(1)

Educational Event Spring 2015

What Are Today’s Biggest Cyber Risks and How Can Cyber Insurance Help

Judy Selby – BakerHostetler
Scott Ernst – Wells Fargo Insurance Services USA
Amie Taal – Deutsche Bank AG
Jennifer Rothstein – Kroll

(2)

I co-chair BakerHostetler’s Information Governance Team, founded the eDiscovery & Technology Management Team and counsel clients on ways to avoid information-related liability. I handle cutting edge privacy, data breach, information governance, cyber insurance and insurance coverage matters.

I frequently speak and write about information-related strategies and best practices. I have successfully completed a course on Tackling the Challenges of Big Data with MIT and co-chair the Claims and Litigation Management Alliance (CLM) Cyber Liability Committee. I am a member of the ABA Big Data Committee and the Sedona Conference Data Security and Privacy Liability Working Group 11.

I also have over 20 years of experience in large scale first- and third-party complex insurance coverage matters. I am a member of the Law360 Insurance Editorial Advisory Board, the Editorial Advisory Board of Law Technology News, the Professional Liability Underwriters Association, and the Defense Research Institute and was selected to be a contributor to InsuranceThoughtLeadership.com.

I also was honored as LawCrossing's Law Job Star in July 2014, featured in Law Technology News as a leading woman in technology, and was recently quoted in Reuters with regard to data breach class actions against Target.

Email: jselby@bakerlaw.com
Twitter: @judy_selby

(3)

Amie is a remarkably talented and highly driven professional offering over 30 years of experience working with computers and over twenty-four years' experience as a digital forensic investigator and IT Security Specialist dealing with civil and criminal matters within the public and private sector, including the Big 4 and other accounting firms.

Ms. Taal has an excellent track record in building and growing digital forensic, IT Security and eDiscovery practices. Amie has been a key investigator on high profile cases involving the Metropolitan Police, City of London Police and the Serious Fraud Office, with the value of the alleged frauds exceeding £2 million. She has led a number of high profile cases and spent several years working in and with various government prosecuting authorities in the UK and overseas.

Ms. Taal’s responsibilities have included providing internal and external training on legal practice and procedures, data protection rules and regulations and evidence handling. Amie has several professional and academic qualifications in the fields of Digital Forensics, Information Security, Forensic Science and Data Analytics.

Email: amie33_uk@yahoo.co.uk

(4)

Scott Ernst

Scott Ernst is a Vice President with Wells Fargo Insurance Services. With 127 offices in 36 states it serves a wide range of consumers, high-net-worth individuals, small businesses, middle-market, and large-corporate customers. Wells Fargo Insurance writes or places $15 billion of risk premiums annually in property, casualty, benefits, international, personal lines, crop, and life products.

Scott’s specialization includes technology errors & omissions liability, technology products liability, new media liability, data and systems failure, technology-related business interruption risks, intellectual property exposures, and the escalating liability and exposures related to data security and privacy.

Scott is a frequent speaker on tech and professional liability insurance topics at seminars sponsored by the Professional Liability Underwriting Society (PLUS), the New York State Bar Association, the New Jersey State Bar Association, and the New Jersey Insurance Coverage Institute. Mr. Ernst is a past Chairman of the Professional Liability Underwriting Society’s Eastern Region Chapter.

(5)

Jennifer Rothstein is a director with Kroll’s Cyber Security practice. She joins Kroll after a distinguished career in professional liability program management, e-discovery product development and intellectual property ownership rights management. At Kroll, Jennifer will maintain and broaden the strategic partnerships established with insurance companies, brokers and insureds. She will lead cross-functional activity to facilitate new business opportunities and targeted product development as it relates to cyber liability.

Previously, Jennifer directed the development and growth of professional lines programs for business segments including lawyers, broker dealers, accountants, real estate agents and architects & engineers. She also was co-creator of the insurance market’s first e-Discovery services endorsement for over 10 lines of business for a major international carrier. She co-developed an exclusive patent liability defense program with a national broker for the tech sector’s top industry leaders. Jennifer began her career in the insurance industry at AIG. In that role, she facilitated the underwriting of electronic and intangible risks into corporate insurance policies. Her role also included the enforcement of the Litigation Management Guidelines and the review and approval of panel counsel invoices.

