Cybersecurity Roundtable Cincinnati Business Courier 11/4/2016


CYBERSECURITY ROUNDTABLE
PROTECTING YOUR BUSINESS FROM CYBER CRIME

The Cincinnati Business Courier recently hosted a roundtable discussion on cybersecurity, asking a panel of experts how business leaders can protect their businesses from cyberattacks and cybercrime.

PANELISTS

Joseph M. Callow, Jr. – Partner, Keating Muething & Klekamp PLL

Joe is the co-chair and founder of KMK Law’s Cybersecurity and Privacy Team, an interdisciplinary group of attorneys focused on helping clients manage risk, develop and implement data protection and cybersecurity response plans, coordinate cybersecurity response actions, and defend litigation if needed. Joe advises clients on cybersecurity planning and manages incident responses. He and the team frequently speak and blog on cybersecurity issues.

Joe is a Litigation Partner at KMK and practices primarily in commercial litigation with a focus on class action and False Claims Act litigation on a national, regional, and local basis.

Joe also was involved in establishing the KMK E-Discovery & Litigation Support Group, which helps clients develop information governance policies and creates proactive, defensible, and cost-effective end-to-end E-Discovery solutions for litigation and regulatory investigations. Recognized by Chambers USA and The Best Lawyers in America® as a leading attorney in his field, Joe earned his J.D. from the University of Cincinnati College of Law in 1993 and his B.A. degree from Miami University in 1990. He has practiced at KMK since he graduated from UC Law.

Chris Hart – First Vice President, Operational Risk Director, First Financial Bank

Chris Hart is the Operational Risk Director and Customer Information Security Officer for First Financial Bank. His responsibilities include business continuity planning, incident and crisis management programs, operational loss reporting and customer information security. Chris collaborates with the Bank’s business units to monitor controls, avoid losses, and increase returns through sound operational processes commensurate with the risk appetite of the company.

Chris regularly presents on topics including Identity Theft, Corporate Fraud, and Protecting Your Business to clients, businesses, and centers of influence. These opportunities allow First Financial to share best practices for safeguarding sensitive information and protecting assets from would-be fraudsters, hackers, and thieves.

A Cincinnati native, Chris has more than 30 years of IT and Risk Management experience working for numerous Fortune 100 companies domestically and overseas, including Petroleum Information – an A.C. Nielsen Co., Mobil Oil Indonesia and British Petroleum.

Zach Scheublein – Vice President, Aon Risk Solutions

Zach is a member of the Financial Services Group in New York City. Zach works on the Professional Risk Solutions Team providing client advisory, coverage analysis, risk assessment and insurance placement advice with a focus on cyber, technology, media and errors & omissions insurance. Zach provides advisory and placement services, while identifying and analyzing client exposures to develop solutions suited to fit Aon’s clients’ needs. He routinely conducts extensive policy reviews while lending his technical expertise to assist clients in better understanding risks and exposures. His role includes researching and developing submissions, establishing coverage specifications necessary for program design, and working with clients to develop client-specific renewal strategies. Zach has 10 years of experience as a broker in the Professional Liability space. During this time, Zach has held various positions with insurance brokers in New York. Before joining Aon, Zach most recently was an equity partner at Privacy Professionals LLC, specializing in cyber insurance placement, advisory and privacy risk management services. Prior to Privacy Professionals, Zach worked at Crystal & Company in New York, where he specialized in Professional Liability and Cyber Liability risks.

QUESTION: Tell us who you are, where you work, what your title is and what you do every day.

CHRIS HART: My name is Chris Hart, first vice president and Operational Risk Director for First Financial Bank. On a daily basis, my team and I focus on business activities and controls to mitigate the risk of loss due to failures of people, processes, systems, and external events. We manage the company’s business continuity plan, pandemic preparedness plan, incident/crisis management plans, insurance program, and operational loss reporting. I also serve as Customer Information Security Officer for First Financial.

JOE CALLOW: I’m Joe Callow. I am a partner with Keating Muething & Klekamp PLL. Primarily, I handle business litigation. I’m also the co-chair of our Cybersecurity and Data Privacy Group, which is a cross-disciplinary team of people in corporate, insurance, and litigation, as well as other attorneys who have dealt with and have an interest in cybersecurity issues.

