
Page 1: The Independent Insurance Agents and Brokers of South Carolina … · 2018-03-06 · Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP Managing Performance, LLC Cannot be reproduced without

Page 1 of 29 Hacking and Harassment MP02.2018

Hosted by:

The Independent Insurance Agents and Brokers of South Carolina

Presented by: Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP Managing Performance, LLC March 2018


Program developed by: Sharon A. Koches, CPCU, RPLU, AAI, AU, ITP

Managing Performance, LLC

Cannot be reproduced without permission.


Hacking and Harassment

Part 1 – Data Breach

• At Risk

• Regulation

• Life of a Data Breach

• Coverage

• Underwriting

Part 2 – Employment Practices Liability

• In the News

• At Risk

• Coverage

• Underwriting


DATA BREACH

Class Poll: Does your organization have a Data Breach Security Plan?

Yes ________________

No ________________

I’m not sure ________________

Class Poll: Does your organization have a Cyber Liability Insurance Policy?

Yes ________________

No ________________

I’m not sure ________________


Top 10 Malware as of December 2017

1. Kovter – a Trojan delivered via malspam email attachments which evades detection by hiding in the registry keys. (Malspam – unsolicited emails which either direct users to download malware from malicious websites or trick the user into opening malware through attachments.)

2. CoinMiner – a cryptocurrency miner sent via malvertising. (Malvertising – malware introduced through a malicious advertisement.)

3. ZeuS/Zbot – a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website.

4. Emotet – a modular Trojan with 4 known spreader modules:

• Outlook Scraper – a tool that scrapes names and email addresses from the victim’s outlook accounts and uses them to send out phishing emails from the compromised account;

• WebBrowserPassView – a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera and passes them to the credential enumerator module;

• Mail Passview – a password recovery tool that reveals passwords and account details for various email clients such as Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo Mail and Gmail and passes them to the credential enumerator module;

• Credential Enumerator

5. NanoCore – a RAT (Remote Access Trojan) spread via malspam as a malicious Excel XLS spreadsheet.

6. Sharik – a Trojan downloader spread via malspam as a malicious Word document.

7. Ursnif and its variant Dreambot – banking Trojans


8. Gh0st – a RAT used to control infected endpoints. Gh0st is left by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.

9. LatentBot – a modular Trojan that also acts as a botnet agent. Once a system is infected, it is able to download additional modules including keyloggers and form grabbers. It is currently being dropped by RIG Exploit Kit.

10. Pushdo – a Trojan downloader that is known to download the Cutwail spam module. It is also able to download other types of malware and is currently being dropped by RIG Exploit Kit.
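Several entries above share one delivery pattern: a malspam message carrying a malicious Excel XLS or Word attachment, or a script/executable dropper. The script below is an added illustration, not material from the course handout, of how a mail gateway rule set turns that description into a defensive decision: it inspects attachment names, holds macro-capable Office files and archives for review, and quarantines executables and decoy double extensions ("invoice.pdf.exe"). The messages, senders and domain names are constructed for the example. It deliberately ignores the sender domain, because, as the Emotet entry notes, phishing is sent from the compromised account itself, so an "internal" sender is no reason to downgrade a finding.

```python
"""Attachment triage for the malspam lures described in the malware list above.

Added illustration, not part of the course handout. Samples are constructed.
"""
import os
from dataclasses import dataclass, field

# File types that run code directly when opened.
EXECUTABLE = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
              ".bat", ".cmd", ".ps1", ".lnk"}
# Office formats that can carry VBA macros (the legacy .doc/.xls formats always can).
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm",
                 ".xlam", ".pptm"}
# Containers commonly used to get a payload past content filters.
ARCHIVE = {".zip", ".rar", ".7z", ".iso", ".img"}
# Harmless-looking inner extensions used as decoys, e.g. "invoice.pdf.exe".
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Policy: each finding maps to the action a gateway would take.
SEVERITY = {
    "executable-or-script": "quarantine",
    "double-extension": "quarantine",
    "macro-capable-office": "review",
    "archive-may-hide-payload": "review",
}
RANK = {"deliver": 0, "review": 1, "quarantine": 2}


@dataclass
class Message:
    sender: str                 # not used for the verdict (see lead-in)
    subject: str
    attachments: list = field(default_factory=list)


def attachment_reasons(filename: str) -> list:
    """Return the rule names an attachment file name trips (empty = clean)."""
    name = filename.lower()
    base, ext = os.path.splitext(name)
    reasons = []
    if ext in EXECUTABLE:
        reasons.append("executable-or-script")
    if ext in MACRO_CAPABLE:
        reasons.append("macro-capable-office")
    if ext in ARCHIVE:
        reasons.append("archive-may-hide-payload")
    inner = os.path.splitext(base)[1]      # "invoice.pdf" -> ".pdf"
    if inner in DECOY and inner != ext:
        reasons.append("double-extension")
    return reasons


def triage(msg: Message) -> str:
    """Classify one message as 'deliver', 'review' or 'quarantine' (worst wins)."""
    verdict = "deliver"
    for att in msg.attachments:
        for reason in attachment_reasons(att):
            action = SEVERITY[reason]
            if RANK[action] > RANK[verdict]:
                verdict = action
    return verdict


def triage_all(messages) -> dict:
    """Map each message subject to its verdict."""
    return {m.subject: triage(m) for m in messages}


# Constructed sample traffic: one lure per pattern named on the page.
SAMPLE_MESSAGES = [
    Message("ap@vendor.example", "Invoice 4471", ["Invoice_4471.xls"]),
    Message("hr@agency.example", "Q1 headcount", ["headcount.xlsx"]),
    Message("ceo@agency.example", "Wire confirmation", ["confirmation.pdf.exe"]),
    Message("it@agency.example", "Quarterly report", ["report.docx", "photos.zip"]),
    Message("newsletter@assoc.example", "CE schedule", []),
]

if __name__ == "__main__":
    for subject, verdict in triage_all(SAMPLE_MESSAGES).items():
        print(f"{verdict:10s} {subject}")
```

The verdict is driven only by what the attachment can do when opened, so a legacy `.xls` from a real vendor is still held for review; that is the trade-off the handout's "malicious Excel XLS spreadsheet" entries justify.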

Types of Cyber Attacks

• Viruses, worms

• Malware

• Web-based attacks

• Phishing and social engineering

• Malicious code

• Botnets

• Denial of Service

• Stolen Devices

• Malicious insiders


Data at Risk

PII – Personal Identifiable Information

The US Department of Labor defines PII as:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

*Please note, it is important to understand each State’s definition of PII.

PHI – Protected Health Information

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy rule calls this information “Protected Health Information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,

• the provision of health care to the individual, or

• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.


As defined by the US Department of Health & Human Services Office for Civil Rights Privacy Brief: Summary of the HIPAA Privacy Rule. https://www.hhs.gov/sites/default/files/privacysummary.pdf

For a more complete definition and understanding of HIPAA please refer to www.hhs.gov/hipaa

HITECH Act applies to vendors of personal health records and third party service providers.

PCI – Payment Card Industry

To accept, store, process or transmit credit card payments/data you must be in compliance with PCI DSS (Payment Card Industry Data Security Standards).

Intellectual Property

An intangible such as an idea, creation, process.
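The definitions above are what an underwriter's "type of data stored" and "number of records stored" questions ultimately ask about. The script below is an added illustration, not part of the course handout, of the simplest inventory a security team runs to answer them: it pattern-matches the direct identifiers the Department of Labor definition lists that have a stable format (Social Security number, telephone number, e-mail address) and, for PCI scope, flags candidate card numbers only when they pass the Luhn check that real primary account numbers satisfy. The records are constructed; 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
"""Data-at-risk inventory: direct identifiers (PII) and card numbers (PCI scope)
found in free-text records.

Added illustration, not part of the course handout. Sample records are constructed.
"""
import re
from collections import Counter

# Direct identifiers named in the DoL definition that have a fixed format.
# (Names and postal addresses need a dictionary or NLP pass and are out of scope here.)
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
}
# Candidate primary account numbers: 13-19 digits, optional space/dash separators.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (doubles every second digit from the right)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count each identifier type present in one record; empty dict means none found."""
    found = {}
    for label, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            found[label] = n
    cards = 0
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A policy or invoice number of the same length fails Luhn and is not counted.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    if cards:
        found["card_number"] = cards
    return found


def inventory(records) -> dict:
    """Summarise how many records carry PII and how many fall in PCI scope."""
    totals = Counter()
    with_pii = 0
    pci_scope = 0
    for rec in records:
        found = classify(rec)
        totals.update(found)
        if any(label in found for label in PATTERNS):
            with_pii += 1
        if "card_number" in found:
            pci_scope += 1
    return {
        "records": len(records),
        "records_with_pii": with_pii,
        "records_in_pci_scope": pci_scope,
        "totals": dict(totals),
    }


# Constructed sample records an agency might hold.
SAMPLE_RECORDS = [
    "Applicant Jane Doe, SSN 123-45-6789, jane.doe@example.com, (803) 555-0100",
    "Policy 1234 5678 9012 3456 renewal notice, premium $1,200",
    "Card on file 4111 1111 1111 1111 exp 12/22 for cardholder J. Doe",
    "Claim note: roof damage after storm, adjuster visit scheduled",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec), "<-", rec[:40])
    print(inventory(SAMPLE_RECORDS))
```

The Luhn gate is what keeps a 16-digit policy number out of the PCI count; without it the second record would be misreported as cardholder data. The same pass over a file share or mailbox export gives the record count an underwriter asks for, and a rising count over time is an early sign that card data is being stored where the PCI DSS scope says it should not be.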


Top Industries at Risk

Healthcare

Higher Education

Energy

Financial Services

Government

What other industries may be cause for concern?


Legal Fundamentals

Federal Laws

Gramm-Leach-Bliley – personal financial information

HIPAA – Health Insurance Portability & Accountability Act

HITECH – Health Information Technology for Economic & Clinical Health

PCI Security Standards Council – Payment Card Industry Data & Security Standards Compliance

There are at least 35 Federal Laws with data protection or privacy protection provisions.

In October 2017 the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law. The new law creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. It includes maintaining an information security program based on on-going risk assessment, overseeing third party service providers, investigating data breaches and notifying regulators of a cyber security event.

http://www.naic.org/store/free/MDL-668.pdf

International

The General Data Protection Regulation, (GDPR) will be applicable as of May 25, 2018 with new requirements applying to those collecting, storing, or using personal data of EU Citizens. GDPR is a regulation approved by the European Parliament, Council of European Union and the European Committee “to strengthen and unify data protection for all individuals within the EU.”

State Regulation

48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have Data Breach Laws. States with no Data Breach Laws to date: Alabama and South Dakota.

*Residence of the affected individual determines the notice law. www.ncsl.org is an excellent resource for state regulations.


IMPORTANT: Do you do business or are you licensed in New York? New York effected a Cybersecurity Regulation as of March 1, 2017.

http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

Members of IIABA state associations have access to information on the Big “I” New York website under Quick Links- Cyber: https://www.biginy.org/default.aspx

South Carolina

Code of Laws – Title 39 – Chapter 1 – General Provisions – 90.

Breach of security of business data; notification; definitions; penalties; exception as to certain banks and financial institutions; notice to Consumer Protection Division.

“Shall notify IMMEDIATELY following discovery”

http://www.scstatehouse.gov/code/t39c001.php

North Carolina

N.C. Gen. Stat §§ 75-61, 75-65

“without unreasonable delay”

https://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html

https://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html


Small Business and Cyber

According to a November 2017 Insurance Information Institute whitepaper titled Small Business and Cyber Insurance:

• ½ of all small and mid-sized businesses have experienced a data breach in the past year and 55% experienced a cyber attack

• Nearly 40% of businesses experienced a ransomware attack in the last year (more than 1/3 losing revenue)

Class Poll: What do you believe are the reasons your clients do NOT buy Cyber Insurance?

Lack of Understanding about cyber risk _______________

Cost of Insurance _______________

Lack of understanding about cyber insurance _______________

Believe it won’t happen to them _______________

What can you do to encourage your clients to purchase Cyber Insurance?


Class Poll: Do you offer Cyber Liability/Data Breach coverage to your commercial clients?

Yes, to all __________________

Yes, to some __________________

NO __________________

How can your carriers assist you?


Life Cycle of a Data Breach

(Cycle diagram) Discover Breach → Investigate and Remediate → Notify* → Risk Mitigation → Resume Business

Cost of a Data Breach


Coverage Considerations

• Claims Made Policy

o ISO updated eCommerce form – discovery

• Standalone policy or endorsement

• Application interpretations

• Application is a warranty

• Coverage trigger – suspected or confirmed breach?

• Definitions

• Is defense inside or outside the limit?

• Sublimit reduction of aggregate?

• First Party – expenses included?

• Voluntary notification (not just minimum legal requirements)

• Encryption requirements

• Does it cover social media?

• Transmission of computer viruses

• Third party – i.e.: the cloud

• Contractual Liability

• Intentional acts

• Other than electronic data (paper)

• Package or à la carte

• Pricing

• Capacity

• Risk Management Services

• Notification on number of records breached vs. dollar limit (aggregate issues)

• Notification expenses separate from limit of liability

• Sublimits part of the aggregate


• Liability for loss of personally identifiable information

o Not just electronic, but all types of data, including paper

o Corporate information, not just individuals

o All types of data, not just financial

o Some cover loss of data when in the possession of a 3rd party such as a vendor

Coverage – First Party

Direct loss to your organization. Can Include:

Forensic analysis and remediation of breach

Damage to computer systems and networks

Notification Expenses

Data Restoration

Business Income (eCommerce)

Contingent Business Income

Regulatory Fines and Penalties

PCI Fines and Penalties

Cyber Extortion

Crisis Management – Legal, Public Relations

Credit Monitoring

Identity Monitoring

Intellectual Property – Copyright, Trademarks, other

IMPORTANT:


Coverage – Third Party

Liability imposed due to negligence

• Breach or Privacy Liability

• Advertising Injury

• Personal Injury

• Professional Liability – “in the business of”

Software development

Network maintenance

Security Services

IMPORTANT:


Underwriting

Underwriting Information

Type of data stored

Types of controls in place

o Firewalls

o Encryptions

o Detection Systems

o Risk Management Plans

o Vendors

Type of exposure (retail, public entity, medical, financial, etc.)

Type of web presence (interactive vs. informational)

Claims History

Primary Rating and Premium Factors

Industry

Revenue

Number of records stored

Limits purchased

Retention

Coverage endorsements


https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime


Experian’s 2018 Data Breach Industry Forecast

Experian’s forecast of the top data breach trends of 2018 includes:

• The US may experience its first large-scale attack on critical infrastructure, causing chaos for governments, companies and private citizens.

• Failure to comply with new European Union regulations will result in large penalties for US companies.

• Perpetrators of cyberattacks will continue to zero in on governments, which could lead to a shift in world power.

• Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless.

• Vulnerabilities in internet of things (IoT) devices will create mass confusion leading to new security regulations.

Resource: http://www.experian.com/assets/data-breach/white-papers/2018-experian-data-breach-industry-forecast.pdf


Resources

IIABA’s ACT (Agency Council on Technology) https://www.independentagent.com/Resources/AgencyManagement/ACT/Pages/planning/SecurityPrivacy/ACTCyberGuide.aspx#

12 Cyber Security Regulations:

www.IRMI.com

http://www.experian.com/assets/data-breach/white-papers/2018-experian-data-breach-industry-forecast.pdf

https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime

https://www.iii.org/white-paper/protecting-against-cyberfail-small-business-and-cyber-insurance-103017

https://www2.deloitte.com/insights/us/en/industry/financial-services/demystifying-cybersecurity-insurance.html

https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html


Sexual Harassment in the News

• The entertainment industry

o Bill Cosby

o “The Weinstein Effect”

• The political scene

• The “Me too!” Movement


In 2016 the Equal Employment Opportunity Commission (EEOC) received more than 28,000 charges alleging harassment, including sexual harassment. This does not include charges filed with state or local Fair Employment Practices Agencies.

There are two types of Sexual Harassment:

• Quid Pro Quo (Latin for “something for something”)

o Sexual favors for job benefits such as employment, promotion, raises

o Rejection of sexual advances leading to loss of employment, demotion

• Hostile Workplace or Environment

o Sexual pictures, jokes, gestures

o Suggestive touching, grabbing

Top trending EPLI Claims:

• Pregnancy Discrimination

• Illegal background checks

• Invasion of Employee Privacy

• Unpaid Internships

• Genetic Discrimination

Class Poll: How vulnerable do you think family businesses are to EEOC litigation?

Less than other types of organizations ____________

More than other types of organizations ____________

About the same __________


What are Risks?

Reputational Risk

Loss of focus

Loss of productivity

Defense Costs

Settlements and Jury Awards

Class Poll: What percentage of your Commercial Insureds have some type of EPLI Coverage?

Under 10% ____________

Greater than 10% but lower than 25% ____________

Between 25% and 50% ____________

Greater than 50% lower than 75% ____________

Between 75% and 100% ____________

I’m not sure ____________


Coverage

Claims Made

By endorsement or Stand Alone policy

Warranty Application

Retroactive Date

Defense within the limits

First Party Coverage

Third Party Coverage

“Employment Practices Wrongful Act” usually includes:

o Discrimination

o Wrongful Termination

o Harassment

“Employment Practices Wrongful Act” may include:

o Retaliation

o Inappropriate employment conduct

o Constructive discharge

Optional Endorsements

o Wage and Hour

o Immigration

o Additional Defense Limit of Liability

IMPORTANT:


Definitions

Definitions are a critical part of the policy:

• Insured(s)

o Who are the Covered Organizations?

Predecessor coverage

Newly acquired

Newly created

o Who is a covered person?

Leased

Seasonal

Part-Time

Temporary

Interns

Volunteers

Former/future employees

Applicants

Independent Contractors

Board members

Shareholders

Other

• Wrongful Act or Covered Act

• Claim

• Damages

IMPORTANT:


Coverage Considerations

• Defense Costs

o Duty to Defend vs Non-Duty to Defend

o Defense within the limits

o Additional Defense limit of Liability

o Deductible?

o Counsel Selection

• Limits of Liability

IMPORTANT:

o Defense within the limits

o Sublimits

o Deductibles

• Retroactive date

• Tail or ERP

• Territory

• Settlement provisions

• Exclusions

• Duties in the Event of a Claim

• Conditions


Underwriting

• Industry

• Prior Claims

• Strong Anti-Harassment Policy

• Risk Management

o Validated Risk Assessment

o Employee Handbook

o Training

Primary Rating and Premium Factors

o Industry

o Number of Employees

o Limits purchased

o Coverage endorsements

o If the company has anti-discrimination and anti-harassment HR policies

o Past EEOC complaints or lawsuits


Resources

www.irmi.com

https://www.irmi.com/online/eplic/default.aspx

www.plusweb.org

https://www.iii.org/article/employment-practices-liability-insurance

http://blog.amtrustgroup.com/policywire/top-trends-in-employment-practices-liability-claims

https://www.trustedchoice.com/business-insurance/liability/epli/

https://www.mcafee.com/us/resources/reports/restricted/rp-beyond-gdpr.pdf

Thank you for attending.