October 28, 2014. Steve Hasse, INSUREtrust; Eugene Slobodzian, Winxnet; Dianna Fletcher, Fletcher Media.

Cyber Security Planning: Preparing for a Data Breach


DESCRIPTION

Presented by Clark Insurance in Portland, Maine, this two-hour seminar featured lead panelists from the privacy and security business. The presentation reviews all aspects of a data breach: preparation, discovery, plan implementation, cyber insurance, crisis communication, and PR policies and protocols.


Page 1: Cyber Security Planning: Preparing for a Data Breach

October 28, 2014
Steve Hasse, INSUREtrust
Eugene Slobodzian, Winxnet
Dianna Fletcher, Fletcher Media

Cyber Security Planning: Preparing for a Data Breach

Page 2: Cyber Security Planning: Preparing for a Data Breach

Our Speakers
Steve Hasse, CEO, INSUREtrust
Eugene Slobodzian, PhD, CISSP, Vice President of Security, Winxnet
Dianna Fletcher, Fletcher Media

October 28, 2014 Cyber Security Planning: Preparing for a Data Breach

Page 3: Cyber Security Planning: Preparing for a Data Breach

Today’s Agenda
Before the breach: preparations and planning
During the breach: the event
After the breach: managing the aftermath

Page 4: Cyber Security Planning: Preparing for a Data Breach

Today’s Data Breaches
The retail industry was the #1 target: 22 percent of network intrusions occurred at retailers (Verizon 2013 Data Breach Investigation Report).
47% of American adults have been affected by data breaches in the last year (Ponemon Institute).
Cybercrime has cost the global economy $575 billion and the US economy $100 billion, annually. The US is the hardest hit of any country (Intel Security and the Center for Strategic and International Studies).

Page 5: Cyber Security Planning: Preparing for a Data Breach

Data Breach Laws & Regulations
No federal law
47 states adopted their own; Maine’s is Me. Rev. Stat. title 10 § 1347 et seq., § 1348.
Security breach notice requirements: If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

Page 6: Cyber Security Planning: Preparing for a Data Breach

Data Breach Laws & Regulations
HITECH Breach Notification Interim Final Rule (500 individuals)
GLBA, SEC – more generic
PCI, FERPA, other – no clearly defined guidance

Page 7: Cyber Security Planning: Preparing for a Data Breach

Today’s Agenda
Before the Breach: Preparations and Planning

Page 8: Cyber Security Planning: Preparing for a Data Breach

Question One
Have you ever received a breach notification letter?

Page 9: Cyber Security Planning: Preparing for a Data Breach

Notification Letter

Page 10: Cyber Security Planning: Preparing for a Data Breach

Notification Letters
Over 80% of the people we have surveyed received at least one breach notification letter.

Page 11: Cyber Security Planning: Preparing for a Data Breach

Question Two
Have you, or has someone you know, experienced identity theft?
These occur via stolen digital or paper personal information.

Page 12: Cyber Security Planning: Preparing for a Data Breach

Identity Theft Reality
Over 90% of the people we talk to have experienced identity theft or know someone who has.

Page 13: Cyber Security Planning: Preparing for a Data Breach

Insurance Cyber Security Market
As compared to other products:
  Cyber as compared to EPLI
  Cyber as compared to pollution insurance
What do buyers want?
  Many competing carriers
  All with state-of-the-art broad coverage
  All competing on price and financial strength
What do buyers have?
  Many carriers competing
  All with different coverage

Page 14: Cyber Security Planning: Preparing for a Data Breach

Insurance Cyber Security Market
This makes the insurance buying decision very difficult; it is hard to compare policies.
The Good News? It’s a buyer’s market; the possible exception is large retailers.

Page 15: Cyber Security Planning: Preparing for a Data Breach

Revenue Range (£)    % Purchasing Cyber
<1.5M                3.8%
1.5M<3M              4.8%
3M<6M                6.6%
6M<15M               7.2%
15M<60M              10%
60M<180M             17.6%
180M<600M            20.5%
600M<3B              21.8%
3B+                  25.9%

Page 16: Cyber Security Planning: Preparing for a Data Breach

Target Breach: Largest of all Breaches

Page 17: Cyber Security Planning: Preparing for a Data Breach

Target Breach: Largest of all Breaches

Page 18: Cyber Security Planning: Preparing for a Data Breach

What Happened After the Breach?

Page 19: Cyber Security Planning: Preparing for a Data Breach

Every Email
Email is often overlooked, but it is a significant exposure of both personal and corporate information. Most people have sent and received an enormous amount of email.
Almost every company requires a confidentiality statement in the footer of every sent email. This implies that the recipient maintains the confidentiality of the content.
Hackers are now using sophisticated tools to capture your email as you send it. Then, they use your email to impersonate you or others in spear phishing attacks.

