Cyber/Information Security Insurance: A Montana Perspective

Presented by: Brett E. Dahl, Administrator/State Risk Manager
Risk Management & Tort Defense Division
Montana State Government
Despite more media and law enforcement attention, by 2011, 7.0% of U.S. households (about 8.6 million households) had at least one member age 12 or older experience identity theft victimization. See, Bureau of Justice Statistics – http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=2207

Large and sophisticated black market with shockingly low prices for personal information (supply > demand):
◦ Credit card information (name, billing address, card-number, CVV2 code, and expiration date) = $1.50 – $3.00 per file.
◦ Social security numbers = $1 – $6 per number, depending on availability of corresponding date of birth and/or mother's maiden name.
◦ Online banking log-in details = $50 – $1,000.
◦ SpyEye Trojan Kit (top on every aspiring hacker's holiday shopping list): $1,000 – $2,000.

See, RSA Anti-Fraud Command Center, RSA Online Fraud Report, August 2011: www.rsa.com/solutions/consumer_authentication/intelreport/11068_Online_Fraud_report_0810.pdf
Montana’s agencies are the custodians of personal information on an estimated 70% of the state’s citizens.

In Montana state government, there are an estimated 500 million attempted cyber/information security intrusions each month.
In 2010, Montana experienced a well-publicized breach. At that time, there was no insurance mechanism and no incident response program in place.

In 2011, Montana gained access to inexpensive cyber/information security insurance on a primary basis albeit with low limits.

Services provided by the insurance carrier(s) and vendors on a primary basis were comprehensive and cost-effective.

Effective July 1, 2013, Montana has an additional layer of commercial excess above primary which ‘follows form’ and provides seamless vendor services.
The state's commercial insurance policy provides coverage for:
◦ Data breach response costs including, but not limited to, forensic investigations, mail notification, and credit monitoring (one year)
◦ Fines/penalties assessed by regulatory authorities
◦ Revenue streams lost as a result of a breach
◦ Personal injuries and property damage incurred by outside parties for negligent acts or omissions of the state.

First party digital assets and many other risks are also covered.

Agency co-pay 20% to $100,000 then fully covered.

Prevention is key!
Examples of Cyber/Information Security Incidents

◦ Unencrypted desktop computers were stolen from a former state vendor’s place of business. The computers contained the names and social security numbers of seven individuals.
◦ An unencrypted hard drive was stolen from an employee’s personal vehicle. The hard drive contained the names and social security numbers of 11 individuals.
◦ The name and social security number of an individual were included in material distributed to approximately 1,200 citizens and small businesses during a seminar.
◦ Unencrypted content was displayed on a website. The website content contained the names and social security numbers of workers’ compensation beneficiaries and other employees.
◦ A hacker posing as a Microsoft official installed ‘man in the browser’ malware on a desktop in an attempt to discover passwords which could have allowed access to thousands of financial records.
◦ Electronic devices were stolen from an office. The devices contained names and social security numbers of individuals.
Loss Prevention Emphasis

◦ Strategic partnerships with the state’s chief information officer and chief information security officer.
◦ Monthly cyber/information security meetings involving the state risk manager, state chief information security officer, legal counsel, and the Director of Administration.
◦ Insurance premium discounts (2.5%) to those state agencies or universities who:
  1. Require all employees and managers to attend on-line cyber/information security training courses.
  2. Manage their mobile devices through the state’s secure mobile service.
  3. Manage their website content media through the state’s web secure service.
◦ Loss mitigation grants for the purchase of mobile device software and website media content software.
Brett E. Dahl, State Risk Manager
(406)444-3687
bdahl@mt.gov