ZACH SCHEUBLEIN: I’m Zach Scheublein. I serve as a vice president at Aon Risk Solutions. I specialize in risk-transfer placements on behalf of my clients in various industry sectors, including health care, retail and manufacturing, essentially all industry verticals that are looking to transfer their cyber-risk to insurance carriers, and I’m responsible for placing and renewing those programs.

QUESTION: Let’s start by defining several terms. Cybersecurity is one of those things, at least from an outsider’s point of view, that disappears as a fear-point until something happens. Then, it’s like somebody punched a big giant red button and I freak out. First, what exactly is cybersecurity? What’s your elevator speech?

CALLOW: Cybersecurity is the protection of data in the 21st Century. Companies and individuals have accumulated vast amounts of information and data, and now can store that data for long periods of time on servers, the cloud, laptops and cell phones. As a business, you have a responsibility to maintain and protect that data. It is a combination of understanding what data you have, knowing where your data is stored, and more importantly, to have a plan to protect and monitor and to make decisions based on good governance associated with it.

SCHEUBLEIN: I agree. I will take it a step further by defining cybersecurity beyond data to the integrity and availability of computer systems and networks. As hacking evolves, it’s not just hackers trying to get into the system for financial gain, which entails them going into a system, penetrating the system, and extracting personal identifiable information. That’s been rampant for the last three to five years. But, what we are seeing is a shift in the types of attacks, where it’s now hacking for destructive purposes, or disruptive purposes, including hacktivism and cyber-terrorism, where the primary focus is not necessarily to steal data, but to shut a company down and its ability to operate.

HART: I totally agree with both of those viewpoints. Cybersecurity is about protecting the confidentiality, integrity, and availability of information and systems. In addition to identifying your most valuable information assets and protecting these resources, cybersecurity must cover the functions to detect, respond, and recover from a cyber event.

QUESTION: Joe, you touched on this, but can you talk about the need for a company to have a cybersecurity plan? Can each of you walk us through what that would entail? How different will that be within various industries? This is a general question, but what does that plan look like? Where do you start?

SCHEUBLEIN: Start by doing a cyber-risk assessment. Identify where the crown jewels are stored. It varies per industry. There will be certain companies within industry sectors where they don’t have a lot of personal identifiable information or consumer information. Instead, they have a lot of corporate confidential information, such as law firms. It could be intellectual property, where they store their own proprietary intellectual property, or third-party intellectual property. We’re seeing a lot of hacking with respect to the theft of that type of information for competitive purposes. It could be where their primary risk is business interruption, and the availability of the systems and their networks, so it does vary by industry sector. The first step is to execute a cyber-risk assessment to identify what the critical digital assets are for the company, and where they are stored. It could be within their own network; it could be with third parties that store the information on their behalf. Once you identify where your digital assets are stored, then you can proceed with identifying and implementing appropriate protections in place around network security controls, policies and procedures, third-party vendor due diligence with respect to audits, contracts, or risk assessments for those third parties that are in the care, custody or control of that information. That will show you the map of where your risks lie, and allow you to put together a plan that will properly address it. This should be done on an on-going basis, every year. It’s not just a one-time assessment.

CALLOW: If you are new to this, the first thing to do is to create a data map with both active data and old data. A lot of companies know they have active emails, purchase orders, invoices and documents like these. But, many companies have old data and old systems, such as servers they don’t use. All that data may not be useful to your business, but it could be useful to a hacker, or to someone who is trying to invade your system. So, part of a data map is to figure out what data you have, the data you need, and whether there is data that you can get rid of or destroy, because it’s not active and useful for your business. This is all part of the cyber-risk assessment. It starts with what (data) do I care about and what data do I not care about. Then, we can figure out the different levels of protection for all the different types of data.

HART: Knowing what data you have, what data you need, and who has access to it is the first step. An effective vendor management program is a must, particularly as companies move to outsource services and systems to third-party relationships. Equally important is managing the people within your company who have access to proprietary, critical, or sensitive data. Most financial institutions utilize the “principle of least privilege” – where employees only have access to the information they need to do their jobs. A cybersecurity plan should include pre-incident planning/training, detection and notification processes, containment strategies, eradication and recovery processes, and post-mortem analysis. If you don’t have a plan, start by identifying your incident response team and define the types of incidents this group will centrally manage.

