
Statewide Insurance Brokers - Cyber Insurance 101


Cyber Insurance 101: Learn How Cyber Risk Insurance Can Help

Small-Midsized Businesses Stay in Business

Presented by:

Christine Marciano, President, Cyber Data-Risk Managers, LLC -and-

Richard Santalesa, Senior Counsel, InfoLawGroup LLP

www.DataPrivacyInsurance.com www.InfoLawGroup.com

© 2013 by Cyber Data Risk Managers. All rights reserved

NEW “How SMBs Can Prepare for a Data Breach” Whitepaper

Utilizing Cyber Insurance as One Component of a Data Breach Incident Response Plan

*Request your Free Whitepaper – Email: [email protected]


Outline
• What is sensitive data?
• Review of Key Findings from the National Cyber Security Alliance (NCSA) and Symantec SMB Survey
• Review of recent data breaches
• Costs associated with a Data Breach
• How to contain and minimize risks
• Define an Incident Response Plan
• Legal issues surrounding Data Breach notification mandates
• Risk Assessment and Risk Management
• Cyber Insurance 101: Cyber Insurance Introduction and how an SMB can use cyber insurance as one component of an Incident Response Plan


Know and protect your sensitive data

What is sensitive data?
– Personally Identifiable Information (PII)
– Protected Health Information (PHI)
– Credit Card Numbers and/or Financial Information
– Intellectual property – copyrights, trademarks & patents
– Trade secrets – business plans, customer lists, etc.


Key Findings from the National Cyber Security Alliance (NCSA) and Symantec “National Small Business” survey show respondents cited:

• 86% of the 1,015 businesses surveyed (250 employees or fewer) said they are “satisfied” with the level of security they have in place to defend customer or employee data,
• 87% of respondents have not written a formal security policy for employees,
• 83% lack any security blueprint at all, and
• 59% have no plan in place to respond to a security incident.

Small Enterprises Don't Perceive They'll be Attacked


A look at recent security and data breach incidents

• Credit Card Data Breach at Barnes & Noble Stores
  – Hackers stole credit card information for customers who shopped at 63 Barnes & Noble stores across the country.

• TD Bank Data Breach Hits 260,000 Customers
  – Unencrypted backup data tapes including account information and Social Security numbers were misplaced in March.


Costs associated with a data breach
• Attorney Fees
  – Breach guidance
  – Investigation
  – Notification
  – Litigation prep
  – e-discovery
  – Contractual review
  – Defense
• Fines
  – Federal
  – State
• Plaintiff Demands
  – Fraud reimbursement
  – Credit card replacement
  – Credit monitoring / repair / insurance
  – Civil fines / penalties
  – Time
• Response Costs
  – Forensics vendor
  – Notification vendor
  – Call centers
  – PR vendor
  – ID theft insurance
  – Credit monitoring
  – Attorney oversight


Risks and Liabilities


Hidden Costs of a Data Breach

How to contain and minimize risks
• Take stock
  – Know what is PII and other sensitive data
  – Know where it is in your organization
• Scale down
  – Only collect what you need
• Lock it
  – Secure, encrypt, protect
• Proper disposal
  – Securely dispose of documents per your retention schedule
• Plan ahead
  – Know your security incident response procedure
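The “take stock” step is the one most SMBs skip because nobody knows where card numbers and SSNs actually sit. As an added example (not part of the presentation), the script below is a first-pass scanner over text: it flags likely payment card numbers and U.S. SSNs, uses the Luhn mod-10 check to discard digit runs of the right length that are not card numbers (invoice ids, order numbers), and masks all but the last four digits so the findings report does not itself become a new copy of the sensitive data. The regexes, function names and sample text are my assumptions; the card numbers in the sample are published card-network test numbers, not real accounts.

```python
"""Added example: a first-pass "take stock" scanner for sensitive data in text.
Not part of the original presentation; patterns and sample input are constructed."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (the lookarounds stop partial matches).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# U.S. SSN in the 3-2-4 layout. Areas 000, 666 and 9xx, group 00 and
# serial 0000 are never issued, so they are excluded up front.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers. Filters most random
    digit runs that merely happen to have a card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the findings report is not itself PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked card numbers and SSNs found in text, keyed by type."""
    findings: Dict[str, List[str]] = {"card": [], "ssn": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["card"].append(mask(digits))
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(mask(m.group().replace("-", "")))
    return findings


# Constructed sample. 4111... and 4242... are published card-network test
# numbers; the SSN is a textbook placeholder, not an issued number.
SAMPLE_TEXT = """\
Order 1001 paid with card 4111 1111 1111 1111, exp 12/25
Refund to 4242-4242-4242-4242 processed
Invoice number 1234 5678 9012 3456 is not a card
Employee file: SSN 123-45-6789, phone 555-123-4567
"""

if __name__ == "__main__":
    for kind, hits in scan_text(SAMPLE_TEXT).items():
        print(f"{kind}: {hits}")
```

Run on the sample, it reports the two Luhn-valid card numbers and the SSN, and ignores the invoice number and the phone number. Regex-based discovery of this kind always produces false positives; the Luhn check and the SSN range exclusions are what keep the list short enough to act on, and every hit still needs a human to confirm where the record lives and why it is there.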


Define an incident response plan
• Management
  – Who takes the lead?
• Reporting
  – Inform the proper channels (regulating bodies)
• Customer Notification
  – Notify customers
  – Outline plan of action
• Corrective Actions
  – How can it be corrected or minimized?
• Communication
  – Regular communication to keep customers and channels informed of actions and results


Legal Issues surrounding Data Breach Notification Mandates


Responding to a Data Breach can be an overwhelming process for SMBs

• 46 U.S. state breach notification laws and numerous sectoral and federal laws
• Class action suits are quite common
• High legal defense costs and potential legal settlements

Risk Assessment and Risk Management

Got Data? Now What?

• Conduct a Risk Assessment Analysis
• Identify the types of data your SMB collects
  – Are you collecting sensitive data?
  – Are you encrypting data at rest or in motion?
• Learn what types of threats your SMB may be vulnerable to and the risk levels of your data
• Take proactive steps to secure your data and manage and mitigate risks.


Data Security Myths Held by Small-Midsized Businesses

• Myth 1 – “A data breach or cyber attack could never happen to our SMB.”
  – Wrong. See Infosecurity Magazine, “SMBs more vulnerable to data breaches than larger brethren,” Oct. 11, 2012, at http://bit.ly/TAOqKh

• Myth 2 – “We will worry about how to pay for a data breach if one happens.”
  – With an average cost of $194 per record and an average organizational cost of $5.5 million per data breach, according to the Ponemon Institute's 2011 annual Data Breach Study, the average SMB may not have adequate fiscal resources on hand.

• Myth 3 – “Small-midsized businesses are not a target for cyber attacks. Criminals only go after larger companies.”
  – Not so, unfortunately. Nearly 72 percent of data breaches investigated by Verizon Communications' forensic analysis unit in 2011 occurred at companies with fewer than 100 employees. See Combating Small Business Security Threats, McAfee Associates, at http://bit.ly/PPBSOI

• Myth 4 – “We are covered under our existing CGL insurance policy.”


Utilizing Cyber Insurance as One Component of an Incident Response Plan

Every business that collects data should develop a written incident response plan.

Cyber Insurance offers SMBs:
• Help with managing the “aftermath” of a data breach/security incident
• An incident response team
• A “Data Breach Coach”
• Help with discovery, reporting and notifying those affected by your data breach/security incident.


Utilizing Cyber Insurance as One Component of an Incident Response Plan

• Rule 1 – Risk management solutions don't “eliminate” risk, but help reduce it to “acceptable” levels

• Rule 2 – Insurance is, fundamentally, a “transfer” of identified risks

A cyber risk insurance policy that includes incident response coverage (i.e., Data Breach Response Services) provides one golden arrow in the quiver of a comprehensive risk management solution that will hit the target when everything is moving very quickly during a data incident.

By proactively detailing and enacting a range of benefits, payments and services in advance, such a policy can uniquely serve as a valuable component of any incident response plan.


Cyber Insurance can help Mitigate the Risk and Costs Associated with a Data Breach

• By planning in advance, small-midsized businesses can minimize their risks, costs and the impact of a breach on their customers and on the reputation of their company and brand.

• Insurance carriers have already pre-negotiated associated costs with various pre-approved vendors, saving SMBs money and the hassle of scrambling around and trying to put together an Incident Response team at the time of an incident.


How Can Cyber Insurance Help SMBs Stay in Business after a Security Incident?

• Small-to-midsized businesses can utilize appropriate cyber risk insurance coverages to minimize the impact of a data incident on (i) the reputation of their companies and “brand,” as well as (ii) potentially crippling financial penalties and response expenses.

• Cyber Insurance Policies with “Data Breach Response Service” coverage can help offload the uncertainty of managing a comprehensive and effective response - that complies fully with potentially numerous statutory requirements - in the aftermath of an actual or suspected data incident event.

• May act to “save” the company from bankruptcy or liquidation in face of large regulatory penalties.


Commonly Offered Cyber Insurance Coverages

• Crisis management and customer notification expenses
• Credit/identity theft monitoring
• Privacy and security liability claims coverage
• Expenses for data privacy security defense and regulatory penalties
• Computer security expert services and forensic investigation
• Costs of a “Data Breach Coach” (a/k/a “Privacy” and Infosec attorney)
• Pre-incident planning services – selection of vetted, pre-approved partners and resources

* Note: Not every policy will necessarily include all of the above coverages or items.


Solutions

Response Solutions:
• Cyber Security Insurance with Data Breach Response – Coverage features may include privacy liability, computer information security, lost income coverage, electronic media liability and first-party coverage for losses from network security breaches.
• Data Breach Response Services – Coverage features may include breach notification and credit monitoring services, forensic investigation, legal assistance, crisis management help, regulatory civil action coverage, cyber extortion coverage and content liability.

* This description is for preliminary informational purposes only. Please note that insurance policy coverages vary by insurance carrier. In all cases, actual policy wording will determine the coverage and services provided.


Solutions

Legal Information Security Review and Preparation
• Integrated Risk Assessment (IRA) – Comprehensively identify data and information security issues, risks and legal/compliance obligations.
  – Serves as a foundation for additional cost/benefit risk analysis to guide security programs, policies, systems and compliance obligations.
  – Insurance premiums may be higher in the absence of a demonstrated IRA.

• Incident Response Plan (IRP) – Increasingly required under many state and federal regulatory regimes, most notably HIPAA/HITECH for securing and protecting PHI.
  – IRPs serve as a quick-response road map in the event of a data incident or breach.
  – There is typically little time in a data event to “figure out” what needs to be done on the fly; missteps can prove costly (e.g., a well-meaning but ill-conceived forensic effort can modify metadata that would be helpful in “proving” whether data has been accessed).
  – Many resources are available to guide creating an IRP, including aid from cyber risk insurance carriers (see, e.g., NIST SP 800-61, Computer Security Incident Handling Guide, rev. 2 draft, Jan. 2012 – http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf)

• Comprehensive Legal Analyses – Rise of “legally defensible” security analysis by courts, where info security professionals have to adequately defend security decisions in the legal context, with the ultimate goal of reducing legal risk.

* This description is for preliminary informational purposes only. Please note that insurance policy coverages vary by insurance carrier. In all cases, actual policy wording will determine the coverage and services provided.
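The “ill-conceived forensic effort” warning in the IRP bullet above is concrete enough to show. As an added example (not from the presentation or from any carrier's response toolkit), the script below records size, permissions, timestamps and a SHA-256 hash for every file under a directory before anyone examines it, calling lstat() before a file is opened (opening and reading is what can alter the access time) and asking the kernel not to update access times where the platform allows it, and then reports which recorded fields a later step changed. The directory layout, function names and sample file are my assumptions.

```python
"""Added example: preserve file metadata and hashes before an investigation
touches evidence, then detect what a later step altered. Illustrative only;
not from the original presentation."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Manifest = Dict[str, Dict[str, object]]


def sha256_file(path: str) -> str:
    """Hash a file without updating its access time where the OS lets us.
    O_NOATIME is Linux-only and needs file ownership or CAP_FOWNER, so we
    fall back to a plain read-only open instead of failing."""
    base = os.O_RDONLY | getattr(os, "O_BINARY", 0)
    try:
        fd = os.open(path, base | getattr(os, "O_NOATIME", 0))
    except PermissionError:
        fd = os.open(path, base)
    h = hashlib.sha256()
    with os.fdopen(fd, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Manifest:
    """Record metadata for every file under root, keyed by relative path.
    lstat() runs BEFORE the file is opened, so the original access time is
    captured before our own read could disturb it."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entry: Dict[str, object] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
                "atime_ns": st.st_atime_ns,
            }
            if stat.S_ISREG(st.st_mode):
                entry["sha256"] = sha256_file(path)
            manifest[os.path.relpath(path, root)] = entry
    return manifest


def changed(before: Manifest, after: Manifest,
            ignore: Tuple[str, ...] = ("atime_ns",)) -> List[Tuple[str, str]]:
    """List (path, field) pairs that differ between two manifests. atime is
    ignored by default because a read-only look may legitimately bump it on
    filesystems mounted without noatime; any other difference is a finding."""
    diffs: List[Tuple[str, str]] = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            diffs.append((path, "missing"))
        elif path not in before:
            diffs.append((path, "added"))
        else:
            for field in sorted(set(before[path]) | set(after[path])):
                if field in ignore:
                    continue
                if before[path].get(field) != after[path].get(field):
                    diffs.append((path, field))
    return diffs


if __name__ == "__main__":
    # Constructed demo: one file, snapshot, a read-only look, then a misstep.
    root = tempfile.mkdtemp()
    target = os.path.join(root, "export.csv")
    with open(target, "wb") as f:
        f.write(b"id,email\n1,alice@example.com\n")
    before = snapshot(root)
    sha256_file(target)                        # read-only look: no finding
    print("after read-only hash:", changed(before, snapshot(root)))
    with open(target, "ab") as f:              # the misstep: writing to evidence
        f.write(b"2,bob@example.com\n")
    print("after modification:", changed(before, snapshot(root)))
```

Take the manifest on write-protected media before the first responder opens anything, and keep it with the incident record: a second snapshot later in the response then shows, field by field, whether the evidence is the evidence you started with. The script records atime but ignores it in comparisons, since on a default mount even a careful read can update it; if you need access times to be probative, image the volume and work on the copy.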

About

Cyber Data Risk Managers LLC is an Independent Insurance Agency specializing in Data Privacy, Cyber Liability risk, D&O insurance and (IP) Intellectual Property protection.
Web: www.DataPrivacyInsurance.com
Phone: 1-(855) CUT-RISK

InfoLawGroup LLP was established in October 2009 to provide efficient and high quality legal services. The firm concentrates on legal issues concerning privacy, data security, traditional and emerging media, advertising and promotions, consumer protection matters, information technology, e-commerce and intellectual property. InfoLawGroup addresses a broad spectrum of legal matters, including transactions and e-commerce, compliance, enforcement, breach notice, incident response and litigation.
Web: www.InfoLawGroup.com
Phone: 1-(203) 292-0667


Contact Information:

Christine Marciano, CIPP/US
Cyber Data Risk Managers LLC
Phone: (855) CUT-RISK
Web: www.DataPrivacyInsurance.com
Email: [email protected]

Richard Santalesa, Esq., CIPP/US
Information Law Group LLP
Phone: (203) 292-0667
Web: www.InfoLawGroup.com
Email: [email protected]
