Controlling Technology Risks - TRICO JIF · 2015-08-03
Controlling Technology Risks
Paul A. Forlenza, MGA, RMC – Deputy Executive Director, TRICO JIF
Edward J. Cooney, MBA – Fund Underwriter, TRICO JIF
Members’ Increasing Use of Technology
• Credit card payments
• Websites
• Electronic applications
• Banking transactions
• Payroll processing
• Internet-connected devices (IoT)
Hackers see government networks as low-hanging fruit!
Beyond Outside Threats…
• Employees pose our greatest threat!
• A chain is only as strong as its weakest link:
  – Human error
  – Disgruntled employee
  – Careless employee
  – Uneducated employee
Members Hold a Lot of Valuable Information
• Employee PII & PHI
• Residents’ Banking & Mortgage Info
• Residents’ PII – Birth, Marriage, & Death Certificates
Other Cyber Risks Facing Members
• Hacktivism
• Destructive Malware
• Business Interruption
• Public Relations
Technology Risk Assessments
• Pivot Point Security (2016-2017)
• Online Survey
• Member Visits – Gap Assessments
• Individual Member Reports
• Executive Summary highlighting the most frequently cited technology-based exposures
What Did We Learn?
• 31% have an Information Security Contingency Plan in place
• 29% have an Incident Management Plan that includes the restoration of IT services
• 4.8 – How comprehensive is your Business Continuity / Disaster Recovery plan? (1 = not very comprehensive / 10 = very comprehensive)
• 100% of Personally Identifiable Information & Protected Health Information is stored in-house
• 83% outsource payroll
  – 88% Casa Payroll Services
  – 9% ADP
  – 3% Paychex
• 27% outsource benefits / 76% outsource IT / 73% outsource web design / 61% outsource email
• 22% require vendors to demonstrate adequate security of their computer systems
• 52% allow vendors to access their network (does not include Edmunds)
What Did We Learn?
• 76% do not have a contract in place with vendors who have access to personally identifiable information which requires the other party to defend and indemnify you from legal liabilities
• 0% provide employees, contractors and vendors formal Information Security Awareness training
• 5% encrypt sensitive information when communicating it (account #, SS #, medical information, credit card information, etc.)
• 46% periodically test their security controls
• 22% process credit card transactions
  – 55% filed their PCI SAQ (PCI Self-Assessment Questionnaire)
• 54% perform background checks as part of the hiring process
• 100% maintain good practice when storing sensitive information (file cabinets with locks)
Boiling It All Down: What Do the Members Really Need?
• Security Awareness Training & Ongoing Notifications
• Security Risk Policies & Training
• Incident Management Plans
• Phishing Assessments
• External Vulnerability Testing
• Third Party Risk Management Policies & Training
Taking these steps will eliminate 80% of our claims!
Where Do We Get These Services?
• Cyber Insurers – XL?
• The MEL?
• Outside governmental sources?
• Each member on their own?
• The JIF?
Cyber Insurers
• Have not traditionally played a pro-active role
• Training materials are not widely publicized
• What materials do exist are geared towards the private sector!
• While they may offer needed services and coverage, their clients don’t understand how to access it
XL – CyberRiskConnect.com
• Cyber Library / News Center
  – Trending articles related to cyber exposure
• Breach Response Services / Response Partners
  – Identifies the panel firms XL Catlin has pre-approved to assist post-breach, and recommends firms for pre-breach training
• Risk Manager Tools
  – Sample documents to use in everyday operations: policies on mobile computing or social networking; network & information security self-test and scorecard; breach notification law map & data breach cost calculator
• Learning Center
  – Educational articles and guides, such as “Forensics: Planning a Successful Investigation” and “Social Engineering Red Flags”
• Privacy Training
  – Short training videos on privacy & network security, such as cybersecurity awareness, risk assessments & data security
CyberRiskConnect.com
The MEL?
Government Sources
WWW.CYBER.NJ.GOV
The Individual Members?
• Lack of consistency:
  – Training
  – Policies
• Financial resources?
• Technical expertise?
Where Do We Go From Here?
Technology Risk Management Services RFP
• Services Sought:
  – Security Awareness Training
  – Security Awareness Notifications
  – Security Risk Policies & Training
  – Incident Management Plans
  – Phishing Assessments
  – External Vulnerability Testing
  – Third Party Risk Management Policies & Training
Technology Risk Management Services RFP
• RFP issued as a Competitive Contract under the LPCL with ACM and BURLCO JIFs
• Issued April 30, 2018
• Responses due May 24, 2018
• Three (3) Responses Received:
  – The Incendio Group
  – Media Pro
  – Pivot Point Security
• Sub-Committee reviewed & scored proposals on June 29, 2018
Technology Risk Management Services RFP
• Contract award recommendations:
  – Security Awareness Training – Media Pro: extensive library of online training; three-year price lock – $7,439 annually
  – All other Services – Pivot Point: Year One – $30,305; Years 2 & 3 – $12,037
Technology Risk Management Services
• Benefits:
  – Costs: short term – efficient & no impact on member budgets; long term – better cyber liability policy pricing
  – Consistency in & tracking of training
  – Consistency in policies & procedures
  – Consistency in technical services being provided
  – Compliance with the MEL Cyber Risk Management Program!
Don’t Forget! EPL/Cyber Risk Management Budget
• Funds can be used to offset cyber security related expenses
• Annual member allotment: $1,000 to $3,000 – based upon member size
• Available balances included in the monthly agenda packet
Edward J. Cooney, MBA: Conner Strong & Buckelew
• Vice President/Account Executive, Commercial Lines – Major Accounts
• MEL Underwriting Manager
• Negotiates MEL Reinsurance Program:
  – Property
  – Liability
  – Workers Compensation
• Markets and Places MEL Insurance Programs:
  – EPL/POL
  – Cyber
  – Aircraft – Drones
MEL Cyber Task Force
• Comprised of MEL Commissioners & Fund Professionals
  – Meets quarterly
  – Reviews recent cyber claims
  – Evaluates need for additional cyber related services, coverage and limits
  – Recommends additional training & policies as needed
  – Reviews & recommends changes to Cyber Risk Management Program
Technology Risk Management
Cyber Attacks Against NJ Local Government Are Increasing
Cyber Claims Activity
[Charts: cyber claims by event type and by department]
$71 per capita cost of a data breach for the Government Sector (2nd) – 2017 Ponemon Institute
53% of data breaches were caused by human error or system glitch – 2017 Ponemon Institute
Public Entity Cyber Trends
[Charts: Frequency of Email Malware; Malicious Email Themes; Phishing Rate; Cost of Malware]
Cyber Claims Activity (cont’d): MEL Claims Examples
• Social Engineering – A town treasurer received an email appearing to be from the town commissioner, requesting that a wire transfer be made to an address included in the email for a particular project in the town. Deception: 1) it looked like it was from the town commissioner because the email address was spoofed; and 2) it seemed to be for a sound purpose. $20,000 was sent to the fraudster.
• Ransomware – An administrative employee of a municipality clicked on a “spoofed” link in a fake email, downloading the ransomware to the infected device and to other devices it could spread to on the network. The municipality had daily backups, but the backups were performed on the same network, so the lost data could not be reconstructed. Breach counsel and forensics were engaged. Total loss in excess of $60,000.
• Malware – Malware was downloaded via a spoofed email onto a city employee’s workstation. Since the workstation was open to a shared server, including a shared drive, multiple workstations were affected. Breach counsel and forensics were engaged, determining that the personal information of nearly 900 individuals was compromised, triggering New Jersey notification regulations. The individuals were notified, and a call center and a credit monitoring account were set up for the affected individuals. Total loss in excess of $125,000.
• Breach / Ransomware – A network-connected printer (“IoT” device) had an “open port” to the internet. An intruder gained access to the town’s network via the open port and downloaded ransomware onto the network. Breach counsel and forensics were engaged. Total loss in excess of $40,000.
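The social-engineering claim above turned on two things: a From address that looked internal but was spoofed, and a plausible-sounding request to move money. The following Python script is an added example, not part of the TRICO JIF slides or any MEL program material; it shows a defender-side screen a mail gateway or treasury mailbox rule could apply before a wire request ever reaches a person. The domain name, the Authentication-Results values and both sample messages are constructed for the demonstration.

```python
# Added example (not from the TRICO JIF presentation): screen inbound email for
# the spoofed-sender + funds-request pattern seen in the social-engineering claim.
# OWN_DOMAIN and the two sample messages below are constructed placeholders.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the municipality's own mail domain (placeholder, not from the slides).
OWN_DOMAIN = "town.example.gov"

# Phrases that make a message a funds-movement request worth a second look.
PAYMENT_TERMS = ("wire transfer", "routing number", "account number",
                 "change our bank", "payment")


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header
    (RFC 8601 style: 'mx.example; spf=fail ...; dkim=none; dmarc=fail')."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header or "", re.I)}


def domain_of(addr: str) -> str:
    """Domain part of a display-name address such as 'Jane <jane@x.gov>'."""
    return parseaddr(addr or "")[1].rsplit("@", 1)[-1].lower()


def assess_message(raw: str) -> dict:
    """Return {'hold': bool, 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To"))) if msg.get("Reply-To") else from_domain
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = (part.get_content() if part else "").lower()

    reasons = []
    # Deception 1 in the claim: the From address *looked* internal. A message that
    # claims our own domain must carry a passing SPF or DKIM result to be trusted.
    if from_domain == OWN_DOMAIN and not (auth.get("spf") == "pass" or auth.get("dkim") == "pass"):
        reasons.append(f"claims {OWN_DOMAIN} but SPF/DKIM did not pass ({auth or 'no auth results'})")
    # A Reply-To on a different domain routes the conversation away from the
    # apparent sender, a common companion to a spoofed From.
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Deception 2: a sound-sounding purpose. We do not judge the purpose; we flag
    # any funds-movement request so it gets verified out of band.
    asks_for_money = any(term in body for term in PAYMENT_TERMS)
    if asks_for_money:
        reasons.append("requests a payment or wire transfer")
    # Hold only when a funds request coincides with a sender-trust problem. The
    # action is a phone call to a known number, not an automatic block.
    hold = asks_for_money and len(reasons) > 1
    return {"hold": hold, "reasons": reasons}


# Constructed sample: the claim's pattern, with a spoofed internal From address.
SPOOFED_WIRE_REQUEST = """\
Authentication-Results: mx.town.example.gov; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail
From: Town Commissioner <commissioner@town.example.gov>
Reply-To: commissioner.office@mail-example.net
To: treasurer@town.example.gov
Subject: Urgent wire transfer for the Main Street project

Please send the wire transfer of $20,000 today to the account below for the
Main Street project. Routing number and account number are attached.
"""

# Constructed sample: routine internal mail that authenticates and asks for nothing.
ROUTINE_INTERNAL_MAIL = """\
Authentication-Results: mx.town.example.gov; spf=pass smtp.mailfrom=town.example.gov; dkim=pass header.d=town.example.gov
From: Town Clerk <clerk@town.example.gov>
To: treasurer@town.example.gov
Subject: Agenda packet

The agenda packet for Thursday is on the shared drive.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_WIRE_REQUEST), ("routine", ROUTINE_INTERNAL_MAIL)):
        print(name, assess_message(raw))
```

The check deliberately stops at "hold for verification" rather than blocking: the control that actually prevents the loss is a call-back to the requester on a number already on file, which no header check replaces. SPF and DKIM results are only meaningful if the gateway that stamps the Authentication-Results header is the one the mailbox trusts; a message arriving with that header pre-set from outside should be treated as unauthenticated.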
Cyber Claim Engagement Letters
Technology Risk Management
Time to rethink Technology Investments and controls?
MEL Cyber Risk Management Program
Technology Risk Management
Three areas that all local governments must address:
• Technology Management
• Technical Competency
• Cyber Hygiene
MEL Cyber Risk Management Plan
Incentive
MEL Cyber Risk Management Plan
1. Distributed December 18, 2017
2. Tier 1 & 2 standards
3. Tier 1 compliance: $5,000 reimbursement of deductible
4. Tier 2 compliance: $7,500 reimbursement of deductible
MEL Cyber Risk Management Plan
Tier 1 Compliance Standards:
1. Meet minimum backup standards
2. Install software security patches
3. Use defensive software
4. Annual cyber hygiene training for employees
5. Management adopts basic cyber incident response plan
6. Management adopts Information Technology Practices Policy
MEL Cyber Risk Management Plan
Tier 2 Compliance Standards:
1. Server (physical) security
2. Server access & privilege controls
3. Staff or contractor to respond to security incidents
4. Adopt internet & email use policy
5. Encryption of files with PII & HII
6. Password Management Policy
7. Leadership has access to technology decision-making tools & professionals
MEL Cyber Risk Management Plan
How it works:
1. Members submit an initial compliance checklist
2. If a member has a claim, they can submit a reimbursement request for a portion of their deductible
3. Members will need to document compliance with the standard(s) to receive reimbursement
How Many Members Have Qualified?
[Chart: Members Qualified for Deductible Reimbursement – legend: Qualified / Not Qualified; values shown: 2 and 103]
MEL Cyber Risk Management Plan
Some final thoughts:
1. Get the assistance of an IT Professional!
2. The Plan contains detailed explanation of the standards, model policies, & checklists.
3. Standards will be updated from time to time to keep up with the evolving threats.
4. ACM, BURLCO, & TRICO JIFs provide their members with a “cyber budget” that can be used to offset compliance costs.
Questions?