experience
- Reagan White House
- Nuclear Missile Control
- President, ISSA-LA
Kimberly Pease, CISSP - Co-Founder & VP
- Former CIO
- 15+ Years Information Security Experience
David Lam, CISSP, CPP - VP Technology Management Services
- Active CIO
- 20+ Years Information Security Experience
- VP, ISSA-LA
Managing Information Risk - Questions
1. How serious is cybercrime and why should I care?
2. How vulnerable am I, really?
3. What do I need to do about it?
Financial Fraud and Identity Theft Continue to Climb
867,257,654 Financial Records Reported Breached
January 10, 2005 – May 31, 2013
These count only reported breaches. They count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.
Data Breach Costs Expensive. Money Down the Drain.
$200 Per Compromised Record
$5.5 Million Per Event
- Investigative Costs
- Breach Disclosure Costs
- Legal Fees
- Identity Theft Monitoring
- Lawsuits
  - Customers
  - Shareholders
http://www.ponemon.org/index.php
Online Bank Fraud: $1,000,000,000 and Growing. Losses Usually Borne by Victim.
Bloomberg, Aug 4, 2011: http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html
CryptoLocker: Your Files Held for Ransom
Web Sites Held for Ransom as Denial of Service Attacks Increase
Smartphones and Tablets Under Increasing Attack. Laptops are Easy to Lose.
Security Vulnerabilities in Building Systems: Security, SCADA, RFID, WiFi
See, e.g., http://www.net-security.org/secworld.php?id=15252
Verizon: 78% of Breaches are “Low Difficulty”
• Take Advantage of People
  – Social Engineering
  – Phishing
• Take Advantage of Technology Management Flaws
  – IT focus is performance, not security
  – Defenses are too easily defeated
  – Basic computer security hygiene isn’t followed
• Take Advantage of Management Weaknesses
  – Security treated as part of IT
  – Senior Management often not involved
  – Boards often “clueless”
Verizon 2013 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/
Boards Are Still Clueless About Cybersecurity. Forbes Magazine, May 16, 2012: http://www.forbes.com/sites/jodywestby/2012/05/16/boards-are-still-clueless-about-cybersecurity/
Cybercrime is Existential: 60% of Small Business Victims Close Within 6 Months
• More than ¾ of small businesses believe their companies are safe from hackers
• 20% - 30% of all cyber-attacks hit small businesses with 250 or fewer employees
• 60% of small businesses close within 6 months of being victimized by cybercrime.
http://smallbusiness.foxbusiness.com/technology-web/2013/03/21/most-small-businesses-dont-recover-from-cybercrime/
WHAT WE NEED TO DO
Meeting the Cybercrime Challenge
Distrust and caution are the parents of security. -- Benjamin Franklin
Recognize Information Security Management as an Element of Cyber Risk Management
Information Security Management
Information Security Management is NOT a part of IT
Manage Security of Information as Rigorously as You Manage Finance
Implement Information Security Management System
1. Chief Information Security Officer
  a) C-Suite Access
  b) Does Not Report to CIO
  c) Cross-Functional Support
  d) Board Governance
2. Implement formal risk-driven information security policies and standards
3. Identify, document and control sensitive information
4. Train and educate personnel
5. Manage IT Infrastructure from an “information security point of view”
Manage IT Infrastructure from “Information Security Point of View”
- IT Infrastructure Security: Firewalls, Anti-Malware, Vulnerability Management, …
- Application Security: Websites, Internet-Facing Applications, Internal Apps
- Vendor Security Management
- Network / System Change Control
- Logging and Review, SIEM, Incident Response, Investigations
- Back-Up and Recovery, Information Continuity, Disaster Readiness
- Access Control and Identity Management
- Encryption
- IT Infrastructure Documentation
- Information Security Training and Education
Follow Basic Computer Security Hygiene
• Keep Computers Patched
  – Operating systems
  – Applications
• Run Computers in Limited Mode – Not Administrative
• White List Applications
Know What’s Going On. Sign Up for Citadel’s Free Weekly Newsletter.
