Welcome to NEOnet’s Cyber Security Executive Briefing
“If you haven’t yet been hacked, you will be. In fact, you already may have been hacked, but don’t know it yet.”
Stu Davis, Chief Information Officer, Ohio Department of Administrative Services
But before we begin … What is NEOnet?
- A public entity
– established via Ohio Revised Code authorizing the creation of public data sites throughout Ohio.
- A collaborative of public entities
– some things are done better together than separately
- Provides effective, cost‐efficient services, coupled with superior client support.
– Accounting, Payroll, Student Administration, Electronic Grade Books, Library Automation, Professional Development, Internet Access, Technical/Network Support, Telephony, State reporting to the ODE, and more.
- To a variety of organizations
– public school districts, community schools, educational service centers, nonpublic schools, governmental entities, higher ed, other ITC, and others.
What today IS – and ISN’T
- Today IS:
– High‐level overview of essential executive‐level topics related to cyber security
– Opportunity to hear from and interact with subject area experts
- Today ISN’T:
– A deep dive into any of the topics
– If there is interest, NEOnet will follow‐up with more in‐depth sessions
What we need to know for today
- Cyber security is a matter of organization‐wide risk that includes, but is much broader than, IT management.
- Control and alignment of the functions required to manage organization‐wide risk reside at the Executive level!
- Risk Assessment – Understand cybersecurity risk to the organization
– National Institute of Standards and Technology (NIST) – www.nist.gov/cyberframework
- Risk Management Strategy
- Policies
– Data Security
– Data Governance
- Procedures
– Computer Security Incident Handling
– Access to assets
- Staffing
– Cybersecurity roles and responsibilities
– Senior Information Security Officer
- Training
– Cybersecurity Awareness education
- Budgeting – How much are we going to spend to mitigate risk?
- Insurance
– Cyber Liability Insurance
- Legal – Federal and State
– FERPA, PPRA, COPPA, HIPAA
Executive Level Responsibilities
NIST Cybersecurity Framework
Items to consider
- Senior Information Security Officer
- Security Training Records
- Security Awareness Training policy and procedures
- Risk Assessment
– AIG Application
- Document system backup and recovery process
- Maintain inventory of information systems assets
- Computer Security Incident Handling
Computer Security Incident Handling Guide FAQ
– What is an incident?
– What is an incident response team?
– To whom should incidents be reported?
– What should someone do who discovers that a system has been attacked?
- Reviewing and adapting this guide for your organization will be helpful for dealing with cyber‐related events that may occur.
Legal Landscape: Federal Law
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act of 1998 (COPPA)
- Health Insurance Portability & Accountability Act (HIPAA)
Legal Landscape: Ohio Law
- Confidentiality of student records (O.R.C. 3319.321)
- Security (O.R.C. 1347.05(G))
- School districts must “take reasonable precautions to protect personal information” maintained in school district information systems from “unauthorized modification, destruction, use, or disclosure.”
- Appoint 1 person responsible for system
- Develop procedures for using and maintaining system
- Data Breach Notification
- Public Schools: O.R.C. 1347.12
- Private Schools: O.R.C. 1349.19
Disclaimer: For informational purposes only. Please consult insurance and legal professionals for more information. Some information attributed to AIG and other sources.
Cyber Insurance
Cyber Security Insurance is the hot topic in the IT world right now, and understandably so. Recent studies show that cyber crime is on the rise at an alarming rate – and IT experts predict that cyber crime will result in approximately $2 Trillion in losses globally by 2019, up from $500B in 2015. The number of reported ransomware cases increased 500% from 2015 to 2016, with the average security breach costing approximately $4M.
Background
In 2015, Cyber Security was a relatively unknown segment of the Insurance market, since then however, it has become the fastest growing segment – increasing from approximately $1B in 2015 to $2.5B today. With that being said, not all cyber insurance policies are created equal. It is a new market, and there are still a lot of undetermined sweet spots surrounding things like coverage limits, deductible amounts, and even what is and what is not covered under these policies. NEOnet and the MCOECN are collaboratively and aggressively pursuing answers to these questions to ensure that all members are adequately covered in the event of a breach.
Short History
As cyber risks grow, senior management and boards of directors of companies are increasingly focused on a holistic response to cyber threats that includes:
- Risk Mitigation – How do we reduce the odds or severity of something happening?
- Risk Transfer – How can we contractually shift a portion of our risk to someone else?
- Response / Recovery – Something happened, now what?
When thinking about cyber insurance, consider all three elements.
What Should Executives Be Thinking About?
What Can Go Wrong?
