The cyber insurance cleanup crew: A look inside a data breach response team by David Weldon
Later this month, Katherine Keefe expects to mark a very significant--and troubling--milestone. Her data breach response team at Beazley Insurance expects to investigate its 2,000th data breach.
"We'll be handling our 2,000th breach probably at the end of February if the numbers continue to trend," Keefe told FierceCIO. "So we've seen a lot in terms of sizes of breach, type of breach, types of industries affected, numbers of people involved, cost, etc."
"We are amassing a lot of data on various breach causes and trends, and certainly we're seeing more malware than we did a couple of years ago," Keefe revealed. "The frequency with which our insured are getting hit with malware attacks has increased and we're seeing that happen in industries where once we didn't see that."
Keefe serves as the global focus group leader of Breach Response Services at Beazley, the team assembled in 2009 to work with clients when a data breach occurs. While she does have some customer contact outside of those occasions, as a Beazley customer you probably hope to see as little of her as possible.
But given the growing number of cyber security incidents over the past two years, the likelihood that you will be sitting down with a Beazley insurance underwriter is definitely on the rise. Cyber insurance has become a hot topic--and at the highest levels of the organization.
"I think some of the very sophisticated and well-funded hacking activity and fraud activity perpetrated by very polished criminals makes organizations feel very vulnerable," Keefe said. "Despite best practices, and very good IT personnel and good infrastructure, the criminals are staying one step ahead of everybody else."
Indeed, corporate conversations around data breaches are no longer "Can it happen to us," but rather, "It's likely to happen to us."
"We're certainly seeing that the conversation has changed in the last year to 18 months--propelled in part by the well-publicized retail breaches like Target, Home Depot, Neiman Marcus, etc.--as well as some of the heightened regulatory and enforcement actions in this area," Keefe noted. "We're seeing the conversations really changed toward higher levels within organizations. They're being very concerned they have a plan in the event that their company experiences a data breach."
From product failures to data compromise
As noted earlier in this series, cyber insurance is not new. It evolved a decade ago out of early policies to protect high tech firms in the event of product failures.
"Beazley has provided cyber insurance for at least 10 to 12 years, if not longer," Keefe explained. "Our product lines have evolved in that time. Historically Beazley started underwriting coverage for some of the largest tech companies in the United States and the vulnerabilities that they had with systems failures, installation problems, etc.
"When those organizations and others started experiencing situations in which their data became compromised, or went missing, our insured at that time would come to us and say, 'We've had an incident with our data. We suspect that we need to investigate further. We'd like some legal guidance on this. We'd like some forensics support.'"
Around 2007 to 2008, Beazley agents began to receive a lot of requests for help--"Do you know who the good lawyers are? Who the good forensics organizations are?"
At the same time the regulatory climate started changing, Keefe explained.
"One at a time, and then slowly building to a crescendo, states started enacting laws around obligations of companies in the event that consumers' data were compromised," Keefe noted. "So you started to see a whole patchwork of state laws governing data breach notification requirements."
This new regulatory climate was further underscored by HIPAA. Healthcare organizations have been dealing with HIPAA compliance for many years, and in 2009 the federal government mandated the notification of patients in the event that patient information--or, as the government refers to it, protected health information--were to be compromised.
"This confluence of regulatory obligations--and the real help that we were hearing was needed by our insured--prompted our underwriters to develop a new product that was more proactive in nature, and supplied the insured organization with all of the tools they would need in the event they had a data breach incident," Keefe said. "So Beazley Data Breach Response was born and was launched in 2009."
What a cyber response team offers
The "product," as Keefe calls it, includes legal services, forensic services, notification services, credit monitoring, and identity theft crisis management.
"It allows the organization to get through the investigation and the data breach response with expert help that they wouldn't ordinarily have access to," Keefe noted. "Like a lot of specialized services, companies don't have this on staff. They don't have data breach lawyers; they don't have forensics personnel; they don't have a big mail house under contract or at the ready. So that is what we bring to the table."
The process of writing a cyber insurance policy begins with Beazley underwriters asking a series of questions about the organization's information security environment and its protective measures. Some questions are tailored to specific industries. For example, Beazley does a lot of underwriting in healthcare, retail, higher education, hospitality, and for credit unions and other financial institutions.
"There is a dialogue around the vulnerabilities and protections unique to the industry and unique to the client," Keefe said.
The data breach response team might actually have first contact with a client around this time.
"In addition to the heat-of-the-moment services that we provide when a company presents us with an actual problem, we provide an array of risk management tools and resources, so we interact with our insured on a daily basis," Keefe said. "We are here to address questions; we provide best practices information; we have a website that is available to our policy holders that has a wealth of risk management information, regulatory information, sample incident response plan templates, sample contracts, sample policies and procedures.
"For our larger companies, we will go out and do an in-person, four-hour tabletop workshop where we speak directly with the incident response teams of a myriad of companies around the country. We walk them through breach preparedness and what's going on out there; and then we turn the attention on them, and take them through a hypothetical that allows them to test out their incident response plan," Keefe explained.
