Cyber Security | Is Your Practice at Risk?
Laurance (Larry) Selnick, CTP | Webster Bank
Matt Kozloski, VCDX and CISSP | VP, Professional Services | Kelser Corporation
Larry Racioppo, SVP | Management & Professional Services (MPS) | USI
2/22/17
Fraud Awareness Presentation | Discussion Today
• Setting the Stage
• Types of Fraud
• How to Mitigate Risk
Internet of Things | What is it?
• Internet of Things: A network of internet-connected objects able to collect and exchange data using embedded sensors
Internet of Things | Your Computer is a Connected Device
The primary way that attackers compromise computers in the small office is through viruses that exploit vulnerabilities on the machine. A computer that has all of the latest security updates to its operating system and applications may still be at risk because of previously undetected flaws. Computers can become infected by seemingly innocent outside sources such as e-mail, flash drives, and web downloads. It is important to use a product that provides continuously updated protection against these exploits. Anti-virus software is a must.
Setting the Stage | As a Business You Should Know…
• “There has been a shift in the online criminal world from primarily targeting individuals to increased targeting of corporations” (FS-ISAC) … a focus on smaller businesses!
• Unlike consumers who enjoy strong federal protection, a business may be liable under Uniform Commercial Code (UCC) rules (FS-ISAC) … it is a shared responsibility to prevent fraud
Setting the Stage | No Business Too Small to Be Hacked
Healthcare providers may believe that if they are small and low profile, they will escape the attentions of the “bad guys” who are running these attacks. Every day there are new attacks aimed specifically at small to mid-size organizations for the very reason that they are less likely to have fully protected themselves. Criminals have been highly successful at penetrating these smaller organizations, carrying out their activities while their unfortunate victims are unaware until it is too late.
Setting the Stage | Cyber Fraud is Now Part of the Norm
Reported at the annual meeting of the WSJ CIO Network: “CIOs accepted that being hacked was a given. The question is how to react to it.”
Setting the Stage | Not a Case of if, But When
• Nobody is ever 100% secure. The threat environment is simply moving too fast.
• Rather than bulletproof security, organizations need to focus on ways to make the cost of breaching their security more trouble than the data that could be obtained is worth
  ► using a layered, risk-based approach to maintain the balance between security and customer experience.
• 41% of all data breaches are a result of criminal attack
Source: Aite' RSA Study & First Data
Setting the Stage | Not a Case of if, But When
• There was more malware found over the last 2 years than in the previous 10 years combined.
• Vulnerabilities were found in three quarters of websites, with web administrators still struggling to stay current on patches.
• There were over one million web attacks against people each day in 2015.
• “Zero-day” attacks increased 50% in 2015.
• Cyber-attacks are increasing in number and sophistication. Today’s threats differ from those encountered a month ago.
Source: Symantec’s 2016 Internet Security Threat Report
Setting the Stage | Not a Case of if, But When
• Organized crime rings are responsible for the majority of attacks.
• Lone hackers, who are in it for either individual financial gain or the thrill of the chase, still initiate a small percentage of cyber threats.
• Hacktivists are individuals who use the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose.
• Some breaches are linked to insider activity for financial gain.
Setting the Stage | The Bottom Line
NOT A CASE OF IF, BUT WHEN… & HOW MUCH WILL IT “COST”
Setting the Stage | Payment Fraud is Still a Concern… but Cyber Risk is Growing
• “…the year of online extortion. Cyber extortionists will devise new ways to target its victim’s psyche to make each attack personal..” -Trend Micro
• “Organizations need to realize that (immediate) financial gain is no longer the only or even the biggest driver….” -Amit Yoran, RSA
• “Credit Card number sells for $2 on the black market while a health record goes for $20 or more…” -Peter B. Nichol, PMP, CSSMBB
Tales From The Field Select stories from Kelser, your trusted cybersecurity and IT service provider.
… but first A quick HIPAA recap: Your obligations.
HIPAA: § 164.306 Security Standards
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
4. Ensure compliance with this subpart by its workforce.
You are ultimately responsible for protecting the confidentiality, integrity, and availability of patient information.
Things We Commonly See
• After 12 years, support for Windows XP ended April 8, 2014. There are no more security updates or support for Windows XP.