QUESTION: Let’s take a step back. In your experience working with companies big or small, how prepared are most companies? Are they up-to-speed on cybersecurity and the various aspects we’re talking about? When we’re talking about building a network map, or developing a plan, what kind of stories are you hearing from businesses out in the workplace? Have you heard any horrifying hacking stories? Or does everyone understand this is a problem?

CALLOW: It varies across the board. There are companies that are proactive, those that aren’t, and a lot of companies in between. The interesting thing about cybersecurity is when you look at studies and surveys, cybersecurity and data protection is a top concern of company boards, C-Suite individuals, IT personnel, and everyday employees – everyone recognizes the need to care for and protect corporate data. At the same time, it’s just as vital for shareholders when they look at companies, for the government, for state AGs and for the customers who wonder whether or not the company is protecting their personal data. Cybersecurity has both external and internal forces driving it to be an important issue for companies. It boils down to resources, time and getting the right people together to make it work. Different companies are at different stages of the process right now.

SCHEUBLEIN: I’ve certainly seen a shift. For the most part, especially for larger organizations with a couple billion-plus in annual turnover. I have an interesting perspective, because I get to go through this process with my clients and walk them through it. Some of the shift is driven by the underwriting community, because the underwriting of this product, and we will get to this later, has changed over the past few years given what happened in 2014 and 2015 in the healthcare and retail industry sectors. There is more of a concerted effort from organizations across various industry sectors, again primarily larger organizations, where they are doing their due diligence, and appropriating a lot of resources and budget dollars toward their cybersecurity initiatives. Up until about 2013, I don’t think this was a primary focus within a lot of C-Suites. That has changed, but there’s still a long way to go. Especially, when you get into small or mid-market businesses that probably don’t have the same resources as larger corporations do, so it’s more challenging. Yet, they have the same risk profiles as larger organizations. No entity is immune to these attacks.

HART: I agree with Zach. What I see is that small and medium-sized businesses are lacking the technical resources to understand their cyber risks and fail to perform a proper risk assessment to know where gaps exist. The other thing I see, with the exception of larger enterprises, is the lack of an incident plan which addresses the workflow and processes for managing a cyber incident.

SCHEUBLEIN: In my opinion, that’s probably one of the most important things any organization can do: have a response plan. It’s been said so many times, and it’s not a matter of “if” but “when.” It’s very true. This is an enterprise planning issue. It’s the C-Suite that develops the plan in accordance with different parts of an enterprise. It’s not just an IT issue, it’s HR, legal, compliance and even public relations. Everyone should be on the same page, even your frontline employees. All employees should be trained on what to do when they suspect there is an incident, because if you are trying to manage these breaches, especially when you get into a breach that involves personal identifiable information where there are statutory notification requirements, and you’re not prepared, it’s essentially like a chicken running around with its head cut off. What will happen is you will end up throwing unnecessary dollars towards trying to manage the response process, instead of having a plan in place upfront, where everybody’s trained, and it’s table-topped throughout the year, so when an incident does occur, you’re prepared.

HART: Do insurance carriers give clients price breaks for having an incident response plan, and do you request these plans from your clients?

SCHEUBLEIN: I’m not an underwriter, I’m a broker, so I’m essentially in between. But, yes, as I prepare my clients for these types of meetings where underwriters come in and evaluate their cyber-risk profile, one of the things we do highlight is the importance of an incident response plan. Overall, we prepare and train clients for the entire underwriting process from start to finish – from cyber governance all the way through to every possible vertical of incident response planning, as underwriters are going to look at incident response planning, along with business continuity and disaster recovery planning. Cyber should be a part of all of those plans now.

HART: First Financial Bank’s incident response plan supports a crisis management escalation process for the quick assembly of key personnel from across the organization in the event of a cyber-attack or other impactful event. Since a crisis can take many forms, this allows for major incidents to be fully managed through resolution and ensures clients, associates, senior management and other stakeholders are kept fully informed.

they have and what kind of risk mitigation tools you have.

QUESTION: Joe in your experience, does a company have to be hit before they wake up and realize they have to have their ducks in a row, or are you able to go in, and explain the risks and get them moving forward without something bad happening?

