Cyber Security and Cyber Liability Insurance


Wednesday, July 7, 2021
WEBCAST
Speaker: Brandon Gordon

Brandon Gordon is a proud Iowa State University alumnus and President of Run Networks, a Managed IT Services company based in Omaha, Nebraska. He started Run Networks in 2007 and has over 20 years of experience in business IT. Brandon encourages his IT team to follow the company’s core values of being passionate about IT services and providing those services with value and efficiency. When Brandon is not at his computer saving the business world, he is under the hood of his 1968 MG tuning carburetors. He and his wife, Sarah, have been married since 2001 and have 3 girls.

Brought to you by

7/7/2021 CYBER SECURITY AND CYBER LIABILITY INSURANCE
JULY 7 2021 12:00-1:00
RUN NETWORKS, MERCER

Cyber Liability Insurance
Cyber liability applications are in depth, with some questions that can be confusing. In this session we will walk through some sample questions we see on cyber insurance applications, discuss how they apply to a firm, and review some options to fulfill each requirement.

Introductions
• Caroline Murray – McGowan Program Administrators
• John Collentine – Mercer
• Mark Kollar – McGowan Program Administrators
• Brandon Gordon – Run Networks

IMPORTANT – CYBERPRO POLICY STATEMENT OF FACT
• By accepting this insurance you confirm that the facts contained in the proposal form are true. These statements, and all information you or anyone on your behalf provided before we agree to insure you, are incorporated into and form the basis of your policy. If anything in these statements is not correct, we will be entitled to treat this insurance as if it had never existed. You should keep this statement of fact and a copy of the completed proposal form for your records. This application must be signed by the applicant. Signing this form does not bind the company to complete the insurance. With reference to risks being applied for in the United States, please note that in certain states, any person who knowingly and with intent to defraud any insurance company or other person submits an application for insurance containing any false information, or conceals, for the purpose of misleading, information concerning any fact material thereto, commits a fraudulent insurance act, which is a crime. The undersigned is an authorized principal, partner, director, risk manager, or employee of the applicant and certifies that reasonable inquiry has been made to obtain the answers herein, which are true, correct and complete to the best of his/her knowledge and belief. Such reasonable inquiry includes all necessary inquiries to fellow principals, partners, directors, risk managers, or employees to enable you to answer the questions accurately.

REFERENCE CONTROL: INFORMATION SECURITY POLICIES
• Management Direction for Information Security

Records
• Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form?
• *Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, drivers’ license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records and email addresses.
• Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?
• Approximately how many PII records are retained within your computer network, databases and records? (PII is defined as a personally identifiable record on an individual that can be used to identify, contact or locate a single individual.)

REFERENCE CONTROL 6: ORGANIZATION OF INFORMATION SECURITY
• Internal Organization
• Mobile Devices and Teleworking

IT Department
• This section must be completed by the individual responsible for the applicant’s network security. As used in this section only, “you” refers to the individual responsible for the applicant’s network security.
• Who is responsible for the Applicant’s network security?

REFERENCE CONTROL 7: HUMAN RESOURCE SECURITY
• Prior to Employment
• During Employment
• Termination and Change of Employment

Human Resource Security
• Administer a corporate-wide policy governing security, privacy, and acceptable use of company property for all employees?
• Perform background checks on all employees and contractors with access to sensitive data?

REFERENCE CONTROL 8: ASSET MANAGEMENT
• Responsibility for Assets
• Information Classification
• Media Handling (physical)

REFERENCE CONTROL 9: ACCESS CONTROL
• Business Requirements of Access Control
• User Access Management
• User Responsibilities
• System and Application Access Control

Authentication
• Do you use multi-factor authentication (MFA) to secure all cloud provider services that you utilize (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud)?
• Do you use MFA to protect access to privileged user accounts?
• Do you provide your users with password management software?
• Require users to change passwords on at least a quarterly basis?
• Require strong passwords for administrator rights?

REFERENCE CONTROL 10: CRYPTOGRAPHY
• Cryptographic Controls

Encryption
• Indicate whether the Applicant encrypts private or sensitive data:
  a. While at rest in the Applicant’s database or on the Applicant’s network
  b. While in transit in electronic form
  c. While on mobile devices
  d. While on employee owned devices
  e. While in the care, custody, and control of a third party service provider
• Is all sensitive and confidential information stored on your databases, servers and data files encrypted?
• Is all information held in a physical form disposed of or recycled by confidential and secure methods?
• If you have answered ‘No’ to question b, please detail the type and how much PII is stored on portable media devices and how it is protected in the absence of encryption.
• Do you use a cloud provider to store data or host applications? If you use more than one cloud provider to store data, please specify the cloud provider storing the largest quantity of sensitive customer and/or employee records (e.g., including medical records, personal health information, social security numbers, bank account details and credit card numbers) for you.

REFERENCE CONTROL 11: PHYSICAL AND ENVIRONMENTAL SECURITY
• Secure Areas
• Equipment

Physical and Environmental Security
• Have physical security to control access to data centers / server rooms?
• Enforce a clear desk policy at all sites?
• Have an enterprise-wide data retention and destruction policy?

REFERENCE CONTROL 12: OPERATIONS SECURITY
• Operational Procedures and Responsibilities
• Protection from Malware
• Backup
• Logging and Monitoring
• Control of Operational Software
• Technical Vulnerability Management
• Information Systems Audit Considerations

Operations Security
Ransomware Controls
• Do you pre-screen emails for potentially malicious attachments and links?
• If “Yes”, do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user?
• Can your users access email through a web application or a non-corporate device?
• If “Yes”, do you enforce MFA?
• Do you have up-to-date, active firewall technology?
• Intrusion prevention or detection solution in place?
• Monitor Active Directory to detect unusual activity or abnormal behavior?

Do you allow remote access to your network?
• If “Yes”: (1) Do you use MFA to secure all remote access to your network, including any remote desktop protocol (RDP) connections?
• If MFA is used, please select your MFA provider:
• If “Other”, please provide the name of your MFA provider

Antivirus and Updates
• Do you have a process in place to regularly download and install patches?
• In what time frame do you install critical and high severity patches across your enterprise?
• Do you have up-to-date, active anti-virus software on all computers, networks, and mobile devices?
• Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise? If “Yes”, please select your NGAV provider:
• Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise?

Do you use a data backup solution?
• How frequently does it run?
• Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack within your network?
• Please check all that apply:
  • Backups are encrypted.
  • Backups are kept separate from your network (offline/air-gapped), or in a cloud service designed for this purpose.
  • Backups are secured with different access credentials from other administrator credentials.

Backup Solution Continued
• You utilize MFA to restrict access to your backups.
• You use a cloud-syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive) for backups.
• Your cloud-syncing service is protected by MFA.
• You have tested the successful restoration and recovery of key server