Although the word “cyber” emerged only in the last century, its trinity of people, process, and technology is evident throughout history, offering our industry “deep-learning” insights into preparing for, proactively preventing, and navigating the nightmare of a data breach.
In the context of Masada’s historical analogy, I humbly submit what I gleaned from attending the CLM 2017 Annual Conference panel session “User’s Guide to Data Breach Handling.” Seated from left to right, panelists Nicholas Barone, Elissa Doroff, Cathleen Kelly Rebar, and Brian Robb shared broad, collective guidance drawn from their extensive backgrounds in computer forensics investigations; cyber and technology liability; and Errors and Omissions (E&O), Directors and Officers (D&O), product and premises liability. They voiced concerns and issued warnings on cross-disciplinary matters of corporate governance and professional liability in the cyber threat landscape, and they presented opportunities to contain exposure and secure coverage.
Nicholas Barone is a Director within EisnerAmper’s Consulting Services Group, based in New York. A recognized computer forensics expert, Nicholas has managed hundreds of incident response, computer forensic, and PHI-, PII- and PCI-related investigations in the US and globally. His work, in both law enforcement and private industry roles, has been reported in national media, periodicals and respected Internet blogs, including the New York Times, The Wall Street Journal, Newsweek and Krebs on Security. Nicholas uses his hacking expertise and legacy systems knowledge to perform data breach discovery and investigation as well as IT vulnerability, risk and compromise assessments. As a former PCI QSA, he has also worked with a number of America’s Fortune 500 companies across a range of industries on risk identification and remediation, IT audit and penetration testing assignments.
Elissa Doroff is a Vice President and Product Manager for XL Catlin’s Cyber & Technology Underwriting team. In this role, she directs and manages XL Catlin’s risk management services designed to minimize the frequency and severity of data breaches. She has over a decade of cyber and technology insurance expertise, having worked as claims counsel at AIG and, most recently, as a broker of cyber insurance at Marsh and McLennan Companies. Throughout her tenure in the industry, she has counseled public and private clients on their risks and insurance needs in the areas of media, technology, privacy and cyber. She has considerable experience presenting these topics on panels and at seminars for clients and industry associations, and she has published many industry-related articles.
Cathleen Kelly Rebar is a partner and shareholder at SBRS. She has been advising and counseling clients in complex litigation matters for over a decade. She defends clients in claims pertaining to professional liability and errors and omissions, products liability, toxic tort, premises liability, security, health care, social services and employment practices. She represents leading insurance companies and their insureds in multi-faceted matters involving violations of professional standards of care. Cathleen’s representation extends to design professionals, architects, engineers, contractors, surveyors, appraisers, environmental consultants, agents, brokers, service providers, medical professionals, business professionals, food manufacturers and distributors, and property owners.
Brian Robb is a Claims Director in CNA’s Specialty Claim, Management Liability, Financial Institutions and Technology unit, where he is responsible for, among other things, management of Technology E&O, Media, Privacy/Cyber and Fidelity claims. Five attorneys report directly to him, and he works closely with CNA’s underwriting partners. Brian joined CNA and the Specialty Claim unit in 2010 and has worked exclusively on large-account professional liability E&O and Privacy/Cyber claims during his tenure. Before joining CNA, Brian was in private practice in New York, focusing on professional liability defense litigation. He received his law degree from Brooklyn Law School in 2005 and his undergraduate degree from The University of North Carolina at Chapel Hill in 2001, and was scheduled to graduate with an MBA from the Zicklin School of Business at Baruch College, City University of New York, in December 2014.
Journey with me, briefly, to Masada, near the Dead Sea. Once a well-fortified, cliff-top fortress, her design is attributed to the Judean king Herod. Archaeologically, the plateau bulwark consisted of an enclosure promising safety and provision for her refugees. Ideally situated, Masada was believed to be impenetrable, offering 360° views of the desert landscape from palace balconies, multiple buildings and numerous towers. Her infrastructure included such necessities as self-filling water cisterns and storehouses for food and weapons: she was engineered, deliberately, to sustain life should she ever fall under siege.
The Roman army, as we know, was no inconsequential adversary. Over several months, Roman soldiers besieged Masada, employing the tools of their notorious warfare technology, and eventually breached the Sicarii rebel stronghold. Their strategy, conspicuously, centered on penetrating her walls by erecting an assault ramp on her western slope. The remains of eight Roman camps, linked by a siege wall, show how the besiegers also sealed off the plateau to prevent the Sicarii refugees from escaping. Employing sophisticated artillery, the Romans covered their advance by firing stone ballista projectiles from catapults mounted on an ironclad siege tower. The tower, fitted with a battering ram and set on wheels, was then moved into position at the summit of the ramp, enabling Roman soldiers to efficiently breach Masada’s “impenetrable” walls.
When a business is under cyber siege, it is a bit late to educate people, tweak the internal process blueprint, or re-engineer the technology infrastructure. And as the extinguished voices within Masada’s walls would tell you, if given the opportunity: preparedness is EVERYTHING! Just as there is no “tomorrow” in sales, there is NO promise of security in the personal or corporate cybersphere! Every day, your intellectual property (IP), corporate assets and treasury, brand and trademarks are Masada under siege!
Don’t believe me? That’s okay! I buried ego long ago, vowing to devote myself to the service of our insurance industry. But I strongly urge you to heed the panel experts’ WARNINGS: 1) the best defense is InfoSec preparedness; 2) ignorance is a preposterously invalid excuse; and 3) cyber risk identification and remediation experts are standing by to help businesses, large or small, detect and defend against the daily onslaught of nefarious cyber activity. At the epicenter of our corporate governance, we must immediately set aside willful ignorance and the emotional malaise of apathy, and signal to our customers, vendors and employees that we operate on a business model that holds cyber security at its forefront. With 2017 and 2018 data protection regulations going live, requiring higher standards of breach reporting and in-depth post-incident investigations, and with every incident amplified by brand-damaging headlines, a well-meaning intention to start protecting corporate and consumer data “tomorrow” will indubitably prove too little, too late.
