October 28, 2014
Steve Hasse, INSUREtrust
Eugene Slobodzian, Winxnet
Dianna Fletcher, Fletcher Media
Cyber Security Planning: Preparing for a Data Breach
+ Our Speakers
Steve Hasse, CEO, INSUREtrust
Eugene Slobodzian, PhD, CISSP, Vice President of Security, Winxnet
Dianna Fletcher, Fletcher Media
October 28, 2014 | Cyber Security Planning: Preparing for a Data Breach (slide 1)
+ Today’s Agenda
Before the breach: preparations and planning
During the breach: the event
After the breach: managing the aftermath
+ Today’s Data Breaches
The retail industry was the #1 target: 22% of network intrusions occurred at retailers (Verizon 2013 Data Breach Investigations Report).
47% of American adults have been affected by data breaches in the last year (Ponemon Institute).
Cybercrime costs the global economy $575 billion and the US economy $100 billion annually; the US is the hardest hit of any country (Intel Security and the Center for Strategic and International Studies).
+ Data Breach Laws & Regulations
No federal law
47 states have adopted their own breach notification laws. Maine's, for example: Me. Rev. Stat. title 10 § 1347 et seq., § 1348. Security breach notice requirements: If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
+ Data Breach Laws & Regulations
HITECH Breach Notification Interim Final Rule (500-individual threshold)
GLBA, SEC: more generic
PCI, FERPA, other: no clearly defined guidance
+ Today’s Agenda
Before the Breach: Preparations and Planning
+ Question One
Have you ever received a breach notification letter?
+ Notification Letter
+ Notification Letters
Over 80% of the people we have surveyed received at least one breach notification letter.
+ Question Two
Have you, or has someone you know, experienced identity theft?
These occur via stolen digital or paper personal information.
+ Identity Theft Reality
Over 90% of the people we talk to have experienced identity theft or know someone who has.
+ Insurance Cyber Security Market
As compared to other products:
  Cyber as compared to EPLI
  Cyber as compared to pollution insurance
What do buyers want?
  Many competing carriers
  All with state-of-the-art broad coverage
  All competing on price and financial strength
What do buyers have?
  Many carriers competing
  All with different coverage
+ Insurance Cyber Security Market
This makes the insurance buying decision very difficult; it is hard to compare policies.
The Good News? It's a buyer's market; the possible exception is large retailers.
+
Revenue Range (£)   % Purchasing Cyber
<1.5M               3.8%
1.5M<3M             4.8%
3M<6M               6.6%
6M<15M              7.2%
15M<60M             10%
60M<180M            17.6%
180M<600M           20.5%
600M<3B             21.8%
3B+                 25.9%
+ Target Breach: Largest of all Breaches
+ What Happened After the Breach?
+ Every Email
Email is often overlooked, but it is a significant exposure of both personal and corporate information. Most people have sent and received an enormous amount of email.
Almost every company requires a confidentiality statement in the footer of every sent email. This implies that the recipient maintains the confidentiality of the content.
Hackers are now using sophisticated tools to capture your email as you send it. Then they use your email to impersonate you or others in spear phishing attacks.
+ Every Email
Most people know about phishing attacks, but when they get an email from a known source they do not expect to be accidentally downloading malicious code.
A breach of your email exposes everyone you communicate with to spear phishing attacks as well as other privacy breaches.
+ Shhh…
Inside information on a new breach that the "feds" have not made public.
+ Underwriter's Perspective: Good Risk vs. Bad Risk
Vertical industry / revenues / number of records
Completing the application forms: dos and don'ts (the encryption question)
Need a good story to tell if you go to court
+ Before: IT Security Perspective
Most common Incident Response Plan implementation
+ Before: IT Security Perspective
Winning battles before they are fought
Should be the most time-consuming phase
Is hopefully the most expensive phase
Minimizes the chances of a breach
Minimizes the impact of a breach
"Beef up" security
+ Before: IT Security Perspective
Preventive: Beef up security controls
Detective: Implement detection mechanisms
Assemble a Computer Incident Response Team (CIRT)
Create an Incident Response Program:
  Policy
  Plan
  Procedures
Practice makes perfect
+ Crisis Communications Scenarios
+ Crisis Communications: Data Breach
+ Crisis Communications: Team Building
Know your notification laws (www.ncsl.org, National Conference of State Legislatures)
Assemble an A-team:
  Corporate lead: privacy officer or internal lead
  Legal
  IT partner: internal and incident response team
  Investigatory representative: company liaison
  PR professional: national vs. local
  Customer care
  HR
  Social media manager
  Web master
+ Crisis Communications Outreach
Identify your stakeholders
Gather your troops: review your internal social media policies
Assess your media relations
Assess your social media outreach to customers
Open all channels of communications
Build your bank of PR
+ Train Your Team
Media-train spokespeople
Map your messages
Communicate with transparency and empathy
+ Today’s Agenda
During the Breach: The Event
+ Data Breach Notification Costs
+ Have a Good Story to Tell
Consider investigating the breach under attorney/client privilege.
What if the FBI requests that you continue to allow the hackers access so they can catch them? This might be the first step before you notify the carrier.
Implement pre-planning:
  Loss Prevention: Have a plan, train your people, test your people
  Crisis Management: Have a plan, have a resource approved by your insurance carrier; practice-run (i.e., a fire drill)
Collect all computer logs and gather all evidence
+ Have a Good Story to Tell
Report all incidents on a timely basis
Obtain acknowledgement from the carrier
Expect a reservation of rights letter
You may have forgotten how overly broad these policies are.
Don't wait until you are filling out the renewal application form.
Do not go public or start notification without all of the facts. (Ex: DSW)
+ Evaluating Coverage/Claims Process
Gather and review all potentially relevant policies and indemnity/vendor agreements
Consider which policies to put on notice: may be primary and excess layers; may be cyber policies and/or other lines (e.g., D&O)
Crime coverage vs. cyber coverage
Provide timely notice of actual or potential breaches, claims or losses under appropriate policies and under appropriate indemnity/vendor agreements
+ Evaluating Coverage/Claims Process
Promptly obtain consent for expenses and defense arrangements
Adhere to cooperation obligations and respond to reasonable requests for information (privilege issues)
Obtain consent to settle or offer other relief
Resolve coverage issues
Vast majority of claims are covered
+ During: IT Security Actions
Detect
Analyze
Contain
Eradicate
Preserve evidence
Notify
Recover
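"Preserve evidence" is the step on this list that is easiest to get wrong under pressure: a log that was copied off a server without a recorded hash cannot later be shown to be the same log that was collected, which undercuts the "good story to tell in court" the speakers emphasise. The script below is an added example, not code from the presenters or the page, showing one workable way to do it: hash every collected file with SHA-256, record who collected it, from which host and when, seal the manifest's file list with its own hash, and re-verify the set before it is handed to the carrier's forensic firm or law enforcement. The directory layout, the log lines, the hostname pos-01 and the collector name are constructed for the example and are not real data.

```python
"""Evidence preservation: hash collected log files and record chain of custody.

Added example, not the presenters' code. Paths, hostnames and log lines are
constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, source_host: str) -> dict:
    """Record who collected what, from where and when, plus a hash per file."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    # Hash the canonical file list so a doctored manifest is also detectable.
    listing = json.dumps(files, sort_keys=True).encode()
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source_host": source_host,
        "files": files,
        "manifest_sha256": hashlib.sha256(listing).hexdigest(),
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means the evidence set is intact."""
    problems = []
    expected = manifest["files"]
    listing = json.dumps(expected, sort_keys=True).encode()
    if hashlib.sha256(listing).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest file list has been altered")
    for rel, meta in expected.items():
        p = evidence_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != meta["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    for p in evidence_dir.rglob("*"):
        rel = p.relative_to(evidence_dir).as_posix()
        if p.is_file() and rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Seal a constructed evidence set, then tamper with one log and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        (evidence / "var/log").mkdir(parents=True)
        # Constructed sample log lines, not real data.
        (evidence / "var/log/auth.log").write_text(
            "Oct 28 09:14:02 pos-01 sshd[2211]: Accepted password for svc_backup from 10.0.5.23\n"
            "Oct 28 09:14:09 pos-01 sudo: svc_backup : COMMAND=/bin/tar czf /tmp/x.tgz /srv/pos\n"
        )
        (evidence / "var/log/syslog").write_text(
            "Oct 28 09:15:00 pos-01 cron[1802]: (root) CMD (run-parts /etc/cron.hourly)\n"
        )
        manifest = build_manifest(evidence, collector="J. Doe (CIRT)", source_host="pos-01")
        # The manifest lives outside the evidence tree so it is not hashed as evidence.
        (root / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
        intact = verify_manifest(evidence, manifest)

        # Someone "tidies up" the log after collection: its hash no longer matches.
        with (evidence / "var/log/auth.log").open("a") as f:
            f.write("Oct 28 09:20:00 pos-01 sshd[2211]: session closed\n")
        stored = json.loads((root / "MANIFEST.json").read_text())
        tampered = verify_manifest(evidence, stored)
        return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "intact")
    print("after tampering:", after)
```

In practice the manifest is written somewhere the collected host cannot reach (write-once media or a separate custody store) and signed or counter-signed by the collector; the demo keeps it in a temporary directory only so that it runs stand-alone. Running the same verification at every hand-off means a mismatch is found when evidence changes hands, not when it is challenged in court.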
+ Before the News Breaks
Determine: “when the clock starts ticking.”
Message map: What is your end-goal?
One statement vs. interviews
First statement: foundation of ALL communications
+ Determine What You Want to Say
+ Sample Press Statement
(For Immediate Release): February 15, 2011: Waterville, ME:
Day’s Jewelers recently became aware of possible unauthorized and illegal access to credit and debit card information by third parties. Day’s Jewelers cannot release details about the suspected breach because there is an ongoing investigation, according to the Maine State Police Computer Crimes Unit. Investigators have informed Day’s Jewelers that the suspected breach involved hackers outside of the company. Upon notification, Day’s Jewelers immediately began taking steps to protect against any unauthorized access. Within hours of contact by law enforcement, Day’s IT partners were on site, locating any suspect software. When the company received approval from law enforcement agencies, Day’s Jewelers contacted the bankcard processing companies.
Day’s has hired a nationally recognized computer forensic team to determine the nature and extent of any unauthorized access to customer information, and to identify the information that may have been compromised. As a result of the company’s initial investigation, a likely time frame of the breach has been determined. This narrows the number of Day’s customers that may have been affected by any security breach.
According to Day’s Jewelers President Jeff Corey, the initial investigation by the company indicates personal identification was not accessed. Also, the unauthorized access does not affect customers who made online purchases.
“At Day’s Jewelers, our customers are our primary concern,” said Jeff Corey. “We are working diligently with law enforcement as it investigates this criminal activity. We apologize for any concerns this may raise with our customers. We are talking directly with any consumer who may have questions or concerns.”
Day’s Jewelers is in contact with its customers. It is recommending customers review credit and debit card statements. If questionable transactions appear, consumers should contact their card company immediately.
Also, consumers can contact Day’s directly at 1-800-439-3297.
+ As Notification Begins & News Breaks
Channels of outreach
What is required by law
What is expected by your customers, stakeholders
Phone banks
Emails
Media monitoring: traditional and social
Website updates
Determine frequency of updates
+ Today’s Agenda
After the Breach: Managing the Aftermath
+ Proper Claims Reporting
Report all incidents on a timely basis
Obtain acknowledgement from the carrier
Expect a reservation of rights letter
You may have forgotten how overly broad these policies are.
Don't wait until you are filling out the renewal application form.
+ Proper Claims Reporting
Consider investigating the breach under attorney/client privilege: What if the FBI requests that you continue to allow the hackers access so they can catch them?
Does the insured have "choice of counsel"?
+ Evaluating Coverage/Claims Process
Gather and review all potentially relevant policies and indemnity/vendor agreements
Consider which policies to put on notice: may be primary and excess layers; may be cyber policies and/or other lines (e.g., D&O)
Crime coverage vs. cyber coverage
Provide timely notice of actual or potential breaches, claims or losses under appropriate policies and under appropriate indemnity/vendor agreements
+ Evaluating Coverage/Claims Process
Promptly obtain consent for expenses and defense arrangements
Adhere to cooperation obligations and respond to reasonable requests for information (privilege issues)
Obtain consent to settle or offer other relief
Resolve coverage issues
Vast majority of claims are covered
Other carrier provided services
+ After: IT Security Actions
Review actions
Analyze effectiveness
Augment Incident Response Program
Implement additional security measures
Create incident report
Review lessons learned
+ Reputation Management
New normal
Reputation management team
Media monitoring: traditional and social
+ Reputation Management
Reputation management team
Listen to your stakeholders: What do they need?
Privacy and security statements
+ Reputation Management
Cyber Security Planning: Preparing for a Data Breach
Q & A