Emerging Risk:
Data Security & Cyber Liability
Autumn 2012

“For any business that accepts non-cash payments or has a payroll - there is some data at risk.”

By the Numbers...

• $210,000: Estimated cost of a small data breach involving 1,000 records
• 40%: Surveyed businesses with <500 employees that have experienced a data breach
• 100%: Virtually every business handles at-risk data
• 2-6 days: Number of days within which 25% of businesses will go bankrupt without internet access
• 42%: Breaches caused by factors which cannot be mitigated through IT security measures – rogue employee, theft, and business interruption
About Us

MidSouth Assurance – on Main Street, for Main Street. We believe that businesses can best be
served by an insurance agency that understands the environment in which a particular business
operates. Similarly, we represent insurance carriers with a similar philosophy. This, we believe,
will result in the most effective insurance programs for our clients.

Over fifty years of experience in large and small brokerages, as well as independent agencies,
allows us to effectively serve new ventures and growth businesses in the Greater Richmond area.
We advise clients on a breadth of risk management issues, and develop appropriate mitigation
strategies for them, including specialty insurance programs.


                   Insurance            •     Risk Management
Relevance
Which businesses have this risk?

Virtually every business utilizes sensitive information, and virtually any business can incur liability from employees’ cyber activities. In fact, any business which has payroll data or collects non-cash payments captures Personally Identifiable Information (PII), or that information which is protected under law. PII includes an individual’s name in combination with credit/debit card numbers, bank account information, social security numbers, and driver’s license numbers. Other sensitive personal information includes: IP addresses, vehicle registration numbers, fingerprints and biometric data, address, age, gender, name of school attended, professional grade or salary, criminal record, and health care records.1 Combinations of these data elements are valuable to criminals who use the information for illegal purposes.

According to Accenture, a majority of businesses have lost sensitive personal information, and among these organizations, the biggest causes are internal control failures. In fact, there were over eight million computers stolen in the past three years; and according to the FBI only 3% are recovered.2 According to Ponemon Institute, each week there are 10,000 laptop computers lost at the 36 largest airports in the U.S., with an average cost of $50,000 per laptop, including: replacement, detection, forensics, data breach, lost IP rights, lost productivity, and legal and regulatory expenses. Moreover, 40% of small businesses have experienced a loss of sensitive information.3 According to NetDiligence, a significant share of breaches are attributable to hacking attacks; however 42% are caused by factors which are not mitigated through IT security measures – rogue employees, theft or loss of a device, and interruption of internet connectivity or electricity service.4 Paradoxically, Towers Watson has found that amongst businesses who had foregone risk transfer through a liability policy, 37% justified the decision in the belief that their IT departments and internal controls were sufficient.5

While the healthcare, finance, utilities, and defense sectors are particularly likely targets for cyber attacks due to the volume of valuable data, industry experts still predict that the highest likelihood of breaches will occur in small businesses, particularly in healthcare, given their smaller IT security budgets. McAfee recently identified “industrial threats” first on its list of 2012 predictions, including the manipulation or destruction of industrial controls. These risks are particularly relevant in the physical infrastructure sectors for transportation, energy and telecommunications. In 2009, the “Night Dragon” coordinated attacks demonstrated the level of sophistication which has been achieved when attacking core infrastructure providers. Within this incident oil, energy and petrochemical firms were attacked through a combination of social engineering, spear phishing, and remote administration tools. The attacks are believed to have originated from China, and were designed to acquire confidential information regarding bidding and other project finance intelligence related to large development projects.6

Regulation
What is required under law?

Regulatory changes regarding data security and cyber liability have developed at a rapid pace.7 A compromise of confidential PII triggers a requirement under state laws to notify the aggrieved parties. This notification is designed to provide aggrieved parties information related to the nature of the incident, the type of PII that was compromised, remedial actions the company took to increase protection, a contact phone number for posing questions regarding the incident, and information regarding credit monitoring.8 Requirements vary across the 47 states and three territories which have data protection legislation in place. The primary variables include, but are not limited to: the definition of the type of data which constitutes PII, requirements regarding the notification timing, the state agencies which must be contacted in the event of a data breach, applicability of the law to various entity forms, applicability to physical data (not electronic data), provisions for notifying aggrieved parties of recommendations regarding credit freeze or fraud alerts, provisions requiring notification to the credit monitoring agencies, and safe harbor stipulations around the loss of an encrypted mobile device. In the event of a data breach, complexity can become unwieldy as it is the aggrieved party’s home state which determines the applicable laws to which the breached business must adhere.

National regulation can increase the complexity of navigating a breach event. Within certain organizational contexts a range of regulations can apply; these include: the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act (GLBA) on financial transactions, the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair and Accurate Credit Transactions Act (FACTA), the Federal Information Security Management Act (FISMA), the Genetic Information Nondiscrimination Act of 2008 (GINA), the Family Education Rights & Privacy Act (FERPA), the FTC recommendations on protecting consumer privacy, especially section 5A on website data usage, and the SEC Cyber Security guidance.9 It is important to note that in areas of conflicting definitions or differing requirements, compliance with the stricter law is generally required.

Depending on the nationality of those for whom data is held, and how the data is used, international law may apply. Several of the most relevant include: Canada’s Personal Information Protection and Electronic Documents Act, the UK Data Protection Act of 1998, the U.S. Patriot Act, the U.S. – E.U. Safe Harbour Agreement, the European Union Data Protection Regulations, Malaysia's Personal Data Protection Act 2010, and India's IT Amendments Act.10

Contributing Trends

  Technological
  • Social Media & Web 2.0
  • Cloud Computing Models
  • Growth in Data Volume
  • Proliferation of Mobile Devices
  • Sophisticated Attacks

  Legal
  • Consumer Protection Legislation
  • Financial Transactions Legislation
  • Industry Regulation
  • Judicial Precedent

  Socio-Cultural
  • Increased Awareness of Identity Theft
  • Increased Interconnectivity

Causes of Loss

  Perils
  • Mysterious Disappearance or Theft of Company Data
  • Online Collaboration and Social Media Postings
  • Phishing Tactics
  • Website Interference
  • Unauthorized Network Access (e.g. Trojans, SQL Injections, Other Malware)
  • Social Activism
  • Rogue Employees

Areas of Exposure

  Strategic Risk
  • Business Model Obsolescence
  • IT Vendor Negligence

  Operational Risk
  • Data Breach
  • Fraudulent Payment
  • Defamatory Communications Suit
  • Unfair Trade Practices Suit
  • Privacy Violations & Other Employer Practices Liability
  • Data Tracking Liability

  Pure Risk
  • Hacking Attacks
  • Physical Theft
  • Internet or Electrical Service Interruption

Figure 1: Data Security & Cyber Liability Landscape


Scope of the Risks
What does “Data Security & Cyber Liability” entail?

