Network Security & Privacy Risk: Are you prepared?

Oct 03, 2021

Page 1: Network Security & Privacy Risk: Are you prepared?

Network Security & Privacy Risk:

Are you prepared?

Wells Fargo Insurance

2015

Products and services are offered through Wells Fargo Insurance Services USA, Inc. and Wells Fargo Insurance Services of West Virginia, Inc., non-bank insurance agency affiliates of Wells Fargo & Company. Products and services are underwritten by unaffiliated insurance companies except crop and flood insurance, which may be underwritten by an affiliate, Rural Community Insurance Company. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other. ©2014 Wells Fargo Insurance Services USA, Inc. All rights reserved. Confidential. For discussion and general information purposes only.

Page 2

What is a breach?

Page 3

What is a privacy breach / security breach?

Privacy breach:

The theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third party corporate confidential information that is in the care, custody or control of the organization or an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the Organization.

Computer security breach:

The inability of a third party, who is authorized to do so, to gain access to an organization’s systems or services;

The failure to prevent unauthorized access to an organization’s computer systems that results in deletion, corruption or theft of data;

A denial of service attack against an organization’s internet sites or computer systems; or

The failure to prevent transmission of malicious code from an organization’s systems to a third party computers and/or systems.

Page 4

How do data breaches occur?

The slide shows a 2x2 grid with the axes Accidental / Intentional and Internal / External; the breach sources plotted on it are:

Lost devices and inadvertent publication of data

Hackers and unsecured websites

Vendors and subcontractors

Disgruntled employees

Page 5

The C-Suite: Balancing the Needs

Diagram of the needs the executive team must balance ‒ Legal & regulatory, Business & financial, and Technology ‒ across the CIO / CTO, CLO / CRO, CFO / COO, and the CEO and Board.

Page 6

Statistics

Page 7

Verizon 2014 data breach investigations report: By the numbers

35% web app attacks

22% cyber espionage

9% card skimmers

14% POS intrusions

1,367 confirmed data breaches (up from 621 in 2013)

63,437 reported security incidents (up from 47,000 in 2013)

95 countries represented (up from 27 in 2013)

Source: Verizon 2014 Data Breach Investigations Report, using 50 contributing global organizations.

Page 8

Verizon 2014 data breach investigations report

Charts: 1,367 confirmed breaches – top 3 industry classes; 63,437 incidents – how did they occur?

Confirmed data breach by industry

Page 9

NetDiligence 2014 claims study: preliminary findings

Data sample size – 120 insured claims

Company size: Micro/Nano-cap (under $300 million) organizations experienced the most incidents (47% combined). Mid-Cap organizations ($2-$10 billion) lost the most records.

Data type: PII – 41%; PHI – 21%; PCI – 19%

Cause of loss: Hackers – 30%; Staff mistakes – 14%; Malware/virus – 12% (*In 2013, stolen laptops were #1)

Business sectors: Healthcare sector – 23%; Financial services – 22%; Retail – 10%

Page 10

NetDiligence 2014 claims study

Chart: Percentage of breaches by data type

Source: Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2014 Study (sample size = 120 insured claims)

Page 11

NetDiligence 2014 claims study

Chart: Percentage of breaches by cause of loss

Source: Cyber Risk Claims: A Review of Industry Losses Paid Out – NetDiligence® 2014 Study (sample size = 120 insured claims)

Page 12

In the headlines…

AvMed Health, March 2014

“Recent Litigation Has Been More Favorable to the Plaintiff’s Bar”

Class action settlement for $3 million offered to 460,000 individuals whose personal information was contained on two stolen unencrypted laptops.

State of South Carolina, October 2012

Approximately 5.7 million Social Security numbers and 387,000 credit card numbers were exposed via a compromised server. At last report, the state is earmarking $27 million for the event in total.

Texas Health and Human Services, November 2014

A vendor failed to return computer equipment as well as paper records of 2 million Medicaid recipients, putting the Department out of compliance with federal regulations and at risk of fines. The department made notification to the individuals.

Concentra, April 2014

“Concentra, HCA Health Plan HIPAA Settlements Emphasize HHS’ Focus on Breach Risks Relating to Unencrypted Laptops”

$1.7 million fine plus $250,000 to resolve OCR investigation.

Page 13

Events happen every day

April 2015: Damariscotta (ME) County Sheriff’s Department; extortion

April 2015: Grapevine Police Department (TX); hack to dashboard cam

November 2014: Texas Department of Health and Human Services; unsecured vendor hardware

November 2014: State Compensation Insurance Fund (CA); vendor data breach of Fund records

November 2014: US Weather System (DC); hack to satellite (China)

November 2014: US Postal Service (SC); hack to employee data (China); 800,000 employee records compromised

October 2014: Oregon Employment Department (OR); hack to employment records; 850,000 records compromised

October 2014: Georgia Department of Behavioral and Developmental Disabilities (GA); stolen employee laptop; 3,397 records compromised

October 2014: Department of Human Services Office of Behavioral Health of Denver (CO); postcards for survey included PHI; 15,000 records compromised

September 2014: Health and Human Services Agency (CA); lost thumb drive containing PHI

Page 14

Current Regulatory and Legal Environment

Page 15

Legal issues and the regulatory environment

Legally mandated:

47 states with privacy breach notification laws ‒ Recent federal executive orders – will federal legislation finally be passed? Will it preempt?

