Best Practices for Insuring Medical Practices from Cyber Risk


Posted on 18-Dec-2015


Karin Landry, Managing Partner, Spring Consulting Group, LLC


“There are two kinds of companies today, those who know they have been hacked, and those who don’t.”

James Comey, FBI Director (USA Today, May 2014)


Cyber Risk Trends/Statistics (2013 Verizon Data Breach Study)

• Organized crime accounts for 55% of all breaches studied
• Organizations under 100 employees account for 31% of all breaches
• 66% of breaches took months to discover
• 69% of breaches are discovered by an external party
• 78% of the breaches are considered low to very low difficulty
• Method of action:
  – 40% malware
  – 52% hacking
• Most desired data for organized crime:
  – Payment card information
  – Authentication credentials
  – Bank account information
• 48% of the 47,000 security incidents studied were attributed to errors such as:
  – Lost devices
  – Publishing errors
  – Mis-delivered email/mail


True Cost of a Data Breach

$188 per record for the U.S.*

• Forensics (determining where, what and how much data was breached)
• Notification (as required by law)
• Fines/penalties
• Loss of customers/donors
• Damage control expenses (to retain clients, restore confidence in the organization and restore reputation)

NOTE: This study does NOT factor in defense costs or liability payments made.
*Source: 2013 Cost of a Data Breach Study, Ponemon Institute


Anatomy of a Data Breach

• Incident – malicious attack, employee error, or theft
• Discovery – victims are sometimes the last to know; usually discovered within months
• Forensics analysis – what, where and how
• Response – compliance with regulatory requirements for notification
• Damage control – offering credit monitoring/fraud monitoring to impacted parties


Common Cyber Risk Coverages

Media/Website Publishing Liability


Regulatory Considerations: Data Breach Notification Laws

• In effect in 47 states; the exceptions are:
  – Alabama
  – New Mexico
  – South Dakota
• Subject to statutory fines/penalties
  – Exemptions and notification deadlines vary by state
• HIPAA/HITECH applies to entities that keep patient health information
  – Enforced by the Department of Health and Human Services


Social Media Exposures

• Content – potentially liable for content (e.g., a Facebook page, a YouTube video, a blog on your website)
• Privacy – content posted can breach a person’s privacy or lead to identity theft
• Intellectual property infringement – copyright/trademark
• Virus/malware – could be uploaded to your social media site and infect other members who click on that link
• Reputational/public relations risk – certain negative content can go viral and reach a critical mass of people in a very short time


Risk Management View

• Cyber is viewed as a very high profile risk by CEOs, CFOs, treasurers and risk managers
• A captive may be an excellent alternative to fill gaps between self-insurance and true risk transfer
  – Cyber risk may diversify a captive’s more traditional risk

56% of risk managers cite cyber risk as a “top concern”*
52% of risk managers have a dedicated cyber risk insurance policy*

*Source: Business Insurance Survey


How to Price Cyber Insurance

• The market for network, information security, and privacy (cyber) insurance remained stable in 2013
• Recent events will define the market for the next several years
• Pricing sources:
  – Commercial market quotes
  – Broker indications based on:
    • Industry (retail, manufacturing, financial institution)
    • Exposure (credit cards, healthcare personal data, SSNs, HIPAA exposures)
    • Company size (number of customers, number of transactions)
  – Actuary
  – Transfer pricing study

Case Study: Nittany Insurance Company


Nittany Insurance Company

• Single-parent Vermont-based captive, owned by The Pennsylvania State University

1992 – Established as a funding vehicle for hospital professional liability insurance
2000 – Expanded to include reinsurance of primary GL and auto coverage
Later in the 2000s – Added more coverages for the convenience of the University (e.g., deductible reimbursement for master insurance programs)


Penn State University

• Flagship land-grant University in the Commonwealth of Pennsylvania
  – However, NOT owned by the State
• Operating budget 2013/14: $5 billion
• 25,000 full-time faculty and staff, plus another 15,000 part-time employees
• 93,000 students at 20 campuses
• Two hotel/conference centers
• One very large football stadium


The Situation

Decentralized educational departments and IT networks/systems

• Insurers not interested in covering a large research institution with an open computing philosophy
• Commercially available policy forms did not provide the needed coverage
• Wanted a single funnel to accumulate expenses and manage responses to breaches
• Wanted behavior modification:
  – Incentivize decentralized units to use good computer security practices


The Solution

• Placed risk in the owned captive
• Key feature of the coverage is a two-tiered deductible:
  – If a unit employs certain “good practices” advocated by IT Security Operation Services, but has a breach anyway: $25,000 deductible
  – If a unit did not employ “good practices”, and that led or contributed to a breach: $100,000 deductible


The Results

• Firewalls more reliably installed, maintained and patched
• Security software updated in real time
• Software contracts routinely scrutinized and include security requirements
• Actual compromises decreased significantly
• Release of SSNs declined from 10,000 at a time to 5-10 in isolated instances


Contact Information

www.springgroup.com

Karin Landry, Managing Partner, Spring Consulting Group
[email protected]
617-589-0930, ext. 102