1 / 28

GSBA Risk Management Services GASBO Meeting

GSBA Risk Management Services GASBO Meeting. Cyber-Risk for School Districts November 7, 2013. Reasons a Business Officer should NOT buy Cyber-Risk Insurance?. Your budgets are tight and will remain tight for the foreseeable future

admon
Download Presentation

GSBA Risk Management Services GASBO Meeting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. GSBA Risk Management ServicesGASBO Meeting Cyber-Risk for School Districts November 7, 2013

  2. Reasons a Business Officer should NOT buy Cyber-Risk Insurance? • Your budgets are tight and will remain tight for the foreseeable future • Never had a claim involving a breach - at least you don’t think you have had one • Your IT folks assure you the District’s firewalls are sound and present no risk of penetration • I think we already have coverage somewhere else • New coverage being pushed by carriers but really no losses out there • I do not want to be the first one to buy the coverage • It is not on our radar screen – we will look at this next year • We have immunity from this type of loss

  3. Agenda for Today Why Cyber-Risk was developed and what does it protect Your obligations under the law Examine each reason why you should not buy Cyber Risk Coverage Outline the GSBA RMF evolving solution Answer any questions

  4. Why was Cyber-Risk Developed? To protect your electronic assets in the new Cyber-Risk Protection Technological Revolution No different that protecting buildings and other assets except exposure to a loss is growing faster than you are building buildings

  5. Cyber-Risk ProtectionPrivacy & Computer Security ProtectionPrivacy & Data Breach Coverage has many names in the industry but basic risk is the same: School district “mishandles” personal data resulting in regulatory requirements to notify and monitor for some period of time the impact on those individual affected by the “breach”; or School district is hacked and the information is stolen resulting in regulatory requirements to notify and monitor for some period of time the impact on those individual affected by the “breach” plus any potential liability resulting from the hackers stealing the data

  6. What is Protected? Personally Identifiable Information (PII): It is the combination of a person’s first name (or initial) and last name plus one or more of the following: Social Security Number Driver’s License Number State ID Number Account Number Credit or Debit Card Number Account Passwords or PINS or other access codes

  7. Threats to a School District Internal Threats: Rogue employee who was fired and wants to “hurt” School District “Idealist” who wants to “change” the School District policies by disrupting normal operations Accidental or careless staff who loose the data in either paper format or electronic via a lost laptop External Threats: Outside vendor or business associate with access to School District data who steals personal data sources Organized crime – both foreign and domestic Hackers or “Hacktivists” who do it “to change the world”

  8. Threats to a School District Technology: Viruses, SQL Injections, etc Structural vulnerability to your network Employee use of Social Media / networking “opening the door” for hackers to enter your network Remote teaching putting strain on the security of your internal network firewalls Phishing “Old School”: Dumpster diving for discarded papers that are not shredded Loss or theft of a laptop with personal data on it

  9. Threats to a School District Regulatory/Legal: 47 states now have breach notification laws Georgia is one of the 47 states and it applies to any entity, government or private, that has a breach, the law requires that they notify the people affected by the breach – Georgia Personal Identity Protection Act of 2007 Many breaches do not develop into identifiable theft but the notification and tracking requirement is very expensive to the School District School nurses have to be careful with HIPAA information especially At the present time, it is unclear how immunity would apply if the District were sued by a third party injured by a breach

  10. Georgia Personal Identity Protection Act of 2007O.C.G.A. 10-1-910 through 10-1-912 Amended to included public universities and other state and local agencies The unauthorized acquisition of individual’s electronic data that compromises security, confidentiality or integrity of PII. Can also apply if compromised information is sufficient to perform or attempt identity theft

  11. What would you do if….? Friday September 6, 2013 Atlanta Journal-Constitution

  12. Data Breach – More Recent Examples Boston Public Schools, MA: August 2013 21,054 student files: ID numbers, name, age and a photo, sent families automated phone calls and letters A vendor that makes student ID cards lost a stick drive with the records San Juan Unified School District, CA: May 2011 4,000 employees and former employees notified by letter Compromised personal information when employee inadvertently uploaded all the information from a stick drive to a church website Paulding County Schools, GA Phishing loss that was covered but entailed notification costs which were not covered

  13. Cost of Breach Ponemon Institute – 2013 Cost of a Data Breach Study Studied breaches in 277 companies in nine countries over ten month in 2012 Average Cost per Record in US $188, second highest to Germany Significantly lower per record Public Services : $81 Education : $111 If you had 4,457 records released like the State of Georgia On your own, based on above cost projections, cost is $494,727 Cost of insurance is a premium based on size of district but works out to about $1 for each current student in District

  14. Reasons a Business Officer should NOT buy Cyber-Risk Insurance? • Your budgets are tight and will remain tight for the foreseeable future • They are tight and it will cost more money but as you will see shortly, very affordable – approximately one loss every 15 years payback • Will cover not only current PII records (students, employees, & applicants) but will also cover historical records retained by District • Never had a claim involving a breach - at least you don’t think you have had one • Not a liability issue as much as an internal cost issue if you have a breach and need to comply with the law • Buying the expertise on how to handle a breach unlike the State of Georgia case • Your IT folks assure you the District’s firewalls are sound and present no risk of penetration • Not an IT / Firewall issue – it is a mishandle issue

  15. Reasons a Business Officer should NOT buy Cyber-Risk Insurance? • I think we already have coverage somewhere else • Excluded under the GSBA RMF Coverage Agreement and ISO policy forms • Intent is not to provide the coverage but silent on some of the liability exposures • Will be absolutely excluded as of 7/1/2014 • New coverage being pushed by carriers but really no losses out there • We’ve shown you some examples of actual losses • Beazley has 2500 policies and is expecting 800 breaches this year alone • Few and far between but when they happen, could be very large and confusing for the District involved

