TRANSCRIPT

Page 1: Title

Lockton Companies International Limited. Authorised and regulated by the Financial Services Authority. A Lloyd’s Broker.

Emily Freeman, Technology Risks, Executive Director, Lockton International

[email protected]

Protecting Your Business From Information Thieves: Overview of Security/Privacy Risks and Risk Transfer

EIM conference - February 24, 2009

Page 2: Seismic Shift in Risk

“As operational and security risk change, a broader gap between the protection of risk and the reality of risk is being created.”

Daniel Linsker, head of the Americas Desk, Control Risks, January 12, 2009, interview with The Financial Times

Page 3: Network and Privacy Risk Basics – People, Processes, and Technology in an Ever-Changing Environment

Security Liability: Was unencrypted computerized information, or were paper documents, containing personally identifiable non-public information acquired or accessed by an unauthorized person? (This is the trigger of 44+ state notification laws, with variants; 8-9 states include paper documents.)

• Responsibility is on the data owner worldwide to its customers and employees (even if the data was transferred to a business partner or vendor, whether located on- or offshore).

• It’s not where you are located, but where the affected persons reside.

• Motives range from nuisance/malicious hacking through extortion and terrorism. Identity theft is a business and heavily involves organized crime around the world.

• Constant evolution of threats and attacks, such as social engineering ruses.

Privacy Liability: Violation of privacy laws or regulations that permit individuals to control the collection, access, transmission, use, and accuracy of their personally identifiable financial information. Laws vary substantially by country.

Page 4: Severity Risk and Getting Worse

Impact of vicarious liability resulting from increased outsourcing and off-shoring.

Regulatory enforcement actions (particularly by the U.S. Federal Trade Commission and state attorneys general) for breaches of privacy and security as identity theft continues to grow. Canada and EU regulators are also active.

Significant class action activity and derivative shareholder actions on the back of large security breaches. The largest quantified loss is over $190 ML (T. J. Maxx).

Utilities are “creditors” and accept credit cards. Credit card associations regulate security practices surrounding credit card information and have requirements for notice and the ability to fine, among other things. Issuing banks are willing to sue the merchant or processor who caused the security breach to recover their costs to close compromised credit card accounts and reopen them.

Page 5: Important 2008 Developments

United States: Minnesota Plastic Card Security Act (Effective 8/1/2007; liability provisions 8/1/2008) – first state to turn a core requirement of PCI into a law. Companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards. They could also be subject to lawsuits filed by individuals claiming to have been affected by violations of the law. Note: Some packaged payment applications store personal identification numbers and other prohibited card information by default.

Red Flags – 2008 FACTA Expansion (Effective 5/1/09) – Board-approved identity theft prevention program. Applies to financial institutions and to utilities that fit under the definition of “creditor”.

California Expansion of Notification Statute to Medical Data – AB1298 (Effective 1/1/2008) – expands notification requirements to first initial/last name associated with medical information and health insurance information to the list of covered data elements.

Identity Theft Enforcement and Restitution Act (federal bill approved by US Senate, pending in the House of Representatives). The amended bill would impose harsher restrictions on cyber attacks and allows ID theft victims to recoup costs in federal courts associated with the loss of time and money spent restoring their credit standing.

Massachusetts Security Rules (Effective 1/1/10) – strongest state rules regarding protection of personal data of Mass-based employees and residents, regardless of where the data owner is located.

EU and other countries like Canada and Australia are moving to mandatory notification requirements.

Page 6: Who, Why, and Common Themes Metrics

Who is behind data breaches? (Verizon 2008 Data Breach Investigations Report, based upon 4 years and over 500 forensic engagements)

• 73% resulted from external sources

• 18% were caused by insiders

• 39% implicated business partners or vendors (rose five-fold over 4 years of the study)

• 30% involved multiple parties

How do breaches occur (many in a combination of causes)?