If you do not know your enemies nor yourself, you will be imperiled in every single battle. Sun Tzu The Art of War
Use Citadel’s Free Weekly Newsletter to Keep Home Computers Patched and Updated
Information Peace of Mind ®
Information Security is Proactively Managed
Meet Information Security Standard of Care
Lower Total Cost of Information Security SM
Cyber Threats and Solutions JOE DEPAUL
Who is Affected & What Do They Hold?
Who is Affected?
- Property Managers
- Brokers/Agents
- Title Agents
- Developers
- Appraisers
- Multi-service real estate firms
- REITs
What Do They Hold?
- Confidential third party information
- PII/PHI
- Corporate confidential information
- Rental applications
- Credit reports
- Leases
- Rental Agreements
- Tax Records, Federal ID numbers
- Social Security Numbers
The Regulatory Landscape is Complex, Challenging and Growing
• 47 State Privacy Laws (County/Local) – Laws or Regulation
• Foreign Privacy Laws – UK ICO – Information Commissioner’s Office & many others (trans-border privacy issues)
• Federal Trade Commission – FACTA Regulation 114: Red Flags Rule
• DOE/NRC/HSA
• HIPAA / HITECH
  – Standard for smooth, consistent, and secure electronic transmission of health care data.
  – PII/PHI – personally identifiable information/health information about individuals
    » PII includes driver’s license #’s, SS #’s, Credit Card #’s, address, account numbers & PIN’s
    » PHI includes written documents, electronic files, and verbal information. (Even information from an informal conversation can be considered PHI.)
  – Examples of PHI include:
    » Completed health care claims forms
    » Detailed claim forms
    » Explanations of benefits
    » Notes documenting discussions with plan participants
• SEC/GLB
• PCI/DSS
What about Social Media & BYOD? Social Media & Privacy
What is your responsibility to safeguard, monitor and takedown information?
What About The Cloud?
Things to Think About:
- Where is the data really stored?
- How is the data protected?
- What about the provider?
- Is the provider transferring data or moving your data around?
- Indemnification?
- Contract Review?
Who are the Stakeholders?
Who do you see as the key risk stakeholders within your organization and what have been the challenges in bringing them on board?
- Leadership Team/Board
- Customers
- Employees
- Information Technology
- CFO
- General Counsel
- Chief Security Officer
- Risk Management
Litigation Trends
• Plaintiffs’ Bar (Class Actions)
• Individuals (Identity Theft Education)
• Government (Privacy Laws & Investigations)
• Impacted Businesses (Banks/Trading Partners)
• Third Parties
Response Costs
- Third & First Party Claims Defense
- Notification
- Credit Monitoring
- Public Relations/Reputational Harm
- Forensic Investigations
- Call Center Support
- Identity Theft Education
Available Coverages
3rd Party Coverage
Network and Privacy Liability Coverage for:
- Claims arising from the unauthorized access to data containing identity information,
- Failure to protect non-public information (PII/PHI/Corporate Confidential Information) in your care, custody and control,
- Transmission of a computer virus, and
- Liability associated with the failure to provide authorized users with access to the company’s website
3rd Party Coverage
Media Liability – Including online and offline Media. Coverage for claims arising from online/offline content:
- Libel
- Slander
- Defamation
- Emotional Distress
- Infringement of copyright/trademark/etc.
- Invasion of Privacy
3rd Party Coverage
Technology Products/Services Errors & Omissions Coverage for:
- Claims arising from the failure of a technology product or service to perform as indicated.