HART: Corporate account takeover occurs when cyber thieves gain control of a business’ bank account by stealing the business’ valid online banking credentials and attempt to transfer money out of the account. Sometimes the machine used to login to online banking is compromised; sometimes it’s the account credentials themselves that are compromised. To protect against corporate account takeover, we encourage businesses to use a dedicated machine for online banking – no e-mail, no web surfing; employ multi-factor authentication; and use a distinct, complex password – and don’t share it with anyone. Your financial institution may have other mandatory and discretionary controls. Have a conversation with your bank to discuss what controls are available and proactively use them.

CALLOW: When you read the paper, and there’s a cyber incident every week, more and more companies are in tune to that. They are trying to get proactive teams in place to manage risks and to be prepared in the event of a cyber-attack. Generally, the first question to ask the IT manager is, “Are we protected?” Then, the IT person probably shrugs his or her head and the conversation starts from there, which is a helpful start. More and more companies are recognizing this is an issue and they are trying to get the right people and procedures in place. You need IT, risk management, and C-Suite involvement, and a number of different individuals representing different interests within the company to get together and deal with this proactively to develop an incident response team and a plan. QUESTION: Let’s talk about specifics that are most concerning to companies right now. There are some terms I don’t know a lot about, but I’d like you to talk about some of these – corporate account takeovers, ransomware, business email compromise and skimming. Are these the top risks right now? CALLOW: I would say ransomware is probably the top concern that is getting the most press. It’s a favorite when it comes to hackers and cybersecurity issues right now. As we mentioned earlier, ransomware is not going in and taking personal, identifiable information, it’s sending in a virus to shut your system down. Whereas, if it gets into your system and shuts it down, you may have to pay to restart your business. It can be damaging. It can take days to restore your system. It can also be difficult because you become the potential victim of a second and third attack. When you get hit by a ransomware virus, you are sending people home, and you are losing

HART: With ransomware, it’s case by case for sure. It’s also pay at your own risk. There’s no guarantee you will get your data back. QUESTION: What is a corporate account takeover? What does that mean?


“When we think about cybersecurity, we often think about systems, technology, or hacking, but a lot of this starts with an employee.” – Joe Callow, Keating Muething & Klekamp PLL productivity and access to your data. It can be a major event. If you’re not prepared, or if you haven’t talked about how to deal like an event like this, you will lose productivity, more than just dealing with it in the first instance. It can be a real challenge for a company that’s not prepared. SCHEUBLEIN: Yes, ransomware is a top concern. We saw a real-life example with Hollywood Hospital a few months ago. Essentially, the malware encrypted them out of their entire network for more than a week. Interestingly, the demand amount was about 17,000-bitcoin, which when you translate that to dollars, it’s not a lot of money, (about $10,625 US) but the ancillary impact to the business was significant, because they were impacted for a significant amount of time. In these type of attacks, organizations will incur extra expenses including third-party forensics experts to investigate the source of the ransomware attack, and hire specialists to negotiate demands in terms of the ransom amount. I’ve heard clients say, “I have insurance for cyber extortion,” but the demand amount was so low, it wouldn’t even breach the deductible/retention on the policy. But, what’s not talked about enough are all of the significant behind the scenes issues – it is a business interruption issue, it’s a business continuity issue, because they are going to incur so many extra expenses as a result of this. Plus, there’s the potential for income loss, because an organization was not able to operate at full capacity for a significant period of time. Ransomware is rampant. It’s

so easy to launch these attacks into corporate environments, and it only takes one employee to click on a malicious link and then the malware is in the system. It’s the way they start and scale an attack. They can take over a couple of desktops or they can encrypt the entire organization out of their own network. QUESTION: When it comes to a ransom, the United States doesn’t negotiate. Do you recommend that companies negotiate? SCHEUBLEIN: It’s tough, it’s a case by case basis. Joe brought up the point that if you do pay, they come back. Studies have shown they don’t come back. You should weigh the risks, and there’s a lot you can do to mitigate the impact of a ransomware attack. For example, if you are backing up your systems constantly, where the data they are saying that they have, or that they’ll release, is data you have backed up, you may make the decision to not pay the ransomware demand. But, it also depends on the type of data. If hackers allege that they have stolen your “secret sauce” or your proprietary intellectual property, and if that got out into the public, what the potential impact could be to the business, then you may make the election to pay the ransomware demand. Especially, if it’s only a few thousand bitcoins as the risk of having your secret sauce or your competitive edge and trade secrets in the general marketplace could have a significant impact on your business. At the end of the day it really depends on the type of attack, what kind of data