Data security and cyber liability is a risk family that encompasses first-party and third-party liability resulting from the use of Information and Communication Technologies (ICT). Technological and regulatory trends have given rise to a group of perils, from which the risks arise; and these risks fall within three areas: (a) Strategic Risks; (b) Operational Risks; and (c) Pure Risks (see figure 1). The risks can result in first party losses, such as investigations and remedial action following a data breach. Also, a number of third-party liabilities are present, and are based upon the principle that an individual has a right to control the collection, use and disclosure of his/her personal information.11

The Risks: Operational risk is the largest component – particularly Data Breach, or the compromise of personally identifiable information (PII) or other sensitive material – whether in electronic form or represented in physical documents. “Sensitive information” includes that data which is protected under the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, criminal records, and other information that a business is bound to keep confidential, such as intellectual property and trade secrets.12 Regardless of the IT delivery model, the firm as the “data owner” retains responsibility for protection, even in the case of a data breach experienced by an outsourced partner. It is also important to bear in mind that pure risks, such as an ICT service interruption or a hacking attack, increase the risk of data loss – highlighting the inter-relatedness of the various risk elements. Similarly, theft of mobile devices constitutes another such risk, especially where data storage is unencrypted. Other relevant risks include: (1) Defamatory Communications, or social media postings which, held to the legal standards of commercial publications, are judged to be misleading and/or guilty of libel or slander; (2) Unfair Trade Practices, or the publication of social media judged to include misleading endorsements or disparagements; (3) Privacy Violations, Harassment and Discrimination, which include a range of employment practices liabilities within the social media space – for example consideration of an individual’s social media postings which include information that would be judged off-limits in an interview setting; and (4) Data Tracking, or the collection of data related to consumer behavior, which is conducted unbeknownst to the individual or which is conducted in a manner which doesn’t allow a consumer opt-out.13

There is an exposure related to cloud delivery models, and the use of outsourced IT providers, with third party mistakes now accounting for 46% of data loss.14 Most cloud providers simply cannot afford to indemnify all platform tenants;15 as such it’s incumbent upon cloud service providers and data center operators to investigate risk transfer through technology errors & omissions coverage. As client businesses seek cost efficiencies and deployment speed through cloud delivery models, unique risks arise, such as: disruptive force (i.e. business model obsolescence), lack of transparency, reliability and performance issues, strategic business model risks, vendor lock-in, and security concerns.16 Moreover, daisy chain effects of liability have been documented – where the primary company utilizes an outsourced IT provider, who in turn outsources some elements of data storage or manipulation to another provider. This chain of data handlers may extend to multiple vendors, which increases loss of control and overall exposure.17 In short, an evaluation of cloud architecture and outsourced IT relationships should include a thorough risk assessment of resultant cyber liabilities; and the liabilities should be weighed against cost, efficiency and scalability benefits.

The Causes: There are a range of factors which cause these losses. The causes can range from the straightforward to the complex – employee communications, physical theft or mysterious disappearance of data sources (especially mobile devices), skimming credit and debit card numbers at a point of sale, phishing tactics to masquerade as a trustworthy entity to solicit sensitive information (including counterfeit social media web pages), website interference or defacement, and complex network intrusions. Motives for both negligent and malicious behavior can include political and social activism, financial gain, or employee retribution.18

Contributing Trends: These risks have emerged from a range of trends, including legislation to protect individuals – creating compliance requirements. The rise of social media and Web 2.0 collaboration, mobile data communications, explosive growth in data volumes, and cloud architectures have all contributed to the growth in data security and cyber liability risks.19 Furthermore, data security is becoming increasingly difficult. The advent of quantum computing has been predicted to create an ecosystem in which it will be impossible to keep data secure for any length of time, and that governments and large corporations won’t connect to the “red internet.”20 FBI Director Robert Mueller stated, “But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.”21 Data stores are growing at an exponential rate,22 and the increasing use of Bring-Your-Own-Device policies is creating further security concerns and reducing the organization’s control over the data for which it is legally responsible.23 Lastly, according to the Federal Trade Commission, 9 million Americans become identity theft victims each year. As this victimization becomes more prevalent, public awareness of data breaches and confidentiality issues is increasing.

Frequency
How often are losses experienced?

Data loss has been occurring since records have been taken; however the collection of statistics regarding data loss is only in its infancy. Since 2005, the frequency of data breaches has grown at an average rate of 27%. In an Accenture survey, 40% of small businesses with fewer than 500 employees experienced a loss of sensitive information, while over half of those respondents with over 1,000 employees had experienced a loss. Since 2005, there have been 2,870 data breaches affecting 543 million records. Furthermore, Privacy Rights Clearinghouse reported 535 breaches in 2011 that involved 30.4 million records.24 Historic statistics regarding data breach have been incomplete, with many going unreported. It is only in the past several years that notifications have been made mandatory.

Severity
How significant are the losses?

When considering statistics related to data breaches and other cyber liabilities, it is important to remember that large breaches skew the average.25 That said, the overall average cost of a breach involving personal data is $7.2 million.26 A recent study by Ponemon revealed that the average cost from a data breach of PII is $214 per record. Consequently, for a small business which experiences the theft of 1,000 records, we estimate damages of approximately $210,000.27 Costs vary depending on the cause of the data loss, and across a wide array of breach scenarios. For example, business interruption cost due to denial of internet or other technical services has been the most severe type of loss.28

Assessment (2 – 14 Days)

  Potential First Party Losses
  • Privacy Counsel
  • Containment
  • Forensic Data Investigation
  • Crisis Management / Reputation Risk Advisory
  • Notifications to Aggrieved Parties

Short-term & Long-term Crisis Management (2+ Years)

  Potential First Party Losses
  • Repairs and Upgrades to Impacted Systems
  • Credit Monitoring & Call Center Support
  • Business Interruption Costs
  • Legal Defence
  • Fines

  Potential Third Party Losses
  • Compensatory Damages for Lost Income
  • Loss of Funds – Fraudulent e-Payment
  • Bodily Injury for Mental Anguish
  • Content Injuries – Loss of IP, Trade Secret
  • Reputational Damages (i.e. libel, defamation)
  • Systems Injuries for Security Failures
  • Impaired Access Damages
  • Punitive Damages

Figure 2: Data Security & Cyber Liability Exposures Response

In many instances, especially regarding network intrusions, the hacker has had access for an extended period.29 However, it is the moment of awareness of a potential data loss which triggers the crisis response. The costs associated with this initial period, which we estimate at 2 days to 2 weeks, are incurred through efforts to stop and contain an intrusion or other attack, including security upgrades or other remediation efforts. Awareness of a potential data loss should set in motion a precise response methodology. The timeline in figure 2 provides a high-level view of the process the firm will undergo. Within the first 2 days to 2 weeks, a crisis assessment exercise is undertaken – preferably under the guidance of a privacy attorney well positioned to provide legal oversight, to limit exposure, and to control the circulation of communications regarding the incident. The attorney is generally required for 10 – 30 hours of service.30 Also, in the case of suspected electronic data loss, a forensic examination is required to confirm whether a breach has occurred, and if so, its extent. The scope and cost of this examination is most correlated to the complexity of the IT architecture and sophistication of pre-existing security measures (not the number of breached files). The cost of a forensic examination is typically $50,000.31 Dependent upon the nature of the breach, ten to thirty hours of crisis management services may be undertaken by a reputational risk advisory firm or a public relations consultant.32 At the end of this period notifications are distributed to aggrieved parties in order to comply with statutory obligations, with costs estimated at $10 - $15 per record.33

For the subsequent two years (or more) a range of further first party costs are incurred, including further remediation such as physical security measures and technical changes. These augmentations may include data restoration, software upgrades, and hardware replacement; or may be as extensive as fundamental changes in: outsourcing relationships and service level agreements, data models, infrastructure architecture, and security-related policy and governance protocols. In some instances re-certification with PCI standards may be necessitated.34 Also, the ongoing operation of a call center may be required to meet compliance requirements. There may also be costs related to business interruption, especially in relation to denial of data access, website outage, or other service outage. Lastly, legal defense costs and regulatory fines of up to $1.5 million may be incurred.

One primary exposure, outside data breach scenarios, typically concerns the liability associated with third-party damages.35 As figure 2 illustrates, there are a range of potential liabilities related to Data Security and Cyber Liability. There are potential claims against the data owner from employees, potential employees, customers, suppliers and competitors. Depending upon the nature of the cyber event, third party liabilities can include: investigation, mitigation and remediation costs relating to a data breach; costs for compliance with various laws and regulations after a breach; class action lawsuits alleging disclosure of PII; business partners alleging breach of contract, negligence or demands for indemnification; or professional negligence.36 Also, relating to other risks there are potential third party liabilities arising from fraudulent electronic payments, damages arising from an unfair trade practices suit due to employee social media postings, and liabilities arising from invasion of privacy, especially in relation to data tracking. Lastly, there is also a risk of compensatory damages for employment practices liabilities, data breach incidents, or defamatory social media postings. These damages can include loss of income, mental anguish, and punitive damages.37

Recommended Approach
What should be done to mitigate the risks?

Enterprise Risk Management (ERM) has become a sophisticated discipline of coordinated activities to mitigate the negative impacts of uncertainty, including the use of complex regression analyses and probabilistic models.39 Data Security & Cyber Liability, as a risk family, should be considered within an organization’s ERM efforts, and within each segment of the ERM framework. Figure 3

• Do we have sensitive information?
• To what extent are we willing to accept the risk of a data loss?
• Have we implemented cyber policies, and assigned accountability for data crisis response?
• Do we track the right security information regarding data in use, data transfer and data storage?
• Have we determined the scale and scope of potential breach scenarios?
• How effective are we at preventing data loss and defending against attacks?
• What actions can we take to better defend against cyber loss?
• What extreme events could happen, and how is a cyber loss related to other risk areas?

Figure 3: Risk Management Framework Applied to Data Security & Cyber Liability38

provides several illustrative questions the risk management professional should consider when incorporating Data Privacy and Cyber Liability within an ERM program.

Our approach to Data Security and Cyber Liability applies the breadth of the ERM Framework, while grounding action within traditional project management methodology. For example, within the first tranche of work firms should focus efforts on identifying all relevant risks, including sources of the risk, areas of impact, estimates of frequency and severity and preliminary findings on interdependencies. By surfacing all relevant data security and cyber liability risks, the firm is well positioned to conduct a robust analysis, covering: factors that affect the likelihood of realization, existing controls, interdependencies, and sensitivities.

A strong response to data security and cyber liability results in effective internal controls to mitigate risk; a plan for a crisis event (pre- and post-claim); and robust risk transfer through insurance designed to address the risks. Like all risk management efforts, the challenge is in the details. Businessowners Policies (BOPs) and Commercial Package Policies generally exclude potential exposures. Endorsements may be available, but are typically limited in their scope of coverage given the nature of these risks. The savvy firm will seek effective risk transfer through appropriate policies designed to cover their specific risk exposures. The most effective plan for managing the risk and related response will be specifically tailored to the firm, and companies that combine a contingency plan and an appropriately crafted policy are best positioned to survive the risks.

Objective: Effectively Manage Data Security & Cyber Liability Risks
Overarching activity: Project Management & Communications

Activities, in sequence: A. Risk Identification, B. Risk Analysis, C. Risk Evaluation, D. Risk Treatment

Milestone A: Risk Identification
Inputs:
• Existing risk framework, communications, and context documentation
• Industry intelligence
Outputs:
• Exhaustive log of all relevant risks and risks discounted
• Existing treatments

Milestone B: Risk Analysis
Inputs:
• IT security measures
• Related Human Resources policies
• Cyber risk log
• Industry data on retained risks
Outputs:
• Frequency and severity mapping
• Sensitivities, scenarios and dependencies

Milestone C: Risk Evaluation
Inputs:
• Compliance requirements
• Risk criteria
• Risk analysis outcomes
Outputs:
• Prioritization of required treatments
• Outcomes of risk technique decisions

Milestone D: Risk Treatment
Inputs:
• Risk evaluations
• Existing insurance policies
• Existing disaster recovery plans
Outputs:
• Pre- and post-claim response plan
• Enhanced insurance coverage
• Implemented risk controls

Figure 4: Approach to Data Security & Cyber Liability
Endnotes

1. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008. See also: Sophos. (2010). Protecting Personally Identifiable Information: What data is at risk and what you can do about it. Boston: Stinger, J. Retrieved from: http://www.sophos.com/sophos/docs/eng/dst/sophos-protecting-pii-wpna.pdf
2. Brigadoon Security Group. Retrieved September 10, 2012, from: http://www.pcphonehome.com/
3. Accenture. (2009). How Global Organizations Approach the Challenge of Protecting Personal Data. Retrieved from: http://www.accenture.com/nl-en/Documents/PDF/Accenture_Data_privacy_reportLD.pdf Note: The included survey defines small businesses as those with fewer than 500 employees, p. 14.
4. NetDiligence. (2011, June). Cyber Liability & Data Breach Claims.
5. Towers Watson. (2011). Risk and Finance Manager Survey – Full Report. Retrieved from: http://www.towerswatson.com/assets/pdf/4481/Towers-Watson-Risk-Financial-Manager-Survey-Report.pdf
6. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.
7. Gartner. (2011). Gartner Says Half of all Organizations Will Revise Their Privacy Policies by End-2012. Retrieved September 10, 2012, from: http://www.gartner.com/it/page.jsp?id=1761414
8. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008.
9. Federal Trade Commission. (2012, March). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers. Retrieved September 10, 2012, from: http://ftc.gov/os/2012/03/120326privacyreport.pdf See also: U.S. Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm See also: Property Casualty 360°. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
10. Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/ See also: Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf
11. Information & Privacy Commissioner. (2010, April). Privacy Risk Management. Ontario, Canada: Cavoukian, A. Retrieved September 10, 2012, from: http://www.ipc.on.ca/images/Resources/pbd-priv-risk-mgmt.pdf
12. Godes, S. (2012, March 19). Surprising Sources of Coverage. Business Insurance, 46(12), p. 10.
13. Property Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
14. Property Casualty 360°. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
15. Zurich Insurance Group. (2012). Cyber Risk in 2012: Get Your Head in the Cloud. New Salem, Massachusetts: DeWitt, J. Retrieved September 10, 2012, from: http://img.sbmedia.com/Perm/LH/PC360/Zurich/Cloud.pdf
16. Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf See also: Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/
17. Property Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
18. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4. See also: U.S. Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
19. Property Casualty 360°. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
20. The Futures Company. (2012). Public Worlds: How Digital Technology Will Transform Identity, Work and the City. London: Galgey, W. Retrieved September 10, 2012, from: http://www.marketingpower.com/ResourceLibrary/Documents/Content%20Partner%20Documents/The%20Futures%20Company/2012/future-perspectives-public-worlds.pdf
21. Hoffman, M. (2012, March 19). Cyber Crime is Now a National Threat. Business Insurance, 46(12), p. 8.
22. IDC. (2009, May). As the Economy Contracts, the Digital Universe Expands. Framingham, Massachusetts: Gantz, J. and Reinsel, D. Retrieved September 10, 2012, from: http://www.emc.com/collateral/leadership/digital-universe/2009DU_final.pdf See also: Deloitte. (2011). Technology, Media and Telecommunications Predictions 2012. Retrieved September 10, 2012, from: http://www.deloitte.com/assets/Dcom-Australia/Local%20Assets/Documents/Industries/TMT/Deloitte_TMT_Predictions_2012.pdf
23. Capgemini. (2011, October 17). Bring Your Own. Gillam, R. Retrieved September 10, 2012, from: http://www.at.capgemini.com/insights/publikationen/bring-your-own/
24. Property Casualty 360°. (2012, March 4). What’s Driving the Rise in Data Breaches? Kam, R. and Henley, J. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/03/14/whats-driving-the-rise-in-data-breaches#.T2zn3hJnP5g.email
25. Ricardo, A. Beazley. (personal communication, September 6, 2012).
26. Anonymous. (2012, March 19). Cyber Risks 2012. Business Insurance, 46(12), pp. 16-17. See also: Property Casualty 360°. (2012, February 2). After ‘Year of the Data Breach,’ Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
27. Ponemon Institute. (2010, January). 2009 Annual Study: Cost of a Data Breach. Traverse City, Michigan. Retrieved September 10, 2012, from: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
28. Ponemon Institute. (2011, August). Second Annual Cost of Cyber Crime Study. Traverse City, Michigan. Retrieved September 10, 2012, from: http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf
29. Property Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
30. Ricardo, A. Beazley. (personal communication, September 6, 2012).
31. Ibid.
32. Ibid.
33. Ibid.
34. Ibid.
35. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.
36. Property Casualty 360°. (2012, February 2). A Lawyer’s Advice for Evaluating Your Cyber Coverage. Godes, S. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/a-lawyers-advice-for-evaluating-your-cyber-coverag#.TzlYfgGr-8s.email
37. Cyber Liability: Data, Privacy and the Perils of Social Networking. Available through Professional Liability Attorney Network. See: http://www.planattorney.org/
38. Note: Figure 3 illustrates some of the questions to be posed across the Enterprise Risk Management Framework, as the segments apply to Data Security and Cyber Liability. See: http://www.rmahq.org/risk-management/enterprise-risk
39. International Organization for Standardization. (2009, November 15). Risk Management – Principles and Guidelines (ISO 31000:2009). Geneva. Retrieved September 10, 2012, from: http://www.imeny.comyr.com/file/pdf/ISO-31000.pdf




