Cyber Security and Cyber Liability

Wednesday, July 7, 2021 WEBCAST Speaker: Brandon Gordon

Brandon Gordon is a proud Iowa State University alumnus and President of Run Networks, a Managed IT Services company based in Omaha, Nebraska. He started Run Networks in 2007 and has over 20 years of experience in business IT. Brandon encourages his IT team to follow the company’s core values of being passionate about IT services and providing those services with value and efficiency. When Brandon is not at his computer saving the business world, he is under the hood of his 1968 MG tuning carburetors. He and his wife, Sarah, have been married since 2001 and have 3 girls.

CYBER SECURITY AND CYBER LIABILITY INSURANCE

JULY 7, 2021, 12:00-1:00 • RUN NETWORKS, MERCER

Cyber Liability Insurance

Cyber liability applications are in-depth, and some of their questions can be confusing. In this session we will walk through sample questions we see on cyber insurance applications, discuss how each applies to a firm, and review some options for fulfilling the requirement behind it.

Introductions

• Caroline Murray – McGowan Program Administrators
• John Collentine – Mercer
• Mark Kollar – McGowan Program Administrators
• Brandon Gordon – Run Networks

IMPORTANT – CYBERPRO POLICY STATEMENT OF FACT

• By accepting this insurance you confirm that the facts contained in the proposal form are true. These statements, and all information you or anyone on your behalf provided before we agree to insure you, are incorporated into and form the basis of your policy. If anything in these statements is not correct, we will be entitled to treat this insurance as if it had never existed. You should keep this statement of fact and a copy of the completed proposal form for your records. This application must be signed by the applicant. Signing this form does not bind the company to complete the insurance. With reference to risks being applied for in the United States, please note that in certain states, any person who knowingly and with intent to defraud any insurance company or other person submits an application for insurance containing any false information, or conceals, for the purpose of misleading, information concerning any fact material thereto, commits a fraudulent insurance act, which is a crime. The undersigned is an authorized principal, partner, director, risk manager, or employee of the applicant and certifies that reasonable inquiry has been made to obtain the answers herein, which are true, correct and complete to the best of his/her knowledge and belief. Such reasonable inquiry includes all necessary inquiries to fellow principals, partners, directors, risk managers, or employees to enable you to answer the questions accurately.

REFERENCE CONTROL: INFORMATION SECURITY POLICIES

Management Direction for Information Security

Records

• Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form?
• *Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, drivers’ license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records and email addresses.

Records

• Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?
• Approximately how many PIIs are retained within your computer network, databases and records? (PII is defined as a personally identifiable record on an individual that can be used to identify, contact or locate a single individual.)

REFERENCE CONTROL 6: ORGANIZATION OF INFORMATION SECURITY

Internal Organization
Mobile Devices and Teleworking

IT Department

• This section must be completed by the individual responsible for the applicant’s network security. As used in this section only, “you” refers to the individual responsible for the applicant’s network security.
• Who is responsible for the Applicant’s network security?

REFERENCE CONTROL 7: HUMAN RESOURCE SECURITY

Prior to Employment
During Employment
Termination and Change of Employment

Human Resource Security

• Administer a corporate-wide policy governing security, privacy, and acceptable use of company property for all employees?
• Perform background checks on all employees and contractors with access to sensitive data?

REFERENCE CONTROL 8: ASSET MANAGEMENT

Responsibility for Assets
Information Classification
Media Handling (physical)

REFERENCE CONTROL 9: ACCESS CONTROL

Business Requirements of Access Control
User Access Management
User Responsibilities
System and Application Access Control

Authentication

• Do you use multi-factor authentication (MFA) to secure all cloud provider services that you utilize (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud)?
• Do you use MFA to protect access to privileged user accounts?
• Do you provide your users with password management software?
• Require users to change passwords on at least a quarterly basis?
• Require strong passwords for administrator rights?

