2013 Cyber Risk Insights Conference Slide-Deck
TRANSCRIPT
![Page 1: 2013 Cyber Risk Insights Conference Slide-Deck](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/1.jpg)
Welcome!
@Advisen
Page 2
Table of Contents
This slide deck contains a subset of the slides shown at Advisen’s Cyber Risk Insights Conference. We have removed duplicative slides for the purposes of brevity.
• Morning General Session: Pages 3-36
• Cyber Insurance Track: Pages 37-69
• Cyber Threat Landscape Track: Pages 70-107
• Afternoon General Session: Pages 108-116
Page 3
Welcoming Remarks
Tom Ruggieri
CEO
Advisen
Page 4
Today’s Event Metrics
650 Registrations
41 Speakers
19 Sponsors
10 Presentations
7 Panel Discussions
1 Keynote
Page 5
Thank you to our 19 sponsors!
Page 6
Opening Remarks
Bob Parisi
Managing Director & National Practice Leader for Technology, Network Risk & Telecommunications
Marsh
2013 Conference Chairman
Page 7
Keynote Address
Adam Sedgewick
Senior Information Technology Policy Advisor
Page 8
Role of the National Institute of Standards and Technology
• The National Institute of Standards and Technology’s mission is to stimulate innovation, foster industrial competitiveness, and improve the quality of life.
• A non-regulatory agency within the U.S. Department of Commerce.
• Accelerates the development and deployment of systems that are reliable, usable, interoperable, and secure; advances measurement science through innovations in mathematics, statistics, and computer science; and conducts research to develop the measurements and standards infrastructure for emerging information technologies and applications.
Page 9
Executive Order 13636 – Improving Critical Infrastructure Cybersecurity
• “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
• NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
• This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
Page 10
The Cybersecurity Framework
• For the Cybersecurity Framework to meet the requirements of the Executive Order, it must:
  • include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;
  • provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
  • identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations;
  • enable technical innovation and account for organizational differences; and
  • include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
Page 11
Development of the Preliminary Framework
Phases: Engage the Framework Stakeholders; Collect, Categorize, and Post RFI Responses; Analyze RFI Responses; Identify Framework Elements; Prepare and Publish Preliminary Framework
Timeline:
• EO 13636 Issued – February 12, 2013
• NIST Issues RFI – February 26, 2013
• 1st Framework Workshop – April 03, 2013
• RFI Response Period Completed – April 08, 2013
• Identify Common Practices/Themes – May 15, 2013
• 2nd Framework Workshop at CMU – May 29-31, 2013
• Draft Outline of Preliminary Framework – June 2013
• 3rd Framework Workshop at UCSD – July 10-12, 2013
• 4th Framework Workshop at UT Dallas – September 11-13, 2013
• Publish Preliminary Framework – October 22, 2013
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process
Page 12
NIST issued a Request for Information (phase: Collect, Categorize, and Post RFI Responses)
• The purpose of the RFI was to:
  • Gather relevant input from industry and other stakeholders on the many interrelated considerations in developing the Framework
  • Encourage stakeholder participation in the Cybersecurity Framework development process
• Over 240 responses received from industry, associations, academics, and individuals
• NIST presented an initial analysis to describe the methodology used to perform the analysis, and to identify and describe the Cybersecurity Framework themes that emerged as part of the initial analysis.
Page 13
Draft Outline – Preliminary Framework (phase: Identify Framework Elements)
• In June, NIST presented the following for community feedback:
  • Draft outline that defines the overall Framework structure
  • Executive Overview and Summary
  • How to Use the Framework
  • Role of Risk Management Processes
  • Framework Core Elements
    • A high-level view of key functions, categories, and subcategories of an organization’s approach to managing cybersecurity risk
  • Framework Implementation Levels
  • Compendium of Informative References
    • Non-exhaustive listing of submitted informative references (e.g., standards, guidelines, and best practices) to assist with specific implementation
    • Illustrative resource; not intended as an endorsement of any reference
Page 14
Framework Core (phase: Prepare and Publish Preliminary Framework)
Page 15
Risk Management and the Cybersecurity Framework
• While not a risk management process itself, the Framework enables the integration of cybersecurity risk management into the organization’s overall risk management process.
• The Framework fosters:
• Cybersecurity risk management approaches that take into account the interaction of multiple risks;
• Cybersecurity risk management approaches that address both traditional information technology and operational technology (industrial control systems);
• Cybersecurity risk management practices that encompass the entire organization, exposing dependencies that often exist within large, mature, and/or diverse entities, and with the interaction between the entities and their partners, vendors, suppliers, and others;
• Cybersecurity risk management practices that are internalized by the organization to ensure that decision making is conducted by a risk-informed process of continuous improvement; and
• Cybersecurity standards that can be used to support risk management activities
Page 16
Framework Core: Functions
• The five Framework Core Functions provide the highest level of structure:
  • Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.
  • Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.
Page 17
Framework Core: Categories
• Categories are the subdivisions of a Function into groups of cybersecurity activities, more closely tied to programmatic needs
Page 18
The Framework Core
Page 19
Getting from the Preliminary Framework to the Final Framework and Beyond
Phases: Prepare and Publish Preliminary Framework; Public Comment Period; Final Cybersecurity Framework; Framework Governance; Additional Ongoing Public Engagement
• Publish Preliminary Framework – October 22, 2013; begin 45 day Public Comment Period
• Stakeholder outreach discussions continue
• Public comment period closes
• Complete comment resolution and disposition
• Publish Final Cybersecurity Framework – February 2014
• Framework maintenance and updates
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process
Page 20
Q & A
• The Preliminary Cybersecurity Framework and other material are available at http://www.nist.gov/itl/cyberframework.cfm
• Please send us your observations and further suggestions at [email protected]
Page 21
Advisen’s Statistical View of the Cyber Insurance Market
Jim Blinn
Executive Vice President
Advisen
Mark Hoffmann
Insurance & Actuarial Advisor
Ernst & Young
Page 22
| Revenue Range ($) | % Purchasing Cyber |
|---|---|
| <2.5M | 3.4% |
| 2.5M<5M | 4.1% |
| 5M<10M | 5.4% |
| 10M<25M | 6.9% |
| 25M<100M | 9.0% |
| 100M<300M | 16.1% |
| 300M<1B | 19.2% |
| 1B<5B | 19.3% |
| 5B+ | 21.9% |
Page 23
U.S. Companies (excl. sole proprietorships), 2005-2008 (Source: IRS)
Bar chart of company counts (0 to 10,000,000) by entity type: C-Corps, S-Corps, LLCs, Limited Partnerships, General Partnerships
Page 24
Market Potential ($ thousands)
Bar chart: 2011, 2012, Today, Potential (axis $0 to $6,000)
Potential Assumptions:
• Today’s rates
• 5% of companies under $5M revenue buy coverage
• 90% of companies over $50M revenue buy coverage
• $5 billion GWP
Page 25
Cyber Data Analytics
Data considerations
Jim Blinn, Advisen
Page 26
• Source of Data
  • Automatic Teller Machine (ATM)
  • CD-ROM
  • Cloud derived data
  • Desktop
  • Email
  • Hard Drive (portable)
  • Laptop
  • Point of Sale (POS)
  • Printed Records
  • Server
  • Social Media
  • Software
  • Tape
  • Thumb Drive
  • Website
• Type of Data Lost
  • Personal Financial Identity
  • Personal Privacy
  • Corporate Loss of Business Income
  • Corporate Loss of Digital Assets
Page 27

Page 28
“And the survey says…”
Catherine Mulligan
Senior Vice President, Specialty E&O Underwriting Manager
Zurich
Sponsored by

Page 29
Perceptions of risk
Survey question: In your experience, are cyber risks viewed as a significant threat to your organization by: Board of Directors; C-Suite Executives; Suppliers/Customers
Response options: Yes; No; Don't Know; N/A
(Bar chart of response counts, 0 to 350, per group)
Page 30
Data Breach Response
Survey question: In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?
Response options: Sales; Customer Service; Information Technology (IT); General Counsel; Risk Management/Insurance; Compliance; Chief Privacy Officer; Don’t Know
(Pie chart; segment values as extracted: 34%, 25%, 13%, 11%, 6%, 5%, 4%, 1%, 1%, 0%)
Page 31
Risk Management
Survey question: Which department is PRIMARILY responsible for spearheading the information security risk management effort?
Response options: Information Technology (IT); General Counsel’s Office; Treasury or CFO’s Office; Internal Audit; Risk Management/Insurance; Human Resources (HR); Chief Privacy Officer; Don't Know
(Pie chart; segment values as extracted: 75%, 9%, 6%, 3%, 2%, 2%, 2%, 1%, 0%)
Page 32
Emerging Risks
• Social media
• Mobile devices
• Cloud Computing
Page 33
Insurance
Does your organization purchase cyber liability insurance?

| | 2011 | 2012 | 2013 |
|---|---|---|---|
| Yes | 35% | 44% | 52% |
| No | 60% | 50% | 38% |
Page 34
The Risk Manager’s Perspective
Page 35
The Risk Manager’s Perspective
Bob Parisi (Moderator)
Managing Director & National Practice Leader for Technology, Network Risk & Telecommunications
Marsh

Page 36
The Risk Manager’s Perspective
• Bob Parisi, Managing Director & National Technology Practice Leader, Marsh
• Emily Cummins, Director of Tax and Risk Management, NRA
• Jimmy Kirtland, VP, Corporate Risk Management, ING U.S.
• Nicholas Parillo, Vice President, Global Insurance, Royal Ahold N.V.

Page 37
CYBER INSURANCE TRACK
Moderated by David Bradford, Advisen
Page 38
Why the Board of Directors should be Concerned About Cyber Liability Insurance

Page 39
Why the Board of Directors should be Concerned About Cyber Liability Insurance
Ty Sagalow
President
Innovation Insurance Group
Page 40
Why the Board of Directors should be Concerned About Cyber Liability Insurance
• Ty Sagalow, President, Innovation Insurance Group
• Ben Beeson, Partner, Head of Global Technology and Privacy Practice, Lockton
• Gerald Ferguson, Partner, BakerHostetler
• Kirstin Simonson, Second Vice President, Travelers Global Technology, Travelers
• Jody Westby, CEO, Global Cyber Risk

Page 41
Cost, Capacity and Coverage: The Broker’s Perspective
Page 42
Cost, Capacity and Coverage: The Broker’s Perspective
Jeff Cohen
Executive Vice President
Advisen
Page 43
Cost, Capacity and Coverage: The Broker’s Perspective
• Jeff Cohen, Executive Vice President, Advisen
• John Doernberg, VP, William Gallagher Associates
• Dave Perkins, Executive Vice President, U.S. Risk
• Steve Robinson, National Practice Leader, Risk Placement Services, RPS Technology & Cyber
• Peter Taffae, Managing Director, ExecutivePerils
Page 44
Is cyber risk the future?
Page 45
Beyond Data Breaches: What Coverages are Provided by Cyber Liability Policies?

Page 46
Beyond Data Breaches: What Coverages are Provided by Cyber Liability Policies?
Tom Srail
Senior Vice President, Cyber and E&O Team, FINEX
Willis

Page 47
Cyber Insurance Policy “Buckets”

| Privacy Expenses | Privacy Liability | Other Liability | 1st Party |
|---|---|---|---|
| Forensics | Defense Costs | Network Security | Data Restoration |
| Notice/Monitoring | Regulatory Fines | Media | Business Interruption |
| Call Centers | PCI Fines | E&O/Professional | System/Admin Failure |
| Crisis Expenses | | | Extortion |

Grouping: Privacy Expenses; Liability (Privacy Liability and Other Liability); 1st Party

Page 48
What’s in a name? Costs to notify a breached individual
Labels seen in policies for this coverage:
• Privacy Breach Response Services
• Data Breach Fund Expenses
• Tier 1 (via endorsement)
• Event Management Coverage Section (sublimit shared with other coverages)
• Breach Event Insuring Agreement
• Privacy Notification Expenses
• Notification and Credit Monitoring Expense Coverage
• Enterprise Security Event
• Crisis Management Expense
• Breach Costs Module
• Public Relations Event Expenses
• Crisis Management Expenses

Page 49
Liability
• Network Security Liability
  – Hacker/Sabotage
  – Virus Transmission
• Media Liability
  – Copyright, Trademark
  – Libel, Slander, Defamation
  – Violations of Publicity
• E&O/Professional
  – Tech/Telecom
  – Media/Broadcasting
  – Miscellaneous

Page 50
First Party Cyber Coverage
• Data Restoration
  – Hacker/Virus/Employee Sabotage
• Business Interruption (due to security breach)
  – Lost Income
  – Extra Expense
• System Failure/Admin Failure
  – Unplanned outage of Computer System
• Cyber Extortion
  – Ransom Demand
  – Investigative Expenses
• “Your Computer System” definition is key
  – IT Vendor/Cloud

Page 52
A Global Perspective
Page 53
A Global Perspective
Tracie Grella
Global Head of Professional Liability, Financial Lines
AIG
Pages 54-57

State of the International Market
• Data and Privacy Regulation
• Coverage Beyond Data Breach Response
• Global Service Offerings and Claims
Page 58
The Cyber Claim Process: What to Expect from your Insurer
Page 59
The Cyber Claim Process: What to Expect from your Insurer
Beth Diamond
Claims Team Leader, Technology, Media and Business Services
Beazley

Page 60
Every Insured Should . . . .
• Benefit from the experience, knowledge and resources the carrier can provide
• Understand how coverage will work in the circumstances presented
• Maximize coverage by complying with the relevant policy requirements
![Page 61](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/61.jpg)
You Think You Might Be Experiencing A Breach Incident
• Report it – early and often!
• No penalty for reporting an incident that turns out not to be a legal breach, but there might be an impact to coverage if you take action before notifying your insurer
![Page 62](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/62.jpg)
Once Your Insurer Knows . . .
• Benefit – experience – avoid being a first timer (for example, knowing which AG reads “30 days” into the statute or deciding to pre-notify a particular state regulator)
• Benefit – knowledge – even an experienced insured needs to know the latest and greatest
• Benefit – resources – only work with experts in the field and do so at market competitive prices
![Page 63](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/63.jpg)
Once Your Insurer Knows . . .
• Ensure you understand how your coverage works in the specific situation, including sub-limits, response requirements and options
• Comply with the policy requirements, obtain the consents and establish a relationship with your breach and/or claim manager
![Page 64](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/64.jpg)
Establish the Relationship
• A good carrier knows when to muster resources and when to get out of the way
• A good carrier will help you navigate the breach response, think ahead to understand what to expect next, and ensure a strategic and compliant response helps mitigate third-party liability
• Avoid just “showing up with the receipts” to first haggle over reimbursement
![Page 65](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/65.jpg)
The Regulators and Plaintiff Firms Have Arrived
• Identifying and vetting defense counsel
• Learning insights as to what other similarly situated companies have done
• Keeping abreast of trends and legal developments
![Page 66](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/66.jpg)
Understand Your Coverage
• Ask for a call early on to understand how your third-party cyber coverage works
• Identify when consent is required
• Know whether there are defense counsel guidelines
• Be transparent if/when you are considering the possibility of settlement; the earlier you start the dialogue with your carrier, the better for obtaining the authority level you are seeking
![Page 67](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/67.jpg)
A Few Additional Thoughts
• Many cyber carriers offer education and risk management/risk mitigation tools – take advantage!
![Page 68](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/68.jpg)
A Few Additional Thoughts
• Many cyber carriers offer crisis management coverage – if there is a legal obligation to notify, you do not have the right to remain silent -- what you say can and will be used against you
– effective external crisis communications can help mitigate loss of good will
– conversely, failure to approach communications strategically can be damaging
![Page 69](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/69.jpg)
A Few Additional Thoughts
• Report early and often -- make use of the expertise available at your cyber carrier.
![Page 70](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/70.jpg)
CYBER THREAT LANDSCAPE TRACK
Moderated by Alan Brill, Kroll
![Page 71](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/71.jpg)
Outspent, Outmanned and Outgunned by the Bad Guys: Implications for U.S. Businesses
![Page 72](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/72.jpg)
Alan Brill
Senior Managing Director
Kroll
Outspent, Outmanned and Outgunned by the Bad Guys: Implications for U.S. Businesses
![Page 73](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/73.jpg)
Outspent, Outmanned and Outgunned by the Bad Guys: Implications for U.S. Businesses
• Alan Brill, Senior Managing Director, Kroll
• Stephen Boyer, Founder & Chief Technology Officer, Bitsight
• Michael Bruemmer, Vice President, Data Breach Resolution Group, Experian
• Carol Rizzo, Consultant, Rizzo Advisory Services
![Page 74](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/74.jpg)
Scanning Behavior at the Entity Level
![Page 75](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/75.jpg)
Spam Behavior at the Entity Level
![Page 76](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/76.jpg)
IP Port Scanning Behavior
![Page 77](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/77.jpg)
Spam IP Behavior
![Page 78](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/78.jpg)
Industry Indices (chart; vertical axis: BitSight Rating)
![Page 79](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/79.jpg)
BYOE (Beware of Your Own Employees): The Shifting Risk Landscape of BYOD and Social Media
![Page 80](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/80.jpg)
BYOE (Beware of Your Own Employees): The Shifting Risk Landscape of BYOD and Social Media
Brad Gow
Vice President
Endurance Pro
![Page 81](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/81.jpg)
• Brad Gow, Vice President, Endurance Pro
• John Coletti, Vice President, Underwriting Manager, XL
• Eduard Goodman, Chief Privacy Officer, IDT911
• Laurie Kamaiko, Partner, Edwards Wildman & Palmer
BYOE (Beware of Your Own Employees): The Shifting Risk Landscape of BYOD and Social Media
![Page 82](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/82.jpg)
![Page 83](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/83.jpg)
![Page 84](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/84.jpg)
The FTC’s Role in Consumer Privacy & Data Security
![Page 85](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/85.jpg)
The FTC’s Role in Consumer Privacy & Data Security
Jonathan Zimmerman
Senior Attorney, Division of Privacy & Identity Protection
FTC
![Page 86](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/86.jpg)
The Federal Trade Commission’s Role in Consumer Privacy & Data Security
Jonathan Zimmerman, Senior Attorney
Division of Privacy & Identity Protection, Federal Trade Commission
The views expressed are those of the speaker and not necessarily those of the FTC
![Page 87](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/87.jpg)
Overview
• Federal Trade Commission Background
– Section 5 of the FTC Act
– Approach to Data Security
• Enforcement
– Overview
– Recent Case Highlights
• What’s on the Horizon
![Page 88](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/88.jpg)
FTC Background Information
• FTC is an independent law enforcement agency
– Five Commissioners appointed by President and confirmed by Senate
• Consumer protection and competition mandate
• Section 5 of the FTC Act
– Broad authority to prohibit deceptive or unfair acts or practices
• Deceptive practices are representations, omissions, or practices that:
– Are likely to mislead consumers acting reasonably under the circumstances
– Representation, omission, or practice must be material
• Unfair practices are those that:
– Cause or are likely to cause substantial injury
– Are not outweighed by the benefits to consumers and/or competition, and
– Are not reasonably avoidable by the consumer
• In addition to Section 5, the FTC enforces several sector-specific privacy laws (e.g., Fair Credit Reporting Act, Children’s Online Privacy Protection Act)
![Page 89](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/89.jpg)
FTC’s Approach to Data Security
• In Data Security Cases the FTC Recognizes:
– Information security is an ongoing process
– A company’s security procedures must be reasonable and appropriate in light of the circumstances
• Did the company have effective security measures in place to protect personal information?
• If not, could the information have been protected at a reasonable cost?
• Were the security vulnerabilities at issue well-known within the information technology industry?
• Are there simple, readily-available low cost measures to protect against those vulnerabilities?
– There is no such thing as perfect security:
• A breach does not necessarily show that a company failed to have reasonable security measures
• But a company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach
![Page 90](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/90.jpg)
FTC Enforcement: Privacy and Data Security
![Page 91](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/91.jpg)
Recent Enforcement Highlights
• HTC America (2013)
– First software security case
– Focused on HTC’s lack of a software security program, as evidenced by security flaws HTC introduced into its Android, Windows Phone and Windows Mobile devices that could have allowed malware to access sensitive device functionality and user information
– Order provisions: HTC required to provide security patches for millions of devices, set up a software security program, and is subject to security audits for the next 20 years
![Page 92](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/92.jpg)
Recent Enforcement Highlights
• Twitter (June 2010)
– Failure to secure administrative access
• Weak passwords permitted
• Administrative login page publicly accessible
• Account not disabled after multiple failed login attempts
– Consumers’ tweets were not private, as promised
– Order provisions: Honor the privacy choices made by consumers and establish a comprehensive information security program, with biennial independent audit
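The three administrative-access failures on the Twitter slide correspond to three ordinary controls: a password policy, keeping the administrative login path off the public internet, and locking an account after repeated failures. The block below is an added example written for this edit, not code from the FTC, Twitter or the slide author. Its in-memory account store, the 10.0.0.0/8 "admin network", PBKDF2-HMAC-SHA256 hashing, the 5-attempt / 15-minute lockout and the tiny common-password list are all assumptions chosen for illustration:

```python
"""Added example: the three access controls behind the Twitter findings.

Assumptions (not from the slide): an in-memory account store, an internal
admin network of 10.0.0.0/8, PBKDF2-HMAC-SHA256 password hashing, and a
fixed lockout policy of 5 failures / 15 minutes.
"""
import hashlib
import ipaddress
import secrets
import time
from typing import Optional

MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000
# Assumed internal range from which administrative logins are accepted.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed denylist; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12"}


def password_is_acceptable(password: str) -> bool:
    """Reject short, common, or single-character-class passwords."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = sum(
        1 for has_class in (str.islower, str.isupper, str.isdigit)
        if any(has_class(ch) for ch in password)
    )
    if any(not ch.isalnum() for ch in password):
        classes += 1
    return classes >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def source_in_admin_network(source_ip: str) -> bool:
    """True when the client address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ADMIN_NETWORKS)


class AccountStore:
    """In-memory accounts with per-account failure counting and lockout."""

    def __init__(self):
        self._accounts = {}

    def create(self, username: str, password: str, is_admin: bool = False) -> None:
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "admin": is_admin,
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str, source_ip: str,
              now: Optional[float] = None) -> str:
        """Return one of: ok, invalid, locked, admin_network_denied."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            return "invalid"
        if now < acct["locked_until"]:
            return "locked"
        # Admin accounts may only authenticate from the internal network, so
        # the administrative login path is not reachable from the internet.
        if acct["admin"] and not source_in_admin_network(source_ip):
            return "admin_network_denied"
        if secrets.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            # Disable the account for a fixed window after repeated failures.
            acct["failed"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

The failure counter resets on a successful login and when a lockout window is set; a production system would also record every `locked` and `admin_network_denied` outcome so that repeated failures become a detection signal rather than only a throttle.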
![Page 93](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/93.jpg)
Current Litigation
• FTC v. Wyndham et al. (D.N.J.)
– Complaint alleges Wyndham violated Section 5 by failing to implement reasonable network security, which led to multiple hacking attacks in which hundreds of thousands of consumers’ payment cards were compromised
• FTC v. LabMD (Administrative Proceeding)
– Complaint alleges systemic security failures including failing to detect the installation or use of an unauthorized file sharing application on its networks
– A LabMD file with personal information about approx. 9,300 consumers, including social security numbers, birth dates, and medical information, was found on a P2P file sharing network
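The LabMD allegation is a detection failure: an unauthorized file-sharing application ran on the network without being noticed. A routine control is to compare an endpoint software inventory against an approved-software list and to escalate any unapproved program that is also accepting inbound connections, which is how a file-sharing client exposes a folder. The block below is an added example for this edit, not LabMD's or the FTC's; the CSV column layout, the approved-software set and the inventory rows (host names, users, process names and ports) are all constructed:

```python
"""Added example: flag endpoint software that is not on the approved list.

Assumptions (not from the slide): a CSV export of running processes per host
with the columns shown below, and a constructed approved-software list.
"""
import csv
import io
from typing import Dict, List

# Constructed approved-software list (an assumption for this example).
APPROVED_SOFTWARE = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "svchost.exe"}

# Constructed sample inventory; hosts, users and process names are invented.
SAMPLE_INVENTORY = """host,user,process,listening_port
billing-01,jdoe,outlook.exe,
billing-01,jdoe,p2pclient.exe,6346
lab-07,asmith,excel.exe,
lab-07,asmith,torrentclient.exe,6881
hr-03,bwong,chrome.exe,
"""


def find_unapproved_software(inventory_csv: str) -> List[Dict]:
    """Return one finding per process that is not on the approved list."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        process = row["process"].strip().lower()
        if process in APPROVED_SOFTWARE:
            continue
        port = row["listening_port"].strip()
        findings.append({
            "host": row["host"],
            "user": row["user"],
            "process": process,
            # An unapproved program that also listens for connections is the
            # LabMD pattern: a file-sharing client serving a local folder.
            "severity": "high" if port else "medium",
            "listening_port": int(port) if port else None,
        })
    return findings


def hosts_needing_followup(findings: List[Dict]) -> List[str]:
    """Hosts with at least one high-severity finding, for the response queue."""
    return sorted({f["host"] for f in findings if f["severity"] == "high"})
```

An allowlist is deliberately used instead of a list of known file-sharing products: the control should surface anything unexpected, not only the clients someone already thought to name.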
![Page 94](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/94.jpg)
What’s on the Horizon
• More and more data:
– As companies collect more and more data on consumers, their data security will have to keep pace
– We encourage companies to follow data minimization practices, to only collect what they need, and to think hard about how long they need to keep it
– And we encourage companies to be upfront and transparent with consumers concerning the uses to which they will put the information they collect
• More and more devices:
– It’s not just desktops and databases anymore
– Between mobile devices and the increasing interconnectedness of everything from cars to refrigerators, companies need to think strategically about security across a broader spectrum of devices with which consumers interact
![Page 95](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/95.jpg)
Questions?
• More information available at: www.ftc.gov
Jonathan E. Zimmerman, Federal Trade Commission, [email protected]
![Page 96](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/96.jpg)
The Privacy Risks of Big Data: Balancing Innovation and Risk
![Page 97](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/97.jpg)
The Privacy Risks of Big Data: Balancing Innovation and Risk
Paul Miskovich
Senior Vice President, Cyber/Tech Product Manager
AXIS Pro
![Page 98](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/98.jpg)
The Privacy Risks of Big Data
• Big Data
• Economic Theories
• Obscurity, Correlation and Cognitive Dissonance
• Anonymized Data
• Monetization (Gathering, Use and Control)
– Security & Privacy
– Financial Loss
![Page 99](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/99.jpg)
National Policy
• Omnibus Crime Control and Safe Streets Act (Wiretap Statute)
• Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)
• Video Privacy Protection Act (VPPA)
• Gramm Leach Bliley (GLB) Financial Services Modernization Act
• Children’s Online Privacy Protection Act (COPPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Trade Commission (FTC) - Enforcement Actions
• Consumer Privacy Bill of Rights
![Page 100](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/100.jpg)
Privacy & Security
• Notification Laws
• California
– Song Beverly Credit Card Act
– Medical Privacy A.B. 211 and S.B. 541
– Shine The Light
– Browsing History
– California Online Privacy Protection Act (CalOPPA) - Do Not Track
– In re Apple Inc. – Consumer Privacy Litigation
• Michigan
– Video Rental Protection Act (VPRA)
– Consumer Protection Act (CPA)
• Massachusetts
– Tyler v. Michaels Stores - Zip codes constitute personal identifiable information
– Compliance obligation to prevent data breaches
• Common Law
– Public Disclosure of Embarrassing Private Facts (Invasion of Privacy)
– Intrusion Upon Seclusion or Solitude or into Private Affairs
![Page 101](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/101.jpg)
The Privacy Risks of Big Data
• Evolving Insurance Products – General Liability, Media, E&O and Cyber
• Personal Injury
• Information Gathering
• Emerging Market Behavior
![Page 102](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/102.jpg)
Operational Cyber Risk
![Page 103](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/103.jpg)
Operational Cyber Risk
Lori Bailey
Global Head of Professional Liability
Zurich
![Page 104](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/104.jpg)
Supply chain statistics (chart):
• Entities which suffered a Supply Chain Disruption in 2012
• Supply Chain Disruptions that occur from IT Outages
• Approximate Shareholder Impact from Supplier Disruptions
Values shown on the chart: 73%, 10-30%, 52%
![Page 105](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/105.jpg)
Risk categories (diagram): Financial Risks, People Risks, Market Risks, Strategic Risks, Operational Risks
![Page 106](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/106.jpg)
Risk Management
Compliance
Legal / Dispute Resolution
Contract Management
Crisis Management
Portfolio Management
Human Resources
Executive Management
![Page 107](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/107.jpg)
![Page 108](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/108.jpg)
General Session
![Page 109](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/109.jpg)
Cloud Computing and the Risks of IT Outsourcing
![Page 110](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/110.jpg)
Cloud Computing and the Risks of IT Outsourcing
John Mullen
Partner, Chair of Complex Liability Practice Group
Nelson Levine de Luca & Hamilton
![Page 111](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/111.jpg)
• John Mullen, Partner, Chair of Complex Liability Practice Group, Nelson Levine de Luca & Hamilton
• Alan Brill, Senior Managing Director, Kroll
• Anthony Dagostino, Vice President, Professional Risk, ACE
• John Merchant, Lead Cyber Specialist, US & Canada, AIG
• Michael Palotay, Senior Vice President, Underwriting, NAS
Cloud Computing and the Risks of IT Outsourcing
![Page 112](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/112.jpg)
![Page 113](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/113.jpg)
TYPES OF CLOUD DEPLOYMENT
• PUBLIC
• HYBRID
• PRIVATE
PROBLEM AREAS
• SECURITY/PRIVACY
• BACKUP/RECOVERY
• CLOUDBURSTING
• PHYSICAL VENUES/JURISDICTION
• E-DISCOVERY ISSUES
• COMPLIANCE
![Page 114](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/114.jpg)
The View from the Top
![Page 115](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/115.jpg)
The View from the Top
Tom Ruggieri
CEO
Advisen
![Page 116](https://reader034.vdocument.in/reader034/viewer/2022042303/5ece51edb6177848982ae546/html5/thumbnails/116.jpg)
The View from the Top
• Tom Ruggieri, CEO, Advisen
• Mark Wood, Managing Director, Financial Risks Division, JLT
• Mike Smith, President, Global Financial Lines, AIG
• Mike Karmilowicz, Executive Vice President, Zurich North America
• Eric Joost, Chief Operating Officer, Willis NA