Phone: (212) 833-3456
Email: jrothstein@kroll.com

(6)
(7)

• Data Explosion
• 90% of data created within last 2 years
• 50X growth by 2020
• Rise of Mobility
• 6 Billion mobile subscribers
• Social is Business
• Consumers driving experience
• Sophisticated Consumers
• Differentiated Experiences
• Internet of Things
• 9 Billion Internet Devices in 2012
• 50 Billion by 2020

(8)

Evolving Role of Records Management (RM) Personnel in the Age of ESI

• How important is Data Protection/Privacy to a Company?
• How important is it for RM officers to have business knowledge?

(9)

Causes  of  Security  Incidents  

Source: Ponemon Institute, 2013 Cost of Data Breach Study – United States

(10)

How Do Security Incidents Arise?

• Disclosure
  – Hacking
  – Malware
  – Phishing
• Negligence
  – Lost laptops
  – Disposal of IT assets
  – Paper
  – Snooping
  – Disgruntled/Malicious employees
  – Social Engineering
• Misuse
  – Violations of law or regulations
  – Violation of privacy policy or disclosure
  – Violation of consent
  – Improper collection of

(11)

Security Incidents

Privacy Rights Clearinghouse: www.privacyrights.org

• Since 2005
  – 1,012,730,026 records breached (as of 2/7/15)
  – 4,487 data breaches made public
• Tracks the following reported incidents:
  – Unintended disclosure
  – Hacking or malware
  – Payment card fraud
  – Insider
  – Physical loss
  – Portable device
  – Stationary device
  – Unknown

(12)
(13)

Consumer Cybercrime Across the Globe (2013 Norton Cybercrime Report)

1M+ Cybercrime victims per day
378M Cybercrime victims per year
$113B Cost of cybercrime annually
12 Cybercrime victims per second
Cost of cybercrime $13B

(14)

Cyber Security Impact on the Risk Manager Role

• How important is it for RM Officers to keep up to date with security innovations?
• Is the RM role becoming extinct due to current developments in IT security?
• What can those in the IT security and digital forensic industry do to help those entering the RM profession?

(15)

• Alert breach response team
  – Lawyer, carrier, PR
• Conduct forensic investigation
• Distill the data
• Draft notification letters
  – Congruent with state laws
  – Congruent with audience
  – Don’t over notify!
• Consumer remediation
• Monitor and report on returned mail

*Defensible proof of steps

(16)

First Party

• Forensic Examination/PCI/PFI Audits
• Privacy Notification Costs
  – Privacy counsel
  – Mailing
  – Notification
• Credit Monitoring / Call Center Services
• Business Interruption
• Intellectual Property Loss
  – Public Relations
  – Extortion

(17)

Third Party

• Claims by Private Litigants
  – Consumers
  – Other businesses
• Claims by State Attorney Generals
• Claims by FTC
• Regulatory Fines & Penalties
• PCI Fines & Penalties
• Loss of Business
• Damage to Reputation

(18)

Additional Coverages

• Business interruption
  – System Failure/Administrative Error
  – Contingent Business Interruption
• Media Liability

Additional Features

• Loss Control Services

Emerging Coverages

• Bodily Injury
• Property Damage
• Fines & Penalties Wrap

(19)

Breaking Down the Application

• What data do you have?
• Do you know where it is?
• Privacy Policy
• Network Security
• Employees: Screening/Training/Termination
• Social Media Policy

(20)

• What are the underwriters looking for?
• Roadblocks to coverage
• Common objections to purchasing coverage
• Who should be involved?
  – Compliance Officers
  – Risk Manager
  – Human Resources
  – Information Technology
  – Records Management
  – General Counsel
  – Chief Financial Officer

(21)

Roadblocks to Coverage

• Inadequate network security
• Poor records management
• Inadequate or no privacy policy
• No clear data usage policies
• Inadequate or no employee training
• Prior data breaches and security incidents
• Untested response plan

(22)

• Get your data house in order
• Ascertain your unique cyber risks
• Examine your current insurance program
• Work with qualified brokers and coverage counsel

(23)

RMs Role In Cyber Insurance Application Process

• Clear documentation of where all data is located
• Integrated records management with business systems and processes
• Clear coordinated access procedures for data use internal and external to the organization
• Good governance of records throughout the entire life cycle
• Proven track record for identification, classification, prioritization, storing, securing, archiving, preserving, retrieving, tracking and destroying of records
• Records retention schedules
• Privacy and data security practices
• Policy for disposal of records

(24)

• How can RMs best help prevent security incidents in the first place?
• How can RMs appropriately respond to a breach event?

(25)

Judy Selby – BakerHostetler

Amie Taal – Deutsche Bank AG

Scott Ernst – Wells Fargo Insurance Services USA

Jennifer Rothstein – Kroll