REFERENCE CONTROL 10: CRYPTOGRAPHY

Cryptographic Controls

Encryption

• Indicate whether the Applicant encrypts private or sensitive data:
  a. While at rest in the Applicant’s database or on the Applicant’s network
  b. While in transit in electronic form
  c. While on mobile devices
  d. While on employee-owned devices
  e. While in the care, custody, and control of a third-party service provider

Encryption

• Is all sensitive and confidential information stored on your databases, servers and data files encrypted?
• Is all information held in a physical form disposed of or recycled by confidential and secure methods?
• If you have answered ‘No’ to question b, please detail the type and how much PII is stored on portable media devices and how it is protected in the absence of encryption.
• Do you use a cloud provider to store data or host applications? If you use more than one cloud provider to store data, please specify the cloud provider storing the largest quantity of sensitive customer and/or employee records (e.g., including medical records, personal health information, social security numbers, bank account details and credit card numbers) for you.

REFERENCE CONTROL 11: PHYSICAL AND ENVIRONMENTAL SECURITY

Secure Areas
Equipment

Physical and Environmental Security

• Have physical security to control access to data centers / server rooms?
• Enforce a clear desk policy at all sites?
• Have an enterprise-wide data retention and destruction policy?

REFERENCE CONTROL 12: OPERATIONS SECURITY

Operational Procedures and Responsibilities
Protection from Malware
Backup
Logging and Monitoring
Control of Operational Software
Technical Vulnerability Management
Information Systems Audit Considerations

Operations Security: Ransomware Controls

• Do you pre-screen emails for potentially malicious attachments and links?
  • If “Yes”, do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end user?
• Can your users access email through a web application or a non-corporate device?
  • If “Yes”, do you enforce MFA?
• Do you have up-to-date, active technology?
• Intrusion prevention or detection solution in place?
• Monitor Active Directory to detect unusual activity or abnormal behavior?

Do you allow remote access to your network?

• If “Yes”:
  (1) Do you use MFA to secure all remote access to your network, including any remote desktop protocol (RDP) connections?
  • If MFA is used, please select your MFA provider:
  • If “Other”, please provide the name of your MFA provider.

Antivirus and Updates

• Do you have a process in place to regularly download and install patches?
• In what time frame do you install critical and high severity patches across your enterprise?
• Do you have up-to-date, active anti-virus software on all computers, networks, and mobile devices?
• Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise? If “Yes”, please select your NGAV provider:
• Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise?

Do you use a data backup solution?

• How frequently does it run?
• Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack within your network?
• Please check all that apply:
  • Backups are encrypted.
  • Backups are kept separate from your network (offline/air-gapped), or in a cloud service designed for this purpose.
  • Backups are secured with different access credentials from other administrator credentials.

Backup Solution Continued

  • You utilize MFA to restrict access to your backups.
  • You use a cloud-syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive) for backups.
  • Your cloud-syncing service is protected by MFA.
  • You have tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months.
  • You are able to test the integrity of backups prior to restoration to ensure that they are free of malware.
• ADDITIONAL COMMENTS (Use this space to explain any “No” answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)

Operational Security: Controls Against Malware

• Do any of the following employees at your company complete social engineering training:
  (1) employees with financial or accounting responsibilities?
  (2) employees without financial or accounting responsibilities?
• If “Yes” to question 8.A.(1) or 8.A.(2) above, does your social engineering training include simulation?

REFERENCE CONTROL 13: COMMUNICATIONS SECURITY

Network Security Management
Information Transfer

Wire Transfers

• Does your organization send and/or receive wire transfers? If “Yes”, does your wire transfer authorization process include the following:
  (1) A wire request documentation form?
  (2) A protocol for obtaining proper written authorization for wire transfers?
  (3) A separation of authority protocol?

Wire Transfers Continued

  (4) A protocol for confirming all payment or funds transfer instructions/requests from a new vendor, client or customer via direct call to that vendor, client or customer, using only the telephone number provided by the vendor, client or customer before the payment or funds transfer instruction/request was received?
  (5) A protocol for confirming any vendor, client or customer account information change requests (including requests to change bank account numbers, contact information or mailing addresses) via direct call to that vendor, client or customer, using only the telephone number provided by the vendor, client or customer before the change request was received?