Every investigation is unique
When an event does happen, just what the response looks like will vary by client, by industry, and by the type of incident experienced.
"Every scenario is different. Every organization is different. The organization's internal level of sophistication is different," Keefe said. "Sometimes organizations have investigated an incident somewhat before they contact us. Others just know that something bad happened and they want our advice as to how to shape their investigations."
The primary role of Keefe's team is "to help shape the investigation--to preserve it under the attorney/client privilege to the extent that is possible, and to do the legal analysis. All of this is driven by legal requirements, and we maintain a series of relationships with law firms that are experts in this area--who live, eat and breathe data breach."
Whether or not an organization even has an incident response team of its own is very telling, Keefe said.
"That is really something we provide a lot of guidance on in the front end. An organization should know who to bring to the table in the event of a data incident, that you need cross-representation from different areas in the company--whether it's IT, risk management, compliance, finance, PR, privacy, security--all those areas should be at the table. They each bring a different perspective and set of expertise. Part of our job is to make sure that the right representation from the company is involved and that the right external resources are deployed."
Once the appropriate legal help is assigned to the investigation, the next step is forensics. Those experts will help determine if the incident was a systems intrusion, a malware attack, a successful email phishing attempt, or even a stolen laptop or iPhone that contains personally identifiable information.
"External forensics organizations can come in and work with the internal IT folks to do the further analysis: to assess the type of malware present, the type of variant, what it was capable of doing, what it actually did, whether data was merely accessed, and how relevant law applies," Keefe stated.
Lots of breaches, lots of lessons learned
With nearly 2,000 data breach investigations under its belt, Beazley's data breach response team has learned a thing or two about why organizations are attacked, and what the attackers hope to gain.
Take the healthcare industry. Keefe explained that, historically, malware was designed to get at financial information that criminals could readily convert for financial gain. That made financial institutions that maintain credit card information likely targets. But a new favorite target is healthcare insurance and service providers.
"Now we're seeing malware have a bit of prevalence in healthcare, and we weren't seeing that even a year-and-a-half, two years ago," Keefe said. "In talking with our partners and with healthcare industry thought leaders, there is the sense that someone's health information carries a pretty high street value.
"So someone could take my name, my age, my physician's name, my diagnosis, just that--with no financial information--and they could create and fabricate a new patient and set up a false medical provider to bill Medicare fraudulently or bill Medicaid fraudulently," Keefe stressed.
Patient information can also be monetized without any accompanying financial data when it reaches an unethical physician who is paid to write prescriptions for narcotics. Those prescriptions are then filled, and the drugs are sold on the black market.
"There is a lot more money in that, it has proven to be the case, than selling a credit card number or Social Security number," Keefe said.
Knowing right from wrong with security measures
Beazley's response team has also learned a lot about what organizations are doing well, and not well, when it comes to information security.
"We'll start with the not so well," Keefe said. "Unbelievably, encryption is still an issue. Organizations are experiencing breaches of devices and systems that should be, but are not, encrypted."
Encryption is not only a basic defensive control; it can also be a key legal defense.
"What encryption gets you under the law is a silver bullet or a free pass," Keefe stressed. "If data is encrypted, by and large, 99.9 percent of the data breach notification laws are not triggered [by an event].
"But we still see--despite the fact that encryption is really raised to the level of industry's best practice--where organizations may roll out an encryption program for mobile devices, but that program might not capture every device. Lo and behold, it's the unencrypted device that is lost or stolen, and breached."
Another example is retailers whose point-of-sale (POS) systems interface with other servers without end-to-end encryption of the data.
"So there might be partial encryption, or encryption of various data along the way, but it's not seamless encryption flow from end-to-end," Keefe said. "That's one place that we see problems that are, frankly, preventable."
It all starts with a good response plan
Asked what advice she would offer CIOs to best prepare for a possible data breach, Keefe said having a formal response plan in place is the most important first step.
"Have a document that is written in layman's language, is easy to read, and that is the guidepost for what the organization should do when a data incident is discovered," Keefe stressed.
The response plan should clearly indicate who is on the response team and how they should immediately proceed. This includes:
- Who responds to the incident?
- How quickly?
- How can they get in touch with each other?
- What are the resources that they're going to need?
- When do they contact their insurance carrier?
"Having that kind of incident plan signifies to us that the organization is aware of these issues and probably maintains better security hygiene than an organization that doesn't get around to putting a plan in writing. That is number one," Keefe advised.
"Number two: vendor management is a huge area," Keefe said. "Our data shows that a little over 30 percent of data breaches are caused by vendors--persons that you work with, your business partners that have access to your data that, frankly, don't take as good care of it as you would.
"Organizations should take the time to understand what vendors have access to--what level of data--and put contract language in place around security expectations. Those provisions will go a long way to making a bad incident not quite as bad, or preventing an incident from happening at all."