• Almost 3 years have passed since security updates have been released for Windows XP.
• HIPAA: “Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.”
• 3 years without a refresh is beyond “reasonable” at this point.
• Grossly unprotected systems in exam rooms.
• Unauthorized access to:
  • View records
  • Change records
  • Install CnC to harvest/breach data remotely
• There are relatively simple solutions that fix this problem - software/tokens, physical laptops, automated screen locking.
• All practices we’ve worked with have some files stored on networked PCs or on-premises servers. Even those that have a cloud-hosted EMR!
• Do you know where patient data is? You are still responsible for it!
• How do you protect this data? Are you taking “reasonable” steps or doing nothing?
• Is your workforce trained in handling sensitive information?
• Under HIPAA, MAPFRE (Insurance Company of Puerto Rico) will pay $2,200,000 resulting from a stolen USB storage device from its IT department.
• MAPFRE failed to perform a risk analysis or implement a risk management plan.
• MAPFRE did not utilize encryption, train their employees, or implement reasonable security measures on its laptops and storage devices. (Hint: encrypt everything!)
• According to Ponemon, the average cost of a data breach for healthcare organizations is $355 per record.
• Let’s say you have 1,500 patient records. If your practice was compromised, it could cost you over $500,000 in this scenario.
Source: 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC
• Do you provide cybersecurity awareness training for your staff?
• Is your staff vulnerable to phishing attacks? How do you know – have you tested them?
• Humans are a weak link!
• HIPAA: “Ensure compliance with this subpart by its workforce”
Ransomware – I’m sure you’ve heard all about it.
• Best way to extort $$$ from you
• Very difficult to trace (due to BitCoin)
• They love repeat business!
• There’s even a way to infect your friends instead of paying!
• Depending on circumstances, a ransomware infection may constitute a data breach!
• Let’s talk $$$: say you had a productivity impact of 6 hours (VERY low estimate), with an office staff of 20 (mixed burdened cost). That could cost $7,000-$8,000 in direct lost productivity. Then factor in the cost of recreating records that were lost and the impact on patient workflow. Without adequate data protection, one ransomware incident could cost $8,000 to $20,000 alone!
Beyond the immediate financial costs, consider the impact to your practice’s reputation if your patients’ records are compromised.
Now What? DO something about it with someone you trust!
• Use experienced consultants
• Implement preventative care
• Plan for WHEN not IF
Thank You!
Types of Fraud | The Dark Web
“Antivirus works by stopping the most advanced cyber attacks by using the malicious signatures to identify and block bad code from being loaded”
The problem, today, is similar to a human immune system; if it has not seen this strain of a virus before, it does not know how to block it.
Adapted from a report in the WSJ by D. Yadron on Symantec Corp.
Types of Fraud | Setting the Stage
The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk.
► Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.
► Fraud is a “career”
► Estimated that 35 million machines are infected
► Targeted attacks against small and mid-sized business are increasing
Types of Fraud | What is Business Account Take Over Fraud?
• Stolen valid online banking credentials
  ► Username, password
  ► Answers to security questions
• Theft of valid online banking credentials occurs by social engineering or when business gets infected with malware.
• Malware downloaded via email or through a hot linked website
  ► Man in the Browser
  ► Invokes key logging which records key strokes to capture online banking credentials
• Business accounts are accessed and ACH and/or Wires are generated
• “Mules” hired to open accounts and forward the funds to international destinations
Types of Fraud | Not Just Hack Attacks
• Stolen valid email capabilities and credentials
  ► Email system breached, or email slightly altered then
  ► Direct request to send funds by C-Suite (BEC)
• Fraudsters pose as vendors and request payments be made to a new bank account.
• It’s not just dollars – Fraudsters are looking for Data!
Types of Fraud | FBI Internet Crime Complaint (www.ic3.gov)
Types of Fraud | E-Mail Account Compromise
E-mail Account Compromise (EAC) is a sophisticated scam that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. The EAC scam is very similar to the Business E-mail Compromise (BEC) scam, except that it targets individuals rather than businesses.
In 2015, 8,119 cases of EAC were filed with the Internet Crime Complaint Center (IC3), with reported losses of $274 Million!
