NYSTA 2012 Annual Conference Telcom Insurance Group Presented by: Joyce Hermann, AU, CISR Sr. Account Executive Insure IT, Manage IT But Never Ignore IT… Network Security and Data Liability Because it has always been a matter of trust…

Upload: jerome-hugh-george

Post on 28-Dec-2015


TRANSCRIPT

Page 1: NYSTA 2012 Annual Conference Telcom Insurance Group Presented by: Joyce Hermann, AU, CISR Sr. Account Executive Insure IT, Manage IT But Never Ignore IT…

NYSTA 2012 Annual Conference, Telcom Insurance Group

Presented by: Joyce Hermann, AU, CISR, Sr. Account Executive

Insure IT, Manage IT But Never Ignore IT…

Network Security and Data Liability

Because it has always been a matter of trust…

Page 2

Network Security and Data Liability

Risk management is a great way to deal with any exposure, but as we all know it is not foolproof. One method of risk management is to transfer the exposure, and the most common way to do that is insurance. Let's review the exposure to determine whether management alone is enough or whether a transfer needs to be explored.

This exposure is created by a breach. So, what is a breach?

Personal information that is in a format that can be easily read and used by a third party is stolen, and that personal information is now in unauthorized hands.

Page 3

Who Is Held Accountable?

• Board of Directors and Senior Management

• By Contract: 3rd Parties?

• IT Services Providers

Certain laws make those responsible, responsible to do certain things after a breach:

• Sarbanes-Oxley: Shareholder Notification

• State Laws: Consumer Notification

Page 4

Network Security and Data Liability

Flow of a breach and parties involved (diagram; parties shown: Business, Customer, Breach, State AG, FTC/FCC, Industry).

Page 5

Use a Layered Approach to Risk Management and Transfer

• Recognize the risk, analyze the exposure, plan for the possibility, implement a plan, and re-visit the issue frequently.

• Determine security gaps and fill them with technology or business practice answers. If this still leaves doubt, transfer the risk.

• Insurance is a transfer of risk option that allows access to counsel, monitoring, and coverage for all aspects of restoration.

Page 6

Use a Layered Approach to Risk Management and Transfer

• Recognize business processes and who has access to what information

• Review security processes and procedures

• Know what your outside vendors/suppliers/business partners do with your data

• Identify VPN, extranets, intranet, Internet exposures

Page 7

Analyze Defense Mechanisms

• Virus control (anti-virus updates)

• Perimeter defenses (firewalls, remote access)

• Physical security (restrict access, passwords, timeout, laptop/smart phone procedures)

• Confidentiality (collect/distribute only needed information on employees and customers)

Page 8

Plan and Implement Defense Mechanisms

• Security Policy (patches, procedures for distribution of sensitive information)

• Disaster Recovery (identify IT resources/ backups)

• Incident Response Plan (notification requirements by state if there’s a breach of confidential information)

Page 9

Who, What and Why?

• Personal information has street value. Consider a wider use of background checks. Might a clerical employee who is modestly compensated be tempted by easy money for supplying data to another?

• Pay special attention to portable devices and set standards/restrictions on the data that can be stored on them and in what format.

Page 10

Basic Business Practices

• Limit access to sensitive information and even potentially encrypt it

• Watch the disposal of paper records or files. It is easy to forget this exposure, but recent claims prove it to be a real risk. Shred paper files and records, and destroy old hard drives by drilling holes in them.

• Keep security patches up to date

Page 11

Network Security and Data Liability

Insurance Protection is available for risk transfer in a few different formats:

• General Liability coverage extensions

• Monoline NSDL policies

• As part of an Errors and Omissions Policy

Page 12

Network Security and Data Liability

Insurance Protection varies but a few of the common coverages that are offered include:

• Indemnification of 3rd party claims for damages

• Expense reimbursement to clean up your system

• Expense reimbursement for required corrective actions to assist victims

• Regulatory fine reimbursement

Page 13

Network Security and Data Liability

Insurance Protection varies but a few of the common coverages that are offered include:

• Public Relations Expenses

• Media and Communications Liability

• Errors and Omissions (more on this later)

• First party property coverage, direct and indirect loss

• Extortion

Page 14

Network Security and Data Liability

Insuring Agreement:

We will pay for “loss” that the “insured” becomes legally obligated to pay, and “defense expenses”, as a result of a “claim” first made against the “insured” during the “policy period” or during the applicable Extended Reporting Period for a “wrongful act” or a series of “interrelated wrongful acts” taking place on or after the Retroactive Date, if any, shown in the Declarations, and before the end of the “policy period”.

Page 15

Network Security and Data Liability

A Common Exclusion:

Based upon, attributable to or arising out of any action by a governmental or quasi-governmental authority or agency including, but not limited to, regulatory actions brought against you on behalf of the Federal Trade Commission, Federal Communications Commission, or other regulatory agency. However, this exclusion shall not apply to the actions brought by governmental authority acting solely in its capacity as a customer of the “named insured” or one of its “subsidiaries”.

Page 16

Network Security and Data Liability

What if a third party we use, like a billing entity, has a breach?

“Named insured” means the entity or entities shown in the Declarations and any “subsidiary”.

“Subsidiary” means any organization in which more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, or equivalent position, is owned, in any combination, by one or more “named insured”.

Independent contractors need to be added by endorsement.

Page 17

Where To Start: 1st and 3rd Party?

1st Party: An entity has an insurable interest in property and, in the event of damage, will have a direct loss of value and potentially an indirect financial loss of use or lost income.

Examples of 1st Party Property with Data/Network Exposure

• Computers (Hardware/Software) and Peripheral Devices

• Networks

• Data/Records/Paper

Page 18

What Coverage Is Available For 1st Party Exposure?

Software, Data and Media Coverage

Software is covered by most forms, but by strict definition that means the cost of the program will be reimbursed, not the value of the data or the time and labor to populate the program to make it useful. Pay careful attention to how your policy is worded in this area. Even if media is covered, is the time and effort to duplicate the data covered? Remember, policy construction is very important. If you do not have the hacker-related peril coverage, do you really have much protection? Finally, does your policy cover data of others, and is that important?

Page 19

Additional Coverage Available For 1st Party Exposure Generally Only on Network Security Forms:

• Data and Media Coverage Offsite

• Voluntary Parting

• Access to Your Network is Blocked – “Denial of Service”

• Cyber Extortion

• Regulatory Proceeding Expense

• Crisis Coverage Expense

Page 20

What Coverage Is Available For 3rd Party Exposure?

Network and Data Liability coverage is available. It will pay for damages incurred by claimants from a breach and the expense incurred due to the violation. It will also cover the regulatory fines from failure to abide by laws and regulations, including CPNI, Cable TV Operator rules, and any applicable state requirements. Generally, punitive damages are covered if allowable by state law.

It is more than identity theft coverage, which is only a veneer of protection. ID theft coverage is partial help after a loss of data occurs, but it is not protection before an event happens.

Page 21

What Coverage Isn’t Available For 3rd Party Exposure?

Network and Data Liability standard coverage exclusions include: fraud, SEC violations, fiduciary claims, RICO and collusion events, ERISA, EPLI, D&O, insured vs. insured, war, terrorism, pollution, and BI/PD.

Page 22

Resources

• www.sans.org

• www.cert.org

• www.windowsecurity.com

• www.slashdog.org

• www.cio.com

• www.infosyssec.net

• www.idtheftcenter.org

Page 23

Thank you!

Joyce Hermann, AU, CISR 800.222.4664 Ext. 3204

[email protected] www.telcominsgrp.com