Cyber Liability Insurance: Why we have it & How it works
Doug Selix, MBA, CISSP, CISM, PMP - DES Office of Risk Management
April 9, 2015
SBCTC – IT Commission Meeting
Jan 19, 2016
Agenda
1. Cyber Liability Incidents
2. Cyber Liability Risks
3. Cyber Liability Risks Exposure
4. What Happens if “it” Happens?
5. Cyber Liability Insurance
Key Definitions
Cyber Security is defined as: “Measures taken to protect a computer or computer system (as on the Internet) and the data they contain against unauthorized access or attack.”
Cyber Risk is defined as: “The possibility that data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data.”
Doug’s Version – What happens when Cyber Security measures are not effective in protecting an organization’s electronic data or computer systems from unauthorized access or attack.
Key Definitions
Cyber Risk Loss Exposure is defined as: “Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.”
Doug’s Version – Costs arising from 1st party damages and 3rd party liabilities resulting from the use of your computer systems.
Switch Gears – Why We Need Cyber Liability Insurance
Stuff Happens! Not a matter of “if”, but a matter of “when”
Incidents - The Big Picture: Significant Data Breach Events
The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft, or exposure of personally identifiable information (PII).
Source: www.InformationisBeautiful.com

Breaches in Academia
Source: www.InformationisBeautiful.com
Incidents - Education: Instructional Data Breach Events
• Maricopa Community Colleges – as of April 2013: 2.4 Million Student and Employee Records; $12 Million cost; IT Director fired for dereliction of duty; 2 Lawsuits
• Administrator of the Courts – May 2013: 1 Million WDL and 160K SSNs; Web site hacked
• University of Washington – 2013: 90,000 patient records; email-based attack
• Eastern Washington University – 2009: 130,000 student records; Hack attack
Switch Gears – What Risks are Covered by Cyber Liability Insurance?
Cyber Liability Risks
• Any condition that presents the possibility of financial loss as a consequence of using advanced technology.
• Sample Adverse Impacts
– Harm to Operations
– Harm to Assets
– Harm to Individuals
– Harm to Other Organizations
– Harm to the Nation
Source: NIST SP 800-30
Cyber Liability Risks
• Cost to comply with Breach Notification Regulations
– RCW 42.56.590
– FERPA
– HIPAA
– PCI
– IRS Publication 1075
Cyber Liability Insurance – Common Coverage Areas
• Information Security & Privacy Liability
• Privacy Notification Costs
• Regulatory Defense and Penalties
• Website Media Content Liability
• Cyber Extortion
• First Party Data Protection
• First Party Network Business Interruption
See APIP Document
Cyber Risk – Devil’s in the Detail
Source: NIST SP 800-30, NIST SP 800-39
Switch Gears – Cyber Risk Exposure
How Much Cyber Liability Insurance do you need?
Risk Exposure – Mostly About Data
• Data that can cause financial harm to your agency “if” it is not kept secure includes:
– Personally identifiable information (RCW 42.56.590)
– Electronic personal health information (HIPAA Security Rule)
– Credit card information (PCI Data Security Standard)
– Bank account information used to process electronic fund transfers or payments
– IRS tax information (IRS 1075)
– Student education information (FERPA)
– Data protected by attorney-client privilege
– Criminal justice information (FBI CJIS standards)
– Proprietary information (agreement, contract, or license)
Risk Exposure – Cost Factors
• Example: Costs associated with breach notification
– $3 per record minimum cost – EWU 2009 breach actual cost
– ~$107 – Estimated public sector cost per record in a data breach (Ponemon Institute 2014 US Cost of a Data Security Breach Report)

Sources of Data Breach Cost (table columns): Breach Response, Analysis, and Forensics; Breach Notification; Regulatory Fines; Pre-Claim Loss Control; Significant 3rd Party Cost Claims; Post-Claim Litigation; Cyber Extortion; Loss of Reputation

Data Types with Liability Risk (table rows; number of cost-source columns marked X for each):
– Credit card information – 7
– Electronic personal health information – 6
– Bank account information – 8
– Personally identifiable information – 6
– IRS tax information – 7
– Student education information – 6
– Data protected by attorney-client privilege – 6
– Criminal justice information – 6
– Proprietary information – 6
ORM 2014 Data Survey Results
• SBCTC & Community College View
As of 6/3/2014

Data Types with Liability Risk            Yes   No   Total
Credit Card Data at Rest in Agency         32    0    32
Electronic Personal Health Information     24    8    32
Bank Account Information                   25    7    32
Personally Identifiable Information        31    1    32
IRS Tax Information                        31    1    32
Student Education Information              32    0    32
Attorney-Client Privilege                  28    4    32
Criminal Justice Information               14   18    32
Proprietary Information                    21   11    32
Estimating Your Cyber Risk Exposure
• Compute Cyber Liability Risk Exposure
• Need to Document Your Confidential Data
• Use Risk Assessment Worksheet