Types of Fraud | Malvertising
“Provider of security products, WatchGuard, predicts that malvertising attempts will triple in 2016;”
Familiar Malvertising Victims:
► New York Times
► The BBC
► Spotify
► The London Stock Exchange
BBC, The New York Times, and MSN were hit by a coordinated malware campaign, delivered through the advertising networks used by the sites. The malvertising attack aimed to install ransomware on victims’ computers.
Types of Fraud | (BEC) Business E-Mail Compromise
► Do not open e-mail messages or attachments from unknown individuals
► Be cautious of clicking links within e-mails from unknown individuals
► Be aware of small changes in e-mail addresses that mimic legitimate e-mail addresses
► Question any changes to wire transfer instructions by contacting the associated parties through a known avenue.
► Have a dual step process in place for wire transfers. This can include verbal communication using a telephone number known by both parties.
Types of Fraud | And the ^ Fraud Approach Keeps Evolving
Types of Fraud | Ransomware…Crypto Locker
Types of Fraud | Protect Your Computer
In 2015, IC3 received 2,453 complaints with reported losses of $1.6 Million!
Types of Fraud | Scam “Can You Hear Me Now?”
► Fraudster obtains personal information via a data breach, e.g. credit card info is compromised
► Fraudster calls unsuspecting consumer and asks a question that prompts the consumer to answer “yes”: “Can you hear me now?”
► The consumer’s “yes” response is recorded and used as “affirmative consent” to authorize a charge; i.e. credit card purchase, bill payment, etc.
► Victim attempts to dispute charge and fraudster provides recording of consumer’s consent.
Each Control Provides Security in Layers
Recommend dedicated accounts for receivable, operating, and disbursement accounts:
Receivable Account (Cash Inflow) – JIT Funds – Operating Account (Information Reporting) – JIT Funds – Disbursement Account (Cash Outflow)
Receivable Account:
► Post no debits
► No ACH or wire origination capability
► Mandatory Alerts
Operating Account:
► (2x) Daily Cash Position
► Just in Time (JIT) Transfers
► Mandatory Alerts
► Daily Review/reconciliations
Disbursement Account:
► Check Positive Pay
► ACH Positive Pay
► Controlled Disbursement
► Mandatory Alerts
All accounts:
► Separate Account for check and EFT activities
► Dual Control/Tiered security (separate and distinct access)
► Dedicated PC (segregate from network)
► Up-to-Date Anti-Virus, Anti-Malware, and Network Controls
► Limits set to business needs
► Ongoing and Regular Employee, Vendor and Partner Education
How to Mitigate Risk | I Know Your Password
“Passwords are awful and need to be shot”
J. Grant, head of the National Strategy for Trusted Identities in Cyberspace, Federal Government Task Force
How to Mitigate Risk | Easy to Guess Passwords
CYBER FEUD: 123456, football, password, baseball, qwerty, dragon
How to Mitigate Risk | Easy to Guess Passwords Open Door to Hackers
Hacking into a voicemail account can be as easy as 1-2-3-4. Certain password configurations are very popular, showing many people aren't using random numbers (over 200,000 iPhone users surveyed).
PIN Used | Rank
Same digit (0000, 1111, etc.) | 1
Years (from 1900-2011) | 2
ABAB format (1010, 2121, 3131, etc.) | 3
1234 | 4
2580 or 0852 (center of keypad) | 5
5683 (spells LOVE) | 6
Source: Big Brother Camera Security, Daniel Amitay
How to Mitigate Risk | Strong Password
GoAway$UMeanHacke3s!
Password Rules
► Do not write them down or store in a file that can be hacked
► Use different passwords for different applications
► Don’t be obvious on Passwords - hackers can social engineer a guess
► The same holds true for Challenge questions
NETWORK SECURITY & PRIVACY (“CYBER”) OVERVIEW
February 2017
Larry Racioppo, SVP | Management & Professional Services (MPS)
www.usi.com
CONFIDENTIAL AND PROPRIETARY: This presentation and the information contained herein is confidential and proprietary information of USI Insurance Services, LLC ("USI"). Recipient agrees not to copy, reproduce or distribute this document, in whole or in part, without the prior written consent of USI. Estimates are illustrative given data limitation, may not be cumulative and are subject to change based on carrier underwriting.
© 2014 USI Insurance Services. All rights reserved.
