Why Do I Need Cyber Liability Insurance?

Cyber Liability Risks

Denial of Service

Electronic Theft

Network Damage

Extortion

Data Theft

CyberCrime

Organized Hacking• 108 Countries with

dedicated cyber attack capabilities (FBI 2007)

• Main source of revenue for Eastern Bloc gangs

• Russian and Sicilian mafias actively recruiting “hacking” experts

Notable Trends Notable Trends in Cyber Crimein Cyber Crime

• Motivation : Huge financial potential is making attackers more sophisticated

• Methods : Attacks are becoming more targeted

• Targets : The workstation (desktop or laptop) and the user is the easiest path into the network

Sources of Data Sources of Data BreachesBreaches

48%

16%

9%

9%

7%5% 4%2%

Laptop/SmartphoneThird PartyPaper RecordsInsiderBackupHacked SystemsMalicious CodeUndisclosed

Potential Cyber Potential Cyber Crime ScenarioCrime Scenario

During his lunch break, an employee opens an “Important Security Update” supposedly from your IT department.

The email contains malicious code designed to discreetly take control of the employee’s desktop.

A remote attacker leverages the desktop to launch subsequent attacks on your backend network.

The attacker gains access to systems with increasing levels of security – eventually compromising a customer database.

Your CEO then receives an email containing the names, addresses and social security numbers of 5,000 of your customers.

The hacker will publish the email on an Internet bulletin board unless he is paid $250,000

Don’t Think That Can Happen?Don’t Think That Can Happen?• AUGUST 22, 2000

SECURITY NET By Alex Salkever

Cyber-Extortion: When Data Is Held Hostage Here's an issue facing more and more e-businesses -- malicious hackers who demand a payoff to keep their security breaches secret

   Under most circumstances, a business decision involving $200,000 wouldn't be important enough to require a personal appearance from the CEO of a $2 billion corporation, let alone a special trip to London from New York. But media titan Michael Bloomberg made such a trip Aug. 10. And he did it to prove that cyber-extortion will not go unpunished at his company.

Bloomberg went to meet with two Kazahks named Oleg Zezov, 27, and Igor Yarimaka, 37, who were allegedly demanding $200,000 in "consulting" fees. For this, they would reveal how they had allegedly compromised the Byzantine Bloomberg computer systems, an exploit the Kazakhs allegedly proved by e-mailing Bloomberg the photograph from his own corporate ID badge.

With thousands of financial institutions and other customers trading billions of dollars daily in stocks and bonds based on information from Bloomberg terminals, the threat of a hacked system could have proven catastrophic for both the media company and its Wall Street customers.

Another Likely Another Likely ScenarioScenario

• Jack’s laptop computer is stolen when he leaves it unattended in an airline club at the Philadelphia Airport. On the laptop are the names, account numbers, credit card numbers, social security numbers and birthdates of 2500 of Galway Bank’s Gold Level customers.The laptop thief is able to quickly sell the customer data to an organized group that makes large purchases over the internet

Notification Notification ExpensesExpenses

• 44 states, the District of Columbia and Puerto Rico have enacted legislation requiring notification of security breaches involving personal information*

* National Conference of State Legislature

What’s the What’s the Notification Notification

Cost?Cost? Notification Expenses average $13

per data record Provided credit monitoring service for

affected customers averages $24 per data record

Miscellaneous expenses average $22 per data record

= $59 per data record!

Any other costs?Any other costs?

Third-party damages for identity theft Lawsuit defense costs Reimbursement to credit card companies Replacement of damaged network Reward expense Lost business revenue do to compromised

network Crisis management expense

Property and Crime Policies generally: Respond only to loss of or damage to tangible property; Exclude indirect or consequential loss Liability Insurance Policies generally: Respond only to loss from defined professional services or defined acts or offenses; Exclude Loss from violations of privacy

Won’t My Insurance Cover That?

Covers liability for monetary damages sustained by a person arising from the actual or potential unauthorized access to that person’s personal information. Includes mental anguish & emotional distress.

E-Business Income Loss Cyber Extortion Expense E-Vandalism Expense Violation of Privacy Notification Expense Covers unauthorized access by employees

Cyber Insurance

Policy Features

Security is a Process

Identify information assets Conduct periodic risk assessments to identify the specific

vulnerabilities your company faces Develop and implement a security program to manage and control

the risks identified Monitor and test the program to ensure that it is effective Continually review and adjust the program in light of ongoing

changes Oversee third party service provider arrangements Maintain training for all staff on Information Security

Christopher L. StricklandChristopher L. StricklandSenior Risk Advisor

Larkin Insurance GroupWorld Headquarters:

310 West Front St. Traverse City,MiPhone: 231.947.8800

Email: cstrickland@larkingrp.comBlog: http://cyberinsurance.wordpress.com