1| Privileged and Confidential |
Cyber Risk: Business Continuity amid Rampant Cyber Threats
Risk Cooperative, March 18
About Us
Risk Cooperative, a coverholder at Lloyd’s, is a specialized strategy, risk and insurance advisory firm helping organizations to better manage risk and limit their exposures. Operating on a global scale, Risk Cooperative works hand-in-hand with organizations to identify, mitigate and reduce the key exposures that would otherwise derail their operations. As an extension of the client’s team, we are able to address all classes of risks and insurance placements. Where a need arises that is otherwise unaddressed by the current set of available insurance solutions, Risk Cooperative is able to custom design bespoke solutions.
Facts and Figures
> Founded in 2014
> Provides Life, Health, Property, Casualty, Specialty as well as Excess and Surplus lines of insurance
> Licensed nationally across all 50 states, Puerto Rico and Washington, D.C.
> Global coverage capabilities
> Offices in Washington D.C.
Agenda
> Evolution of Cyber Attacks
> Impact on an Organization
> Mitigating Risks
Evolution of Cyber Attacks
Systemic Connections
Cyber risk is increasingly defining the 21st century, with virtually every facet of the global economy exposed to this insidious threat.
> The 2003 Great Blackout plunged much of the U.S. Northeast and parts of Canada into darkness because of tree branches in Ohio.
> The rise of “ransomware” and business models being “kidnapped” is an alarming new trend.
> The WannaCry virus affected 300,000 organizations in over 150 countries in 3 days.
> No one is “safe” – Equifax with 147+ million records exposed.
Source: World Economic Forum – Global Risk Report 2015
Threat Landscape
Threat Matrix
[Figure: Threat Matrix (Threats from Within, Threats from Without, Data)]
> The amount of money spent is not a proxy for cyber-security.
> Organizations with aligned culture that can withstand sunlight are the safest.
Defense-In-Depth
Defense-In-Depth was originally a military strategy to “buy time” when it is impossible to prevent an attack by a potentially overwhelming adversary.
US agencies have applied Defense-In-Depth to the digital domain:
> Establish layers of defense
> Allow time to identify intruders and mitigate
> Build redundancies and resilience
The Human Condition
In addition to fighting the modern technological weapons of the nefarious actor (embedded malicious code, viruses and ransomware), we are equally challenged by ancient traits embedded in the human condition:
> Nescience
> Curiosity
> Apathy
> Hubris
CYBERSECURITY IS NOT JUST ABOUT TECHNOLOGY
MOST CYBER RISK LIES BETWEEN THE KEYBOARD AND THE CHAIR
Impact on an Organization
By the Numbers
> 43 percent of cyber attacks target small business.
> Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
> 60 percent of small companies go out of business within six months of a cyber attack.
> 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
> 90% of small businesses don’t use any data protection at all for company and customer information.
> 50% of small businesses have been breached in the past 12 months.
> The most prevalent attacks against small businesses are web-based and phishing/social engineering.
> 59% of small businesses have no visibility into employee password practices and hygiene.
> 65% of small businesses that have a password policy do not strictly enforce it.
Source: Ponemon Institute
Bank of Bangladesh - Case Study
> Bank of Bangladesh: ~US$27 billion in reserves
> Member, Asian Clearing Union
> Sustained an $81 million exploit in 2016
> Hackers exploited weak defenses in the SWIFT transfer system
> Hackers attempted to steal $1 billion
> Thwarted by alert staff that noticed a spelling mistake
> The attack cost the Chief Governor his job
Former Bangladesh Bank Chief Governor Atiur Rahman:
“When we learned about it we got scared. We were afraid because it was a cyber attack, like a terrorist attack. We were afraid thinking, ‘what if they attacked the entire banking system?’ To prevent this from happening, we brought in world-class forensic experts from the U.S. This is why it took a little while.”