QUESTION: Zach, is this business email compromise? SCHEUBLEIN: I would say it’s social engineering, which is rampant right now. It is the easiest way for hackers to get into whoever they are trying to target. It’s email spoofing. A hacker will try to come up with a fake email address that mirrors the CEO or CFO’s email address. Their primary motive is to send an email to an employee in the internal accounting department from what appears to be the CEO or CFO so the person receiving the email thinks it a legitimate email requiring them to wire money, and now the company has potentially lost millions of dollars sending funds to a fraudulent account. These cyber-attacks can be used as a mechanism to steal money, or to gain access into the network. CALLOW: When we think about cybersecurity, we often think about systems, technology, or hacking, but a lot of this starts with an employee, a secretary or an assistant who may not be paying attention to an email. He or she may think they received an email from a corporate executive asking for an Excel spreadsheet. Then, he or she sends the Excel spreadsheet and realizes shortly thereafter that they sent DISCUSSION, CONTINUED ON PAGE 6B



CYBERSECURITY ROUNDTABLE done a better job at cybersecurity than other industries because they have to– we’re a naturally attractive target for cyber criminals.


the info to an outside, faulty account. Much of being prepared comes down to training employees, looking at emails and understanding what emails should look like, and not opening attachments that don’t look right. So, some of the pro-active training could be seminars that address these kinds of issues, such as recognizing improper emails, discussing password policies, or reminding people of the proper use and storage of data on laptops and cell phones. There’s a lot of general information about this topic, where we can do a better job of preparing employees, and executives to better handle data. HART: Companies need to do a better job protecting the data entrusted to them. I think it is important for any business dealing with confidential or sensitive information to ensure access to the data is limited and protected via encryption. Also, enforce password protection on all mobile devices, whether corporate or personal, if they serve a business purpose. Businesses can no longer forego properly securing this equipment because they lack the technical resources. QUESTION: What do you say about that? How can you safeguard every single employee? SCHEUBLEIN: I don’t think you can completely protect yourself against the human negligence factor, but you can take steps to train your employees, especially in the realm of social engineering. There are specialist training organizations out there in social engineering and spearfishing training. There are ways you can measure the quality, effectiveness and impact of the training over time. When you start rolling it out within an organization, you might see a click rate of around 60 to 70 percent. Through constant training, you can get the click rates down to 10 to 15 percent, which is a very good click rate range to be in, considering where you started from. 
While you can’t completely shield yourself from the human negligence factor, or even the human fraudulent perspective, there are proactive ways to address it, in terms of training your employees against these kinds of attacks. CALLOW: I don’t ever think you are going to eliminate the risk, but you can minimize the risk and minimize the potential damage. There are simple things you can do such as ask the question, “Do all employees need access to all the data?” “Do you separate servers so

QUESTION: I do most of my banking online. Is there something I should be doing to protect myself that maybe I don’t know about? Isn’t a great password all I need?


“An attacker doesn’t want to spend a lot of time trying to hack into a company when there’s an easier target.” – Chris Hart, First Financial Bank that different types of data are on different servers?” “Do we have back up data available in the event our servers are compromised?” There are steps a company can take in advance of a cyber event to minimize risk, and minimalize the damage that can be caused.

ic device that criminals place over the regular card slot to capture debit/ATM card numbers then they use a hidden camera to swipe the corresponding card PINs. The devices are made to look like part of the machine and very difficult to detect.

HART: Banks often talk about layered security controls. Layered security is characterized by the use of different controls so that a weakness in one control is generally compensated for by the strength of a different control. Security awareness and training employees on how to avoid clicking on a phishing email is a good example – it’s a good control. Other controls like keeping system software updated, using good password management, and employing anti-virus and anti-malware software are also effective mitigating controls that a business should consider.

QUESTION: Why don’t we transition from companies to people. Let’s talk about what I should do if I feel like my card or information has been compromised? I know if I see an unauthorized charge, I can call my bank. But what if I feel like my identity has been compromised? What’s the first step?

