Cyber, Computer Fraud & Electronics Funds Transfer Exposures A detailed look at hacking, bank accounts, stolen funds & recovery
Speakers
- Matt Prevost, RPLU, AVP, Underwriting D&O, E&O, Cyber Products - Western Territory
- Eric Zehnpfennig, CPCU, RPLU, Underwriting Supervisor, Underwriting D&O, E&O, Cyber Products - Pacific Northwest and Rocky Mountain Regions
Purpose
“Organizations may choose to handle the risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk…”
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, released 2/12/2014
Increase awareness with information sharing
Today’s Agenda
- 15 minutes: How (and why) is this happening…
- 15 minutes: Who is responsible/exposed…
- 20 minutes: Insurance coverage impact…
- 5 minutes: Questions/answers
Intro to Tech Terms
- Hack: computer-based intrusion
- Mule: entity(ies) or individuals used as middlemen in fraudulent transactions
- Phishing: masquerading as a trustworthy entity in an electronic communication to obtain data
- PCI DSS: Payment Card Industry Data Security Standard
- Skimming: using an electronic device to swipe credit card numbers
- Compromised: unauthorized point of entry
Why is this happening?
2012 Business Banking Trust Trends Survey (Ponemon Institute, August 2012):
- 48% of respondents say their business conducts at least 50% of its banking online (increasing from 29% and 39% in previous years).
- 43% say their bank takes appropriate steps to proactively limit risky banking transactions.
- 42% agree that their bank makes it too difficult to access bank accounts and conduct online transactions.
- Businesses are basically keeping the same technologies in place despite the increased scale and sophistication of fraud attacks.
“Any financial institution can put all of the controls they want in place, but if their client isn’t following the instructions or doing things properly, there are certain challenges,” Robbins said. “We do look for all of our clients to use dual controls, and we want to make sure there are multiple points of control. Because what we’re seeing today is that a malware compromise can happen at a single point in the system, and so there have to be multiple controls in place on the customer’s side.” – Virginia Robbins, CAO, California Bank of Commerce*
‘The Smartest Ways to Get Paid’ Inc. Magazine November 2013 A bank is no longer just ‘a bank’… Examples of different payment methods:
How it happens every time… http://www.youtube.com/watch?v=HHXYCPNJtvw
How is this happening? *Graphic provided by the FBI
Incident Examples
- Marketing Firm Example: http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss
- Plumbing Supply Company Example: Cyber-crooks stole $1.2 million from Unique Industrial Product Co., a Sugar Land, Texas-based plumbing equipment supply company. The company's operations manager said a forensic analysis showed the attackers used malware planted on its computers to initiate 43 transfers out of the company's account within 30 minutes.
- Experi-Metal, Inc.: http://www.yourmoneyisnotsafeinthebank.org/bank_v_customer.php and http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/
- Mt. Gox Example: Bitcoin exchange that was hacked faced 150,000 hack attacks every second. During a DDOS attack, which lasted for several days, an estimated $575mm was stolen from the firm. The Tokyo-based exchange, which filed for bankruptcy protection in February 2014, has been sued by a British law firm in a class action suit.
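The dual-control point in the bank quote above and the 43-transfers-in-30-minutes pattern in the plumbing supply example describe the same defensive idea from two sides: a single compromised workstation should not be able to both key and release payments, and a burst of releases should trip a second, independent control. The following Python model is an added example, not material from the presentation or from any bank or insurer it names; the user names, amounts, dates, and the constructed limit of five releases per rolling 30 minutes are assumptions chosen for illustration.

```python
"""
Customer-side release controls for outbound electronic funds transfers.
Added illustration (not from the presentation): two independent controls,
dual approval and a velocity ceiling, evaluated before a transfer is released.
All users, amounts, dates and limits below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Transfer:
    transfer_id: str
    amount: float
    initiated_by: str                   # user who keyed the transfer
    requested_at: datetime
    approved_by: Optional[str] = None   # second user who approved it, if any


class TransferControls:
    """Decide whether an outbound transfer may be released.

    Control 1 (dual control): a transfer needs a second approver who is a
    different user than the initiator, so one compromised credential or
    workstation cannot both key and release a payment.
    Control 2 (velocity ceiling): at most `max_per_window` transfers may be
    released within any rolling `window`, whoever approved them.
    """

    def __init__(self, max_per_window: int = 5,
                 window: timedelta = timedelta(minutes=30)) -> None:
        self.max_per_window = max_per_window          # assumed limit
        self.window = window
        self._released = deque()  # release timestamps, oldest first

    def _prune(self, now: datetime) -> None:
        # Drop releases that have aged out of the rolling window.
        cutoff = now - self.window
        while self._released and self._released[0] <= cutoff:
            self._released.popleft()

    def review(self, t: Transfer, now: datetime):
        """Return (released, reasons); reasons is empty when released."""
        reasons = []
        if t.approved_by is None:
            reasons.append("no second approver")
        elif t.approved_by == t.initiated_by:
            reasons.append("initiator and approver are the same user")
        self._prune(now)
        if len(self._released) >= self.max_per_window:
            reasons.append(
                f"velocity ceiling: {len(self._released)} transfers already "
                f"released in the last {self.window}")
        if not reasons:
            self._released.append(now)
        return (not reasons), reasons


def simulate_burst(n: int, span_minutes: int, approver: Optional[str]):
    """Replay n transfers spread evenly over span_minutes (constructed
    scenario), all keyed by 'ops_manager' and approved by `approver`.
    Returns (released_count, blocked) where blocked maps the short reason
    (text before the first colon) to how many transfers it stopped."""
    controls = TransferControls()
    start = datetime(2010, 1, 15, 9, 0)          # constructed date
    step = timedelta(minutes=span_minutes) / n
    released = 0
    blocked = {}
    for i in range(n):
        when = start + step * i
        t = Transfer(f"T{i:03d}", 28000.0, "ops_manager", when, approver)
        ok, reasons = controls.review(t, when)
        if ok:
            released += 1
        for r in reasons:
            key = r.split(":")[0]
            blocked[key] = blocked.get(key, 0) + 1
    return released, blocked


if __name__ == "__main__":
    # Scenario 1: malware replays the compromised user's own session.
    print(simulate_burst(43, 30, "ops_manager"))
    # Scenario 2: the attacker also holds a second user's credential.
    print(simulate_burst(43, 30, "controller"))
```

In the first scenario dual control alone stops all 43 transfers, because the only credential in play is the initiator's. In the second, where the attacker has also obtained an approver's credential, the velocity ceiling still caps the loss at five releases instead of 43; that is the "multiple points of control" the quote asks for, since neither control depends on the other holding.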
Who is responsible?
Marketing Firm Example:
- ‘We don’t see the error on our side.’ - TD Bank in response to the Little & King, LLC e-theft loss. http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/
- “They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance” - Little & King President
Utah Pizza Place Example: Cisero’s Pizza sues US Bank (1st such suit in the US; 2011). http://www.wired.com/images_blogs/threatlevel/2012/01/Cisero-PCI-Countersuit.pdf
- “the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”
Coverages potentially ‘in play’
Impacted Entity:
- Commercial Crime
- Stand-alone Cyber products
- Commercial General Liability
- D&O (failure to maintain, or SH/derivative claims)
- Cyber endorsements
Other (potentially responsible parties):
- Technology providers (E&O)
- Banks’ Financial Institution coverage
- General E&O policies of others
- Certification entities
- Lawyers’ E&O (drafting contractual language)
Detailed Look at Crime
- EE Theft (rogue employee)
- Computer Fraud
- Electronic Funds Transfer Coverage
- Exclusions
Detailed Look at Stand-Alone Cyber: Chubb Cybersecurity Policy Definitions
Detailed Look at Cyber CFC C&P
Detailed Look at Cyber Exclusions
For, arising out of or resulting from any of the following:
(1) trading losses, trading liabilities or change in value of accounts; any loss, transfer or theft of monies, securities or tangible property of others in the care, custody or control of the Insured Organization;
(2) the monetary value of any transactions or electronic fund transfers by or on behalf of the Insured which is lost, diminished, or damaged during transfer from, into or between accounts; or
(3) the value of coupons, price discounts, prizes, awards, or any other valuable consideration given in excess of the total contracted or expected amount;
Impact on Claims Handling
• Various levels of urgency
• Who is primary?
• Contractual needs/requirements
• Third-party contracts and information hoarding
• Allocation
• Case law is constantly changing
• Experience of E&O/CGL adjusters with cyber-related events when cyber coverage is present
• Separation of responsibilities (breach coach versus defense attorney)
• PCI fines and penalties; but aren’t regulatory fines uninsurable?
• Subrogation opportunity?
Who ‘owns’ this exposure?
- Underwriting standpoint…
- Agent standpoint…
- Entity standpoint…
Why ‘what if’ coverage scenarios are relevant…
Start to gather a list of ideas from the technology team, legal team, and the CFO’s biggest concern, and see how the coverage(s) interact.
- If your CTO asked you…
- If your CMO asked you…
- If your CEO’s son wants to use his computer…
- If your CMO thinks he can build revenue by accepting Bitcoins as payment…
Where to learn more…
Conferences:
- NetDiligence Cyber Conference (East and West Coast)
- PLUS
- RIMS
Websites:
- www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
- www.netdiligence.com
- www.datalossdb.com
Other:
- Cyber underwriters
- Crime underwriters
- Agents/Brokers
- Case law
Questions?
This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy issued by the Philadelphia Insurance Companies. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations.