Cyber Security Planning: Preparing for a Data Breach

Cyber Security Planning:
Preparing for a
Data Breach
October 28, 2014
Steve Hasse, INSUREtrust
Eugene Slobodzian, Winxnet
Dianna Fletcher, Fletcher Media

+ Our Speakers
 Steve Hasse, CEO, INSUREtrust
 Eugene Slobodzian, PhD, CISSP, Vice President
of Security, Winxnet
 Dianna Fletcher, Fletcher Media
1
Cyber Security Planning: Preparing for a Data Breach October 28, 2014

+ Today’s Agenda
 Before the breach: preparations and planning
 During the breach: the event
 After the breach: managing the aftermath
2

+ Today’s Data Breaches
 The
retail industry was the #1 target: 22% percent of network intrusions occ
urring at retailers (Verizon 2013 Data Breach Investigation Report).
 47% of American adults have been affected by data breaches in the last year
(Ponemon Institute).
 Cybercrime has cost the global economy $575 billion and the US eco
nomy $100 billion, annually. The US is the hardest hit of any country
(Intel Security and the Center for Strategic and International Studies).
3

+ Data Breach Laws & Regulations
 No federal law
 47 states adopted their own
 Me. Rev. Stat. title 10 § 1347 et seq.,
 § 1348. Security breach notice requirements: If an information
broker that maintains computerized data that includes personal
information becomes aware of a breach of the security of the
system, the information broker shall conduct in good faith a
reasonable and prompt investigation to determine the
likelihood that personal information has been or will be
misused and shall give notice of a breach of the security of the
system following discovery or notification of the security
breach to a resident of this State whose personal information
has been, or is reasonably believed to have been, acquired by
an unauthorized person.
4

+ Data Breach Laws & Regulations
 HITECH Breach Notification Interim Final
Rule (500 individuals)
 GLBA, SEC – more generic
 PCI, FERPA, other – no clearly defined
guidance
5

+ Today’s Agenda
Before the Breach:
Preparations and Planning
6

+ Question One
 Have you ever received a breach
notification letter?
7

+ Notification Letter
8

+ Notification Letters
 Over 80% of the people we have
surveyed received at least one breach
notification letter.
9

+ Question Two
 Have you, or has someone you know,
experienced identity theft?
 These occur via stolen digital or paper personal information.
10

+ Identity Theft Reality
11
 Over 90% of the people we talk to have
experienced identity theft or know someone
who has.

+ Insurance Cyber Security Market
 As compared to other products
 Cyber as compared to EPLI
 Cyber as compared to pollution insurance
 What do buyers want?
 Many competing carriers
 All with state-of-the-art broad coverage
 All competing on price and financial strength
What do buyers have?
 Many carriers competing
 All with different coverage
12

+ Insurance Cyber Security Market
The Good News?
 It’s a buyer’s market - possible exception is large retailers
 This makes the insurance buying decision very
difficult; hard to compare policies.
13

+
Revenue Range (£) % Purchasing Cyber
<1.5M 3.8%
1.5M<3M 4.8%
3M<6M 6.6%
6M<15M 7.2%
15M<60M 10%
60M<180M 17.6%
180M<600M 20.5%
600M<3B 21.8%
3B+ 25.9%
14

+ Target Breach: Largest of all Breaches
15

+ Target Breach: Largest of all Breaches
16

+ What Happened After the Breach?
17

+ Every Email
 Email is often over looked, but is a significant
exposure of both personal and corporate
information. Most people have sent and received an
enormous amount of email.
 Almost every company requires a confidentiality statement at
the footer of every sent email. This implies that the recipient
maintains the confidentiality of the content.
 Hackers are now using sophisticated tools to capture your
email as you send it. Then, they use your email to
impersonate you or others in spear phishing attacks.
18

+ Every Email
 Email is often over looked, but is a significant
exposure of both personal and corporate
information. Most people have sent and received an
enormous amount of email.
 Most people know about phishing attacks but, when they get an
email from a known source, they do not expect to be
accidentally downloading malicious code.
 A breach of your email exposes everyone you communicate
with to spear phishing attacks as well as other privacy
breaches.
19

+ Shhh…
20
 Inside information on a new breach that the
“feds” have not made public.

+ Underwriter’s Perspective:
Good Risk vs. Bad Risk
 Vertical Industry/Revenues/Number of
Records
 Completing the application forms
 Dos and Don’ts: Encryption Question
 Need a good story to tell if you go to court
21

+ Before: IT Security Perspective
Most common
22
Incident Response
Plan implementation

 Winning battles before they are fought
 Should be most time-consuming phase
 Is hopefully the most expensive phase
 Minimizes the chances of a breach
 Minimizes the impact of a breach
 “Beef up” security
23

 Preventive: Beef up security controls
 Detective: Implement detection mechanisms
 Assemble Computer Incident Response Team
(CIRT)
 Create an Incident Response Program
 Policy
 Plan
 Procedures
 Practice makes perfect
24

+ Crisis Communications Scenarios
25

+ Crisis Communications: Data Breach
26

+ Crisis Communications:
Team Building
 Know your notification laws
 www.ncsl.org: National Conference of State Legislatures
 Assemble an A-team
 Corporate lead: privacy officer or internal lead
 Legal
 IT partner: internal & incident response team
 Investigatory representative: company liaison
 PR professional: national vs. local
 Customer care
 HR
 Social media manager
 Web master
27

+ Crisis Communications Outreach
 Identify your stakeholders
 Gather your troops: review your internal
social media policies
 Assess your media relations
 Assess your social media outreach to
customers
 Open all channels of communications
 Build your bank of PR
28

+ Train Your Team
 Media-train spokespeople
 Map your messages
 Communicate with transparency and empathy
29