• 62% were attributed to a significant error

• 59% resulted from hacking and intrusions (choice of cyber criminals)

• 31% incorporated malicious code or malware (major target - application layer)

• 22% exploited a vulnerability (90% of such had identifiable patches at least six months prior to the breach)

• 15% were due to physical threats

What commonalities exist in these events?

• 66% involved data the victim did not know was on the system (most commonly, the victim did not know the data was on the compromised system, laptop, or other mobile device)

• 75% of breaches were not discovered by the victim (but by others like banks, law enforcement, etc.).

• 83% of attacks were not highly difficult

• 85% of breaches were the result of opportunistic attacks

• 87% were considered avoidable through reasonable controls

Page 7: Magnitude?

• According to the CEO of McAfee (Information Week, 2007): worldwide data losses now represent $40 billion in losses to affected companies and individuals, and cyber crime has become a $105 billion business that now surpasses the value of the illegal drug trade worldwide.

• High tech thieves – come armed with a keyboard.

• By year-end 2008, the total number of breaches on the Identity Theft Resource Center’s breach list reached 656, reflecting an increase of 47% over last year’s total of 446. More than 35 million data records have been exposed. (www.identitytheftresourcecenter.com).

• Largest incidents/estimated number of records:

  • 90 ML+ (Heartland Payments/2009)

  • 94 ML (TJX companies/2007)

  • 40 ML (CardSystems Solutions/2005)

  • 30 ML (AOL/2004)

  • 25 ML (HM Customs and Revenue, UK/2007)

  • 26.5 ML (US VA/2006)

  • 8.5 ML (FNIS/2007)

  • 6.3 ML (TD Ameritrade/2007)

Page 8: Direct Loss of Data Breaches

Data breach front-end direct costs are a major component of loss.

Direct costs average $6.6 ML, with variance by industry and by whether fraud/identity theft is involved.

The per capita cost of a data breach has gone up more than 31% in the past year when the four activities associated with detecting and dealing with a breach are taken into account. (Ponemon 2008 Annual Study of a Data Breach)

Cost per record (US$)     2006    2007    2008

Detection & escalation     $11      $9      $8
Notification               $25     $15     $15
Response                   $47     $46     $39
Lost business              $98    $128    $139
Total                     $181    $199    $202

(Components are rounded; the 2007 and 2008 columns do not sum exactly to the totals shown.)

Page 9: Sample Claim

A financial services provider loses a data tape containing unencrypted customer account data (not credit cards). A class action lawsuit follows, resulting in the following costs:

• Technical Forensics $900,000

• ID Theft Forensics $2,900,000

• Mailing costs $2,200,000 (includes secondary notification to “class”)

• Call Center $75,000 (most handled in-house)

• Credit Monitoring $2,500,000

• Additional Loss Mitigation $2,500,000

• Outside attorney expenses $1,100,000

• Additional Settlement Costs $5,000,000 (including plaintiffs’ fees)

Total – $16,175,000 as stated on the slide; the itemized costs above sum to $17,175,000. (The average security breach in the US currently costs $6.3 ML.)

Page 10: Impact of Cyber Risk

[Diagram: areas of impact of cyber risk on Your Company – Operations; Litigation and Regulatory Exposures; Financial; Brand Equity; Assets]

Page 11: Impact on Brand

According to the Javelin Research & Strategy Customer Survey on Data Breach Notification (June 2008), the major findings are:

• For 40% of consumers, security breaches changed their relationships with the affected institution or business.

• Confidence and buyer behavior are severely impacted by security breaches, with 55% of victims trusting the affected organization less, and 30% choosing to never purchase goods or services again from that organization.

• Breach victims are beginning to expect fraud protection assistance from the institution, with 36% already having been offered some kind of identity fraud protection service.

• The majority of breach victims (56%) prefer a solution that prevents fraudulent use of their information, rather than detecting or resolving fraud after it has occurred.