Disclaimer

This document is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. It is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations. This document is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.


Contact
For more information about our Data Security & Cyber Liability Services, please contact:

Max Koehler
Principal
(804) 477-3073
mkoehler@midsouthassurance.com

Dale Fickett
Director – Risk Advisory
(805) 335-7198
dfickett@midsouthassurance.com




Copyright © 2012 Midsouth Assurance, LLC. All rights reserved. Midsouth Assurance and its logo are trademarks of Midsouth Assurance.

About MidSouth Assurance

Midsouth Assurance is a broker of commercial insurance and an advisor in Risk Management. Businesses are best served by an agency that understands the local business environment, and that leverages strong industry points of view.

Through our focus on small to medium enterprises in the Greater Richmond area, we collaborate to address client risks and provide the appropriate insurance. By being responsive to our clients’ needs, we build lasting relationships.

Visit us at: www.midsouthassurance.com

Weitere ähnliche Inhalte

Was ist angesagt?

Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van Symons
Clear Technologies
 

Was ist angesagt? (20)

Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van Symons
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
BYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereBYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data Everywhere
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
 
Cybersecurity in ME April 25 slides
Cybersecurity in ME April 25 slidesCybersecurity in ME April 25 slides
Cybersecurity in ME April 25 slides
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 
Baker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in CybersecurityBaker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in Cybersecurity
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
Data Security Regulatory Lansdcape
Data Security Regulatory LansdcapeData Security Regulatory Lansdcape
Data Security Regulatory Lansdcape
 
India Legal 17 June 2019
India Legal 17 June 2019India Legal 17 June 2019
India Legal 17 June 2019
 
What i learned at the infosecurity isaca north america expo and conference 2019
What i learned at the infosecurity isaca north america expo and conference 2019What i learned at the infosecurity isaca north america expo and conference 2019
What i learned at the infosecurity isaca north america expo and conference 2019
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 
CIR Magazine - Cyber Readiness, key to survival
CIR Magazine - Cyber Readiness, key to survivalCIR Magazine - Cyber Readiness, key to survival
CIR Magazine - Cyber Readiness, key to survival
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government Sector
 

Ähnlich wie Sept 2012 data security & cyber liability

Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 feb
mharbpavia
 
Cyber & Privacy Liability for Health Care Industry
Cyber & Privacy Liability for Health Care IndustryCyber & Privacy Liability for Health Care Industry
Cyber & Privacy Liability for Health Care Industry
FerrariT1
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
Don Grauel
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Ethan S. Burger
 

Ähnlich wie Sept 2012 data security & cyber liability (20)

The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And Key
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 feb
 
Cyber & Privacy Liability for Health Care Industry
Cyber & Privacy Liability for Health Care IndustryCyber & Privacy Liability for Health Care Industry
Cyber & Privacy Liability for Health Care Industry
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Verizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachVerizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breach
 
Network Security and Privacy Liability - Four Reasons Why You need This Cove...
Network Security and Privacy Liability  - Four Reasons Why You need This Cove...Network Security and Privacy Liability  - Four Reasons Why You need This Cove...
Network Security and Privacy Liability - Four Reasons Why You need This Cove...
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
Breached! The First 48
Breached! The First 48Breached! The First 48
Breached! The First 48
 

Mehr von DFickett

Brennan & Fickett IIIS Paper
Brennan & Fickett IIIS PaperBrennan & Fickett IIIS Paper
Brennan & Fickett IIIS Paper
DFickett
 
Wharton MSME Fund Recommendations
Wharton MSME Fund RecommendationsWharton MSME Fund Recommendations
Wharton MSME Fund Recommendations
DFickett
 
RVA Works Highlights Spring 2016
RVA Works Highlights Spring 2016RVA Works Highlights Spring 2016
RVA Works Highlights Spring 2016
DFickett
 
Technologies for Development 19Apr2015 DF
Technologies for Development 19Apr2015 DFTechnologies for Development 19Apr2015 DF
Technologies for Development 19Apr2015 DF
DFickett
 
2. RVA Works Impact-ographic May20151
2. RVA Works Impact-ographic May201512. RVA Works Impact-ographic May20151
2. RVA Works Impact-ographic May20151
DFickett
 
1. RVA Works Overview 20151
1. RVA Works Overview 201511. RVA Works Overview 20151
1. RVA Works Overview 20151
DFickett
 
Democratic Capitalism Stems from Catholicism
Democratic Capitalism Stems from CatholicismDemocratic Capitalism Stems from Catholicism
Democratic Capitalism Stems from Catholicism
DFickett
 
new-virginia-economy-12052014
new-virginia-economy-12052014new-virginia-economy-12052014
new-virginia-economy-12052014
DFickett
 
Faith & Sustainable Development 2015 - Coming Soon
Faith & Sustainable Development 2015 - Coming SoonFaith & Sustainable Development 2015 - Coming Soon
Faith & Sustainable Development 2015 - Coming Soon
DFickett
 
Sept 2009 introduction to incubator-fund model
Sept 2009   introduction to incubator-fund modelSept 2009   introduction to incubator-fund model
Sept 2009 introduction to incubator-fund model
DFickett
 
Nov 2011 developmental entrepreneurship in ssa
Nov 2011   developmental entrepreneurship in ssaNov 2011   developmental entrepreneurship in ssa
Nov 2011 developmental entrepreneurship in ssa
DFickett
 
Nov 2010 villanova developmental entrepreneurship
Nov 2010   villanova developmental entrepreneurshipNov 2010   villanova developmental entrepreneurship
Nov 2010 villanova developmental entrepreneurship
DFickett
 
Nov 2010 opportunity assessment
Nov 2010   opportunity assessmentNov 2010   opportunity assessment
Nov 2010 opportunity assessment
DFickett
 
Nov 2007 accenture sepa implementation
Nov 2007   accenture sepa implementationNov 2007   accenture sepa implementation
Nov 2007 accenture sepa implementation
DFickett
 
Nov 2007 accenture making payments deliver
Nov 2007   accenture making payments deliverNov 2007   accenture making payments deliver
Nov 2007 accenture making payments deliver
DFickett
 
May 2011 soquent market research program
May 2011   soquent market research programMay 2011   soquent market research program
May 2011 soquent market research program
DFickett
 