HART: If you feel your identity has been compromised, call your bank immediately so they can implement the appropriate controls to protect you and your financial assets. Businesses and consumers have different regulations that allow them to recoup losses. Consumers are not liable for unauthorized activity on their account as long as they report losses to the bank in a timely manner. Next, go to the Federal Trade Commission website, www.ftc.gov, to report identity theft and to create a personal recovery plan.

QUESTION: Banks must be pouring a lot of resources into this. What do you see happening?

HART: Banks collectively spend hundreds of millions of dollars on people, processes, and technology to prevent cybercrime. Financial institutions, by the nature of the information they hold and the financial assets they are responsible to maintain, have probably

QUESTION: What is skimming?

HART: Skimming is an illegal activity that involves the installation of a device, usually undetectable, that records the bank account data on the magnetic strip of your credit or debit card when you insert it into a merchant point-of-sale or ATM machine. We see skimmers mostly at pay-at-the-pump installations because few, if any, gas station pumps are outfitted with chip card readers at this time.

QUESTION: Are you talking about something that would be on the card itself, or would it be on the machine?

HART: The skimmer is an electron-

HART: The first thing I recommend is have a conversation with your bank. You want to understand the online and mobile banking controls available to you. Certainly, a unique password is a key control to safeguarding your account, but be sure to consider all of your options. Some online banking solutions use secondary factors to help ensure that the authentication is legitimate and complete. Others support messaging and alerting to notify you via text message or e-mail about activity on your account, which can greatly reduce the occurrence of fraud.

QUESTION: Zach, are there new industry sectors that are buying insurance now that haven’t in the past?

SCHEUBLEIN: Yes, it’s been interesting over the past 12 to 18 months, where we have seen a shift towards certain buyers in the marketplace that we didn’t see two years ago. I think that is in accordance with the sophisticated hacking that’s taking place, where there’s more hacktivism, cyber terrorism, or even potentially cyber warfare – in certain industries like transportation, manufacturing, critical infrastructure, logistics – industries where the primary cyber risks would be product liability and business interruption. Historically, the cyber insurance product has only been around for 16 years, and the initial buyers of the product were organizations that are in the care, custody or control of voluminous amounts of personal identifiable information – financial institutions, retail, hospitality or health care industries. Obviously, those are industry sectors where there is a significant volume of personal identifiable information, and a lot heavier regulatory oversight over data security and privacy. But with the shifting of certain types of hacking attacks, where business interruption becomes a critical focal point when we talk about cyber risk, we are seeing a lot more “nontraditional” buyers in the marketplace.

PROTECTING YOUR BUSINESS FROM CYBER CRIME

QUESTION: If these new industries are starting to get involved, how has underwriting shifted to become ready for this?

SCHEUBLEIN: Underwriting continues to evolve. Up until the end of 2013, any organization, large or small, could get insurance coverage by filling out a basic application and very much “check the box yes or no”. When you get into cyber risk, it’s not simply a matter of yes or no. There are a lot of grey areas, and there needs to be a lot more explanation and detail provided during the underwriting process. The reason for that was that there weren’t a lot of significant losses in the cyber-insurance marketplace up until the Target breach, which really sparked a trend of catastrophic losses across various industry sectors that hit the cyber insurance market. This led to underwriters reevaluating the underwriting process. So what used to be just an application has now shifted to a more formal underwriting process in terms of face-to-face presentations, where clients present their cyber risk mitigation strategy and protocols via their chief information security officer (or internal equivalent), representatives from legal, compliance, and risk management. Underwriters are essentially going through ‘verticals’ of cyber risk including cyber governance, network security, data privacy procedures, vendor management, and business continuity plan and incident response planning. These items get a lot more attention now. Essentially, they are underwriting to the overall culture of the firm related to cyber risk mitigation, including that, from the outset, the C-Suite is engaged in the process and implementing the culture from the top down.

CALLOW: It’s been our experience that you can’t get cyber insurance without a data map, a data preservation policy, an incident response plan, and confirmation you’ve done training, or can show you are going to do training. All of that is part of the ability to acquire insurance. Then to keep that insurance, you must maintain your systems and do that work as well. So, you can’t just wake up on a Monday and say, we are going to go get cyber insurance. There’s a multi-step process to get to that point, and a multi-step process to keep the insurance. It’s not as simple as I’ll get cyber insurance, and solve my problem.