Page 20: Cyber Security Planning: Preparing for a Data Breach

Every Email
Most people know about phishing attacks but, when they get an email from a known source, they do not expect to be accidentally downloading malicious code.
A breach of your email exposes everyone you communicate with to spear phishing attacks as well as other privacy breaches.

Page 21: Cyber Security Planning: Preparing for a Data Breach

Shhh…
Inside information on a new breach that the “feds” have not made public.

Page 22: Cyber Security Planning: Preparing for a Data Breach

Underwriter’s Perspective: Good Risk vs. Bad Risk
Vertical industry / revenues / number of records
Completing the application forms, dos and don’ts: the encryption question
Need a good story to tell if you go to court

Page 23: Cyber Security Planning: Preparing for a Data Breach

Before: IT Security Perspective
Most common
Incident Response Plan implementation

Page 24: Cyber Security Planning: Preparing for a Data Breach

Before: IT Security Perspective
Winning battles before they are fought
Should be the most time-consuming phase
Is hopefully the most expensive phase
Minimizes the chances of a breach
Minimizes the impact of a breach
“Beef up” security

Page 25: Cyber Security Planning: Preparing for a Data Breach

Before: IT Security Perspective
Preventive: Beef up security controls
Detective: Implement detection mechanisms
Assemble a Computer Incident Response Team (CIRT)
Create an Incident Response Program: Policy, Plan, Procedures
Practice makes perfect

Page 26: Cyber Security Planning: Preparing for a Data Breach

Crisis Communications Scenarios

Page 27: Cyber Security Planning: Preparing for a Data Breach

Crisis Communications: Data Breach

Page 28: Cyber Security Planning: Preparing for a Data Breach

Crisis Communications: Team Building
Know your notification laws (www.ncsl.org: National Conference of State Legislatures)
Assemble an A-team:
  Corporate lead: privacy officer or internal lead
  Legal
  IT partner: internal & incident response team
  Investigatory representative: company liaison
  PR professional: national vs. local
  Customer care
  HR
  Social media manager
  Webmaster

Page 29: Cyber Security Planning: Preparing for a Data Breach

Crisis Communications Outreach
Identify your stakeholders
Gather your troops: review your internal social media policies
Assess your media relations
Assess your social media outreach to customers
Open all channels of communications
Build your bank of PR

Page 30: Cyber Security Planning: Preparing for a Data Breach

Train Your Team
Media-train spokespeople
Map your messages
Communicate with transparency and empathy

Page 31: Cyber Security Planning: Preparing for a Data Breach

Today’s Agenda
During the Breach: The Event

Page 32: Cyber Security Planning: Preparing for a Data Breach

Data Breach Notification Costs

Page 33: Cyber Security Planning: Preparing for a Data Breach

Have a Good Story to Tell
Consider investigating the breach under attorney/client privilege: What if the FBI requests that you continue to allow the hackers access so they can catch them? This might be the first step before you notify the carrier.
Implement pre-planning:
  Loss Prevention: Have a plan, train your people, test your people
  Crisis Management: Have a plan, have a resource approved by your insurance carrier; practice-run (i.e., a fire drill)
Collect all computer logs and gather all evidence

Page 34: Cyber Security Planning: Preparing for a Data Breach

Have a Good Story to Tell
Report all incidents on a timely basis
Obtain acknowledgement from the carrier
Expect a reservation of rights letter
You may have forgotten how overly broad these policies are.
Don’t wait until you are filling out the renewal application form.
Do not go public or start notification without all of the facts. (Ex: DSW)

Page 35: Cyber Security Planning: Preparing for a Data Breach

Evaluating Coverage/Claims Process
Gather and review all potentially relevant policies and indemnity/vendor agreements
Consider which policies to put on notice – may be primary and excess layers; may be cyber policies and/or other lines (e.g., D&O)
Crime coverage vs. cyber coverage
Provide timely notice of actual or potential breaches, claims or losses under appropriate policies and under appropriate indemnity/vendor agreements

Page 36: Cyber Security Planning: Preparing for a Data Breach

Evaluating Coverage/Claims Process
Promptly obtain consent for expenses and defense arrangements
Adhere to cooperation obligations and respond to reasonable requests for information (privilege issues)
Obtain consent to settle or offer other relief
Resolve coverage issues
Vast majority of claims are covered

Page 37: Cyber Security Planning: Preparing for a Data Breach

During: IT Security Actions
Detect
Analyze
Contain
Eradicate
Preserve evidence
Notify
Recover