June 2010 trinity research proposal
June 2010   trinity research proposalJune 2010   trinity research proposal
June 2010 trinity research proposal
DFickett
 
Dec 2011 wharton msme fund recommendations
Dec 2011   wharton msme fund recommendationsDec 2011   wharton msme fund recommendations
Dec 2011 wharton msme fund recommendations
DFickett
 
Dec 2003 business plan for d'lectables
Dec 2003   business plan for d'lectablesDec 2003   business plan for d'lectables
Dec 2003 business plan for d'lectables
DFickett
 
April 2012 randomized evaluation sme access to finance
April 2012   randomized evaluation sme access to financeApril 2012   randomized evaluation sme access to finance
April 2012 randomized evaluation sme access to finance
DFickett
 

Mehr von DFickett (20)

Brennan & Fickett IIIS Paper
Brennan & Fickett IIIS PaperBrennan & Fickett IIIS Paper
Brennan & Fickett IIIS Paper
 
Wharton MSME Fund Recommendations
Wharton MSME Fund RecommendationsWharton MSME Fund Recommendations
Wharton MSME Fund Recommendations
 
RVA Works Highlights Spring 2016
RVA Works Highlights Spring 2016RVA Works Highlights Spring 2016
RVA Works Highlights Spring 2016
 
Technologies for Development 19Apr2015 DF
Technologies for Development 19Apr2015 DFTechnologies for Development 19Apr2015 DF
Technologies for Development 19Apr2015 DF
 
2. RVA Works Impact-ographic May20151
2. RVA Works Impact-ographic May201512. RVA Works Impact-ographic May20151
2. RVA Works Impact-ographic May20151
 
1. RVA Works Overview 20151
1. RVA Works Overview 201511. RVA Works Overview 20151
1. RVA Works Overview 20151
 
Democratic Capitalism Stems from Catholicism
Democratic Capitalism Stems from CatholicismDemocratic Capitalism Stems from Catholicism
Democratic Capitalism Stems from Catholicism
 
new-virginia-economy-12052014
new-virginia-economy-12052014new-virginia-economy-12052014
new-virginia-economy-12052014
 
Faith & Sustainable Development 2015 - Coming Soon
Faith & Sustainable Development 2015 - Coming SoonFaith & Sustainable Development 2015 - Coming Soon
Faith & Sustainable Development 2015 - Coming Soon
 
Sept 2009 introduction to incubator-fund model
Sept 2009   introduction to incubator-fund modelSept 2009   introduction to incubator-fund model
Sept 2009 introduction to incubator-fund model
 
Nov 2011 developmental entrepreneurship in ssa
Nov 2011   developmental entrepreneurship in ssaNov 2011   developmental entrepreneurship in ssa
Nov 2011 developmental entrepreneurship in ssa
 
Nov 2010 villanova developmental entrepreneurship
Nov 2010   villanova developmental entrepreneurshipNov 2010   villanova developmental entrepreneurship
Nov 2010 villanova developmental entrepreneurship
 
Nov 2010 opportunity assessment
Nov 2010   opportunity assessmentNov 2010   opportunity assessment
Nov 2010 opportunity assessment
 
Nov 2007 accenture sepa implementation
Nov 2007   accenture sepa implementationNov 2007   accenture sepa implementation
Nov 2007 accenture sepa implementation
 
Nov 2007 accenture making payments deliver
Nov 2007   accenture making payments deliverNov 2007   accenture making payments deliver
Nov 2007 accenture making payments deliver
 
May 2011 soquent market research program
May 2011   soquent market research programMay 2011   soquent market research program
May 2011 soquent market research program
 
June 2010 trinity research proposal
June 2010   trinity research proposalJune 2010   trinity research proposal
June 2010 trinity research proposal
 
Dec 2011 wharton msme fund recommendations
Dec 2011   wharton msme fund recommendationsDec 2011   wharton msme fund recommendations
Dec 2011 wharton msme fund recommendations
 
Dec 2003 business plan for d'lectables
Dec 2003   business plan for d'lectablesDec 2003   business plan for d'lectables
Dec 2003 business plan for d'lectables
 
April 2012 randomized evaluation sme access to finance
April 2012   randomized evaluation sme access to financeApril 2012   randomized evaluation sme access to finance
April 2012 randomized evaluation sme access to finance
 

Sept 2012 data security & cyber liability

  • 1. Emerging Risk: Data Security & Cyber Liability Autumn 2012 “For any business that accepts non-cash payments or has a payroll - there is some data at risk.”
  • 2. By the Numbers... $210,000 Estimated cost of a small data breach involving 1,000 records 40% Surveyed businesses with <500 employees that have experienced a data breach 100% Virtually every business handles at-risk data 2-6 days Number of days within which 25% of businesses will go bankrupt without internet access 42% Breaches caused by factors which cannot be mitigated through IT security measures – rogue employee, theft, and business interruption About Us MidSouth Assurance- on Main Street, for Main Street. We believe that businesses can best be served by an insurance agency that understands the environment in which a particular business operates. Similarly, we represent insurance carriers with a similar philosophy. This, we believe, will result in the most effective insurance programs for our clients. Over fifty years of experience in large and small brokerages, as well as independent agencies, allows us to effectively serve new ventures and growth businesses in the Greater Richmond area. We advise clients on a breadth of risk management issues, and develop appropriate mitigation strategies for them, including specialty insurance programs. Insurance • Risk Management
Relevance
Which businesses have this risk?

Virtually every business utilizes sensitive information, and virtually any business can incur liability from employees' cyber activities. In fact, any business which has payroll data or collects non-cash payments captures Personally Identifiable Information (PII), or that information which is protected under law. PII includes an individual's name in combination with credit/debit card numbers, bank account information, social security numbers, and driver's license numbers. Other sensitive personal information includes: IP addresses, vehicle registration numbers, fingerprints and biometric data, address, age, gender, name of school attended, professional grade or salary, criminal record, and health care records.[1] Combinations of these data elements are valuable to criminals who use the information for illegal purposes.

According to Accenture, a majority of businesses have lost sensitive personal information, and among these organizations the biggest causes are internal control failures. In fact, there were over eight million computers stolen in the past three years; and according to the FBI only 3% are recovered.[2] According to Ponemon Institute, each week there are 10,000 laptop computers lost at the 36 largest airports in the U.S., with an average cost of $50,000 per laptop, including: replacement, detection, forensics, data breach, lost IP rights, lost productivity, and legal and regulatory expenses. Moreover, 40% of small businesses have experienced a loss of sensitive information.[3] According to NetDiligence, a significant share of breaches are attributable to hacking attacks; however, 42% are caused by factors which are not mitigated through IT security measures – rogue employees, theft or loss of a device, and interruption of internet connectivity or electricity service.[4] Paradoxically, Towers Watson has found that amongst businesses who had forgone risk transfer through a liability policy, 37% justified the decision in the belief that their IT departments and internal controls were sufficient.[5]

While the healthcare, finance, utilities, and defense sectors are particularly likely targets for cyber attacks due to the volume of valuable data, industry experts still predict that the highest likelihood of breaches will occur in small businesses, particularly in healthcare, given their smaller IT security budgets. McAfee recently identified "industrial threats" first on its list of 2012 predictions, including the manipulation or destruction of industrial controls. These risks are particularly relevant in the physical infrastructure for transportation, energy and telecommunications. In 2009, the "Night Dragon" coordinated attacks demonstrated the level of sophistication which has been achieved when attacking core infrastructure providers. Within this incident, oil, energy and petrochemical firms were attacked through a combination of social engineering, spear phishing, and remote administration tools. The attacks are believed to have originated from China, and were designed to acquire confidential information regarding bidding and other project finance intelligence related to large development projects.[6]

Regulation
What is required under law?