REFERENCE CONTROL 14: SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

Security Requirements of Information Systems
Security in Development and Support Processes
Test Data

REFERENCE CONTROL 15: SUPPLIER RELATIONSHIPS

Information Security in Supplier Relationships
Supplier Service Delivery Management

Supplier Relationships: Vendor Management

• Do you have procedures in place which require service providers with access to the Applicant’s systems or the Applicant’s confidential information to demonstrate adequate network security controls?
• Please identify all vendors that have access to or help to manage the Applicant’s network or security systems:
  • Name
  • Nature of service
  • Does the vendor indemnify the Applicant under contract?

REFERENCE CONTROL 16: INFORMATION SECURITY INCIDENT MANAGEMENT

Management of Information Security Incidents and Improvements

Incident Management

• Do you have an incident response plan to respond to a network intrusion?

REFERENCE CONTROL 17: INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

Information Security Continuity
Redundancies

Information Security Continuity

• Do you have a disaster recovery plan, business continuity plan, or equivalent to respond to a computer system disruption?

REFERENCE CONTROL 18: COMPLIANCE

Compliance with Legal and Contractual Requirements
Information Security Reviews

Compliance

• Do you process, store, or handle credit card transactions?
  • If “Yes”, are you PCI-DSS compliant?
• Is the Applicant HIPAA compliant?
• Please confirm up-to-date compliance with relevant regulatory and industry frameworks (e.g. Gramm-Leach-Bliley Act, Health Insurance Portability & Accountability Act (HIPAA), Payment Card Industry (PCI) Data Security Standard, CAN-SPAM Act, TCPA or similar).

Compliance

• Do you have a privacy policy on your website which has been legally reviewed and includes a statement advising users as to how any information collected will be used and for what purposes?
• Do you have a process in force to obtain a legal review of all media content and advertising materials prior to release?
• Do you have controls to ensure the content of media communications and websites is lawful?

LOSS HISTORY

Loss History

• If the answer to any question in 9.a. through 9.c. below is “Yes”, please complete a Claim Supplemental Form for each claim, allegation or incident.
• In the past 3 years, has the Applicant or any other person or organization proposed for this insurance:
  (1) Received any complaints or written demands or been a subject in litigation involving matters of privacy injury, breach of private information, network security, defamation, content infringement, identity theft, denial of service attacks, infections, theft of information, damage to third party networks or the ability of third parties to rely on the Applicant’s network?

Loss History Continued

  (2) Been the subject of any government action, investigation or other proceedings regarding any alleged violation of privacy law or regulation?
  (3) Notified customers, clients or any third party of any security breach or privacy breach?
  (4) Received any cyber extortion demand or threat?
  (5) Sustained any unscheduled network outage or interruption for any reason?
  (6) Sustained any property damage or business interruption losses as a result of a cyber-attack?
  (7) Sustained any losses due to wire transfer fraud, telecommunications fraud or phishing fraud?

Loss History Continued

• Do you or any other person or organization proposed for this insurance have knowledge of any security breach, privacy breach, privacy-related event or incident or allegations of breach of privacy that may give rise to a claim?
• In the past 3 years, has any service provider with access to the Applicant’s network or computer system(s) sustained an unscheduled network outage or interruption lasting longer than 4 hours?
  • If “Yes”, did the Applicant experience an interruption in business as a result of such outage or interruption?

Loss History Continued

• During the last three years, have you received notice or become aware of any privacy violations, or that any data or personally identifiable information has become compromised?

REQUESTED INSURANCE TERMS

• Requested Terms
• Aggregate Limit Requested
• Retention Requested
• Effective Date

CYBER GLOSSARY FROM TOKIO MARINE

• DKIM, DMARC, SPF
• PowerShell
• Privileged Account Management Software (PAM)
• Endpoint application isolation and containment technology
• Protective DNS
• EDR, Next Generation AV
• SOC, SIEM
• MFA
• Vulnerability management tool
• Offline/Air-gapped backup solution
• RDP