SCHEUBLEIN: There’s a proper way to go about getting cyber insurance, especially for the first time. It goes back to doing formal cyber risk assessments, as by doing the risk assessments the client and ultimately their insurance broker can identify what the critical crown jewels are, and what the risk factors are. We can identify different risk factors from the threats to the types of data they have, which allows us as brokers to determine what’s in the best interest of the client, and procure the best type of coverage that’s going to be tailored to their risk profile. A formal cyber risk assessment can also assist in building a quality underwriting presentation. The client has identified what their crown jewels are and laid out their cyber risk mitigation strategies, including forward-looking plans to remediate identified potential issues. That gives underwriters a lot more comfort to provide their capacity for that risk. Whereas, if you’re just trying to go at it haphazardly, where you say here’s an application and let’s see what you can get, it’s probably not going to drive a lot of carrier interest to that particular risk.

“...that’s probably one of the most important things any organization can do is to have a response plan.” – Zach Scheublein, Aon Risk Solutions

QUESTION: Joe, you are a litigator? How prevalent is cyber-security litigation right now?

CALLOW: It’s growing. One of the issues is that it’s not simple litigation, because it’s almost always a class action litigation. So, it’s always going to be the largest, most expensive type of litigation. The biggest issue we are seeing right now is the issue of standing and whether people can maintain these class action suits. When these events occur, there’s a rush of lawsuits and the consolidation of cases into a larger consolidated class action matter. One of the issues is whether the individuals have been harmed. Does the risk of identity theft in the future give you standing to file a claim? The Supreme Court addressed this last year in a case called Spokeo, which was a big issue as to whether individuals had standing and what they had to allege for harm. Now, we are seeing a split among the circuit courts on whether that risk of harm, or that risk of identity theft, is truly enough standing to bring a claim when you read about the Yahoo problem in the paper. Do you have to have your identity stolen, or is the risk of it occurring sufficient that you can assert the claim? I think that issue is going to go back to the Supreme Court at some time, because it’s a hot topic. Several circuit courts have dealt with it, on several different issues, and there’s a big split. It’s a big legal issue, and it’s garnered a lot of attention. Some companies are choosing to settle the cases and resolve them. Others are deciding to fight them, but I think we are going to see more cyber litigation in the future, because cyber events are going to continue to increase.

QUESTION: Spinning this forward, if we were having this conversation a year or two from now, what do you expect to be talking about?

SCHEUBLEIN: It’s tough to predict the future, but my biggest concern is that we are going to have a “black swan” attack, where it’s a critical infrastructure attack – where they are shutting off a grid, power, utilities, or a significant form of business interruption loss, or a hacking attack where there is third-party bodily injury or property damage. Let’s say it’s a chemical manufacturer, and through a sophisticated malware attack can actually cause that plant to explode. Now, you are dealing with significant environmental issues, product liability issues, and bodily injury and property related issues. We haven’t seen it in the United States, but it has happened. In two years, my fear is we are going to have one of those attacks.

CALLOW: We mentioned it earlier, but I think it’s more of the “death by a thousand cuts” type of situation, where the attacks are targeted at small and mid-sized companies. With Target, Anthem and Yahoo, we saw that the larger ones generate the news and make the headlines. But, more and more, the attacks or mistakes are going to be aimed at mid or small-sized companies that are going to have to start dealing with this issue on a pro-active basis. The attacks are going to be targeted at smaller entities, so they aren’t going to make the headlines, but they are going to be just as damaging. I hope we’ll see a movement from small and mid-sized companies to protect themselves. The DOJ and the FTC both published guidelines last year that focused on helping small and mid-sized companies get ahead of this issue. They are simple policies. They are very common-sensical. If you don’t have the resources to do what the larger Fortune 100 companies are doing, there are still steps you can take to protect data at small and mid-sized companies. That’s what we are going to be talking about, because a lot of small and mid-sized companies want and need to get ahead of the curve.

HART: I’m going to predict that what we’ll see a year from now is a continuation of the large-scale attacks on big business, because that’s where the information is. But as larger corporations become better equipped to defend themselves against these attacks, the bad guys will begin to shift their focus to smaller, more susceptible entities. An attacker doesn’t want to spend a lot of time trying to hack into a company when there’s an easier target. So the points of compromise will move from large, well-defended institutions to softer targets that include small and mid-sized businesses.