+ Today’s Agenda
During the Breach:
The Event
30

+ Data Breach Notification Costs
31

+ Have a Good Story to Tell
 Consider investigating the breach under
attorney/client privilege:
 What if the FBI requests that you continue to allow the hackers
access so they can catch them? This might be the first step
before you notify the carrier.
 Implement pre-planning
 Loss Prevention: Have a plan, train your people, test your
people
 Crisis Management: Have a plan, have a resource approved by
your insurance carrier; practice-run (i.e. fire drill)
 Collect all computer logs and gather all evidence
32

+ Have a Good Story to Tell
 Report all incidents in a timely basis
 Obtain acknowledgement from the carrier
 Expect a reservation of rights letter
 You may have forgotten how overly broad these policies
are.
 Don’t wait until you are filling out the renewal application
form.
 Do not go public or start notification without all
of the facts. (Ex: DSW)
33

+ Evaluating Coverage/Claims Process
 Gather and review all potentially relevant
policies and indemnity/vendor agreements
 Consider which policies to put on notice –
may be primary and excess layers; may be
cyber policies and/or other lines (e.g., D&O)
 Crime coverage vs. cyber coverage
 Provide timely notice of actual or potential
breaches, claims or losses under appropriate
policies and under appropriate indemnity/
vendor agreements
34

 Promptly obtain consent for expenses
and defense arrangements
 Obtain consent to settle or offer other relief
 Adhere to cooperation obligations and respond to
reasonable requests for information (privilege
issues)
 Resolve coverage issues
 Vast majority of claims are covered
35

+ During: IT Security Actions
 Detect
 Analyze
 Contain
 Eradicate
 Preserve evidence
 Notify
 Recover
36

+ Before the News Breaks
 Determine: “when the clock starts ticking.”
 Message map: What is your end-goal?
 One statement vs. interviews
 First statement: Foundation of ALL
communications
37

+ Determine What You Want to Say
38

+ Sample Press Statement
(For Immediate Release): February 15, 2011: Waterville, ME:
Day’s Jewelers recently became aware of possible unauthorized and illegal
access to credit and debit card information by third parties. Day’s Jewelers
cannot release details about the suspected breach because there is an ongoing
investigation, according to the Maine State Police Computer Crimes Unit.
Investigators have informed Day’s Jewelers that the suspected breach involved
hackers outside of the company. Upon notification, Day’s Jewelers immediately
began taking steps to protect against any unauthorized access. Within hours of
contact by law enforcement, Day’s IT partners were on site, locating any suspect
software. When the company received approval from law enforcement agencies,
Day’s Jewelers contacted the bankcard processing companies.
39

Day’s has hired a nationally recognized computer forensic team to
determine the nature and extent of any unauthorized access to customer
information, and to identify the information that may have been
compromised. As a result of the company’s initial investigation, a likely time
frame of the breach has been determined. This narrows the number of Day’s
customers that may have been affected by any security breach.
40
According to Day’s Jewelers President Jeff Corey, the initial investigation by the
company indicates personal identification was not accessed. Also, the
unauthorized access does not affect customers who made online purchases..

“At Day’s Jewelers, our customers are our primary concern,” said Jeff
Corey. “We are working diligently with law enforcement as it investigates
this criminal activity. We apologize for any concerns this may raise with our
customers. We are talking directly with any consumer who may have
questions or concerns.”
Day’s Jewelers is in contact with its customers. It is recommending
customers review credit and debit card statements. If questionable
transactions appear, consumers should contact their card company
immediately.
Also, consumers can contact Day’s directly at 1-800-439-3297.
41

+ As Notification Begins & News Breaks
 Channels of outreach
 What is required by law
 What is expected by your customers, stakeholders
 Phone banks
 Emails
 Media monitoring: traditional and social
 Website updates
 Determine frequency of updates
42

+ Today’s Agenda
After the Breach:
Managing the Aftermath
43

+ Proper Claims Reporting
 Report all incidents in a timely basis
 Obtain acknowledgement from the carrier
 Expect a reservation of rights letter
 You may have forgotten how overly broad
these policies are.
 Don’t wait until you are filling out the
renewal application form.
44

+ Proper Claims Reporting
 Consider Investigating the Breach under
attorney/client privilege:
 What if the FBI requests that you continue to allow the
hackers access so they can catch them?
 Does insured have “choice of counsel”?
45

 Gather and review all potentially relevant
policies and indemnity/vendor agreements
 Consider which policies to put on notice –
may be primary and excess layers; may be
cyber policies and/or other lines (e.g., D&O)
 Crime coverage vs. cyber coverage
 Provide timely notice of actual or potential
breaches, claims or losses under appropriate
policies and under appropriate indemnity/
vendor agreements
46

 Promptly obtain consent for expenses
and defense arrangements
47
 Adhere to cooperation obligations and respond to
reasonable requests for information (privilege
issues)
 Obtain consent to settle or offer other relief
 Resolve coverage issues
 Vast majority of claims are covered
 Other carrier provided services

+ After: IT Security Actions
 Review actions
 Analyze effectiveness
 Augment Incident Response Program
 Implement additional security measures
 Create incident report
 Review lessons learned
48

+ Reputation Management
 New normal
 Reputation management team
 Media monitoring: traditional and social
49

 Listen to your stakeholders: What do
they need?
 Reputation management team
 Privacy and security statements
50

51

Cyber Security Planning:
Preparing for a
Data Breach
Q & A

Cyber Security Planning: Preparing for a Data Breach

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (12)

Ähnlich wie Cyber Security Planning: Preparing for a Data Breach

Ähnlich wie Cyber Security Planning: Preparing for a Data Breach (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cyber Security Planning: Preparing for a Data Breach