Page 12: Security in An Outsourced World

Business Associates/Partners:

• BPO

• ITO, such as IT programming/code maintenance

• Hosting, IT security management and support

• Accounting

• Customer relations

• Call center

• Customer support

• Fulfillment

• Telemarketing

• HR and Payroll

• Employee Benefits

• Data storage/repository

Page 13

Global BPO market size, 2008 estimate: $270 billion, growing 7-10% annually (Source: Everest Research Institute and Gartner).

India is the leading offshore destination for Business Process Outsourcing services.

Page 14: Vendor Management and Contract Governance

Lockton client service offering providing guidance in setting up a vendor management plan to address security and data breaches, including:

• Checklist for due diligence; IT security questionnaire

• Ideas for contractual provisions (to be referred to attorneys in the legal department)

• Insurance clause provisions

• Workshops

• Outside resources

Page 15: Sample Insurance Clause

“Vendor agrees to purchase and maintain throughout the term of this Agreement technology/professional liability insurance, intellectual property infringement, and data protection liability insurance (cyber liability) covering liabilities for financial loss resulting or arising from acts, errors, or omissions, in rendering [type of service] or in connection with the services provided under this agreement:

• intellectual property infringement arising out of software and/or content (excluding patent infringement and misappropriation of trade secrets);

• breaches of security;

• violation or infringement of any right of privacy, or breach of federal, state, or foreign security and/or privacy laws or regulations, including but not limited to [specific regulations];

• data theft, damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, identity theft, theft of personally identifiable information or confidential corporate information, transmission of a computer virus or other type of malicious code; and participation in a denial of service attack on a third party

with a minimum limit of [$X,000,000] each and every claim and in the aggregate. Such insurance must address all of the foregoing without limitation if caused by an employee of the Vendor or an independent contractor working on behalf of the Vendor in performing services under this contract. Policy must provide coverage for wrongful acts, claims, and lawsuits anywhere in the world. Insurer must have a Best's rating of [ ] or better. Any material change in the policy or cancellation must be reported to the Client with not less than thirty (30) days prior written notice. The policy must be kept in force during the life of the contract and for [ ] years (either as a policy in force or extended reporting period) after contract termination. Vendor shall provide a Certificate of Insurance in compliance with these requirements and client reserves the right to obtain a copy of the professional liability and data protection liability insurance policy.”

Additional Issues: Additional Insured Status, Waivers of Subrogation, Primary, Separation of Insureds, etc.

Page 16: Security Breach Incident Response

Lockton client service offering providing guidance in setting up a risk management plan and process to address data breaches, including:

• Process guidelines

• Content and scope of plan

• Workshops and meetings to assist client team

• Outside resources (legal, forensics, credit protection resources, etc.)

Page 17: Why should you transfer data protection risks through your own insurance program?

Many functions are conducted by outside vendors and contractors who may lack the insurance and assets to respond. What if the vendor makes a systemic mistake? What if they fail to purchase insurance or to keep it? What if they are located in a country where this insurance cannot be obtained? What if the policy they purchased denies coverage or has inadequate limits?

PCI-compliant companies (PCI being the credit card industry security standard) have had their security compromised through process lapses, human error, or a criminal insider.

No system can be designed to eliminate the potential for loss, as people and process failures cannot be eliminated. Insiders may be perpetrators.

Responsibility rests with the data owner from a legal and regulatory perspective and under credit card association operating regulations.

Investor fallout from uncovered losses, with large claim and class action potential and major impact on brand and reputation.

Traditional insurance does not cover security liability or adequately cover privacy risks – we provide gap analysis assistance to support this conclusion.

Page 18: Network and Privacy Insurance

There is no common insurance language – each underwriter offers a different base product. We modify and manuscript language to meet client needs quite often.

Focus on the quality of the coverage, experience of the underwriter, approach to managing claims, and insurance limits for severity exposure.

Cyber Liability capacity - $150 ML +

First Party capacity - $50 ML

We have a standard of coverage expressed as specifications or coverage requests that we use to analyze quote options provided by insurers/underwriters. We organize these by criticality to make sure our coverage comparison highlights these issues.