  16. Reasons a Business Officer should NOT buy Cyber-Risk Insurance? • I do not want to be the first one to buy the coverage • You are not – already have 12-13 districts buying from the GSBA RMF solution • It is not on our radar screen – we will look at this next year • Perfectly acceptable to prepare and budget for it • Be aware that full clarifying exclusions go into effect on July 1, 2014 • The current proposals provided to all GSBA RMF members are effective till 12/31/2013 and then new members will be re-evaluated as of July 1, 2014 • We have immunity from this type of loss • From a liability standpoint – probably but from a first party notification standpoint, you must comply with the law

  17. The GSBA Solution Conservative approach but one based in making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure RMF has worked with Beazley, a prominent carrier in the Cyber Insurance space, to initially offer a group purchased option for each School District in RMF Over the next couple of years, RMF will assume some of the risk via the pool to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts Beazley will issue policies and has the infrastructure to guide a Member through any type of breach and how to help reduce the exposure of a breach

  18. The GSBA Solution The goal is to adopt the Beazley form into the RMF coverage document as of July 1st, 2014 so that we have an affirmative grant of coverage in the coverage document For July 1st, 2013, coverage purchased will be on a stand-alone basis with a policy issued from Beazley Quotes were provided in late June to all RMF Members Quotes are open to bind through 12/31/2013 on pro-rata basis Even once the form is adopted into the RMF coverage document, and RMF assumes a layer of risk like it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members

  19. The GSBA Solution There are six coverage parts in the policy that has been negotiated with Beazley In keeping with the pool approach, there is some sharing of limits amongst all the Members in exchange for more competitive pricing for each Member Overview of Program Structure: Coverage Part 1.A. – Information Security and Privacy Liability Liability to a third party as a result of a failure of your network security to protect against identified threats Liability to a third party as a result of the disclosure of confidential information

  20. The GSBA Solution Overview of Program Structure: Coverage Part 1.B. – Privacy Breach Response Services Crisis Management and Identify Theft response services and expense coverage in order to comply with regulatory compliance issues This also includes the expense for retaining a crisis management firm to perform a forensic investigation to protect or restore the School District’s reputation as a result of a breach of privacy event Based on number of individuals to notify and not a limit of liability Coverage Part 1.C. – Regulatory Defense and Penalties Fines and penalties associated with School District’s violation of a Privacy Law related to an insured breach Coverage Part 1.D. – Website Media Content Liability Expansion for Cyber exposures of the coverage provided for under Personal Injury and School Leaders Liability coverage but without some of the electronic means limitations

  21. The GSBA Solution Overview of Program Structure: Coverage Part 1.E. – Crisis Management and Public Relations To pay for the Public Relations and Crisis Management expenses associated with the costs to manage a breach that gets into the public eye via newspaper, radio, television in order to re-build the School District’s reputation or to avoid undue damage in the reporting of the breach event Coverage Part 1.F. – PCI Fines and Costs Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement and where the alleged breach was due to the result of a non-compliance with the published PCI Data Security Standards

  22. The GSBA Solution Limits of Liability to Members: Any one claim limit combined from all sections except Privacy Breach Response Services, is $1,000,000 Subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs The overall RMF fund aggregate limits for all Members from all coverage lines except Privacy Breach Response Services is 10 times each of these limits ($10,000,000 , $5,000,000, and $500,000 respectfully) For Privacy Breach Response Services, there is no limit of liability as the coverage is based on the number of Notified Individuals The RMF fund has an aggregate of 500,000 Notified Individuals subject to sub-limits for the legal and forensic expense coverage part which is limited to 250,000 and the foreign Notified Individuals extension which is limited to 50,000 Overall RMF fund aggregate limits is again 10 times

  23. The GSBA Solution Retention / Deductibles for Members: Any one claim limit combined from all sections except Privacy Breach Response Services, is $25,000 For Privacy Breach Response Services, the retention is broken into two parts: All costs and services under the legal and forensic services combined with the notification costs would be $10,000 combined subject to a sub-retention of no more than $5,000 in legal expenses exposed Under the Call Center Services and Credit Monitoring Program, the retenion of any expenses are limited based on the size of the district: Small Members, which are less than 1,000 FTE’s, would be responsible for any breaches involving less than 25 individuals Medium Members, which are more than 1,000 FTE’s but less than 10,000 FTE’s, would be responsible for any breaches involving less than 50 individuals Large Members, which are those Members with more than 10,000 FTE’s, would be responsible for any breaches involving less than 100 individuals

  24. The GSBA Solution Premium Brackets Premium is based on FTE (current student and staff combined) Includes coverage for alumni records even though alumni count is not included in the FTE for premium determination Here are the proposed pricing ranges based on Student Enrollment: 30,000 plus $29,638 to $31,453 0 20,000 to 29,999 $24,432 to $28,227 0 10,000 to 19,999 $13,903 to $21,683 0 5,000 to 9,999 $7,111 to 11,504 2 2,500 to 4,999 $4,392 to $6,658 3 GWP To-Date:$45,467 1,000 to 2,499 $1,942 to $4,005 4 999 or less $500 to $1,628 3

  25. Conclusion The exposure is here to stay Computers and mobile devices that store personal information about your employees and your students are an integral part of your District Accidental loss of, or criminal appropriation of, that personal information will continue to happen whether you have good firewall protection or not Attacks are getting more frequent and more sophisticated Accidents are getting more frequent as we ask staff to do more in a day than ever before GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary

More Related