Discussion Points
• Cyber Statistics
• What a cyber policy covers?
• Regulatory impact
• Emerging exposures
• Negotiating a cyber placement
• What does a policy cost?
Why is Cyber Risk awareness critical?
• Healthcare industry has experienced largest # of cyber attacks
• Median loss is $150,000
• Small Breaches (under 100 records - 49%) and Medium Breaches (100-1M records - 50%) occurred far more frequently than large breaches
• Impact companies of ALL sizes
  • 40% large companies (over $1B in revenue)
  • 37% medium companies ($10M - $1B)
  • 23% small companies (under $10M)
Stats: Hiscox/Advisen Cyber InfoGraphic November 2016
Why is Cyber Risk awareness critical?
• $158: average cost per record in a data breach.
• Average total breach incident cost increased to approx. $4m in 2015.
• Average cost per record in a healthcare data breach is $355
• 96% of breaches could have been avoided if reasonable data security controls had been in place at the time of incident
• Cyber and Privacy attacks are the #1 risk noted by CEOs across business classes and company sizes
Stats: Ponemon 2016 study (sponsored by IBM), and FIS Risk Practices Survey 2016
Do you believe in miracles?
What Can a Cyber Policy Cover?
Security/Privacy Liability
First Party: Breach Notice Costs
• Forensic Investigation
• Crisis management/PR
• Notification costs
• Credit monitoring
First Party: Other Business Costs
• Business interruption
• Data repair/replacement
• Cyber-extortion
• Social Engineering
Third Party: Civil Lawsuits
• Consumer class action
• Corporate or financial institution suits
• Credit card brands
• PCI fines, penalties, and assessments
Third Party: Regulatory Actions
• State AG investigations
• FTC investigations
• Health & Human Services
• Foreign Privacy Entities
HIPAA
HIPAA
• 12-physician pediatric and adult dermatology practice
  • Paid $150,000 for alleged HIPAA violations
  • Lost, unencrypted flash drive containing protected health information (PHI)
• 5-physician cardiology group
  • $100,000 settlement
  • Posting clinical and surgical appointments for patients on a publicly accessible internet-based calendar
  • Failed to implement even the most basic HIPAA requirements
• An orthopedic clinic
  • $750,000 settlement
  • Failed to execute a business associate agreement prior to turning over 17,300 patients’ PHI to a potential business partner
HIPAA
• Jason Pierre-Paul sues ESPN/Adam Schefter for Twitter post
• Details of recent settlement unknown
CFO REACTION TO HIPAA PENALTY
Cyber Stat
E-mail received from “PayPal”: You’ve sent a payment of $90 to Youseff Mansouer
Forwarded to PayPal and their response: Did you know that approximately 90% of all email sent worldwide falls into the spoof, phishing, spam, and general junk category?
Emerging Exposures – Social Engineering
• Social Engineering: Hackers use trickery, based on internal or vendor communication, to induce employees to process fraudulent wire transfers
• Average “Social Engineering” related loss is $130,000
• $100,000 to $500,000 is the norm for mid-size businesses
• Notables:
  • Xoom Corp. - $30M (January 2015)
  • Ubiquiti Networks - $46.7M (August 2015)
  • IRS W-2 schemes
Emerging Exposures – Ransomware
• Cyber Extortion (aka Ransomware): Cyber attack that involves a demand for $$ to avoid or stop a network attack/data breach
• On average, in 2016 there are approx. 4,000 ransomware attacks per day…up from 1,000 in 2015
• 77% of attacks between $500 - $10,000
Cyber Insurance as a Last Line of Defense
• Fills gaps in “traditional” property/casualty insurance
• Acts as a financial backstop to protect your budget
• Be out in front with continuity planning
• Assist in establishing relationships with key vendors
• Demonstrates an organizational commitment to network security/privacy
• Access to wide range of resources at time of loss:
  • Forensics firm – who, what, where, when
  • Attorney for various state requirement compliance, including contractual indemnification obligations
  • Public Relations expense – brand protection
  • Credit monitoring, notification assistance
  • ID restoration services
  • Licensed investigator/fraud specialist
Pre-Breach Resources? FREE with policy purchase
• Data Security Training
• Anti-Phishing and Social Engineering courses
• Incident Response Plans
• Mobile Device
• E-Mail
• Removable Device
• Cyber Fitness checklist
• Assign and manage training for your employees
Post Breach – who ya gonna call?