Regulatory changes regarding data security and cyber liability have developed at a rapid pace.[7] A compromise of confidential PII triggers a requirement under state laws to notify the aggrieved parties. This notification is designed to provide aggrieved parties information related to the nature of the incident, the type of PII that was compromised, remedial actions the company took to increase protection, a contact phone number for posing questions regarding the incident, and information regarding credit monitoring.[8] Requirements vary across the 47 states and three territories which have data protection legislation in place. The primary variables include, but are not limited to: the definition of the type of data which constitutes PII, requirements regarding the notification timing, the state agencies which must be contacted in the event of a data breach, applicability of the law to various entity forms, applicability to physical data (not electronic data), provisions for notifying aggrieved parties of recommendations regarding credit freeze or fraud alerts, provisions requiring notification to the credit monitoring agencies, and safe harbor stipulations around the loss of an encrypted mobile device. In the event of a data breach, complexity can become unwieldy, as it is the aggrieved party's home state which determines the applicable laws to which the breached business must adhere.

National regulation can increase the complexity of navigating a breach event. Within certain sectors and organizational contexts a range of regulations can apply; these include: the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act (GLBA) on financial transactions, the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair and Accurate Credit Transactions Act (FACTA), the Federal Information Security Management Act (FISMA), the Genetic Information Nondiscrimination Act of 2008 (GINA), the Family Education Rights & Privacy Act (FERPA), the FTC recommendations on protecting consumer privacy, especially section 5A on website data usage, and the SEC Cyber Security guidance.[9] It is important to note that in areas of conflicting definitions or differing requirements, compliance with the stricter law is generally required.

Depending on the nationality of those for whom data is held, and how the data is used, international law may apply. Several of the most relevant include: Canada's Personal Information Protection and Electronic Documents Act, the UK Data Protection Act of 1998, the U.S. Patriot Act, the U.S. – E.U. Safe Harbour Agreement, the European Union Data Protection Regulations, Malaysia's Personal Data Protection Act 2010, and India's IT Amendments Act.[10]
Figure 1: Data Security & Cyber Liability Landscape

Contributing Trends
  Technological
    • Social Media & Web 2.0
    • Cloud Computing Models
    • Growth in Data Volume
    • Proliferation of Mobile Devices
    • Sophisticated Attacks
  Legal
    • Consumer Protection Legislation
    • Financial Transactions Legislation
    • Industry Regulation
    • Judicial Precedent
  Socio-Cultural
    • Increased Awareness of Identity Theft
    • Social Activism
    • Increased Interconnectivity

Causes of Loss (Perils)
  • Mysterious Disappearance or Theft of Company Data
  • IT Vendor Negligence
  • Online Collaboration and Social Media Postings
  • Phishing Tactics
  • Website Interference
  • Unauthorized Network Access (e.g. Trojans, SQL Injections, Other Malware)

Areas of Exposure
  Strategic Risk
    • Business Model Obsolescence
  Operational Risk
    • Data Breach
    • Fraudulent Payment
    • Defamatory Communications Suit
    • Unfair Trade Practices Suit
    • Privacy Violations & Other Employer Practices Liability
    • Data Tracking Liability
  Pure Risk
    • Hacking Attacks
    • Physical Theft
    • Rogue Employees
    • Internet or Electrical Service Interruption

Scope of the Risks
What does "Data Security & Cyber Liability" entail?

Data security and cyber liability is a risk family that encompasses first-party and third-party liability resulting from the use of Information and Communication Technologies (ICT). Technological and regulatory trends have given rise to a group of perils, from which the risks arise; and these risks fall within three areas: (a) Strategic Risks; (b) Operational Risks; and (c) Pure Risks (see figure 1). The risks can result in first party losses, such as investigations and remedial action following a data breach. Also, a number of third-party liabilities are present, and are based upon the principle that an individual has a right to control the collection, use and disclosure of his/her personal information.[11]

The Risks: Operational risk is the largest component – particularly Data Breach, or the compromise of personally identifiable information (PII) or other sensitive material – whether in electronic form or represented in physical documents. "Sensitive information" includes that data which is protected under the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, criminal records, and other information that a business is bound to keep confidential, such as intellectual property and trade secrets.[12] Regardless of the IT delivery model, the firm as the "data owner" retains responsibility for protection, even in the case of a data breach experienced by an outsourced partner. It is also important to bear in mind that pure risks, such as an ICT service interruption or a hacking attack, increase the risk of data loss – highlighting the inter-relatedness of the various risk elements. Similarly, theft of mobile devices constitutes another such risk, especially where data storage is unencrypted. Other relevant risks include: (1) Defamatory Communications, or social media postings which, held to the legal standards of commercial publications, are judged to be misleading and/or guilty of libel or slander; (2) Unfair Trade Practices, or the publication of social media judged to include misleading endorsements or disparagements; (3) Privacy Violations, Harassment and Discrimination, which includes a range of employment practices liabilities within the social media space – for example, consideration of an individual's social media postings which include information that would be judged off-limits in an interview setting; and (4) Data Tracking, or the collection of data related to consumer behavior, which is conducted unbeknownst to the individual or which is conducted in a manner which doesn't allow a consumer opt-out.[13]

There is an exposure related to cloud delivery models, and the use of outsourced IT providers, with third party mistakes now accounting for 46% of data loss.[14] Most cloud providers simply cannot afford to indemnify all platform tenants;[15] as such it's incumbent upon cloud service providers and data center operators to investigate risk transfer through technology errors & omissions coverage. As client businesses seek cost efficiencies and deployment speed through cloud delivery models, unique risks arise, such as: disruptive force (i.e. business model obsolescence), lack of transparency, reliability and performance issues, strategic business model risks, vendor lock-in, and security concerns.[16] Moreover, daisy chain effects of liability have been documented – where the primary company utilizes an outsourced IT provider, who in turn outsources some elements of data storage or manipulation to another provider. This chain of data handlers may extend to multiple vendors, which increases loss of control and overall exposure.[17] In short, an evaluation of cloud architecture and outsourced IT relationships should include a thorough risk assessment of resultant cyber liabilities; and the liabilities should be weighed against cost, efficiency and scalability benefits.

The Causes: There are a range of factors which cause these losses. The causes can range from the straightforward to the complex – employee communications, physical theft or mysterious disappearance of data sources (especially mobile devices), skimming credit and debit card numbers at a point of sale, phishing tactics to masquerade as a trustworthy entity to solicit sensitive information (including counterfeit social media web pages), website interference or defacement, and complex network intrusions. Motives for both negligent and malicious behavior can include political and social activism, financial gain, or employee retribution.[18]

Contributing Trends: These risks have emerged from a range of trends, including legislation to protect individuals – creating compliance requirements. The rise of social media and Web 2.0 collaboration, mobile data communications, explosive growth in data volumes, and cloud architectures have all contributed to the growth in data security and cyber liability risks.[19] Furthermore, data security is becoming increasingly difficult. The advent of quantum computing has been predicted to create an ecosystem in which it will be impossible to keep data secure for any length of time, and that governments and large corporations won't connect to the "red internet."[20] FBI Director Robert Mueller stated, "But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country."[21] Data stores are growing at an exponential rate,[22] and the increasing use of Bring-Your-Own-Device policies is creating further security concerns and reducing the organization's control over the data for which it is legally responsible.[23] Lastly, according to the Federal Trade Commission, 9 million Americans become identity theft victims each year. As this victimization becomes more prevalent, public awareness of data breaches and confidentiality issues is increasing.

Frequency
How often are losses experienced?