Page 38: Cyber Security Planning: Preparing for a Data Breach

Before the News Breaks
Determine “when the clock starts ticking.”
Message map: What is your end-goal?
One statement vs. interviews
First statement: foundation of ALL communications

Page 39: Cyber Security Planning: Preparing for a Data Breach

Determine What You Want to Say

Page 40: Cyber Security Planning: Preparing for a Data Breach

Sample Press Statement
(For Immediate Release): February 15, 2011: Waterville, ME:
Day’s Jewelers recently became aware of possible unauthorized and illegal access to credit and debit card information by third parties. Day’s Jewelers cannot release details about the suspected breach because there is an ongoing investigation, according to the Maine State Police Computer Crimes Unit.
Investigators have informed Day’s Jewelers that the suspected breach involved hackers outside of the company. Upon notification, Day’s Jewelers immediately began taking steps to protect against any unauthorized access. Within hours of contact by law enforcement, Day’s IT partners were on site, locating any suspect software. When the company received approval from law enforcement agencies, Day’s Jewelers contacted the bankcard processing companies.

Page 41: Cyber Security Planning: Preparing for a Data Breach

Sample Press Statement
Day’s has hired a nationally recognized computer forensic team to determine the nature and extent of any unauthorized access to customer information, and to identify the information that may have been compromised. As a result of the company’s initial investigation, a likely time frame of the breach has been determined. This narrows the number of Day’s customers that may have been affected by any security breach.
According to Day’s Jewelers President Jeff Corey, the initial investigation by the company indicates personal identification was not accessed. Also, the unauthorized access does not affect customers who made online purchases.

Page 42: Cyber Security Planning: Preparing for a Data Breach

Sample Press Statement
“At Day’s Jewelers, our customers are our primary concern,” said Jeff Corey. “We are working diligently with law enforcement as it investigates this criminal activity. We apologize for any concerns this may raise with our customers. We are talking directly with any consumer who may have questions or concerns.”
Day’s Jewelers is in contact with its customers. It is recommending customers review credit and debit card statements. If questionable transactions appear, consumers should contact their card company immediately.
Also, consumers can contact Day’s directly at 1-800-439-3297.

Page 43: Cyber Security Planning: Preparing for a Data Breach

As Notification Begins & News Breaks
Channels of outreach:
  What is required by law
  What is expected by your customers, stakeholders
  Phone banks
  Emails
  Media monitoring: traditional and social
  Website updates
Determine frequency of updates

Page 44: Cyber Security Planning: Preparing for a Data Breach

Today’s Agenda
After the Breach: Managing the Aftermath

Page 45: Cyber Security Planning: Preparing for a Data Breach

Proper Claims Reporting
Report all incidents on a timely basis
Obtain acknowledgement from the carrier
Expect a reservation of rights letter
You may have forgotten how overly broad these policies are.
Don’t wait until you are filling out the renewal application form.

Page 46: Cyber Security Planning: Preparing for a Data Breach

Proper Claims Reporting
Consider investigating the breach under attorney/client privilege: What if the FBI requests that you continue to allow the hackers access so they can catch them?
Does the insured have “choice of counsel”?

Page 47: Cyber Security Planning: Preparing for a Data Breach

Evaluating Coverage/Claims Process
Gather and review all potentially relevant policies and indemnity/vendor agreements
Consider which policies to put on notice – may be primary and excess layers; may be cyber policies and/or other lines (e.g., D&O)
Crime coverage vs. cyber coverage
Provide timely notice of actual or potential breaches, claims or losses under appropriate policies and under appropriate indemnity/vendor agreements

Page 48: Cyber Security Planning: Preparing for a Data Breach

Evaluating Coverage/Claims Process
Promptly obtain consent for expenses and defense arrangements
Adhere to cooperation obligations and respond to reasonable requests for information (privilege issues)
Obtain consent to settle or offer other relief
Resolve coverage issues
Vast majority of claims are covered
Other carrier-provided services

Page 49: Cyber Security Planning: Preparing for a Data Breach

After: IT Security Actions
Review actions
Analyze effectiveness
Augment Incident Response Program
Implement additional security measures
Create incident report
Review lessons learned

Page 50: Cyber Security Planning: Preparing for a Data Breach

Reputation Management
New normal
Reputation management team
Media monitoring: traditional and social

Page 51: Cyber Security Planning: Preparing for a Data Breach

Reputation Management
Reputation management team
Listen to your stakeholders: What do they need?
Privacy and security statements

Page 52: Cyber Security Planning: Preparing for a Data Breach

Reputation Management

Page 53: Cyber Security Planning: Preparing for a Data Breach

Cyber Security Planning: Preparing for a Data Breach
Q & A