Employee Lost Flash Drive
An employee of a healthcare provider lost a flash drive containing the protected health information of approximately 600 individuals. The provider notified the affected individuals and provided credit monitoring services. Various state regulators were also notified in accordance with applicable law.
Legal costs + $110,000 for notification, call center services, credit monitoring, and legal fees to determine the insured’s regulatory obligations
What Can Go Wrong?
Rogue employee
An employee learns she may be terminated, and in response, she steals names, addresses, social security numbers and other personal information from customer files. She sold the information to her cousin, who used the identities to fraudulently obtain credit cards.
The affected individuals filed suit against the company for identity theft.
What Can Go Wrong?
Small business hacked
A business is hacked by a local teenager who stole social security numbers and bank account data from customer files. He sold the information to an internet website which used it to create false identities for criminals to use.
The business incurred notification and credit monitoring costs, and the legal expenses as well as the damages from potential lawsuits resulted in more than $500,000 in damages.
What Can Go Wrong?
Paper Records, T
- Outside a middle school, papers were blowing around in the wind beside a garbage container. A student, seeing the papers, grabbed some and read about the special needs assessment for a seventh-grader named Kevin, including his IQ score, psychological assessment data, behavioral information, and family history. Over the next few weeks, students relentlessly taunted Kevin, calling him "stupid," "dumb," and "retarded."
Kevin's family sued the school district, and at the trial court, the jury returned a verdict that found the district liable for $60,000 in past damages and $80,000 in future damages, and also awarded more than $45,000 in legal fees to the family.
What do you have to lose?
Tangible Costs
– Loss of funds
– Damage to Systems/Forensics Time and Expense
– Legal Damages/Communication Expenses
– Financial Compensation
Intangible Costs
– Loss of competitive advantage
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
11th annual Cost of Data Breach Study (2016), the industry’s gold-standard benchmark research, independently conducted by Ponemon Institute.
The average cost incurred for each lost or stolen record containing sensitive and confidential information increased to $158.
$158/record
(some estimates at $225+)
Cyber Claims Overview (10 years) – Average Cost of First Party Expenses (as of 10/2015)
- Legal Fees: $51,600
- Forensics: $185,600
- Notification & Call Center: $81,600
- Credit Monitoring: $59,150
- Crisis Management: $44,500
Every Breach Response is Unique – Cost Range of Each Service
- Legal Fees: Under $5,000 up to about $50,000
- Forensics: About $10,000 to Seven Figures
- Notification & Call Center: up to $80,000
- Credit Monitoring: $10 ‐ $30/month ($120 ‐ $360/annual) per employee and/or student
- Crisis Management Costs
Three Reasons to Consider Cyber Insurance
- Insurance places a dollar value on an organization’s cyber risk.
- The underwriting process can help organizations identify cybersecurity gaps and opportunities for improvement.
- Many cyber insurance policies bring supplemental value through the inclusion of risk mitigation tools as well as significant incident response assistance following a cyber incident.
Examples of Available Coverage
Insurers offer both first- and third-party insurance for cyber losses.
First-party coverage insures for losses to the policyholder’s own data or lost income or for other harm to the policyholder’s business resulting from a data breach or cyber attack.
Third-party coverage insures for the liability of the policyholder to third parties — including clients and governmental entities — arising from a data breach or cyber attack.
Examples of Available Coverage
Network Security Liability
- Covers claims arising from an inability to use or access your network, infection of others’ networks, information damage to other networks, inability of others to rely upon the accuracy, validity or integrity of their information residing on your network.
- Loss Example – Hackers obtained access to a county’s network and prevented access to personally identifiable information (PII) through a Denial of Service attack, resulting in a liability of $10M
Content Injury Liability (Media)
- Defamation, disparagement, copyright, trademark, publicity rights and content errors, etc. Covers computer readable content and can be expanded to all media.
- Can cover unauthorized expression and other exposures over social media sites by employees or others for whom a company might be responsible
Examples of Available Coverage
Network Loss or Damage
- Covers costs to recreate or restore network pre-loss conditions. Attacks covered include those instigated by employees.
- Loss Example – Hospital has to spend more than $3.5M to remove timed malicious code designed to bring down the network in order to prevent future attacks.
Business Interruption & Extra Expenses
- Covers lost online & offline income, as long as your income is network dependent and the loss is caused by security breach or errors, plus expenses of avoiding such a loss.
- Loss Example – A county was victim of a hacker and was forced to shut down their operations while repairing the network at a cost of $5M.
Examples of Available Coverage
Electronic Theft
- Covers for theft via a network of money, securities, goods, services and intangible property (e.g., intellectual property).
- Loss Example – Stolen credit card numbers used to obtain goods through an online site, and bank procedures were not followed, preventing reimbursement from the acquiring bank
Network Extortion
- Pays credible extortionist demands and response costs to demands for money against threats to release private information or bring down a network.