Now, if the threat landscape is as described, and we have learned that our businesses are under siege, where should we start? The IAPP (International Association of Privacy Professionals) advises that pre-breach work done by a business can mitigate the overall effects of a breach: https://iapp.org/resources/article/security-breach-response-plan-toolkit/. A tabletop exercise, kicking off the underwriting process for cyber insurance, leads to better corporate awareness and protection against data loss and illicit exposure of personally identifiable information (PII). Furthermore, cyber coverage can, subject to its terms, absorb many of the expenses that arise from a breach, such as computer forensic investigation, breach notification and response, and the loss or destruction of data.
Assessing Attack Vectors in the Cyber Trinity
- What is social engineering? Who is likely to be targeted as the weakest link? (Human error accounts for the largest percentage of cyber claims.)
- How often is privacy awareness and InfoSec employee training offered and refreshed?
- Did key players show up and actively participate in the tabletop exercise? (A preparedness test that reveals threats and opportunities.)
- Do you have access to the raw data captured by your pen testers in their routine testing? (Pen testers are the team responsible for exposing vulnerabilities; do not confuse them with the team that monitors traffic for suspicious patterns.)
- Have you vetted and selected a breach coach and forensic response team? (If and when a breach happens, be transparent: burying details from your own investigators will harm you, not them.)
- How well do you understand third-party vendor liability? (Following a breach, you may be required to litigate against your vendors, especially if an attacker exploited their vulnerabilities to pivot into your network.)
- Have you established attorney-client privilege and negotiated a fee arrangement? (Post-breach, when stakeholders are looking at you and asking what you are going to do, pick up the phone and dial your cyber coverage attorney.)
- What constitutes “standard of care”?
- How is an incident distinguished from a breach? (Not every security incident is a reportable breach; the distinction usually turns on whether protected data was actually acquired.)
- Has there been an acquisition of data? (If regulatory notification is required for consumers in one state, notify consumers in all states uniformly.)
- Which regulatory obligations apply to the compromised data, especially IP, HIPAA-covered health information, payment card data or other personal information?
- What protections does your cyber crime coverage policy afford? (It may even cover ransomware extortion payments.)
- In a breach, what is the role of the ISPs (Internet Service Providers) and hosting providers?
  - Microsoft and Google do not voluntarily release details of traffic handled on their servers,
  - Smaller hosting providers are even more reluctant to disclose,
  - In a denial of service attack, the ISP’s remedy may simply be to “pull the plug,” null-routing the targeted address and taking you offline along with the attack.
- Has “ID compromise fatigue” set in? Warning signs include:
  - Low levels of, or no, encryption,
  - Poor password control guidance,
  - Irregular penetration and vulnerability testing,
  - No intrusion detection deployed,
  - Inconsistent log review for system abnormalities.
- How recently have you tested your:
  - Incident Response Plan (IRP)?
  - Business Continuity Plan (BCP)? (If you are securing business interruption coverage, the insurer is likely to require the BCP to be tested semi-annually.)
- Are any of these easily lost or frequently stolen items, which may hold poorly encrypted sensitive data, under-represented in your data protection and network security privacy policies?
  - Smartphones (Does your mobile device policy govern smartphones connecting to the network or to workstations over USB?)
  - USB drives,
  - IoT (Internet of Things) devices,
  - Desktop computers,
  - Office phones,
  - Card readers.
- Have you emphasized, at every level of the organization, the need for disciplined use of VPNs (Virtual Private Networks) when connecting from outside the office?
- Have you pre-established a Bitcoin wallet in the event attackers use Ransomware-as-a-Service to hold your data or systems hostage until you pay their extortion fee? (Paying is no guarantee of recovery; tested, offline backups remain the primary defense.)
Resources extracted from Session Handout
In “Defending a New Domain: The Pentagon’s Cyberstrategy,” U.S. Deputy Defense Secretary William J. Lynn III describes how U.S. defense networks were compromised in 2008: https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain.
Post-Breach Due Diligence:
- Experian offers 10 critical steps to take in the first 24 hours following a breach.
- FTC guidance on fixing the underlying root cause(s) of a breach and employing forensics to establish the “what, how and who.”
- PCI Security Standards Council guidance on judging whether network segmentation and encryption succeeded in containing a breach.
- Harvard Business Review guidance on responding to a data breach with a communication plan.
Legal Notification Requirements, Fines and Penalties:
- Breached businesses are likely subject to multi-state and federal regulatory actions, each creating the opportunity for additional investigations and hefty fines and penalties for non-compliance. Class action litigation asserting federal or state statutory violations likely follows, alongside common law claims of negligence, fraud or breach of contract.
- Law enforcement notification may range from contacting the local police department to the FBI, the U.S. Secret Service and, in cases of mail theft, the U.S. Postal Inspection Service.
- If electronic health information held by a vendor of personal health records or a similar entity not covered by HIPAA was breached, the FTC’s Health Breach Notification Rule applies.
- The HIPAA Breach Notification Rule may apply, requiring notification to affected individuals, the Secretary of the U.S. Department of Health and Human Services (HHS) and, in some cases, the media.
- FTC guidance for notifying affected businesses.
- Guidance for notifying individuals whose personal information has been compromised in a breach.