Posted on 10-May-2018

A reinsurer’s perspective on cyber threats, cyber resilience, insurance and data taxonomy

Mark Coss

Source: Used under licence from Shutterstock.com

Agenda

1. Cyber Security Taxonomy: from threats to an insured loss

2. Cyber Attack Life Cycle: what does a targeted attack look like?

3. Information Security & Systems Control Risk Management framework

4. Cyber Insurance: available risk transfer and residual business risk

5. Data Taxonomy: what data needs to be fed into an industry database and recorded

13-Oct-16, A reinsurer’s perspective on cyber, Mark Coss

1. Cyber Security Taxonomy: from threats to an insured loss

Assets

• Workstations (OS, applications, browsers)

• Servers

• Network devices

• Telephone

• Cloud provider

• Persons

• Processes

• Information

Source: http://cambridgeriskframework.com/getdocument/39

Vulnerabilities

• Buffer overflows

• SQL injection

• Cross-Site Scripting (XSS)

• Privilege escalation

• Unencrypted data

• Untrained personnel

• Misconfiguration

• Inadequate policies

Source: https://www.riskbasedsecurity.com/2015/12/our-new-year-vulnerability-trends-prediction/

Threats

• Denial of Service (DoS)

• Phishing

• Social Engineering

• Ransomware

• Virus/Trojan/Worms (Malware)

• Espionage

• Botnets

• Zero-Day Exploits

• Identity theft

2015 World Map of Malware & Threats by Sophos (Source: © Sophos GmbH). The map shows, by region (Scandinavia, Russia, Canada, USA, Colombia, Brazil, South Africa, Great Britain, DACH, Italy, Turkey, Saudi Arabia, China, Japan, Australia, Hong Kong, Philippines, India, Malaysia, Singapore), the prevalent malware classes: banking Trojans, Remote Access Trojans (RATs), password stealers, download malware, ransomware, spambots, bootkits, viruses, worms and others.

Actors: threat matrix

| | Cybercrime | Cyberkid | Cyberwar and cyberespionage | Cyber-terrorist | Hacktivist |
| --- | --- | --- | --- | --- | --- |
| Motivation | Money | Fun, curiosity | Strategic | Ideology/religion | Politics, ethics |
| Choice of targets | Individual, by chance or directly aimed | By chance, political reasons | Individual, collateral | Ideological, anti-western, collateral, media-effective | Ideological and political targets |
| Organisation | Strongly pronounced | Partially | Perfect | Regional | Structured |
| Competence | High | Low-high | Very high | Low-high (external help) | Middle-high |

Source: https://www.europol.europa.eu/content/eu-serious-and-organised-crime-threat-assessment-socta

2. Cyber Attack Life Cycle

Myth: each cyber attack is different, hence prevention is impossible

• Old (successful) attacks are used repeatedly

• Code is re-used amongst criminals

• The cyber attack process is the same each time

• Recent examples

Cyber Attack Process (Source: Cyber Kill Chain, Intelligence-Driven Cyber Defense, Lockheed Martin)

Cyber Attack: what does a targeted attack look like?

Espionage

• Recon

• Lure

Intrusion

• Redirect

• Exploit

Evolution

• Dropper

• Call Home

Attack

• Data Theft

• Denial-of-Service

• Manipulate data
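The "Call Home" step is the one stage of this lifecycle a defender can usually see in their own proxy or DNS logs: command-and-control check-ins are machine-driven, so they recur at a near-constant interval while human browsing does not. The following Python script is an added example, not code from the original slides nor a tool the presentation describes. It parses a few constructed proxy log lines and flags source/destination pairs whose connection intervals are nearly periodic. The log format, the hostnames, and the thresholds (at least 4 events, jitter at most 10% of the mean interval) are assumptions for illustration.

```python
"""Flag periodic outbound connections ("call home" beaconing) in proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the original slides). Format assumed for the example:
# "<ISO timestamp> <source IP> <destination host> <bytes sent>". Hostnames are hypothetical.
SAMPLE_LOG = """\
2016-10-13T09:00:00 10.0.0.12 updates.example.net 512
2016-10-13T09:00:07 10.0.0.12 cdn.example.org 20480
2016-10-13T09:05:00 10.0.0.12 updates.example.net 518
2016-10-13T09:10:01 10.0.0.12 updates.example.net 510
2016-10-13T09:12:44 10.0.0.12 mail.example.org 3072
2016-10-13T09:15:00 10.0.0.12 updates.example.net 515
2016-10-13T09:20:00 10.0.0.12 updates.example.net 512
2016-10-13T09:21:10 10.0.0.12 cdn.example.org 65536
2016-10-13T09:25:01 10.0.0.12 updates.example.net 514
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(text, min_events=4, max_jitter=0.10):
    """Return src/dst pairs whose inter-connection gaps are nearly constant.

    min_events and max_jitter (std-dev of gaps divided by mean gap) are tuning
    assumptions for this example, not values from the presentation.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), evs in by_pair.items():
        if len(evs) < min_events:
            continue                      # too few samples to call it periodic
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                      # duplicate timestamps, not a beacon
        jitter = pstdev(gaps) / period    # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(evs),
                "period_s": round(period, 1),
                "jitter": round(jitter, 3),
                "avg_bytes": round(mean(s for _, s in evs)),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the only pair flagged is the one calling updates.example.net every five minutes with a payload of about 512 bytes; the CDN and mail hosts are visited too rarely and irregularly to qualify. Legitimate software such as update checkers beacons too, so in practice the output is a lead to triage against an allow-list of known update hosts and to combine with other signals (newly seen destination, unusual user agent, small fixed-size requests), not an alert on its own.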

Cyber Attacks on the world of finance

Bangladesh, March 2016: Central Bank theft of USD 101 million

3. Information Security Risk Management

Accept: cyber attacks are a real threat

• Same risk irrespective of business size

• Increasing Board recognition of cybersecurity & privacy due to high-profile incidents, e.g. Target

• Increasing focus from regulators

• Cybersecurity incidents: 34% year-on-year growth, and attacks go an average of 200 days before discovery

WHY?

• Cultural: acceptance that no system is secure, and consumer privacy concerns

• Technological: cloud security and IoT

Sources: 2015 Trustwave Global Security Report; State of Cybersecurity, ISACA report 2015; Ponemon/IBM data breach study 2015

Cyber Risk Landscape

• Australia ranked 3rd for malicious URLs/phishing attacks & 4th globally for botnet infections (Source: Ponemon 2015)

• Average loss incurred by security breaches is below US$3 million, but that figure covers direct costs only, such as forensics, PR & legal. Third-party liability and damages would increase losses fourfold.

• Time for businesses to discover a sophisticated cyber attack is between 200 and 280 days

• 38% of mobile users have experienced cybercrime (Source: Symantec 2014)

• In 2013, cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion (Source: Symantec 2013)

• 71% of incidents go undetected (Source: Trustwave 2014)

• 60% of SMEs close their doors within 6 months of a cyber attack (Source: Experian, 2015)

Cyber Security Framework: NIST, a comprehensive cyber security framework used by ASIC Report 429

Identify

• Asset management

• Risk assessment

• Governance & compliance

• Responsibilities

• Risk management

• Procurement

• Working with external partners

• Recruitment

Protect

• User access control

• Awareness & training

• Data security

• Information protection processes and procedures

• Protection technologies

• Encryption

• Patch & change management

Detect

• Detection processes

• Security information and event management (SIEM) & anomalies

• Security continuous monitoring

• Anti-virus

Respond & Recover

• Incident management

• Emergency management

• Backup

• Disaster recovery (DRP)

• Business continuity management (BCP)

4. Cyber Insurance

Cyber insurance’s role is secondary to cyber resilience

Risks Transferred & Service Benefits

• First party: reputational expenses, customer support for customer notification, advertising & credit card monitoring, data recovery, business interruption, investigation and legal costs, cyber extortion, clean-up of leaked data

• Third party: technology professional services, multimedia liability, security and privacy liability, personal data liability, corporate data liability, civil & some criminal penalties, outsourcing risk

• Benefits: access to an expert panel to manage the cyber event and mitigate losses

Business and Residual Risk

• Loss of or damage to reputation/trust/brand

• Betterment costs to address vulnerabilities

• Physical hardware loss/damage

• Loss of customers and jobs

• Loss in competitive advantage and markets

• Contingent business interruption (CBI) from service interruption of critical infrastructure

• Under- & uninsured losses (+ policy exclusions)

• Specific intellectual property, e.g. patents

Cyber Claims: data breaches and insured costs

Insurance Risk Transfer Solutions for SMEs: standalone cyber product to be the main source of liability cover as exclusions in traditional policies become more commonplace

Cyber insurance policy

3rd party Cyber Liability

• Privacy Disclosure/Liability

• Access Failure

• Security Failure

• Intellectual Property

• Internet Communication and Media Liability

Crisis Consulting

• Legal Counsel

• Forensics

• Notification Costs

• Credit Monitoring

1st party Cyber Expenses

• Business Interruption

• IT Vandalism

• Network Extortion

• Electronic Theft

• Internal Network Interruption

• Administrative Fines

Munich Re modular wording: overview of coverage elements

I. Loss or Theft of Data Coverage (1st party)

II. Confidentiality Breach Liability Coverage (3rd party)

III. Privacy Breach Protection Coverage (1st party)

IV. Privacy Breach Liability Coverage (3rd party)

V. Payment Card Industry Data Security Standard (PCI-DSS) Coverage (1st party)

VI. Business Interruption Coverage (1st party)

VII. Cyber Extortion Coverage (1st party)

VIII. Network Security Liability Coverage (3rd party)

IX. Reputational Risks Coverage (1st party)

Pricing cyber risk is problematic at present

• The key problem is scarcity of data. While there are markets for assessments of loss frequencies due to cyber-related threats, this is not the case for loss severities.

• The same holds for cyber-related threats, which are well covered by various parties (commercial as well as non-commercial). However, to turn knowledge about threats into the ability to quantify loss potential, historic threats and losses have to be matched systematically. As of today, this kind of data appears not to be available.

• External pricing models are unavailable, so there is no “buy” option (RMS, AIR, Symantec, Cambridge…)

• Motivation for the database project (NAIC for industry codes, VERIS for cyber losses in the US)

• Presently no mandatory requirements by ISA/APRA, and cyber experience cannot be identified in the NCPD

• Presently mostly pragmatic methods are used for pricing single cyber risks (i.e. rate on line (ROL), benchmarking)

• Mainly non-experience-based pricing methods used globally so far

• Given the very dynamic trends in cyber losses and the risk of change, pricing profitability is not yet ensured

Threat modelling frameworks

There are a number of threat modelling frameworks, designed to help organisations understand cybersecurity risks in a formal, standardized way.

Frameworks:

• STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)

• DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)

• CVSS (Common Vulnerability Scoring System)

• PASTA (Process for Attack Simulation & Threat Analysis)

VERIS (Vocabulary for Event Recording and Incident Sharing) cyber data framework

APRA NCPD: existing industry data inputs are not relevant to cyber incidents

QUESTIONS & ANSWERS

Just follow up with us at your convenience

Mark Coss

Cyber Threats and Loss data for Accounting Services Sector (Source: Hiscox & Advisen; Advisen)