Sample major issues:

• Control of defense and appointment of counsel

• Full vicarious liability, as well as direct liability

• Scope and limits of notification/crisis management

• Exclusions that may impose warranties of specific security practices, or that carve back coverage (Hiscox contractual and encryption exclusions, or AIG “shortcomings in security”, for example).

Page 19: Cyber Liability Coverages

Worldwide coverage

Civil Liability

• Defense costs

• Single/class action

• Potential plaintiffs can include the affected group, financial institutions, etc.

Privacy/Security Regulation Actions (aggregate sublimit)

• Defense costs

• Payment of civil fine or penalty

• Regulatory compensatory award

Notification and Crisis Management Costs (aggregate sublimit). In 2009, limits available are well above $1 ML.

• Mailing costs

• Offers of services to the affected group (which may be voluntary), including credit reports, credit monitoring, credit protection, identity theft insurance, etc.

• Computer forensics outside experts

• Outside PR and legal advice

• Professional call center

• Other costs associated with credit card association rules

Page 20: First Party Network and Data Risks

Wide variety of coverage in the marketplace, some monoline and others as separate coverage parts/modules in a combination first/third party policy, including:

• Cyber Extortion

• Reputational harm from data breach coverage (Lockton London line slip)

• Electronic information assets (data, programs, etc.) damaged, corrupted, deleted, etc. by computer attacks, media damage, operational mistakes, and other causes

• Direct non-physical damage to network – look carefully at the waiting period, scope of coverage, and any indemnity limit per hour!

• Operational mistakes (Lockton London line slip)

• Malicious Code (viruses), Vandalism/Malicious Acts, and Terrorism

• Denial of Service

• Contingent Business Interruption (caused by non-physical damage)

• Co-dependency on Other Vendors’ Infrastructure (BPO and IT)

• Off-shoring extra expense (Lockton London line slip)

Page 21: Underwriting Process

Submission: Application and supporting documents – IT security questionnaire (typical); may include PCI certification, third party security assessments, BCP plan, claim/circumstance/mitigation information, SAS70, etc.

Lockton specifications and coverage requests.

Underwriters (and perhaps their IT security consultant) request a security conference call with the IT security officer of the applicant to discuss controls in more detail prior to binding.

For more complex accounts, Lockton hosts an underwriter conference call or meeting to provide a more comprehensive overview of operations, controls, and coverage requirements.

Page 22: Summary Points

• Identifying, preventing, mitigating and transferring privacy/security risk is a major priority, particularly in high-compliance industries (such as utilities), for any company that accepts a debit or credit card as a form of payment, and for publicly traded companies.

• Outsourcing and offshoring are a fact of life, but definitely increase data protection risks. A vendor management process is needed which includes due diligence, contract protections, and vendor insurance requirements.

• This is a risk of survivability, not invincibility. Develop a team and a plan for data breach incident response, just like your contingency plans for other threats.

• Clients should consider insurance protection, either in combination with professional liability coverage or as stand-alone coverage. Insurance is not a substitute for best security practices, but deals with the potential severity risk you cannot prevent.

• Quality of coverage and management of claims are very important, as is the experience of the underwriter; be a thoughtful buyer.

Page 23: Lockton Resources

Contact information: [email protected]

Specialization within Lockton’s Financial Services (LFS) with a network of technology specialists and Lockton International’s Professions Practice.

LFS is a national practice group specializing in D&O, EPL, Fiduciary, Crime, Special Crime, and Cyber Liability.

The core team is comprised of professionals in London with specialized technology and cyber experience, linking with a team of technology/cyber specialists throughout the U.S.

Risk management services include:

• Incident Breach Response Plan

• Vendor Risk Management Program

Customized insurance solutions include:

• Technology and telecom errors and omissions

• Multimedia Liability

• Intellectual property infringement, including patents

• Operational Risk – first party coverage for data, programs, and networks

• Data Protection Liability (Security and Privacy Liability)

• Reputational Harm