Insure IT, Manage IT But Never Ignore IT… Network Security and Data Liability
Because it has always been a matter of trust…
NYSTA 2012 Annual Conference
Telcom Insurance Group
Presented by: Joyce Hermann, AU, CISR, Sr. Account Executive
Network Security and Data Liability
Risk management is a great way to deal with any exposure, but as we all know it is not foolproof. One method of risk management is to transfer the exposure, and the most common way to do that is insurance. Let's review the exposure to determine whether management alone is enough or whether a transfer needs to be explored. This exposure is created by a breach. So, what is a breach? Personal information that is in a format that can be easily read and used by a third party is stolen, and that personal information is now in unauthorized hands.
Who Is Held Accountable?
• Board of Directors and Senior Management
• By contract: 3rd parties?
• IT services providers
• Certain laws impose specific post-breach duties on those held responsible:
  • Sarbanes-Oxley: shareholder notification
  • State laws: consumer notification
Network Security and Data Liability
Flow of a breach and parties involved (diagram; only the labels survive): Breach, Business, Customer, State AG, FTC/FCC, Industry.
Use a Layered Approach to Risk Management and Transfer
• Recognize the risk, analyze the exposure, plan for the possibility, implement a plan, and revisit the issue frequently.
• Determine security gaps and fill them with technology or business-practice answers. If this still leaves doubt, transfer the risk.
• Insurance is a risk-transfer option that provides access to counsel, monitoring, and coverage for all aspects of restoration.
Use a Layered Approach to Risk Management and Transfer
• Recognize business processes and who has access to what information
• Review security processes and procedures
• Know what your outside vendors/suppliers/business partners do with your data
• Identify VPN, extranet, intranet, and Internet exposures
Analyze Defense Mechanisms
• Virus control (anti-virus updates)
• Perimeter defenses (firewalls, remote access)
• Physical security (restrict access, passwords, timeouts, laptop/smart phone procedures)
• Confidentiality (collect/distribute only needed information on employees and customers)
Plan and Implement Defense Mechanisms
• Security policy (patches, procedures for distribution of sensitive information)
• Disaster recovery (identify IT resources/backups)
• Incident response plan (state-by-state notification requirements if there is a breach of confidential information)
Who, What and Why?
• Personal information has street value. Consider wider use of background checks. Might a modestly compensated clerical employee be tempted by easy money for supplying data to another party?
• Pay special attention to portable devices and set standards/restrictions on the data that can be stored on them and in what format.
Basic Business Practices
• Limit access to sensitive information and consider encrypting it
• Watch the disposal of paper records or files. It is easy to forget this exposure, but recent claims prove it to be a real risk. Shred paper files and records, and destroy old hard drives by drilling holes in them
• Keep security patches up to date
Network Security and Data Liability
Insurance protection is available for risk transfer in a few different formats:
• General Liability coverage extensions
• Monoline NSDL (Network Security and Data Liability) policies
• As part of an Errors and Omissions policy
Network Security and Data Liability
Insurance protection varies, but a few of the common coverages offered include:
• Indemnification of 3rd-party claims for damages
• Expense reimbursement to clean up your system
• Expense reimbursement for required corrective actions to assist victims
• Regulatory fine reimbursement
• Public relations expenses
• Media and communications liability
• Errors and Omissions (more on this later)
• First-party property coverage, direct and indirect loss
• Extortion
Network Security and Data Liability
Insuring Agreement:
We will pay for “loss” that the “insured” becomes legally obligated to pay, and “defense expenses”, as a result of a “claim” first made against the “insured” during the “policy period” or during the applicable Extended Reporting Period for a “wrongful act” or a series of “interrelated wrongful acts” taking place on or after the Retroactive Date, if any, shown in the Declarations, and before the end of the “policy period”.
Network Security and Data Liability
A Common Exclusion:
Based upon, attributable to or arising out of any action by a governmental or quasi-governmental authority or agency including, but not limited to, regulatory actions brought against you on behalf of the Federal Trade Commission, Federal Communications Commission, or other regulatory agency. However, this exclusion shall not apply to the actions brought by governmental authority acting solely in its capacity as a customer of the “named insured” or one of its “subsidiaries”.
Network Security and Data Liability
What if a third party we use, like a billing entity, has a breach?
• “Named insured” means the entity or entities shown in the Declarations and any “subsidiary”.
• “Subsidiary” means any organization in which more than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors, or equivalent position, is owned, in any combination, by one or more “named insured”.
• Independent contractors need to be added by endorsement.
Where To Start: 1st and 3rd Party?
• 1st party: an entity has an insurable interest in property and, in the event of damage, will have a direct loss of value and potentially an indirect financial loss of use or lost income.
• Examples of 1st-party property with data/network exposure:
  • Computers (hardware/software) and peripheral devices
  • Networks
  • Data/records/paper
What Coverage Is Available For 1st Party Exposure?
Software, Data and Media Coverage
Software is covered by most forms, but by strict definition that means the cost of the program will be reimbursed, not the value of the data or the time and labor to populate the program to make it useful. Pay careful attention to how your policy is worded in this area. Even if media is covered, is the time and effort to duplicate the data covered? Remember that policy construction is very important. If you do not have hacker-related peril coverage, do you really have much protection? Finally, does your policy cover data of others, and is that important to you?
Additional Coverage Available For 1st Party Exposure, Generally Only on Network Security Forms:
• Data and media coverage offsite
• Voluntary parting
• Access to your network is blocked (“denial of service”)
• Cyber extortion
• Regulatory proceeding expense
• Crisis coverage expense
What Coverage Is Available For 3rd Party Exposure?
Network and Data Liability coverage is available. It will pay for damages incurred by claimants from a breach and expenses incurred due to the violation. It will also cover regulatory fines for failure to abide by laws and regulations, including CPNI (Customer Proprietary Network Information) rules, cable TV operator obligations, and any applicable state requirements. Generally, punitive damages are covered if allowable by state law. This is more than identity theft coverage, which is only a veneer of protection: ID theft coverage is partial help after a loss of data occurs, but it is not protection before an event happens.
What Coverage Isn’t Available For 3rd Party Exposure?
Network and Data Liability standard coverage exclusions include: fraud, SEC violations, fiduciary claims, RICO and collusion events, ERISA, EPLI (employment practices liability), D&O (directors and officers), insured vs. insured, war, terrorism, pollution, and BI/PD (bodily injury/property damage).
Resources
www.sans.org
www.cert.org
www.windowsecurity.com
www.slashdog.org
www.cio.com
www.infosyssec.net
www.idtheftcenter.org
Thank you!
Joyce Hermann, AU, CISR
800.222.4664 Ext. 3204
jah@telcominsgrp.com
www.telcominsgrp.com