Sample - Data Breach Risk Exposure Worksheet

Worksheet columns:
– Type of Data; Unique Records; Data Source; Data Location; Data Shared With; Applicable Data Security Regulation
– Data Breach Impact: Notification; Root Cause Investigation; Regulatory Fines; Credit Monitoring for 3rd Parties; Legal Defense; Damages to 3rd Parties
– Cost of a Data Breach Estimate: Cost per Record to Notify; 2014 Public Sector Market Cost per Record (Note 1); Regulatory Fine Cost (Note 2); Min Cost Estimate; Max Cost Estimate; Most Likely Cost for full notification and credit services; Notice Cost Limit (RCW 42.56.590.7c) (Note 3); Regulatory Fines; Most Likely Cost (Net)
– Funding Source: Agency Budget; PEPIP Cyber Liability Insurance; Cyber Liability Insurance AIG Layer

Sample rows (Data Source, Data Location and Data Shared With are blank in the sample):
– System 1 (PII): 0 unique records; RCW 42.56.590; impacts: Notification Yes, Root Cause Investigation Yes, Regulatory Fines No, Credit Monitoring No, Legal Defense No, Damages to 3rd Parties No; $3 to notify / $107 market cost per record; regulatory fine cost 0; min $0, max $0, most likely $0; notice cost limit $250,000; regulatory fines $0; most likely cost (net) $250,000; funding: Agency Budget $100,000, PEPIP $150,000, AIG $0
– System 2 (HIPAA): 0 unique records; HIPAA; impacts: Yes, Yes, Yes, No, No, No; $3 / $107; regulatory fine cost 1,000,000; min $1,000,000, max $1,000,000, most likely $1,000,000; notice cost limit $0; regulatory fines $1,000,000; most likely cost (net) $1,000,000; funding: Agency Budget $100,000, PEPIP $900,000, AIG $0
– System 3 (Credit Card): 0 unique records; PCI; impacts: Yes, Yes, Yes, Yes, Yes, Yes; $3 / $107; regulatory fine cost 0; min $0, max $0, most likely $0; notice cost limit $0; regulatory fines $0; most likely cost (net) $0; funding: Agency Budget $0, PEPIP $0, AIG $0
– System 4 (Bank Accounts): 0 unique records; RCW 42.56.590; impacts: Yes, Yes, No, No, No, No; $3 / $107; regulatory fine cost 0; min $0, max $0, most likely $0; notice cost limit $250,000; regulatory fines $0; most likely cost (net) $250,000; funding: Agency Budget $100,000, PEPIP $150,000, AIG $0
– System 5 (IRS Pub 1075): 0 unique records; IRS Publication 1075; impacts: Yes, Yes, Yes, No, No, No; $3 / $107; regulatory fine cost 0; min $0, max $0, most likely $0; notice cost limit $250,000; regulatory fines $0; most likely cost (net) $250,000; funding: Agency Budget $100,000, PEPIP $150,000, AIG $0
– System 6 (FERPA): 0 unique records; FERPA; impacts: Yes, Yes, No, No, No, No; $3 / $107; regulatory fine cost 0; min $0, max $0, most likely $0; notice cost limit $250,000; regulatory fines $0; most likely cost (net) $250,000; funding: Agency Budget $100,000, PEPIP $150,000, AIG $0
– Maximum Data Breach Risk Exposure (totals row, as shown): 0 $1,000,000 $1,000,000 $1,000,000 $250,000 $1,000,000 $0

Uninsured Risk Exposure if Agency is in the Master Property Insurance Program
Security Breach Risk Exposure if Agency is NOT in the Master Property Insurance Program

NOTES:
NOTE 1 – The high estimate is based on $172 per record cost for the Public Sector that comes from the 2014 Ponemon Institute Cost of a Data Breach Study. That study also breaks down the elements of this cost. One element they include is "Lost Customer Business". We have removed this from the estimate above because the State is a monopoly. If we have a breach we will not lose business. Our planning number is $107.
NOTE 2 – a) IRS Fine based on $25/record; b) HIPAA Fine – Arbitrary estimate based on HHS/OCR cases
NOTE 3 – RCW 42.56.590 allows agencies to use mass media for notification if the cost is over $250,000 or the number of notices exceeds 500,000. The estimate assumes we would use this provision in the event of a breach.