- Loss Example – A healthcare organization’s patient information is held at ransom by a hacker until the hacker receives $250,000 or they will release the information to the public. Costs for forensics, investigations, legal costs, preventative call centers and potential notifications of individuals cost over $3M.
“How much cyber insurance do we need?” It depends.
It depends on what is at risk, your appetite for risk, the ‘cyber maturity’ of your organization, and your existing insurance coverages.
So, where do we start?
Start with an accepted framework to assess cyber risks and cybersecurity risk management.
Recommended: National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity – www.nist.gov/cyberframework
NIST or similar assessment can identify areas to address PRIOR to seeking insurance which may strengthen your ‘cyber‐maturity’ profile, resulting in lower premiums.
Or start with a cyber insurance APPLICATION FORM to help guide your review.
You’ll evaluate potential risk exposure
– What types of information does the organization have (i.e., social security numbers, direct deposit information, credit card numbers, passwords, health records, etc.)?
– What are the potential ramifications to the organization if this information is compromised or exposed (reputational damage, regulatory actions, litigation, inability to continue operations, repairs to network, etc.)?
– What steps has the organization already taken to protect this information?
You’ll examine Policies, Processes, and Practices, and more
Incident Response Planning:
– Underwriters will ask whether a formal incident response plan is in place and will also inquire regarding regular testing through tabletops or simulation exercises.
Security Measures:
– Underwriters are typically interested in data retention, network segmentation, data classification, log monitoring, penetration testing, patch management and business interruption planning.
Vendor Management:
– As many recent data breaches have occurred through third-party relationships, underwriters are concerned with third-party vendor management. It will be important to describe whether the business has a formal third-party management process, due diligence and ongoing oversight performed on third parties, and the contractual obligations required of third parties.
Board Oversight:
– Underwriters will also likely ask how frequently cyber security risk issues are reported to the Board and whether there is Board-level approval or oversight of the information security program.
Review Current Insurance
Check Current Insurance Coverage
- First-Party Losses – Cyber
– Network interruption due to computer crime, employee sabotage, operational errors and mistakes, security breach, cyber terrorism
– Restoration, recollection and rectification of digital assets
- First-Party Losses – Data Privacy
– Data protection fines and penalties
– Data protection investigation and defense expenses
– Crisis management and public relations costs
- Third-Party Cyber Losses
– Data breach caused by or to third-party outsourcer
– Distributed Denial of Service (DDoS) attacks
– Transmission of malicious code
– Lost or stolen laptop or device
- Cyber insurance is relatively new in the marketplace
- Risk/price imbalance currently in favor of clients. Pricing often based on revenue/size of organization, not on amount of data at risk.
- Many traditional agents not familiar; cyber a one-off
- Some insurers developing cyber policies
- Consider the ‘Big Three’: AIG, Chubb, XL Group
Shopping for a Cyber Policy – Key Questions
“The U.S. property/casualty insurance industry generated $1 billion in direct written premium volume for cyber insurance in 2015. American International Group (AIG), Chubb and XL Group led the market, according to Fitch Ratings.”
Insurance Journal
Shopping for a Cyber Policy – Key Questions
- When is coverage triggered?
– Unlike ‘slip and fall’ or ‘flood’ scenarios, where the triggering event is often straightforward, the interconnectedness of the data environment can be quite complex, sometimes resulting in delays between the event occurring and notification of the event.
- When is notice to the insurers required?
– Typically, notice to the insurers is required at a very early stage of potential breach identification and consent from the insurers is often required for many expenditures following a breach.
- How are breach counsel and vendors selected?
– Best to select breach counsel and vendors in advance rather than after an event has occurred.
- What are the possible exclusions?
– Portable devices, voluntary/intentional acts, social engineering, negligent security, insider malfeasance, information maintained and stored by third‐parties, etc.
Shopping for a Cyber Policy – Key Questions
As Mark Twain noted – “it ain’t the things you don’t know that will get you – it’s the things you know for sure that just ain’t so.” Worse than not having cyber insurance in place is having a false sense of security in a policy that will not provide coverage. It is important that cyber policies include coverage for the following:
- Communications plan
- Digital forensics
- Legal fees
- Ransom payments
- Identity theft protection
Thank You
Tom Collins, HCC
Donna Davis, SWOCA
John Pouliot, CISCO Systems
Geoff Andrews, MCOECN
Next Steps
- Organizational review
- Consult insurance and legal professionals
- Cybersecurity Bundle
Core Values
- Courteous
- Helpful
- Knowledgeable
- Prompt
- Concerned