1st Party Coverage
Crisis Management/Security Breach Remediation and Notification Expenses Coverage for Crisis Management Expenses:
- Covers expenses to obtain legal assistance to navigate the event, determine which regulatory bodies need to be notified and which laws would apply
- Public relations services to mitigate negative publicity as a result of cyber liability
- Forensic costs incurred to determine the scope of a failure of Network Security and determine whose information was accessed
- Notification to those individuals of the security breach
- Credit monitoring
- Call center to handle inquiries
- Identity fraud expense reimbursement for those individuals affected by the breach
1st Party Coverage
Computer Program and Electronic Data Restoration Expenses Coverage for:
- Expenses incurred to restore data lost from damage to computer systems due to computer virus or unauthorized access
Cyber Extortion Coverage for:
- Money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack on computer system, or disclose electronic data/information
Business Interruption and Additional Expense Coverage for:
- Loss of income, and the extra expense incurred to restore operations, as result of a computer system disruption caused by a virus or other unauthorized computer attack
Carriers
Cyber Insurance Market
A very robust insurance marketplace – expecting growth in 2014 of 40% (+/-)
Domestic and International
Value = Financial Loss Mitigation
• Expertise/Professionals
• Choice by Insured
• Breach Coach
• Preparedness Plans
• Security Audits
• eRisk Hub
CGL Policies… Now What?
Network and Privacy Insurance
Breach Examples
• PREIT (Pennsylvania Real Estate Investment Trust) became the latest firm to disclose that its Human Resources information on employees and their dependents and beneficiaries had been accessed by an unknown third party from an UltiPro-hosted system. PREIT learned of the breach on April 16.
• Real estate management company JCM Partners recently began notifying an undisclosed number of housing applicants that their personal information had been exposed online. On March 6, 2014, the company learned that a file containing housing applicants' names, Social Security numbers, driver's license numbers, e-mail addresses and mailing addresses had been taken from a JCM database and posted on an "unauthorized Web site."
• Computer hackers stole some Las Vegas Sands customers' Social Security and driver's license numbers during a data breach earlier this month, the casino company said Friday. Las Vegas Sands Corp. said in a statement that the information about some patrons at its Bethlehem, Pa., hotel-casino was compromised during the Feb. 10 attack. It was unclear whether credit card information was also taken. Sands said it was still working to determine whether customer information from other properties was breached. The company runs the Italian-themed Venetian and Palazzo on the Las Vegas Strip, and several hotel-casinos in China and Singapore.
• White Lodging Services Corporation – White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin, appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.
• Wyndham Worldwide Corporation – 619,000: Lack of appropriate security measures allowed hackers to steal sensitive personal and financial information from over 619,000 of the company’s customers.
CyberRisk Services – What We Do
What does the CyberRisk Services Group do?
- Educate
- Analyze Exposures/Risks
- Analyze coverage gaps – present/future
- Analyze current coverage
- Benchmark
- Recommend Experts to assist in analysis – all aspects: Security Assessments & Analysis, Legal
- Design Risk Transfer Solutions to match Exposures/Risks
- Dovetail with client appetite
Why Should Educational Institutions Consider Cyber Insurance?
Frequency of Privacy Breaches is on the rise
Network threats and vulnerabilities are getting dramatically worse
Over 46 states have enacted Privacy Laws in response to frequency of Privacy Breaches – Let’s not forget FERPA!
Open networks pose challenges for Information Security
An increasingly technologically sophisticated student population
Trustees recognize the catastrophic nature of Cyber Risks
Students, faculty, alumni demand prudent Risk Management that protects the institution
The plaintiffs’ bar is becoming more active in pursuing class action litigation
Contracts may require Cyber Insurance
Cyber Insurance can mitigate financial impact a breach may have on an institution
What is the financial loss of a security/privacy breach?
Cost to defend and/or settle litigation from Identity Theft
Cost to defend and/or settle litigation from banks to recover the value of re-issuing credit cards or fraudulent transactions
Cost to defend and/or settle regulatory investigations and litigation
Cost to respond to regulatory laws
Cost to defend and/or settle unauthorized access or unauthorized use
Cost to defend and/or settle allegations that malicious code (such as viruses) caused harm to the data or computer systems of 3rd parties
Cost to defend and/or settle allegations that an insured's computer system denied a third party the ability to conduct transactions
It is estimated that the average cost of a security/privacy breach is approx. $194 per record and $5.5m to the entity.