Call me, we can do this together. See Handout No. 1
Switch Gears – What Happens if “it” Happens?
Security Event Incident Response
Who’s Got The Plan?
Follow Your Plan, Right?
Incident Response Team Follows the Plan
“Good” Security is Planned – Breach Response
• Use the NIST Cyber Security Framework: http://www.nist.gov/cyberframework/
Or Maybe Not
• We can deal with whatever comes up…
“Good” Computer Security Incident Response is also Planned
• NIST – Computer Security Incident Handling Guide (SP 800-61 R2)
The OCIO Has a Plan
• IT Security Incident Communication Policy
1. Agencies shall report all IT security incidents to the OCIO
2. CTS Security shall investigate to determine degree of severity and assist with mitigation
3. CTS Security shall notify the OCIO (if required)
4. OCIO will convene a Security Incident Communication Team (if required)
5. OCIO will authorize coordinated release of public notification with breached agency(s) (if required)
The OCIO Has a Plan
Step 3 – CTS Security shall notify the OCIO (if required)
– CTS Security will notify OCIO and AGO for OCIO
– At this time the CTS Security Officer, in conjunction with the Washington State Office of the Attorney General, will also provide the CISO with an informed opinion as to whether or not the severity of the incident’s impact warrants public notification as required by law
Most IT/IR Guidance Stops Short
Focus tends to be on putting out the flame.
Fire is out, who cleans up the mess?
What we have so far:
• Policy to prevent breaches by implementing security best practices
• Resources (CTS Security) to react to the breach.
• State policy to manage public notification when breaches do occur.
What we Don’t Have:
• A State level plan for dealing with the impact from a breach that includes:
– Access to highly skilled legal and public relations resources to advise the OCIO, AGO, and agency leadership during a breach event.
– Access to risk financing resources to recover losses from the breach
– Access to production capacity to do the work necessary to comply with breach notification regulations
Today
• Who cleans up the mess?
– The Affected Agency
• How will they do it?
– Small breach – Deal with it internally
– Big breach – Depends?
• May have Cyber Liability Insurance
• May not – have to dip into reserves or ask for budget
Switch Gears – Cyber Liability Insurance? (Provides Response Resources)
Cyber Liability Insurance
• Current Policy (APIP) - “Alliant Property Insurance Program”
• Agency must be on the State Master Property Insurance Policy to have APIP Cyber Liability Insurance
• Aggregate limits apply
– $25M for APIP Pool
– $2M for State of Washington
Warning: Not All Colleges and Universities have this policy
Agencies on this list have some Cyber Liability Insurance (each is marked on the slide as either a 4 Year University or College or a 2 Yr College):
BOARD OF INDUSTRIAL INSURANCE APPEALS
EASTERN WASHINGTON UNIVERSITY
EVERGREEN STATE COLLEGE
WESTERN WASHINGTON UNIVERSITY
BELLEVUE COLLEGE
BELLINGHAM TECHNICAL COLLEGE
BIG BEND COMMUNITY COLLEGE
CENTRAL WASHINGTON UNIVERSITY
CENTRALIA COLLEGE
CLARK COLLEGE
CLOVER PARK TECHNICAL COLLEGE
COLUMBIA BASIN COMMUNITY COLLEGE
COMMUNITY COLLEGES OF SPOKANE
EDMONDS COMMUNITY COLLEGE
EVERETT COMMUNITY COLLEGE
GRAYS HARBOR COLLEGE
GREEN RIVER COMMUNITY COLLEGE
HIGHLINE COMMUNITY COLLEGE
LOWER COLUMBIA COMMUNITY COLLEGE
OLYMPIC COLLEGE
PENINSULA COLLEGE
PIERCE COLLEGE
RENTON TECHNICAL COLLEGE
SEATTLE COLLEGES (NORTH SEATTLE COLLEGE)
SEATTLE COLLEGES (SEATTLE CENTRAL COLLEGE)
SHORELINE COMMUNITY COLLEGE
SKAGIT VALLEY COLLEGE
SOUTH PUGET SOUND COMMUNITY COLLEGE
TACOMA COMMUNITY COLLEGE
WALLA WALLA COMMUNITY COLLEGE
WHATCOM COMMUNITY COLLEGE
YAKIMA VALLEY COMMUNITY COLLEGE
APIP Cyber Liability Insurance
• Cyber Liability General Coverages ($100K Deductible)
– $2M Information Security & Privacy Liability
– $500K Privacy Notification Cost, $1M if carrier's preferred vendors are utilized
– $2M Regulatory Defense and Penalties
– $2M Website Media Content Liability
– $2M Cyber Extortion Loss
– $2M Data Protection Loss and Business Interruption Loss
APIP Details
• Sent Details to your Risk Manager
• And to You
Montana Lessons Learned – May 2014 HIPAA Breach
1.3 Million Dept. of Health Patient Records.
• APIP Cyber Liability Insurance Worked
• Response Services Worked
• Rapid Response
• Event Management
• Forensic Analysis
– Root Cause
– Determine Data Exposure
• Legal Services
• Public Relations Services
• Notification Production
• Call Center Operation
• Manage Internal Reporting (Gov)
We have a Plan
Cyber Liability Insurance Activation Process (DRAFT) V5 – flowchart; boxes as extracted, in order:
– Day-To-Day IT Security Events
– Data Security Incident Response Process
– Technical Investigation Continues
– Activate Business Incident Response Team
– Data Breach Suspected or Detected
– CTS S.O.C. Surveillance
– Agency Learns of Breach
– CTS S.O.C. and Agency Investigation
– CTS S.O.C. Notifies OCIO & AGO
– Law Enforcement
– Root Cause Analysis
– CTS S.O.C. Incident Report
– AGO Response Team
– OCIO Response Team
– Assess Need for Beazley Provided Expertise with Dept. Head and Governor
– Determine if Compliance Regulations are In-Play
– AGO Activates Risk Management Resources
– If “YES”: Notify Beazley of Potential Cyber Liability Incident
– Notify Agency Risk Manager
– State Risk Management Office
– Determine Scope of Data Breach
– AGO Appoints Available Beazley Provided Legal Services Panel Counsel
– Beazley Informs Office of Risk Management about Available Support Resources
– Beazley Computer Expert Service Resource works with affected Agency and CTS S.O.C. to Determine Incident Scope (What Data)
– Inform Agency, AGO and State Risk Manager of Determination
– If Needed – Engage Beazley Notification Services
– If Needed – Engage Beazley Breach Resolution and Mitigation Services
– If Needed – File a Claim with Beazley: Regulatory Defense and Penalties; Information Security and Privacy Liability; Website Content Liability; Cyber Extortion; First Party Data Protection; First Party Network Business Interruption
– Notify ORM
– Provide Legal Services to Agency
– Risk Manager
– Print and Mail Notices
– Stand-Up Call Center
– Provide Credit Monitoring Services
– Beazley Services Provided to Affected Agency
– Beazley Cost Recovery Provided to Affected Agency