• Data Breach Coach
• Forensics support
• IT support
• Public Relations
• Insurance Company
Negotiating a cyber placement
Breach Response Costs coverage
- Offered at full policy limit or sub-limited?
- Inclusive of overall limit or “Outside” the limit?
Other things to consider:
- Regulatory coverage (seek full limit and defense/penalties)
- Seek full “unknown” prior acts coverage
- Avoid “Unencrypted portable device” exclusions
- Data restoration/business interruption cover (waiting period)?
- Cyber extortion/ransomware coverage?
- Social Engineering sub-limit offered?
How much does it cost?
Limit | Revenue | Retention | Premium
1M | 56M | 25k | 13k
1M | 89M | 50k | 13k
1M | 15M | 10k | 8k
2M | 120M | 50k | 21k
2M | 49M | 25k | 27k
2M | 156M | 100k | 18k
3M | 78M | 25k | 20k
3M | 44M | 10k | 33k
5M | 1.6B | 250k | 100k
10M | 482M | 2M | 86k
How to Mitigate Risk | Where Is Fraud Occurring
• 73% of organizations experienced attempted or actual payments fraud in 2015.
• 42% of survey respondents report that incidents of fraud increased in 2015.
• Checks continue to be the payment method most often targeted to commit payment fraud, with 71% of affected organizations reporting their checking accounts had been targeted.
• Among organizations that did suffer a financial loss resulting from payments fraud in 2015, the typical loss was up to $25,000.
Prevalence of Attempted Fraud:
Payment Channel | All Respondents
Checks | 71%
Credit/debit cards | 39%
ACH Debits | 25%
Wire Transfers | 41%
Source: 2016 AFP Payments Fraud and Control Survey
How to Mitigate Risk | What to Do If You’ve Been Hacked
• Don’t unplug – malware resides in computer’s memory and not the hard drive. Turning off a computer erases the memory, and with it many traces of the hack.
• Call in the Pros
• Keep a chain of custody – record every time someone touches a compromised computer or server and everything that’s done to it
• Stop the bleeding – Figure out how the hacker broke in, and fix that hole.
• Find out what they stole
• Figure out who to tell
• Be apologetic – in your customers’ minds, it’s your fault!
How to Mitigate Risk | What Should You Do Next? (Today!)
• Establish “Dual Control” authorizations and review your limits for ACH and Wire to determine if they suit your business needs
• Consider a “stand alone” computer that is used exclusively for online banking
• Inventory all systems and programs that use the Web. What would you do if they were hacked today – who would you call?
• Are all of your “patches” and updates current?
• If you were hacked, how would you meet your business goals? How would your customers react?
• Review your internal controls (review Fraud Awareness Checklist as a start)
• Then, schedule a meeting with your trusted advisors to review your total risk exposure and learn how to mitigate those risks.
1. Establish a Security Culture
2. Protect Mobile Devices
3. Maintain Good Computer Habits
4. Use a Firewall
5. Install and Maintain Anti-Virus Software
6. Plan for the Unexpected
7. Control Access to Protected Health Information
8. Use Strong Passwords and Change Them Regularly
9. Limit Network Access
10. Control Physical Access
Source: healthit.gov
How to Mitigate Risk | Electronic Health Records
• Good patient care also means safe record-keeping practices. Never forget that the electronic health record (EHR) represents a unique and valuable human being.
• Cybersecurity experts recommend not transmitting electronic health information across public networks without encryption.
• Encrypt: the most common way that EHR information is compromised is through the loss of devices.
Source: healthit.gov
How to Mitigate Risk | The Weakest Link in Any Computer System is the User
The consequences of a successful cyber-attack could be very serious and are far greater than merely the financial implications. In addition to direct costs there are:
► The cost of computer downtime
► Plummeting productivity
► Lost sales opportunities
► Regulatory fines
► Worried Customers
► Concerned vendors
► Loss of patient trust
► Violations of the Health Insurance Portability and Accountability Act (HIPAA)
► Loss of life or of the practice itself
Source: healthit.gov
How to Mitigate Risk | Fraud Checklist
Engage your Partners:
► Accountant
► Insurance
  • Cyber Liability
► Legal
  • Involve your Practice Partners
► IT Consultant
  • Forensic IT on call
► Banker
► Public Relations
How to Mitigate Risk | Value of Your Reputation … Priceless!