Data loss has been occurring since records have been taken; however, the collection of statistics regarding data loss is only in its infancy. Since 2005, frequency in data breaches has grown at an average rate of 27%. In an Accenture survey, 40% of small businesses with less than 500 employees experienced a loss of sensitive information, while over half of those respondents with over 1,000 employees had experienced a loss. Since 2005, there have been 2,870 data breaches affecting 543 million records. Furthermore, Privacy Rights Clearinghouse reported 535 breaches in 2011 that involved 30.4 million records.[24] Historic statistics regarding data breach have been incomplete, with many going unreported. It is only in the past several years that notifications have been made mandatory.

Severity
How significant are the losses?

When considering statistics related to data breaches and other cyber liabilities, it is important to remember that large breaches skew the average.[25] That said, the overall average cost of a breach involving personal data is $7.2 million.[26] A recent study by Ponemon revealed that the average cost from a data breach of PII is $214 per record. Consequently, for a small business which experiences the theft of 1,000 records, we estimate damages of approximately $210,000.[27] Costs vary depending on the cause of the data loss, and across a wide array of breach scenarios. For example, business interruption cost due to denial of internet or other technical services has been the most severe type of loss.[28]

Figure 2: Data Security & Cyber Liability Exposures

2 – 14 Days: Assessment & Crisis Management
  Potential First Party Losses
    • Privacy Counsel
    • Containment
    • Forensic Data Investigation
    • Crisis Management / Reputation Risk Advisory
    • Notifications to Aggrieved Parties

2+ Years: Short-term & Long-term
  Potential First Party Losses
    • Repairs and Upgrades to Impacted Systems
    • Credit Monitoring & Call Center Support
    • Business Interruption Costs
    • Legal Defense
    • Fines

Potential Third Party Losses
  • Compensatory Damages for Lost Income
  • Loss of Funds – Fraudulent e-Payment
  • Bodily Injury for Mental Anguish
  • Content Injuries – Loss of IP, Trade Secret
  • Reputational Damages (i.e. libel, defamation)
  • Systems Injuries for Security Failures
  • Impaired Access Damages
  • Punitive Damages

Response
In many instances, especially regarding network intrusions, the hacker has had access for an extended period.[29] However, it is the moment of awareness of a potential data loss which triggers the crisis response. The costs associated with this initial period, which we estimate at 2 days to 2 weeks, are incurred through efforts to stop and contain an intrusion or other attack, including security upgrades or other remediation efforts. Awareness of a potential data loss should set in motion a precise response methodology. The timeline in figure 2 provides a high-level view of the process the firm will undergo. Within the first 2 days to 2 weeks, a crisis assessment exercise is undertaken – preferably under the guidance of a privacy attorney well positioned to provide legal oversight, to limit exposure, and to control the circulation of communications regarding the incident. The attorney is generally required for 10 – 30 hours of service.[30] Also, in the case of suspected electronic data loss, a forensic examination is required to confirm whether a breach has occurred, and if so, its extent. The scope and cost of this examination is most correlated to the complexity of the IT architecture and sophistication of pre-existing security measures (not the number of breached files). The cost of a forensic examination is typically $50,000.[31] Dependent upon the nature of the breach, ten to thirty hours of crisis management services may be undertaken by a reputational risk advisory firm or a public relations consultant.[32] At the end of this period notifications are distributed to aggrieved parties in order to comply with statutory obligations, with costs estimated at $10 - $15 per record.[33]

For the subsequent two years (or more) a range of further first party costs are incurred, including further remediation such as physical security measures and technical changes. These augmentations may include data restoration, software upgrades, and hardware replacement; or may be as extensive as fundamental changes in: outsourcing relationships and service level agreements, data models, infrastructure architecture, and security-related policy and governance protocols. In some instances re-certification with PCI standards may be necessitated.[34] Also, the ongoing operation of a call center may be required to meet compliance requirements. There may also be costs related to business interruption, especially in relation to denial of data access, website outage, or other service outage. Lastly, legal defense costs and regulatory fines of up to $1.5 million may be incurred.

One primary exposure, outside data breach scenarios, typically concerns the liability associated with third-party damages.[35] As figure 2 illustrates, there are a range of potential liabilities related to Data Security and Cyber Liability. There are potential claims against the data owner from employees, potential employees, customers, suppliers and competitors. Depending upon the nature of the cyber event, third party liabilities can include: investigation, mitigation and remediation costs relating to a data breach; costs for compliance with various laws and regulations after a breach; class action lawsuits alleging disclosure of PII; business partners alleging breach of contract, negligence or demands for indemnification; or professional negligence.[36] Also, relating to other risks there are potential third party liabilities arising from fraudulent electronic payments, damages arising from an unfair trade practices suit due to employee social media postings, and liabilities arising from invasion of privacy, especially in relation to data tracking. Lastly, there is also a risk of compensatory damages for employment practices liabilities, data breach incidents, or defamatory social media postings. These damages can include loss of income, mental anguish, and punitive damages.[37]

Recommended Approach
What should be done to mitigate the risks?

Enterprise Risk Management (ERM) has become a sophisticated discipline of coordinated activities to mitigate the negative impacts of uncertainty, including the use of complex regression analyses and probabilistic models.[39] Data Security & Cyber Liability, as a risk family, should be considered within an organization's ERM efforts, and within each segment of the ERM framework. Figure 3 provides several illustrative questions the risk management professional should consider when incorporating Data Privacy and Cyber Liability within an ERM program.

Figure 3: Risk Management Framework Applied to Data Security & Cyber Liability[38]
  • What extreme events could happen, and how is a cyber loss related to other risk areas?
  • Do we have sensitive information?
  • What actions can we take to better defend against cyber loss?
  • To what extent are we willing to accept the risk of a data loss?
  • How effective are we at preventing data loss and defending against attacks?
  • Have we implemented policies, and assigned accountability for data crisis response?
  • Do we track the right security information regarding data in use, data transfer and data storage?
  • Have we determined the scale and scope of potential breach scenarios?

Our approach to Data Security and Cyber Liability applies the breadth of the ERM Framework, while grounding action within traditional project management methodology. For example, within the first tranche of work firms should focus efforts on identifying all relevant risks, including sources of the risk, areas of impact, estimates of frequency and severity, and preliminary findings on interdependencies. By surfacing all relevant data security and cyber liability risks, the firm is well positioned to conduct a robust analysis, covering: factors that affect the likelihood of realization, existing controls, interdependencies, and sensitivities.

A strong response to data security and cyber liability results in effective internal controls to mitigate risk; a plan for a crisis event (pre- and post-claim); and robust risk transfer through insurance designed to address the risks. Like all risk management efforts, the challenge is in the details. Businessowners Policies (BOPs) and Commercial Package Policies generally exclude potential exposures. Endorsements may be available, but are typically limited in their scope of coverage given the nature of these risks. The savvy firm will seek effective risk transfer through appropriate policies designed to cover their specific risk exposures. The most effective plan for managing the risk and related response will be specifically tailored to the firm, and companies that combine a contingency plan and an appropriately crafted policy are best positioned to survive the risks.

Figure 4: Our Approach to Data Privacy & Cyber Liability

Objective: Effectively Manage Data Security & Cyber Liability Risks
Project Management & Communications run across all activities.