Cyber liability general coverage ($100K Deductible):
O $2M Information Security & Privacy Liability
O $1M if carrier's preferred vendors are utilized
O $2M Regulatory Defense and Penalties
O $2M Website Media Content Liability
O $2M Cyber Extortion Loss
O $2M Data Protection Loss and Business Interruption Loss

Legend: Beazley Provided Resources – Green = Financial Resources; Brown = Services

Assumptions:
- Current OCIO Incident Communications Policy in Place
- AGO will facilitate preliminary business decision regarding Cyber Insurance Assistance
- AGO will communicate to ORM requesting Cyber Insurance Assistance
- S.O.C. means CTS Security Operations Center

NOTES:
- We pay Beazley provided resources if the cost for the response effort exceeds the amount of available insurance coverage less retention.

See Handout No. 2
How will APIP Work for you?
• Based on decision in Step 3 of the OCIO Incident Communication Plan
– AGO will notify the Office of Risk Management if we need to file a claim with our Cyber Liability Insurance carrier.
– Cyber Liability Insurance will provide resources to the Agency
Is There State Level Cyber Liability Insurance?
• No, APIP is all we have
• 2014 – Decision Package for $30M CL Policy
• Did not make it into Governor’s Budget
• ASK ME “WHY”
OCIO IT Budget Requests Prioritized for FY 15-17
Academic Point
• Insurance is about “Risk Finance”
• Risks can be Avoided, Reduced, Accepted, or Transferred.
• Insurance is how we transfer Financial Risk Exposure
• Cyber Liability Insurance is not a Technology Topic, it is a Finance Topic

Cyber Insurance Lumped With IT Proposals – Next to Last Priority
Switch Gears – Can Your Agency Buy More Cyber Liability Insurance?
Additional Cyber Liability Insurance is Available
• Each Agency must decide how much is needed based on your Risk Exposure
• Agency completes an application
• Get application from Office of Risk Management (ORM)
• Return to ORM, ORM Submits to Broker
• Broker will develop a quote
• Advantages:
– No aggregate Limits
– Lower retention possible
– Sized to fit the agency risk exposure
• Example: CWU AIG Quote ($3M for $33K, $5M for $44K)
Next Steps
• We need to measure your Cyber Liability Risk Exposure – Send me your completed spreadsheets
• IT Commission could recommend more Cyber Liability Insurance
– Each College buy their own policy
– Buy one policy for all 34 Colleges
• Call me if you need help telling this story to your management
Questions
Thank you!

Doug Selix, CISM, CISSP, PMP
Cyber Liability Program Manager
Department of Enterprise Services
Office of Risk Management
Office Phone: 360-407-8081
Email: [email protected]
Cyber Liability Program