RIMS Cyber Presentation
Forrest Pace Cyber & Strategic Risk Leader South Zone | AIG Property Casualty
[email protected]
Bio
Forrest Pace is the Cyber and Strategic Risk Leader for the South Zone, coordinating projects with innovation hubs in the territory. Since joining AIG in 2013, Forrest has held positions within Financial Lines as a leading cyber liability underwriter and then as the Regional Cyber Expert for the Southeast, where he specialized in robotics and the Internet of Things.
Outside of work, Forrest is the Director of Professional Development for the Atlanta chapter of Young Risk and serves on the executive board for The Pink Agenda, a non-profit breast cancer research organization, and the Metro Atlanta Chamber of Commerce IoT Leadership Council.
Forrest earned his B.B.A. in Risk Management and Insurance from the University of Mississippi.
How Can A Breach Occur?
Internally
Externally
• Employees/Vendors
• Individual Hackers/Organized Crime
• Stealing Information (Card Skimming)
• Stealing Information
• Lost Resources (Laptop, Smart Phone, Tablet, Paper Files)
• Sending Viruses/Malicious Code
• Disruption Of Business (Vandalism)
Key Underwriting Questions
• Who owns information security? What kind of assets are involved (people and tech)?
• What data does the applicant have, and where is it?
• Is the amount of data commensurate with the size of the insured?
• How does the applicant limit access to their data both internally and externally?
• How does the applicant know who they're letting in?
• How are they removing access from those who don't need it?
• How does the applicant get rid of data or move it to a 3rd party?
• How are they managing the removal of old data assets (e.g. Win XP servers)?
• What kind of IR/BC/DR planning and testing has the applicant done?
• Have there been prior breaches?
Emerging Threats
Increase in outsourcing data hosting
Cloud Computing and other Vendor Data Access:
• Increased Trend
• Increased Data Exposure
BYOD Programs:
• More mobile devices than ever
• Potentially weak security on devices
Regulatory Exposures
State level breach notice:
47 states (plus Puerto Rico, Washington D.C., and the Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
• Difficult process for the insured to manage
• Require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information
• Many require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies
• Notice content and timing requirements vary
• Some states allow a private right of action for violations
Regulatory Exposures
Federal regulations
• HITECH Act and HIPAA through OCR
• Federal Trade Commission
• Fair and Accurate Credit Transaction Act (FACTA)
• SEC
• COPPA
Industry standards
• Payment Card Industry Data Security Standard (PCI DSS)
Anatomy Of A Breach Response
Breach discovery
EXPERTS
• Breach counsel
• Forensics
• Public relations
INVESTIGATION – internal/forensic/criminal
• How did it happen?
• When did it happen?
• Is it still happening?
• Who did it happen to?
• What was accessed/acquired?
• Was it encrypted/protected?
DEADLINES
• Can be from 48 hours to “without unreasonable delay”
INQUIRIES
• State regulators (e.g. AG, PD)
• Federal regulators (e.g. OCR)
• Federal agencies (e.g. SEC, FTC)
• Consumer reporting agencies
NOTICE OBLIGATIONS
• State
• Federal
• Other (e.g. PCI, FDIC, Insurance Regulators)
NOTICE METHODS
• Written
• Electronic
• Substitute
• Media
LITIGATION
• Subrogation
• Class action
• Indemnification
Cyber Insurance Coverage
Security and privacy liability insurance:
• 3rd party legal liability section
• Defense & damages coverage for private or governmental regulatory actions
Event management insurance:
• 1st party coverage section for the insured’s costs in responding to a breach or potential breach
• Includes legal consultation, forensics, notifications, identity monitoring, PR, call center services, and other services to assist in managing/mitigating a cyber incident
Business interruption insurance:
• 1st party coverage section for the insured’s lost profits from a network outage
Cyber extortion insurance:
• 1st party coverage section for extortion demands against the insured around stolen data
Coverage Scenarios
System Failure/Network Interruption
• This is not limited to the insured’s network; it also includes the companies they depend on to conduct business.
Employee Data
• Not just data of the employees, but also of spouses and dependents covered under the benefits.
• Information provided by all applicants and former employees.
Interconnected Supply Chain
• Do supply chain providers have access to critical data? What happens if their credentials are stolen?
Intellectual Property of Others
• If manufacturing products for a third party, how is that intellectual property being safeguarded?
• What happens if competitors have access to such sensitive information?