Beazley Breach Response Select: Making the connection on data breach complexities



SLIDE 1

Making the connection on data breach complexities

Beazley Breach Response Select

SLIDE 2

Making the connection on data breach complexities

Presented by

  • Jeffrey Norton, underwriter, Beazley US Private Enterprise Technology, Media & Business Services team, jeffrey.norton@beazley.com
  • Marcello Antonucci, claims manager, Beazley US Technology, Media & Business Services team, marcello.antonucci@beazley.com

SLIDE 3

Making the connection on data breach complexities

  • Data breach exposures
  • Data breach costs for small businesses
  • Claims scenarios for small businesses
  • Coverage misconceptions
  • Beazley Breach Response Select

SLIDE 4

Making the connection on data breach complexities

Data breaches are a big concern for small businesses…

  • The U.S. Chamber of Commerce estimates that employee theft costs American employers more than $50 billion each year, and
  • one third of all small business failures can be attributed to employee dishonesty...
  • Based on estimates, cybercriminals steal as much as US$1 billion a year from SMBs in the United States and Europe alone. Source: TrendMicro
  • Verizon's 2011 data breach report of 759 occurrences, conducted in collaboration with the US Secret Service, shows 63 percent of last year's breaches involved organizations with less than 100 employees.

SLIDE 5

Focus has shifted to small businesses since they are easier targets for cyber criminals...

SLIDE 6

Making the connection on data breach complexities

Most small business owners and their employees still lack understanding of the inherent risks and how best to protect their data - and business.

SLIDE 7

Making the connection on data breach complexities

Response costs add up for a company with limited cash flow

Costs for a small business can be as much as those faced by a larger company:

  • Small businesses typically have fewer internal resources and less expertise to handle a breach response, so they are more likely to have to pay outside experts such as attorneys, consultants, crisis management and public relations professionals to assist.
  • Complexity of the business will drive costs for legal and forensics
  • Response costs alone: Hiring a forensics expert to determine the size and scope of a breach can range from $10,000 to $100,000, whatever the size of the business.
  • Once notifications go out, public relations/damage control is critical to reputation!
  • The lion's share of response costs comes from the duty to notify those whose data has been breached or potentially breached: an estimated $200,000 in costs associated with breach response services.

SLIDE 8

Making the connection on data breach complexities

Direct Data Breach Costs in 2010

  • $214 per compromised customer/client record
  • $7,200,000 in average total per-incident costs (forensics, legal, notification, customer fallout) (U.S. Cost of a Data Breach Study, PGP Corporation and Ponemon Institute, 2011)
  • Small businesses typically have less internal resources and expertise to handle a breach response, so they are more likely to have to pay outside experts such as attorneys, consultants, crisis management and public relations professionals.
  • Once customers are notified that their information has been breached, damage control is critical.
  • Leveraging the services of experienced claims professionals is key…

SLIDE 9

Making the connection on data breach complexities

Regulatory Investigations & Third-Party Claims

  • Mandatory breach notification in 46 states, the District of Columbia, and Puerto Rico.
  • Notification brings potential for AG regulatory action and provides plaintiffs' bar with tempting lure for putative class actions.
  • PHI: HIPAA and HITECH
  • Regulatory proceedings can result in fines and corrective action plans that require significant expenditures on administrative, technical, and physical safeguards for data.
  • Third-party class action lawsuits entail potentially enormous exposure, and at the very least, cost a lot of money to defend.

AIM of BBR Services: mitigate any potential regulatory investigations and respond clearly and with confidence

SLIDE 10

Making the connection on data breach complexities

How Do Breaches Occur?

  • Employee loses a portable device (BlackBerry, laptop, thumb drive, backup tape)
  • Stray faxes, emails
  • Property crimes (computers prime targets)
  • Inside job (employee steals information, particularly upon separation)
  • Phishing scams (“Nigerian prince”), and increasingly, Spear-Phishing (social engineering)
  • Malware / virus attacks (especially when working remotely on an unsecured network)

SLIDE 11

Making the connection on data breach complexities

Examples of Publicly Reported Breaches (continued)

  • The Briar Group LLC: owner of a number of bars and restaurants in the Boston area, used default usernames and passwords on its point-of-sale system, which were shared by employees on an unsecured wifi network. Malware quickly made its way onto the network, and several customers began experiencing credit card fraud. The Massachusetts Attorney General learned of the incident from affected customers, and filed a lawsuit resulting in a $110,000 penalty and mandatory compliance with the rigorous Payment Card Industry Data Security Standards.
  • Roanoke State Community College: A USB drive and a personal handheld device were stolen from an employee's car when he took information home to do after-hours work. The names and Social Security numbers of 9,747 current or former students were on the handheld device, along with those of 1,194 current or former employees. Credit monitoring alone for a breach of this size would typically exceed $100,000.

