Why Do I Need Cyber Liability Insurance?
Cyber Liability Risks
• Data Theft
• Denial of Service
• Extortion
• Cyber Crime
• Electronic Theft
• Network Damage
Organized Hacking
• 108 countries with dedicated cyber attack capabilities (FBI 2007)
• Main source of revenue for Eastern Bloc gangs
• Russian and Sicilian mafias actively recruiting “hacking” experts
Notable Trends in Cyber Crime
• Motivation: Huge financial potential is making attackers more sophisticated
• Methods: Attacks are becoming more targeted
• Targets: The workstation (desktop or laptop) and the user are the easiest path into the network
Sources of Data Breaches
Potential Cyber Crime Scenario
During his lunch break, an employee opens an “Important Security Update” supposedly from your IT department.
• The email contains malicious code designed to discreetly take control of the employee’s desktop.
• A remote attacker leverages the desktop to launch subsequent attacks on your backend network.
• The attacker gains access to systems with increasing levels of security, eventually compromising a customer database.
• Your CEO then receives an email containing the names, addresses and social security numbers of 5,000 of your customers.
• The hacker will publish the email on an Internet bulletin board unless he is paid $250,000.
Don’t Think That Can Happen?
AUGUST 22, 2000
SECURITY NET
By Alex Salkever
Cyber-Extortion: When Data Is Held Hostage
Here's an issue facing more and more ebusinesses -- malicious hackers who demand a payoff to keep their security breaches secret

Under most circumstances, a business decision involving $200,000 wouldn't be important enough to require a personal appearance from the CEO of a $2 billion corporation, let alone a special trip to London from New York. But media titan Michael Bloomberg made such a trip Aug. 10. And he did it to prove that cyber-extortion will not go unpunished at his company.

Bloomberg went to meet with two Kazakhs named Oleg Zezov, 27, and Igor Yarimaka, 37, who were allegedly demanding $200,000 in "consulting" fees. For this, they would reveal how they had allegedly compromised the Byzantine Bloomberg computer systems, an exploit the Kazakhs allegedly proved by e-mailing Bloomberg the photograph from his own corporate ID badge. With thousands of financial institutions and other customers trading billions of dollars daily in stocks and bonds based on information from Bloomberg terminals, the threat of a hacked system could have proven catastrophic for both the media company and its Wall Street customers.
Another Likely Scenario
• Jack’s laptop computer is stolen when he leaves it unattended in an airline club at the Philadelphia Airport. On the laptop are the names, account numbers, credit card numbers, social security numbers and birthdates of 2500 of Galway Bank’s Gold Level customers. The laptop thief is able to quickly sell the customer data to an organized group that makes large purchases over the internet.
Notification Expenses
• 44 states, the District of Columbia and Puerto Rico have enacted legislation requiring notification of security breaches involving personal information*
* National Conference of State Legislatures
What’s the Notification Cost?
• Notification expenses average $13 per data record
• Provided credit monitoring service for affected customers averages $24 per data record
• Miscellaneous expenses average $22 per data record
= $59 per data record!
Any other costs?
• Third-party damages for identity theft
• Lawsuit defense costs
• Reimbursement to credit card companies
• Replacement of damaged network
• Reward expense
• Lost business revenue due to compromised network
• Crisis management expense
Won’t My Insurance Cover That?
• Property and Crime Policies generally:
  • Respond only to loss of or damage to tangible property;
  • Exclude indirect or consequential loss
• Liability Insurance Policies generally:
  • Respond only to loss from defined professional services or defined acts or offenses;
  • Exclude loss from violations of privacy
• Covers liability for monetary damages sustained by a person arising from the actual or potential unauthorized access to that person’s personal information. Includes mental anguish & emotional distress.
• E-Business Income Loss
• Cyber Extortion Expense
• E-Vandalism Expense
• Violation of Privacy Notification Expense
• Covers unauthorized access by employees
Security is a Process
• Identify information assets
• Conduct periodic risk assessments to identify the specific vulnerabilities your company faces
• Develop and implement a security program to manage and control the risks identified
• Monitor and test the program to ensure that it is effective
• Continually review and adjust the program in light of ongoing changes
• Oversee third party service provider arrangements
• Maintain training for all staff on Information Security
Christopher L. Strickland
Senior Risk Advisor
Larkin Insurance Group
World Headquarters: 310 West Front St. Traverse City, MI
Phone: 231.947.8800
Email: [email protected] com
Blog: http://cyberinsurance.wordpress.com