
Why Do I Need Cyber Liability Insurance?

Cyber Liability Risks

Data Theft
Denial of Service
Extortion
CyberCrime
Electronic Theft
Network Damage

Organized Hacking
108 countries with dedicated cyber attack capabilities (FBI 2007)
Main source of revenue for Eastern Bloc gangs
Russian and Sicilian mafias actively recruiting hacking experts

Notable Trends in Cyber Crime
Motivation: Huge financial potential is making attackers more sophisticated
Methods: Attacks are becoming more targeted
Targets: The workstation (desktop or laptop) and the user are the easiest path into the network

Sources of Data Breaches

Potential Cyber Crime Scenario
During his lunch break, an employee opens an "Important Security Update" supposedly from your IT department.
The email contains malicious code designed to discreetly take control of the employee's desktop.
A remote attacker leverages the desktop to launch subsequent attacks on your backend network.
The attacker gains access to systems with increasing levels of security, eventually compromising a customer database.
Your CEO then receives an email containing the names, addresses and social security numbers of 5,000 of your customers.
The hacker will publish the email on an Internet bulletin board unless he is paid $250,000.

Don't Think That Can Happen?

AUGUST 22, 2000

SECURITY NET
By Alex Salkever

Cyber-Extortion: When Data Is Held Hostage

Here's an issue facing more and more e-businesses -- malicious hackers who demand a payoff to keep
their security breaches secret
Under most circumstances, a business decision involving $200,000 wouldn't be
important enough to require a personal appearance from the CEO of a $2 billion
corporation, let alone a special trip to London from New York. But media titan Michael
Bloomberg made such a trip Aug. 10. And he did it to prove that cyber-extortion will
not go unpunished at his company.
Bloomberg went to meet with two Kazakhs named Oleg Zezov, 27, and Igor Yarimaka,
37, who were allegedly demanding $200,000 in "consulting" fees. For this, they would
reveal how they had allegedly compromised the Byzantine Bloomberg computer
systems, an exploit the Kazakhs allegedly proved by e-mailing Bloomberg the
photograph from his own corporate ID badge.
With thousands of financial institutions and other customers trading billions of dollars
daily in stocks and bonds based on information from Bloomberg terminals, the threat
of a hacked system could have proven catastrophic for both the media company and
its Wall Street customers.

Another Likely Scenario

Jack's laptop computer is stolen when he leaves it unattended in an airline club at the Philadelphia Airport.
On the laptop are the names, account numbers, credit card numbers, social security numbers and birthdates of 2500 of Galway Bank's Gold Level customers.
The laptop thief is able to quickly sell the customer data to an organized group that makes large purchases over the internet.

Notification Expenses

44 states, the District of Columbia and Puerto Rico have enacted legislation requiring notification of security breaches involving personal information*

* National Conference of State Legislatures

What's the Notification Cost?
Notification Expenses average $13 per data record
Provided credit monitoring service for affected customers averages $24 per data record
Miscellaneous expenses average $22 per data record
= $59 per data record!

Any other costs?

Third-party damages for identity theft
Lawsuit defense costs
Reimbursement to credit card companies
Replacement of damaged network
Reward expense
Lost business revenue due to compromised network
Crisis management expense

Won't My Insurance Cover That?

Property and Crime Policies generally:
Respond only to loss of or damage to tangible property;
Exclude indirect or consequential loss

Liability Insurance Policies generally:
Respond only to loss from defined professional services or defined acts or offenses;
Exclude loss from violations of privacy

Cyber Insurance Policy Features

Covers liability for monetary damages sustained by a person arising from the actual or potential unauthorized access to that person's personal information. Includes mental anguish & emotional distress.
E-Business Income Loss
Cyber Extortion Expense
E-Vandalism Expense
Violation of Privacy Notification Expense
Covers unauthorized access by employees

Security is a Process
Identify information assets
Conduct periodic risk assessments to identify the specific vulnerabilities your company faces
Develop and implement a security program to manage and control the risks identified
Monitor and test the program to ensure that it is effective
Continually review and adjust the program in light of ongoing changes
Oversee third party service provider arrangements
Maintain training for all staff on Information Security

Christopher L. Strickland
Senior Risk Advisor
Larkin Insurance Group
World Headquarters:
310 West Front St., Traverse City, MI
Phone: 231.947.8800
Email: cstrickland@larkingrp.com
Blog: http://cyberinsurance.wordpress.com