SLIDE 12

Making the connection on data breach complexities

Examples of Publicly Reported Breaches

  • The Surgeons of Lake County ("SLC"): a medical facility in northern Illinois, had hackers breach its computer network, infiltrating a server where e-mails and electronic medical records were stored. Hackers encrypted access to the system, and tried to extort money from SLC in exchange for the decryption key. Hackers threatened to start spamming pornography from SLC's email addresses if not paid within 72 hours. SLC had to purge all systems and notify over 7,000 patients of the incident.
  • Phoenix Cardiac Surgery ("PCS"): a five-physician practice, posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. One patient Googled her own name, discovered the calendar, and reported the incident to federal regulators. In turn, regulators fined PCS $100,000, and instituted a mandatory corrective action plan with the ability to audit PCS for six years.

Just the tip of the iceberg: in five out of every six breaches, the infiltration remained undetected for weeks at a time. See “2012 Data Breach Investigations Report,” Verizon Communications, at 3 (2012) (http://bit.ly/GFfpdk).

SLIDE 13

Top five list of small business misconceptions

5) Most breaches happen to big companies
4) The cost to respond to a breach is a postage stamp to mail a letter
3) Our information is well-protected by our IT consultants
2) My employees would never act maliciously, and know how to protect our data

And the top misconception is…

SLIDE 14

Top five list of small business misconceptions

#1 – Every security breach is covered by my general liability policy

SLIDE 15

Beazley Breach Response Select: What makes it different?

Our top two reasons:

1) Very few businesses have the resources to manage a breach (we do it all!)
2) Notify by number of affected individuals outside the liability limit

SLIDE 16

Beazley Breach Response Select: What makes it different?

Services, services, services…

  • Best in Class Breach Response Services: forensic, legal, notification, credit monitoring and health record restoration services, call center services
  • Hand-picked, vetted vendors, because expertise makes a big difference for claim outcome, but most companies don’t have the in-house expertise to respond to a breach. You can be confident in our breach response services!
  • Ensures that when a breach or suspected breach occurs the insured can move swiftly and sure-footedly to protect its reputation with its customers. Your client can be confident in our breach response services!

SLIDE 17

BBR Select Timeline

SLIDE 18

BBR Select Timeline

SLIDE 19

Beazley Breach Response Select: What makes it different?

  • Notification/credit monitoring limit provided on a number of affected individuals basis, not a dollar amount. 25,000; 50,000 or up to 100,000 limits for most small businesses make it easy to ensure adequate limits!
  • Dedicated / Outside the Liability Limit Breach Response Services, since breaches are very different from liability claims (a large breach will not exhaust the policy liability limits!)
  • Free loss control information service (nodatabreach.com), including compliance and data security policy information, email alerts of key legal and regulatory developments, and expert on-line support for client questions on data security issues.
  • Unmatched liability coverages, including PCI fines and costs, crisis management and public relations, Red Flags Rule coverage, and much, much more!
  • All of this with low retentions and affordable premiums for small businesses!

SLIDE 20

BBR Select - Target Market

  • Any business with the legal duty to notify the consumer/patient in the event of a data breach.
  • Sample industries include:
      • Healthcare (doctors, dentists, nursing homes, long-term care, hospitals etc)
      • Retail
      • Higher education or K-12 schools
      • Hospitality (hotels, motels, restaurants, property managers)
      • Small commercial banks
      • Law firms
      • Manufacturers / Wholesale distributors
      • Insurance agents / Brokers
      • Staffing firms / Employment agencies
      • CPA / tax preparation / wealth management / financial advisory firms

SLIDE 21

BBR Select Product Offering

  • Usual liability limits offered: $1,000,000 or $2,000,000
  • Usual notifications limit offered: 25,000, 50,000 or up to 100,000
  • Usual Regulatory Defense & Penalties limits offered: $250,000 or $500,000
  • Legal/forensics limits offered: $50,000 or $100,000
  • Usual Crisis Management and Public Relations limits offered: $100,000
  • Usual PCI Fines & Costs limits offered: $50,000 or $100,000
  • Minimum retention: $1,000
  • In-house breach response team

SLIDE 22

BBR Select Product Offering

  • Additional Coverage available:
      • Cyber Extortion
      • First Party Data Protection
      • First Party Network Business Interruption

SLIDE 23

BBR Select Product Offering

  • Premiums Starting at:
      • $1,000 for non-healthcare accounts
      • $2,000 for healthcare accounts

SLIDE 24

For more information

Jeffrey Norton, Beazley USA
1+ 215 446 8453
jeffrey.norton@beazley.com

Or go to: www.beazley.com/pe

SLIDE 25

Official Notice

The descriptions contained in this presentation are for preliminary informational purposes only. The exact coverage afforded by the products described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk.