the independent insurance agents and brokers of south carolina … · 2018-03-06 · sharon a....
TRANSCRIPT
Page 1 of 29 Hacking and Harassment MP02.2018
Hosted by:
The Independent Insurance Agents and Brokers of South Carolina
Presented by: Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP Managing Performance, LLC March 2018
Program developed by: Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP
Managing Performance, LLC
Cannot be reproduced without permission.
Hacking and Harassment
Part 1 – Data Breach
  At Risk
  Regulation
  Life of a Data Breach
  Coverage
  Underwriting
Part 2 – Employment Practices Liability
  In the News
  At Risk
  Coverage
  Underwriting
DATA BREACH
Class Poll: Does your organization have a Data Breach Security Plan?
Yes ________________
No ________________
I’m not sure ________________
Class Poll: Does your organization have a Cyber Liability Insurance Policy?
Yes ________________
No ________________
I’m not sure ________________
Top 10 Malware as of December 2017
1. Kovter – a Trojan delivered via malspam email attachments that evades detection by storing itself in registry keys rather than in files on disk. (Malspam – unsolicited email that either directs users to download malware from malicious websites or tricks them into opening malware sent as an attachment.)
2. CoinMiner – a cryptocurrency miner delivered via malvertising. (Malvertising – malware introduced through a malicious advertisement.)
3. ZeuS/Zbot – a modular banking Trojan that uses keystroke logging to capture victim credentials when the user visits a banking website.
4. Emotet – a modular Trojan with four known spreader modules:
• Outlook Scraper – a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses them to send phishing emails from the compromised account;
• WebBrowserPassView – a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera and passes them to the credential enumerator module;
• Mail PassView – a password recovery tool that reveals passwords and account details for email clients such as Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo Mail and Gmail and passes them to the credential enumerator module;
• Credential Enumerator – the module that takes the credentials harvested by the two tools above and uses them to spread to other systems.
5. NanoCore – a Remote Access Trojan (RAT) spread via malspam as a malicious Excel (XLS) spreadsheet attachment.
6. Sharik – a Trojan downloader spread via malspam as a malicious Word document.
7. Ursnif and its variant Dreambot – banking Trojans
8. Gh0st – a RAT used to control infected endpoints. Gh0st is left by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
9. LatentBot – a modular Trojan that also acts as a botnet agent. Once a system is infected, it is able to download additional modules including keyloggers and form grabbers. It is currently being dropped by RIG Exploit Kit.
10. Pushdo – a Trojan downloader that is known to download the Cutwail spam module. It is also able to download other types of malware and is currently being dropped by RIG Exploit Kit.
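The Kovter entry above is the one item in this list that describes a technique rather than a delivery channel: the malware keeps itself in registry values so that disk-based scanning finds nothing. The following is an added example, not part of the course handout and not a signature from any vendor, showing the kind of heuristics an endpoint team runs over exported registry values to surface that pattern. The record layout (key, value name, data), the thresholds and every sample value are assumptions constructed for the illustration.

```python
"""Added example, not from the course handout: heuristics for the
registry-resident persistence the Kovter entry describes, run over
constructed registry-value records.  The record layout (key, name, data)
and every sample value below are assumptions made for the illustration,
not the output or signatures of any particular tool."""
import re

# Autostart locations: anything written here runs at logon.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Script hosts that a legitimate installer rarely registers as the autostart itself.
SCRIPT_HOST_RE = re.compile(
    r"\b(mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
# A run of base64-looking characters long enough to be a payload rather than a setting.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")
ENCODED_FLAG_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
BLOB_LIMIT = 1024  # characters of data in one value before we treat it as a payload store


def is_run_key(key: str) -> bool:
    return bool(RUN_KEY_RE.search(key))


def suspicious_reasons(record: dict) -> list:
    """Return the heuristics a single registry value trips (empty list = nothing seen)."""
    key, name, data = record["key"], record["name"], record["data"]
    reasons = []
    # 1. Control characters in a value name keep it from displaying cleanly in
    #    regedit and similar viewers, a classic way to hide an autostart entry.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
        reasons.append("non-printable value name")
    if is_run_key(key):
        # 2. The autostart launches a script host instead of an application binary.
        if SCRIPT_HOST_RE.search(data):
            reasons.append("autostart via script host")
        # 3. The script itself, or an encoded command, sits inline in the autostart.
        if "javascript:" in data.lower() or ENCODED_FLAG_RE.search(data):
            reasons.append("inline/encoded script in autostart")
    # 4. A large encoded blob stored directly in a value: the payload lives in
    #    the registry rather than in a file that disk-based scanning would see.
    if len(data) >= BLOB_LIMIT and B64_RUN_RE.search(data):
        reasons.append("large encoded blob stored in registry")
    return reasons


def triage(records: list) -> list:
    """(key, value name, reasons) for every record that trips at least one heuristic."""
    out = []
    for r in records:
        reasons = suspicious_reasons(r)
        if reasons:
            out.append((r["key"], r["name"], reasons))
    return out


# Constructed sample values: one ordinary vendor autostart, one autostart that
# boots a script out of another registry value, and that payload value itself.
SAMPLE = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "\x00a1b2",
     "data": 'mshta "javascript:s=new ActiveXObject(\'WScript.Shell\');'
             'eval(s.RegRead(\'HKCU\\\\Software\\\\a1b2\\\\c3d4\'))"'},
    {"key": r"HKCU\Software\a1b2", "name": "c3d4", "data": "QUJD" * 400},
]

if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE):
        print(f"{key}\\{name!r}: {', '.join(reasons)}")
```

The point of the layering is that no single heuristic is conclusive (administrators do register PowerShell scripts to run at logon), but an autostart that invokes a script host, carries its script inline, hides its name and points at a kilobyte-sized encoded value elsewhere in the hive is worth an analyst's time regardless of what the antivirus said about the disk.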
Types of Cyber Attacks
Viruses, worms
Malware
Web-based attacks
Phishing and social engineering
Malicious code
Botnets
Denial of Service
Stolen devices
Malicious insiders
Data at Risk
PII – Personally Identifiable Information
The US Department of Labor defines PII as:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
*Please note, it is important to understand each State’s definition of PII.
PHI – Protected Health Information
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy rule calls this information “Protected Health Information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
As defined by the US Department of Health & Human Services, Office for Civil Rights, Privacy Brief: Summary of the HIPAA Privacy Rule: https://www.hhs.gov/sites/default/files/privacysummary.pdf
For a more complete definition and understanding of HIPAA, refer to www.hhs.gov/hipaa
The HITECH Act also applies to vendors of personal health records and to third-party service providers (business associates).
PCI – Payment Card Industry
To accept, store, process or transmit payment card data you must comply with PCI DSS (Payment Card Industry Data Security Standard), a requirement imposed by contract through your merchant agreement rather than by statute.
Intellectual Property
An intangible asset such as an idea, creation or process.
Top Industries at Risk
Healthcare
Higher Education
Energy
Financial Services
Government
What other industries may be cause for concern?
Legal Fundamentals
Federal Laws
Gramm-Leach-Bliley Act (GLBA) – nonpublic personal financial information held by financial institutions, a category that includes insurance agencies
HIPAA – Health Insurance Portability & Accountability Act
HITECH – Health Information Technology for Economic & Clinical Health Act
PCI DSS – Payment Card Industry Data Security Standard, administered by the PCI Security Standards Council (an industry standard enforced by contract through the card brands and acquiring banks, not a federal statute)
There are at least 35 federal laws with data protection or privacy protection provisions.
In October 2017 the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law. Once enacted by a state, the model law creates rules for insurers, agents and other licensees covering data security, investigation and notification of breaches. It requires maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating cybersecurity events and notifying the insurance regulator of a cybersecurity event (no later than 72 hours after determining one has occurred, under the model law’s text).
http://www.naic.org/store/free/MDL-668.pdf
International
The General Data Protection Regulation (GDPR) applies from May 25, 2018, with new requirements for anyone collecting, storing or using the personal data of individuals in the EU, wherever the organization itself is located. GDPR is a regulation approved by the European Parliament, the Council of the European Union and the European Commission “to strengthen and unify data protection for all individuals within the EU.”
State Regulation
48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data breach notification laws. States with no data breach law as of this writing (March 2018): Alabama and South Dakota.
*The residence of the affected individual, not the location of the business, determines which state’s notice law applies, so one incident can trigger the laws of every state in which affected individuals live. www.ncsl.org is an excellent resource for state regulations.
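The following is an added example, not part of the course handout, written to make two of the preceding points concrete: it applies the Department of Labor list of direct identifiers quoted in the Data at Risk section (name, Social Security number, telephone number, email address) to structured records and to free text, masks what it finds so the scan report is not itself a second copy of the PII, and tallies the individuals affected by state of residence, because residence selects the notice law. The records, the spreadsheet dump, the field names and the regular expressions are assumptions constructed for the illustration; the code implements no state’s statutory definition of “personal identifying information”, which must still be checked per state.

```python
"""Added example, not from the course handout: apply the DOL list of direct
identifiers to records and to free text, mask the findings, and tally the
individuals affected by state of residence, since residence selects the
notice law.  Records, field names, regexes and the spreadsheet dump are
all constructed for the illustration and implement no state's statutory
definition of personal identifying information."""
import re
from collections import Counter

# Patterns for the direct identifiers the definition names.  The SSN pattern
# applies the SSA's structural rules (no 000/666/9xx area, no 00 group, no 0000
# serial); the email and phone patterns are deliberately loose.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}


def mask(kind: str, value: str) -> str:
    """Keep enough to match the finding to a record, never the full identifier,
    so the scan report is not itself a second copy of the PII."""
    if kind == "ssn":
        return "***-**-" + value[-4:]
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "***-" + value[-4:]


def scan_text(text: str) -> list:
    """Find direct identifiers in unstructured text (a spreadsheet export, a
    ticket, a log).  Returns (line_number, kind, masked_value) tuples."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, kind, mask(kind, match.group())))
    return hits


def identifiers_in(record: dict) -> set:
    """Which direct identifiers a structured record carries."""
    found = set()
    if record.get("name", "").strip():
        found.add("name")
    for kind, pattern in PATTERNS.items():
        if pattern.search(record.get(kind) or ""):
            found.add(kind)
    return found


def affected_by_state(records: list) -> dict:
    """Individuals whose record carries at least one direct identifier,
    grouped by state of residence: the per-state notice analysis starts here."""
    counts = Counter(r["state"] for r in records if identifiers_in(r))
    return dict(counts)


def ssn_exposed_by_state(records: list) -> dict:
    """The subset whose records hold an SSN, an identifier that state breach
    statutes consistently treat as sensitive."""
    counts = Counter(r["state"] for r in records if "ssn" in identifiers_in(r))
    return dict(counts)


# Constructed sample data: not real people, not real numbers.
RECORDS = [
    {"name": "Ann Example", "state": "SC", "email": "ann@example.com",
     "ssn": "123-45-6789", "phone": ""},
    {"name": "Bob Sample", "state": "NC", "email": "", "ssn": "",
     "phone": "(803) 555-0100"},
    {"name": "", "state": "NC", "email": "", "ssn": "", "phone": ""},
    {"name": "Cy Test", "state": "SC", "email": "cy@example.org", "ssn": "",
     "phone": ""},
]
SPREADSHEET_DUMP = (
    "policy,1002,Ann Example,123-45-6789,ann@example.com\n"
    "policy,1003,,,(803) 555-0100\n"
)

if __name__ == "__main__":
    print("affected by state:", affected_by_state(RECORDS))
    print("SSN exposed by state:", ssn_exposed_by_state(RECORDS))
    for hit in scan_text(SPREADSHEET_DUMP):
        print("line %d: %s %s" % hit)
```

Two practical notes on the design: the per-state counts are what the notification expense and the “number of records breached vs. dollar limit” question later in this handout turn on, so the inventory is worth producing before an incident rather than during one; and the third record, with a state but no identifier, is deliberately not counted, which is the distinction between a record and an affected individual that carriers and regulators both draw.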
IMPORTANT: Do you do business or hold a license in New York? The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) took effect March 1, 2017 and applies to DFS licensees, including insurance agents and brokers licensed in New York. http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
Members of IIABA state associations have access to information on the Big “I” New York website under Quick Links- Cyber: https://www.biginy.org/default.aspx
South Carolina
S.C. Code Ann. § 39-1-90 (Title 39, Chapter 1, General Provisions): Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division.
“Shall notify IMMEDIATELY following discovery”
http://www.scstatehouse.gov/code/t39c001.php
North Carolina
N.C. Gen. Stat. §§ 75-61, 75-65 (Identity Theft Protection Act)
Notice “without unreasonable delay”
https://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html
https://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html
Small Business and Cyber
According to a November 2017 Insurance Information Institute whitepaper titled Small Business and Cyber Insurance:
• Half of all small and mid-sized businesses experienced a data breach in the past year, and 55% experienced a cyber attack
• Nearly 40% of businesses experienced a ransomware attack in the last year (more than a third of those lost revenue)
Class Poll: What do you believe are the reasons your clients do NOT buy Cyber Insurance?
Lack of Understanding about cyber risk _______________
Cost of Insurance _______________
Lack of understanding about cyber insurance _______________
Believe it won’t happen to them _______________
What can you do to encourage your clients to purchase Cyber Insurance?
Class Poll: Do you offer Cyber Liability/Data Breach coverage to your commercial clients?
Yes, to all __________________
Yes, to some __________________
NO __________________
How can your carriers assist you?
Life Cycle (and Cost) of a Data Breach
Discover Breach → Investigate and Remediate → Notify* → Risk Mitigation → Resume Business
Coverage Considerations
• Claims Made Policy
  ISO updated eCommerce form – discovery
• Standalone policy or endorsement
• Application interpretations
• Application is a warranty
• Coverage trigger – suspected or confirmed breach?
• Definitions
• Is defense inside or outside the limit?
• Sublimit reduction of aggregate?
• First Party – expenses included?
• Voluntary notification (not just minimum legal requirements)
• Encryption requirements
• Does it cover social media?
• Transmission of computer viruses
• Third party – e.g., the cloud
• Contractual Liability
• Intentional acts
• Other than electronic data (paper)
• Package or à la carte
• Pricing
• Capacity
• Risk Management Services
• Notification on number of records breached vs. dollar limit (aggregate issues)
• Notification expenses separate from limit of liability
• Sublimits part of the aggregate
• Liability for loss of personally identifiable information
  Not just electronic, but all types of data, including paper
  Corporate information, not just individuals’
  All types of data, not just financial
  Some policies cover loss of data while in the possession of a third party such as a vendor
Coverage – First Party
Direct loss to your organization. Can Include:
Forensic analysis and remediation of breach
Damage to computer systems and networks
Notification Expenses
Data Restoration
Business Income (eCommerce)
Contingent Business Income
Regulatory Fines and Penalties
PCI Fines and Penalties
Cyber Extortion
Crisis Management – Legal, Public Relations
Credit Monitoring
Identity Monitoring
Intellectual Property – Copyright, Trademarks, other
IMPORTANT:
Coverage – Third Party
Liability imposed due to negligence
• Breach or Privacy Liability
• Advertising Injury
• Personal Injury
• Professional Liability – “in the business of”
Software development
Network maintenance
Security Services
IMPORTANT:
Underwriting
Underwriting Information
Type of data stored
Types of controls in place
o Firewalls
o Encryption
o Detection systems
o Risk management plans
o Vendors
Type of exposure (retail, public entity, medical, financial, etc.)
Type of web presence (interactive vs. informational)
Claims History
Primary Rating and Premium Factors
Industry
Revenue
Number of records stored
Limits purchased
Retention
Coverage endorsements
Identity theft and cybercrime facts and statistics (Insurance Information Institute): https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime
Experian’s 2018 Data Breach Industry Forecast
Experian’s forecast of the top data breach trends of 2018 includes:
• The US may experience its first large-scale attack on critical infrastructure, causing chaos for governments, companies and private citizens.
• Failure to comply with new European Union regulations will result in large penalties for US companies.
• Perpetrators of cyberattacks will continue to zero in on governments, which could lead to a shift in world power.
• Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless.
• Vulnerabilities in internet of things (IoT) devices will create mass confusion leading to new security regulations.
Resource: http://www.experian.com/assets/data-breach/white-papers/2018-experian-data-breach-industry-forecast.pdf
Resources
IIABA’s ACT (Agency Council on Technology) Cyber Guide: https://www.independentagent.com/Resources/AgencyManagement/ACT/Pages/planning/SecurityPrivacy/ACTCyberGuide.aspx#
12 Cyber Security Regulations: www.IRMI.com
http://www.experian.com/assets/data-breach/white-papers/2018-experian-data-breach-industry-forecast.pdf
https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime
https://www.iii.org/white-paper/protecting-against-cyberfail-small-business-and-cyber-insurance-103017
https://www2.deloitte.com/insights/us/en/industry/financial-services/demystifying-cybersecurity-insurance.html
https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
Sexual Harassment in the News
• The entertainment industry
o Bill Cosby
o “The Weinstein Effect”
• The political scene
• The “Me Too” movement
In 2016 the Equal Employment Opportunity Commission (EEOC) received more than 28,000 charges alleging harassment, including sexual harassment. This does not include charges filed with state or local Fair Employment Practices Agencies.
There are two types of sexual harassment:
o Quid Pro Quo (Latin for “something for something”)
   Sexual favors in exchange for job benefits such as hiring, promotion or raises
   Rejection of sexual advances leading to loss of employment or demotion
o Hostile Workplace or Environment
   Sexual pictures, jokes, gestures
   Suggestive touching, grabbing
Top trending EPLI Claims:
• Pregnancy Discrimination
• Illegal background checks
• Invasion of Employee Privacy
• Unpaid Internships
• Genetic Discrimination
Class Poll: How vulnerable do you think family businesses are to EEOC litigation?
Less than other types of organizations ____________
More than other types of organizations ____________
About the same __________
What are Risks?
Reputational Risk
Loss of focus
Loss of productivity
Defense Costs
Settlements and Jury Awards
Class Poll: What percentage of your Commercial Insureds have some type of EPLI coverage?
Under 10% ____________
Greater than 10% but lower than 25% ____________
Between 25% and 50% ____________
Greater than 50% lower than 75% ____________
Between 75% and 100% ____________
I’m not sure ____________
Coverage
Claims Made
By endorsement or Stand Alone policy
Warranty Application
Retro Active Date
Defense within the limits
First Party Coverage
Third Party Coverage
“Employment Practices Wrongful Act” usually includes:
o Discrimination
o Wrongful Termination
o Harassment
“Employment Practices Wrongful Act” may include:
o Retaliation
o Inappropriate employment conduct
o Constructive discharge
Optional Endorsements
o Wage and Hour
o Immigration
o Additional Defense Limit of Liability
IMPORTANT:
Definitions
Definitions are a critical part of the policy:
• Insured(s)
o Who are the Covered Organizations?
Predecessor coverage
Newly acquired
Newly created
o Who is a covered person?
Leased
Seasonal
Part-Time
Temporary
Interns
Volunteers
Former/future employees
Applicants
Independent Contractors
Board members
Shareholders
Other
• Wrongful Act or Covered Act
• Claim
• Damages
IMPORTANT:
Coverage Considerations
• Defense Costs
o Duty to Defend vs Non-Duty to Defend
o Defense within the limits
o Additional Defense limit of Liability
o Deductible?
o Counsel Selection
• Limits of Liability
o Defense within the limits
o Sublimits
o Deductibles
IMPORTANT:
• Retroactive date
• Tail or ERP
• Territory
• Settlement provisions
• Exclusions
• Duties in the Event of a Claim
• Conditions
Underwriting
• Industry
• Prior Claims
• Strong Anti-Harassment Policy
• Risk Management
o Validated Risk Assessment
o Employee Handbook
o Training
Primary Rating and Premium Factors
o Industry
o Number of employees
o Limits purchased
o Coverage endorsements
o Whether the company has anti-discrimination and anti-harassment HR policies
o Past EEOC complaints or lawsuits
Resources
www.irmi.com
https://www.irmi.com/online/eplic/default.aspx
www.plusweb.org
https://www.iii.org/article/employment-practices-liability-insurance
http://blog.amtrustgroup.com/policywire/top-trends-in-employment-practices-liability-claims
https://www.trustedchoice.com/business-insurance/liability/epli/
https://www.mcafee.com/us/resources/reports/restricted/rp-beyond-gdpr.pdf
Thank you for attending.