Activity A – Risk Identification (Milestone A)
  Inputs:
    • Existing risk framework, communications, and context documentation
    • Industry intelligence
  Outputs:
    • Exhaustive log of all relevant risks and risks discounted
    • Existing treatments

Activity B – Risk Analysis (Milestone B)
  Inputs:
    • IT security measures
    • Related Human Resources policies
    • Cyber risk log
  Outputs:
    • Frequency and severity mapping
    • Sensitivities, scenarios and dependencies

Activity C – Risk Evaluation (Milestone C)
  Inputs:
    • Compliance requirements
    • Risk criteria
    • Risk analysis outcomes
    • Industry data on retained risks
  Outputs:
    • Prioritization of required treatments
    • Outcomes of risk technique decisions

Activity D – Risk Treatment (Milestone D)
  Inputs:
    • Risk evaluations
    • Existing insurance policies
    • Existing disaster recovery plans
  Outputs:
    • Pre- and post-claim response plan
    • Enhanced insurance coverage
    • Implemented risk controls
Endnotes

1. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008. See also: Sophos. (2010). Protecting Personally Identifiable Information: What data is at risk and what you can do about it. Boston: Stinger, J. Retrieved from: http://www.sophos.com/sophos/docs/eng/dst/sophos-protecting-pii-wpna.pdf
2. Brigadoon Security Group. Retrieved September 10, 2012, from: http://www.pcphonehome.com/
3. Accenture. (2009). How Global Organizations Approach the Challenge of Protecting Personal Data. Retrieved from: http://www.accenture.com/nl-en/Documents/PDF/Accenture_Data_privacy_reportLD.pdf Note: The included survey defines small businesses as those with less than 500 employees, p. 14.
4. NetDiligence. (2011, June). Cyber Liability & Data Breach Claims.
5. Towers Watson. (2011). Risk and Finance Manager Survey – Full Report. Retrieved from: http://www.towerswatson.com/assets/pdf/4481/Towers-Watson-Risk-Financial-Manager-Survey-Report.pdf
6. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.
7. Gartner. (2011). Gartner Says Half of all Organizations Will Revise Their Privacy Policies by End-2012. Retrieved September 10, 2012, from: http://www.gartner.com/it/page.jsp?id=1761414
8. Virginia Code § 18.2-186.6. Breach of personal information notification. 2008.
9. Federal Trade Commission. (2012, March). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers. Retrieved September 10, 2012, from: http://ftc.gov/os/2012/03/120326privacyreport.pdf See also: U.S. Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm See also: Property Casualty 360°. (2012, February 2). After 'Year of the Data Breach,' Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
10. Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/ See also: Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf
11. Information & Privacy Commissioner. (2010, April). Privacy Risk Management. Ontario, Canada: Cavoukian, A. Retrieved September 10, 2012, from: http://www.ipc.on.ca/images/Resources/pbd-priv-risk-mgmt.pdf
12. Godes, S. (2012, March 19). Surprising Sources of Coverage. Business Insurance, 46(12), p. 10.
13. Property & Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
14. Property Casualty 360°. (2012, February 2). After 'Year of the Data Breach,' Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
15. Zurich Insurance Group. (2012). Cyber Risk in 2012: Get Your Head in the Cloud. New Salem, Massachusetts: DeWitt, J. Retrieved September 10, 2012, from: http://img.sbmedia.com/Perm/LH/PC360/Zurich/Cloud.pdf
16. Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management for Cloud Computing. Chicago, Crowe Horwath LLP: Chan, W., Leung, E. and Pili, H. Retrieved September 10, 2012, from: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf See also: Capgemini. (2010, March 16). Putting Cloud Security in Perspective. Retrieved September 10, 2012, from: http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/
17. Property & Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
18. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4. See also: U.S. Securities & Exchange Commission, Division of Corporation Finance. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity. Retrieved September 10, 2012, from: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
19. Property Casualty 360°. (2012, February 2). After 'Year of the Data Breach,' Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
20. The Futures Company. (2012). Public Worlds: How Digital Technology Will Transform Identity, Work and the City. London: Galgey, W. Retrieved September 10, 2012, from: http://www.marketingpower.com/ResourceLibrary/Documents/Content%20Partner%20Documents/The%20Futures%20Company/2012/future-perspectives-public-worlds.pdf
21. Hoffman, M. (2012, March 19). Cyber Crime is Now a National Threat. Business Insurance, 46(12), p. 8.
22. IDC. (2009, May). As the Economy Contracts, the Digital Universe Expands. Framingham, Massachusetts: Grantz, J. and Reinsel, D. Retrieved September 10, 2012, from: http://www.emc.com/collateral/leadership/digital-universe/2009DU_final.pdf See also: Deloitte. (2011). Technology, Media and Telecommunications Predictions 2012. Retrieved September 10, 2012, from: http://www.deloitte.com/assets/Dcom-Australia/Local%20Assets/Documents/Industries/TMT/Deloitte_TMT_Predictions_2012.pdf
23. Capgemini. (2011, October 17). Bring Your Own. Gillam, R. Retrieved September 10, 2012, from: http://www.at.capgemini.com/insights/publikationen/bring-your-own/
24. Property Casualty 360°. (2012, March 4). What's Driving the Rise in Data Breaches? Kam, R. and Henley, J. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/03/14/whats-driving-the-rise-in-data-breaches#.T2zn3hJnP5g.email
25. Ricardo, A. Beazley. (personal communication, September 6, 2012).
26. Anonymous. (2012, March 19). Cyber Risks 2012. Business Insurance, 46(12), pp. 16 - 17. See also: Property Casualty 360°. (2012, February 2). After 'Year of the Data Breach,' Carriers Increase Capacity, Competition for Cyber Risks. Voelker, M. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca
27. Ponemon Institute. (2010, January). 2009 Annual Study: Cost of a Data Breach. Traverse City, Michigan. Retrieved September 10, 2012, from: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
28. Ponemon Institute. (2011, August). Second Annual Cost of Cyber Crime Study. Traverse City, Michigan. Retrieved September 10, 2012, from: http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf
29. Property & Casualty 360°. (2012, August 28). Cyber Liability: A View from the Trenches. Web Seminar in partnership with Zurich Insurance Group. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/webseminars/cyber-liability-a-view-from-the-trenches
30. Ricardo, A. Beazley. (personal communication, September 6, 2012).
31. Ibid.
32. Ibid.
33. Ibid.
34. Ibid.
35. Greenwald, J. (2012, March 19). Data Breaches Evolve from Nuisance to Major Business Threat. Business Insurance, 46(12), p. 4.
36. Property Casualty 360°. (2012, February 2). A Lawyer's Advice for Evaluating Your Cyber Coverage. Godes, S. Retrieved September 10, 2012, from: http://www.propertycasualty360.com/2012/02/02/a-lawyers-advice-for-evaluating-your-cyber-coverag#.TzlYfgGr-8s.email
37. Cyber Liability: Data, Privacy and the Perils of Social Networking. Available through Professional Liability Attorney Network. See: http://www.planattorney.org/
38. Note: Figure 3 illustrates some of the questions to be posed across the Enterprise Risk Management Framework, as the segments apply to Data Security and Cyber Liability. See: http://www.rmahq.org/risk-management/enterprise-risk
39. International Organization for Standardization. (2009, November 15). Risk Management – Principles and Guidelines (ISO 31000:2009). Geneva. Retrieved September 10, 2012, from: http://www.imeny.comyr.com/file/pdf/ISO-31000.pdf

Disclaimer

This document is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. It is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations. This document is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.
Contact

For more information about our Data Security & Cyber Liability Services, please contact:

Max Koehler
Principal
(804) 477-3073
mkoehler@midsouthassurance.com

Dale Fickett
Director – Risk Advisory
(805) 335-7198
dfickett@midsouthassurance.com

About MidSouth Assurance

Midsouth Assurance is a broker of commercial insurance and an advisor in Risk Management. Businesses are best served by an agency that understands the local business environment, and that leverages strong industry points of view. Through our focus on small to medium enterprises in the Greater Richmond area, we collaborate to address client risks and provide the appropriate insurance. By being responsive to our clients' needs, we build lasting relationships.

Visit us at: www.midsouthassurance.com

Copyright © 2012 Midsouth Assurance, LLC. All rights reserved. Midsouth Assurance and its logo are trademarks of Midsouth Assurance.