Managing Your Cyber/E&O Risk with Willis FINEX Robert Barberi, Vice President, Willis Cyber...
Managing Your Cyber/E&O Risk with Willis FINEX
Robert Barberi, Vice President, Willis Cyber Practice
Quantifying The Loss: Analytics
OLD: TOTAL COST = (# PEOPLE) × $363
NEW: ANALYTICS & LOSS MODELING
Quantifying The Loss: Estimated Breach Costs
Willis Estimated Data Breach Costs (based on number of affected individuals compromised)

| Healthcare records | 1,000 | 10,000 | 100,000 | 500,000 | 1,000,000 | 5,000,000 | 10,000,000 | 100,000,000 |
|---|---|---|---|---|---|---|---|---|
| BREACH EXPENSES | | | | | | | | |
| Breach Expenses (Forensics/Crisis) | $50,000 | $160,000 | $300,000 | $580,000 | $1,070,000 | $2,100,000 | $2,750,000 | $3,800,000 |
| Forensics Investigation | $30,000 | $100,000 | $200,000 | $400,000 | $750,000 | $1,500,000 | $1,750,000 | $2,000,000 |
| Data Breach Coach | $10,000 | $40,000 | $60,000 | $100,000 | $120,000 | $200,000 | $200,000 | $300,000 |
| Public Relations | $10,000 | $20,000 | $40,000 | $80,000 | $200,000 | $400,000 | $800,000 | $1,500,000 |
| Breach Expenses (Notice/Credit Monitoring) | $8,500 | $85,000 | $800,000 | $3,625,000 | $4,800,000 | $21,175,000 | $37,500,000 | $287,500,000 |
| Customer Notification | $2,000 | $15,000 | $150,000 | $625,000 | $1,000,000 | $5,000,000 | $9,000,000 | $50,000,000 |
| Call Center | $1,000 | $15,000 | $100,000 | $500,000 | $800,000 | $3,500,000 | $5,000,000 | $20,000,000 |
| Credit Monitoring | $4,500 | $45,000 | $450,000 | $2,250,000 | $2,500,000 | $11,875,000 | $22,500,000 | $212,500,000 |
| Identity Fraud Remediation | $1,000 | $10,000 | $100,000 | $250,000 | $500,000 | $800,000 | $1,000,000 | $5,000,000 |
| Breach Expense Total: | $58,500 | $245,000 | $1,100,000 | $4,205,000 | $5,870,000 | $23,275,000 | $40,250,000 | $291,300,000 |
| (Breach Expense Cost per record) | $58.50 | $24.50 | $11.00 | $8.41 | $5.87 | $4.66 | $4.03 | $2.91 |
| PRIVACY LIABILITY | | | | | | | | |
| Regulatory Defense/Fines | $150,000 | $500,000 | $1,250,000 | $2,000,000 | $3,000,000 | $7,500,000 | $15,000,000 | $40,000,000 |
| State Regulatory (AG) | $0 | $0 | $250,000 | $500,000 | $1,000,000 | $2,500,000 | $5,000,000 | $25,000,000 |
| Federal Regulatory (HHS) | $150,000 | $500,000 | $1,000,000 | $1,500,000 | $2,000,000 | $5,000,000 | $10,000,000 | $15,000,000 |
| Civil Liability | $25,000 | $100,000 | $500,000 | $2,000,000 | $2,500,000 | $10,000,000 | $20,000,000 | $75,000,000 |
| Legal Defense/Damages | $25,000 | $100,000 | $500,000 | $2,000,000 | $2,500,000 | $10,000,000 | $20,000,000 | $75,000,000 |
| Card Reissuance Liability | $0 | $0 | $0 | $0 | $0 | $0 | $0 | $0 |
| Privacy Liability Total: | $175,000 | $600,000 | $1,750,000 | $4,000,000 | $5,500,000 | $17,500,000 | $35,000,000 | $115,000,000 |
| Total Data Breach Cost: | $233,500 | $845,000 | $2,850,000 | $8,205,000 | $11,370,000 | $40,775,000 | $75,250,000 | $406,300,000 |
| Per Record Cost: | $233.50 | $84.50 | $28.50 | $16.41 | $11.37 | $8.16 | $7.53 | $4.06 |

Assumptions:
Credit Monitoring: $15 per individual (5-15% take-up rate)
Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)
Note: Healthcare Regulatory Fines can be significant ($1M) in small breaches (<1,000), which can drastically impact the calculations.
Version 5.5
Program Considerations
A range of limit, retention and privacy breach response cost sub-limit options are available.
All options have certain trade-offs, which must be identified and weighed.
· Third Party only
· First and Third Party
Costs coverage options:
· Full limits
· Per Person Coverage
· Notification coverage inside or outside the Policy Aggregate Limit
· Quota Share
When considering the types of coverage that are appropriate, the organization should consider the following:
· Internet & Network Business Interruption. What is the impact of an interruption on the organization's network or website service? What percentage of sales/customer offerings are being offered online or are network dependent?
· Loss of Data through an IT Security Event or Theft. What is the value of your data or programs? What would recovering your data cost your operations? What customer lists, customer preference information, supplier information, pricing information and other vital competitive information may be at risk of theft by a thief or hacker?
· Liability for loss or disclosure of confidential information. What confidential information does the organization hold and what is the potential loss if a class action were to be commenced? What would be the cost of notifying and providing credit monitoring for those customers? What are the costs of defending an investigation by regulators and how much might fines be if they are imposed?
· Liability for loss as a result of the acts of a third party. What activities are third-party vendors doing on your behalf? What important commercial or confidential data do they hold and what would be the loss or liability if it were to be corrupted or released?
· Media Exposure. What is your exposure to potential trademark infringement from domain name, slogan or advertising message, product names, etc.; copyright violations for content on websites, brochures or elsewhere; accusations of false advertising and unfair competition; infringement of trade secrets?
Program Considerations
Coverage Enhancements:
· Privacy Expense:
  · Outside of liability limits options
  · New express coverage (e.g., ID Theft Restoration Response)
  · Large (Full+) Limits
  · Coverage for breaches in the cloud
· Regulatory and/or PCI Fines/Penalties – larger limits available
· Excess “Drop Down” Limits
  · Excess carriers can drop down over all underlying sublimits
· 1st Party Coverage
  · Administrative Error Triggers
  · Lower BI Waiting Periods
  · Cloud Failure Coverage
Examples of Coverage Issues:
Breaches or Disruptions in the Cloud
Acts of Rogue Employees
Encryption Exclusions
Credit Monitoring Coverage
Terrorism
Limited 1st Party Coverage
Contact Information
ROBERT O. BARBERI, JR.
Vice President
WILLIS
617.351.7490

COLIN ZICK
Partner and Chair, Privacy & Data Security Practice
FOLEY HOAG LLP
617.832.1275

FRED HOWELL, MBA, MSISM, CISSP
Manager of Security and Privacy Consulting Services
RSM LLP
617.241.1520

STEVE SCHOENBERGER
Vice President
WILLIS
617.351.7550