Source: BBC World Tonight, 15 March 2016
Equifax - Case Study
> 147 million records of personally identifiable information breached
> This included social security numbers, addresses, birthdates and credit card information
> This corresponds to nearly half of the U.S. population and virtually 100% of the labor force
> $70 billion class action lawsuit already filed
> No technological panacea to cybersecurity, but rather a holistic approach to cyber resilience is needed
> True issue was cyber culture and lack of leadership: 3 Equifax executives, including the CEO, sold stock days after knowledge of the breach and months before public disclosure
> This highlights how cyber risk cannot be treated in isolation from reputational harm
Cyber Risk: What’s Really at Stake?
> In a recent HBR article, we introduced the concept of Enterprise value of Data (EvD) to capture what is really at stake.
> EvD is more akin to brand equity and intangible value, giving a more accurate quotient that may one day become a public accounting standard.
> Some firms have a lower EvD than others – for example CSX has a lower comparative EvD than Google.
> By this measure, trillions in EvD exposures are unhedged and misunderstood.
Regulatory Risk
State Regulation
> Banks, insurance companies, and other financial services institutions regulated by DFS are required to have in effect a cybersecurity program designed to protect consumers’ private data;
> A written policy or policies that are approved by the board or a senior officer;
> A Chief Information Security Officer to help protect data and systems; and
> Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
Federal Regulation
> S.536, Cybersecurity Disclosure Act of 2017: requires the Securities and Exchange Commission (SEC) to issue final rules requiring a registered issuer to disclose in its mandatory annual report or annual proxy statement whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience; and
> If no member has such expertise or experience, describe what other company cybersecurity steps were taken into account by the persons responsible for identifying and evaluating nominees for the governing body.
> Safety Act: a cyber liability amendment is being contemplated.
International Regulation
> The GDPR is new legislation that will replace all current national data protection legislation throughout the EU Member States with effect from 25th May 2018.
> All personal data must be processed securely to protect against unlawful access, loss or damage “using appropriate technical or organizational measure.” Those measures are not defined, but if data is lost or stolen, the company could be found not in compliance.
> Data breaches must be reported within 72 hours to supervisory authorities and to the individuals affected.
> Impact assessments must be conducted to identify risks to EU citizens, and must also describe how the company is addressing those risks.
> Non-compliant companies may be fined up to EUR 20 million or 4 percent of global annual turnover, whichever is higher. Many organizations do not have the reserves on hand to afford these hefty fines.
Average Costs
Source: Ponemon Institute, Cost of a Data Breach 2017
Total average cost of a data breach (US$ millions):
> United States: $7.35 million
> Middle East: $4.94 million
> India: $1.68 million
> Brazil: $1.52 million
Hidden Costs
> Insurance premium increases.
> Increased cost to raise debt.
> Operational disruption or destruction.
> Lost value of customer relationships.
> Value of lost contract revenue.
> Devaluation of trade name.
> Loss of intellectual property.
> Reputational risk.
> Stock price volatility.
Source: Deloitte. CFO Insights
Detection and Escalation Costs
> Forensic and investigative activities.
> Assessment and audit services.
> Crisis management.
  • Notifications
  • Public Relations
  • Legal/Litigation
  • Compliance
> Communications to executive management and board of directors.
Mitigating Risks
Building a Governance Framework
People
Do you have a culture of cybersecurity?
Are roles, responsibilities and priorities defined?
Does your organization chart and accountabilities reflect the importance of cybersecurity to your enterprise?
Processes
Do you have enterprise cybersecurity policies in place?
Do your onboarding/termination procedures include cyber elements?
Do you have established procedures for allowing access to your networks and infrastructure?
Do you have plans and procedures for emergency response and business continuity?
Do you have cybersecurity insurance? Do you understand its requirements?
Technology
Do you utilize firewalls as well as anti-virus and anti-malware software?
Are these technologies kept up to date?
What monitoring capabilities do you employ?
Do you encrypt data?
Do you have “tripwires” in place guarding against exfiltration?
A RESILIENT ORGANIZATION CANNOT RELY ON ONE SINGULAR COMPONENT.