HIPAA/HITECH regulations

FTC ‒ Federal Trade Commission Act Section 5, Red Flags

State Consumer Protection Laws ‒ California’s Song-Beverly Credit Card Act

Foreign laws and regulations ‒ EU Privacy Directive – broader than US laws

Other federal laws ‒ SEC Guidance, COPPA, FCRA, FACTA, etc.

Industry standard:

PCI DSS compliance

‒ Required if storing, processing or transmitting payment card data

‒ Significant fines, penalties and costs assessed

Contractual obligations

‒ Increasingly included in insurance provisions of customer/vendor contracts

Page 16

State regulations: notice

47 states and 4 U.S. jurisdictions require notice to customers after unauthorized access to PII

Follow timing requirements for notifying resident consumers ‒ “without unreasonable delay” but not later than 45 days

Notify State Attorneys General, law enforcement, consumer protection agencies and credit reporting agencies

Follow timing requirements for notifying regulators and credit reporting agencies ‒ 48 hours; fourteen days; before notice to residents

Page 17

Lawsuits and actions

Banks ‒ subrogation / indemnity

PCI

Single plaintiff

Government action

Class action

Page 18

Network Security & Privacy Insurance

Page 19

Network security and privacy insurance

Continue to see insurers grow their loss prevention and loss mitigation services for midsize companies

Network security risk is not going away

For any market that has pulled capacity, or has been hesitant to enter, another has stepped in

Most organizations looking to transfer the risk to an insurance product

Page 20

Network security and privacy GAP analysis

Coverage grid comparing six policy types ‒ Property, General Liability, Crime, K&R, E&O, and Network Security & Privacy ‒ against the risks below. Legend: x – No Coverage; Possible Coverage; Coverage (the per-cell marks are not reproduced).

1st Party Privacy / Network Risks

Physical damage to data only

Virus/hacker damage to data only

Denial of service (DOS) attack

Business interruption loss from security event

Extortion or threat

Employee sabotage of data only

3rd Party Privacy / Network Risks

Theft/disclosure of private information

Confidential corporate information breach

Technology E&O

Media liability (electronic content)

Privacy breach expense and notification

Damage to 3rd party’s data only

Regulatory privacy defense / fines

Virus/malicious code transmission

Page 21

Network security and privacy liability

Different names depending on who you talk to…

Cyber Risk, Cyber Security, Data Security, Privacy Liability, Security Liability, Network Risk, etc.

They all essentially refer to the same thing.

Combines third party liability with first party reimbursement insurance, and first party business interruption and data asset loss.

Over 30+ markets with primary policy forms - which carriers will be around 5 years from now?

Page 22

Insurance solutions

Third party liability coverage:

Privacy liability

Network security

Media liability

Regulatory action* (sub-limit may apply)

First party reimbursement coverage:

Privacy notification costs

Crisis management expenses

Credit monitoring costs

Forensic investigation

Other first party reimbursement coverages:

Cyber extortion

Business interruption

Data restoration

*Regulatory expenses, notification expenses, credit monitoring and other crisis management expenses are generally offered on a sub-limited basis and vary by carrier.

Page 23

Network security risk and directors and officers liability (D&O)

Recent shareholder actions have followed closely upon the heels of a disclosed data breach

In the context of a company failing to manage a business risk and then failing to properly disclose it: D&O 101

The D&O policy will respond just as it would had the event not been a “cyber” incident

Page 24

Managing the risks

Page 25

The digital shadow

Data elements shown in the digital shadow: Age, Plan ID, Assets schedule, Credit card number, Bank routing, DOB, SSN, City, Race

Can you answer the following questions:

1. What information is being captured?

2. Where is information being captured?

3. What is the value of our information set?

4. With whom is our information shared?

5. How do we protect it?

6. What do we do if it is compromised?

Page 26

Where is the payroll file?

Dropbox

Thumb drives, external portable hard drives

Printer

System servers

Text messaging services

Laptops

Email

Payroll

Cloud

Page 27

Managing the risks

Response:

Discovery of data event / timing

Incident Response Plan

Facts

Law

Vendors

Regulatory investigation

Overreact or underreact?

Quick responders spend 54% more than slow responders.

but… response can factor into lawsuits and reputational harm!

Source: Ponemon Institute

Page 28

Managing the risks

Limit online access to data storage servers

Destruction of hard drives to remove all PII

Mock breaches – aka “tabletop exercises”

Limit data maintained or made available

Encrypting laptops, smartphones, etc.

Education

Awareness of exposure of “internal” data

Handheld devices

BYOD

Policies not enough

Page 29

Wells Fargo Insurance

Dena L. Magyar Tel: (704) 553-6002 Email: [email protected]

Lou Ann Dent Tel: (202) 416-2520 Email: [email protected]

Page 30

Thank you

This material is provided for informational purposes only based on our understanding of applicable guidance in effect at the time of publication, and should not be construed as being legal advice or as establishing a privileged attorney-client relationship. Customers and other interested parties must consult and rely solely upon their own independent professional advisors regarding their particular situation and the concepts presented here. Although care has been taken in preparing and presenting this material accurately, Wells Fargo Insurance disclaims any express or implied warranty as to the accuracy of any material contained herein and any liability with respect to it, and any responsibility to update this material for subsequent developments. Products and services are offered through Wells Fargo Insurance Services USA, Inc. a non-bank insurance agency affiliate of Wells Fargo & Company. Products and services are underwritten by unaffiliated insurance companies except crop and flood insurance, which may be underwritten by an affiliate, Rural Community Insurance Company. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other. ©2014 Wells Fargo Insurance Services USA, Inc. All rights reserved. Confidential.