Joe DePaul, Managing Director – CyberRisk Services
Senior Vice President, Management & Professional Liability
Phone: 212-994-7054
Fax: 212-994-7021
Email: [email protected]
Adam Cottini, Area Vice President
Management & Professional Liability
Phone: 212-994-7048
Fax: 212-994-7021
Email: [email protected]
What cyber services are available for Educational Institutions?
The most vigilant network security and most comprehensive privacy policies are vulnerable to hackers, rogue employees, social engineering, and human error
Cyber Insurance for Higher Educational Institutions
Gallagher CyberRisk in coordination with Gallagher’s Higher Education Practice offers Information Risk Management Services and Products specifically designed for the unique cyber exposures of educational institutions.
Coverage is available for:
Network Security Liability – Provides liability coverage if an Insured’s Computer System fails to prevent a Security Breach or a Privacy Breach
Privacy Liability – Provides liability coverage if an Insured fails to protect electronic or non-electronic information in their care custody and control
Media Liability – Covers the Insured for Intellectual Property and Personal Injury perils resulting from an error or omission in content (coverage for Patent and Trade Secrets are generally not provided)
Regulatory Liability – Coverage for lawsuits or investigations by Federal, State, or Foreign regulators relating to Privacy Laws
Notification Expense – 1st Party expenses to comply with Privacy Law notification requirements
Credit Monitoring Expense – 1st Party expenses to comply with Privacy Law Credit Monitoring requirements
Crisis Management – 1st Party expenses to hire a Public Relations firm
Data Recovery – 1st party expenses to recover data damaged on an Insured Computer System as a result of a Failure of Security
Business Interruption – 1st party expenses for lost income from an interruption to an Insured Computer System as a result of a Failure of Security
Cyber Extortion – Payments made to a party threatening to attack an Insured’s Computer System in order to avert a cyber attack
Professional Errors & Omission Liability – Miscellaneous E&O can be added to a policy when applicable
(The above descriptions are a summary of available coverages and do not replace actual policy language)
Arthur J. Gallagher Risk Management Services, Inc. ~ 250 Park Avenue ~ New York, New York 10177 212-994-7100
Gallagher eRisk Hub
As an Arthur J. Gallagher policyholder, you will receive complimentary access to the eRisk Hub® portal, powered by NetDiligence®. eRisk Hub provides tools and resources to help you understand your exposures, establish a response plan and minimize the effects of a breach on your organization.
Key Features of the eRisk Hub Portal
Incident Roadmap – includes suggested steps to take following a network or data breach incident, free consultation with a Breach Coach® and access to a breach response team
News Center – cyber risk stories, security and compliance blogs, security news, risk management events and helpful industry links
Learning Center – best-practices articles, white papers and webinars from leading technical and legal practitioners
Risk Manager Tools – assists you in managing your cyber risk, including a self-assessment, sample policies and state breach notification laws
eRisk Resources – a directory to quickly find external resources with expertise in pre- and post-breach disciplines
The eRisk Hub portal is an effective way to combat cyber losses with minimal, controlled and predictable costs.
“Many company networks are compromised… without them even knowing it.”
THANK YOU
Q&A
Alexandra Glickman, Area Vice Chairman and Managing Director - Practice Leader
Arthur J. Gallagher & Co.
Phone: 818.539.1303
[email protected]
Stan Stahl, Ph.D, President
Citadel Information Group
Phone: 323.428.0441
[email protected]
www.Citadel-Information.com
Joe DePaul, Managing Director
Cyber Risk Services, Arthur J. Gallagher & Co.
Phone: 973.939.3646
[email protected]