Cyber Insurance: Financial Hedging
Bundled
• Bundled programs
• Directors and officers
• General liability
• Property insurance
• Errors and omissions
Electronic Data Processing
• Data processing equipment
• Hardware replacement
• Property coverage
Stand-Alone
• Third party liability
• Breach Response
• Notification
• Restoration
• Business interruption
• Reputation risk
Stop-Loss (DIC)
• Catastrophic backstop
• Covers gaps
• Meant for large losses above the first-layer cover.
[Figure: coverage layers labelled Depleted Underlying Coverage; Danger Zone; Safe(r) Zone]
> Bundled products are the source of systemic risk in the insurance balance sheet.
> Courtrooms increasingly determining claims outcomes.
> Cyber insurance brings breach panel and outside resources most companies do not have in house.
> Can’t buy insurance when your house is on fire.
Coverage Comparison
Each coverage below is compared across two columns: Risk Cooperative Proprietary Standalone Cyber Program, and Standard Rider add-on Coverage / Endorsement.
> Security and Privacy Liability Coverage (Including Employee Privacy): Damages and claims expense payment from either a security wrongful act, privacy breach or security breach
> Security Breach Response Coverage: Provides a breach response panel of specialist resources to respond to a cyber intrusion resulting in a security breach or privacy breach
> Security Breach Assessment: Coverage for analysis of systems following a security breach with respect to personal, non-public information
> Multimedia Liability: Coverage for damages and expenses legally obligated to pay arising out of a multimedia wrongful act
> Privacy Regulatory Claims Coverage: Coverage resulting from a regulatory claim arising out of a privacy breach or security breach
Coverage Comparison (continued)
> PCI-DSS Assessment Coverage: Coverage for amounts legally obligated to pay as a PCI DSS Assessment resulting from a security breach
> Cyber Extortion Coverage: Reimbursement for cyber extortion expenses and payments directly resulting from a cyber extortion threat
> Business Income Interruption: Coverage for income earnings loss sustained during a period of restoration resulting directly from a network disruption
> Reputational Harm Loss: Coverage for reputational harm, earnings loss and/or expenses loss sustained during a period of restoration resulting directly from a network disruption
> Digital Asset Restoration Costs: Reimbursement for the restoration costs incurred because of the alteration, destruction, damage, or loss of digital assets
Columns compared: Risk Cooperative Proprietary Standalone Cyber Program; Standard Rider add-on Coverage / Endorsement
Why Buy It?
> Organizations of all sizes are vulnerable.
> Few have the financial discipline to set aside reserve funds to cover losses.
> The process of underwriting drives improvement; while there is some risk-shifting, organizations still own their reputation.
> Insurers have been underwriting cyber risk for nearly 20 years – proficient breach response capabilities are in place.
Common Cyber Myths
1. If you don’t work with or manage PII your firm has no cyber risk component.
2. Cyber security is just an IT risk.
3. I have an IT vendor or service provider; that should be enough for my company.
4. My general insurance policy includes a level of cyber coverage that will keep me safe.
5. Only large companies need to worry about their cyber risk.
6. We have the most up-to-date technology and financial protection, so our cyber risk is fully covered.
7. Cyber insurance will not cover me in the event of cyber extortion.
What Really Matters
> Cyber insurance has more in common with kidnap and ransom coverage than traditional liability policies; in short, money does not matter.
> What matters is who is ‘rescuing you’ and establishing your ‘war room.’
> Anonymous breach panels set up to help insurers contain costs can come at the insured’s peril.
> The rise of cyber terrorism and cyber warfare negates many private sector responses.
> Certain policies cover cyber terrorism.
Connect
Risk Cooperative
1140 Connecticut Ave. NW
Suite 510
Washington, DC 20036
Phone: +1.202.688.3560
Fax: +1 202.905.0308
Risk Cooperative, a coverholder at Lloyd's, is a specialized strategy, risk and insurance advisory firm licensed to originate, place and service innovative risk-transfer and insurance solutions in all 50 states, D.C. and Puerto Rico. Risk Cooperative helps organizations address risk, readiness and resilience through a comprehensive service and solution offering in partnership with leading insurance companies and value-adding partners.
Contact Us
Risk Cooperative is located in the heart of the U.S. capital. Phone, email, or use the contact form online to get in touch.