The true costs to business from threats are far greater than merely the financial implications. In addition to direct costs there are:
► The cost of computer downtime
► Plummeting productivity
► Lost sales opportunities
► Regulatory fines
► Worried Customers
► Concerned vendors
► Patient trust
Cyber Security | Business Cards

Laurance Selnick, CTP, Senior Vice President, Director, Treasury & Payment Solutions Sales
CityPlace II, 185 Asylum Street HFD 640, Hartford, CT 06103
Phone: 860.691.1679
Lselnick@Websterbank.com

Lawrence A. Racioppo, Senior Vice President, Management & Professional Services
USI Insurance Services LLC
Phone: 203.291.2015
Toll Free: 855.874.0123
larry.racioppo@usi.biz

Matt Kozloski, VP, Professional Services
Kelser Corporation, 111 Roberts St. Ste. D, East Hartford, CT 06108
Phone: 860.610.2200
MKozloski@Kelsercorp.com

Jordan Arovas, SVP, Specialty Business Banking
157 Church St., 20th Floor, New Haven, CT 06510
Phone: 203.782.4656
Jarovas@websterbank.com
Moderator | Laurance Selnick, CTP, Director, Treasury & Payment Solutions Sales
Larry has almost 40 years of banking experience including cash management systems, bank operations and product management. He joined Webster’s management team in 1995 to design, implement and deliver cash management services to commercial clients. He speaks on Cyber Security issues to clients and recently moderated a panel on Cyber Liability at Connecticut Technology Council’s Cyber Awareness series. Larry currently leads a team of Consultative Sales Treasury Management professionals to review and provide recommendations on how to best utilize cash management products to improve a client’s cash flow needs.
Larry serves on the New England ACH Payments Board of Directors and is a member of the Executive committee focusing on payments information training and regulatory awareness. He is a member of the New England Association for Financial Professionals and National Association for Financial Professionals (AFP) and holds the Certified Treasury Professional (CTP) designation from the AFP.
Larry is active in the community where he volunteers as a mentor in a local elementary school and is Chair emeritus of the Webster Bank Mentoring program. Larry has served on the Board of Directors of the Connecticut/Rhode Island region of the American Red Cross and United Way of Connecticut 211 Call center and recently joined the Business Advisory Council of the School of Business at Southern Connecticut State University.
© 2014 Webster Bank, N.A. Member FDIC. All rights reserved.
Lawrence A. Racioppo, SVP – Management and Professional Services
Larry began his insurance career in the claims and underwriting areas of AIG followed by Chubb. He transitioned to the brokerage side of the business when he joined Marsh and McLennan in 2001, serving as a Senior Vice President in their Financial and Professional (FINPRO) practice for 9 years. Prior to joining USI Insurance Services in 2014, Larry was Vice President at JLT Towers Re, where he led their Executive Liability Practice.
Over the past 20 years he has developed comprehensive and creative solutions for both commercial and financial institutions. He deals with all aspects of the transaction for a broad range of management and professional liability products, including: directors and officers liability, employment practices liability and network security/privacy related coverages. In his current role as Senior Vice President, Larry is responsible for providing Management and Professional Services for USI’s Connecticut, Northeast and Mid-Atlantic regions.
Introduction This Is Me: Matt Kozloski, VCDX and CISSP VP, Professional Services at Kelser Corporation Kelser has been in business for 35 years. We offer technical and non-technical consulting services to improve your cybersecurity posture and on-going defense, detection and response strategy. Lots of tech companies talk about being partners with their clients. My vision for Kelser? That our clients will be downright excited when we arrive on the scene, not just because they enjoy working with us, but because they understand the impact we can have on their business. As Vice President of Professional Services, I encourage my team to think of themselves as consulting engineers, not just engineers. “There’s a part to consulting that’s art and can’t be exactly taught or explained. It’s empathizing with a customer’s situation, being responsive and responsible, and maintaining integrity along the way.” With every engagement, I push us all to think of what tangible business outcome our work will provide for our clients, and for their clients.