Best Practices for Insuring Medical Practices from Cyber Risk.
“There are two kinds of companies today, those who know they have been hacked, and those who don’t.”
James Comey, FBI Director (USA Today, May 2014)
Cyber Risk Trends/Statistics: 2013 Verizon Data Breach Study
• Organized crime accounts for 55% of all breaches studied
• Organizations under 100 employees account for 31% of all breaches
• 66% of breaches took months to discover
• 69% of breaches are discovered by an external party
• 78% of the breaches are considered low to very low difficulty
• Method of action:
  – 40% Malware
  – 52% Hacking
• Most desired data for organized crime:
  – Payment card information
  – Authentication credentials
  – Bank account information
• 48% of the 47,000 security incidents studied were attributed to errors such as:
  – Lost devices
  – Publishing errors
  – Mis-delivered email/mail
True Cost of a Data Breach
$188 per record for U.S.*
• Forensics (determining where, what and how much data was breached)
• Notification (as required by law)
• Fines/Penalties
• Loss of customers/donors
• Damage control expenses (to retain clients, restore confidence in the organization and restore its reputation)
NOTE: This study DOES NOT factor in defense costs or liability payments made.
*Source: 2013 Cost of a Data Breach Study – Ponemon Institute
Anatomy of a Data Breach
• Incident – Malicious attack, employee error, or theft
• Discovery – Victims are sometimes the last to know; usually discovered within months
• Forensics analysis – What, where and how
• Response – Compliance with regulatory requirements for notification
• Damage control – Offering credit monitoring/fraud monitoring to impacted parties
Regulatory Considerations: Data Breach Notification Laws
• In effect in 47 states; the exceptions are:
  – Alabama
  – New Mexico
  – South Dakota
• Subject to statutory fines/penalties
  – Exemptions and notification deadlines vary by state
• HIPAA/HITECH applies to entities that keep patient health information
  – Enforced by the Department of Health and Human Services
Social Media Exposures
• Content – Potentially liable for content you publish (e.g., a Facebook page, a YouTube video, a blog on your website)
• Privacy – Content posted can breach a person’s privacy or lead to identity theft
• Intellectual property infringement – Copyright/trademark
• Virus/Malware – Malware could be uploaded to your social media site and infect other members who click on the link
• Reputational/public relations risk – Certain negative content can go viral and reach a critical mass of people in a very short time
Risk Management View
• Cyber viewed as a very high profile risk by CEOs, CFOs, treasurers and risk managers
• A captive may be an excellent alternative to fill gaps between self-insurance and true risk transfer
  – Cyber risk may diversify a captive’s more traditional risk
• 56% of risk managers cite cyber risk as “top concern”*
• 52% of risk managers have a dedicated cyber risk insurance policy*
*Source: Business Insurance Survey
How to Price Cyber Insurance
• The market for network, information security, and privacy (cyber) insurance remained stable in 2013
• Recent events will define the market for the next several years
• Pricing sources:
  – Commercial market quotes
  – Broker indications based on:
    • Industry (retail, manufacturing, financial institution)
    • Exposure (credit cards, healthcare personal data, SSNs, HIPAA exposures)
    • Company size (# of customers, # of transactions)
  – Actuary
  – Transfer pricing study
Nittany Insurance Company
• Single-parent Vermont-based captive, owned by The Pennsylvania State University
• 1992 – Established as a funding vehicle for hospital professional liability insurance
• 2000 – Expanded to include reinsurance of primary GL and auto coverage
• Later in the 2000s – Added more coverages for the convenience of the University (e.g., deductible reimbursement for master insurance programs)
Penn State University
• Flagship land-grant university in the Commonwealth of Pennsylvania
  – However, NOT owned by the State
• Operating budget 2013/14: $5 billion
• 25,000 full-time faculty and staff, plus another 15,000 part-time employees
• 93,000 students at 20 campuses
• Two hotel/conference centers
• One very large football stadium
The Situation
Decentralized educational departments and IT networks/systems
• Insurers not interested in covering a large research institution with an open computing philosophy
• Commercially available policy forms did not provide the needed coverage
• Wanted a single funnel to accumulate expenses and manage responses to breaches
• Wanted behavior modification:
  – Incentivize decentralized units to use good computer security practices
The Solution
• Placed risk in the owned captive
• Key feature of the coverage is a two-tiered deductible:
  – If a unit employs certain “good practices” advocated by IT Security Operation Services, but has a breach anyway: $25,000 deductible
  – If a unit did not employ “good practices”, and that led or contributed to a breach: $100,000 deductible
The Results
• Firewalls more reliably installed, maintained and patched
• Security software updated in real time
• Software contracts routinely scrutinized and include security requirements
• Actual compromises decreased significantly
• Releases of SSNs declined from 10,000 at a time to 5-10 in isolated instances
Contact Information
www.springgroup.com
Karin Landry, Managing Partner, Spring Consulting Group
[email protected]
617-589-0930, ext. 102