
Page 1

Privileged and Confidential

Cyber Risk: Business Continuity amid Rampant Cyber Threats

Risk Cooperative, March 18

Page 2

About Us

Risk Cooperative, a coverholder at Lloyd’s, is a specialized strategy, risk and insurance advisory firm helping organizations to better manage risk, and limit their exposures. Operating on a global scale, Risk Cooperative works hand-in-hand with organizations to identify, mitigate and reduce the key exposures that would otherwise derail their operations. As an extension of the client’s team, we are able to address all classes of risks and insurance placements. Where a need arises that is otherwise unaddressed by the current set of available insurance solutions, Risk Cooperative is able to custom design bespoke solutions.

Facts and Figures

> Founded in 2014

> Provides Life, Health, Property, Casualty, Specialty as well as Excess and Surplus lines of insurance

> Licensed nationally across all 50 states, Puerto Rico and Washington, D.C.

> Global coverage capabilities

> Offices in Washington D.C.

Page 3

Agenda

> Evolution of Cyber Attacks

> Impact on an Organization

> Mitigating Risks

Page 4

Evolution of Cyber Attacks

Page 5

Systemic Connections

Cyber risk is increasingly defining the 21st century, with virtually every facet of the global economy exposed to this insidious threat.

> The 2003 Great Blackout plunged much of the North East and parts of Canada into darkness because of tree branches in Ohio.

> The rise of “ransomware” and business models being “kidnapped” is an alarming new trend.

> The WannaCry virus affected 300,000 organizations in over 150 countries in 3 days.

> No one is “safe” – Equifax with 147+ million records exposed.

Source: World Economic Forum – Global Risk Report 2015

Page 6

Threat Landscape

Page 7

Threat Matrix

Diagram: Threats from Within and Threats from Without, both converging on Data.

> The amount of money spent is not a proxy for cyber-security.

> Organizations with aligned culture that can withstand sunlight are the safest.

Page 8

Defense-In-Depth

Defense-In-Depth was originally a military strategy to “buy time” when it was impossible to prevent an attack by a potentially overwhelming adversary.

US agencies have applied Defense-In-Depth to the digital domain:

> Establish layers of defense

> Allow time to identify intruders and mitigate

> Build redundancies and resilience

Page 9

The Human Condition

In addition to fighting the modern technological weapons of the nefarious actor (embedded malicious code, viruses and ransomware), we are equally challenged by ancient traits embedded in the human condition:

> Nescience

> Curiosity

> Apathy

> Hubris

CYBERSECURITY IS NOT JUST ABOUT TECHNOLOGY

MOST CYBER RISK LIES BETWEEN THE KEYBOARD AND THE CHAIR

Page 10

Impact on an Organization

Page 11

By the Numbers

> 43 percent of cyber attacks target small businesses.

> Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.

> 60 percent of small companies go out of business within six months of a cyber attack.

> 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.

> 90% of small businesses don’t use any data protection at all for company and customer information.

> 50% of small businesses have been breached in the past 12 months.

> The most prevalent attacks against small businesses are web-based and phishing/social engineering.

> 59% of small businesses have no visibility into employee password practices and hygiene.

> 65% of small businesses that have a password policy do not strictly enforce it.

Source: Ponemon Institute

Page 12

By the Numbers

Page 13

Bank of Bangladesh - Case Study

> Bank of Bangladesh: ~US$27 billion in reserves

> Member, Asian Clearing Union

> Sustained an $81 million exploit in 2016

> Hackers exploited weak defenses in the SWIFT transfer system

> Hackers attempted to steal $1 billion

> Thwarted by alert staff that noticed a spelling mistake

> The attack cost the Chief Governor his job

Former Bangladesh Bank Chief Governor Atiur Rahman:

“When we learned about it we got scared. We were afraid because it was a cyber attack, like a terrorist attack. We were afraid thinking, ‘what if they attacked the entire banking system?’ To prevent this from happening, we brought in world-class forensic experts from the U.S. This is why it took a little while.”

Source: BBC World Tonight, 15 March 2016

Page 14

Equifax - Case Study

> 147 million records of personally identifiable information breached

> This included social security numbers, addresses, birthdates and credit card information

> This corresponds to nearly half of the U.S. population and virtually 100% of the labor force

> $70 billion class action lawsuit already filed

> No technological panacea to cybersecurity, but rather a holistic approach to cyber resilience is needed

> True issue was cyber culture and lack of leadership – 3 Equifax executives, including the CEO, sold stock days after learning of the breach and months before public disclosure

> This highlights how cyber risk cannot be treated in isolation from reputational harm

Page 15

Cyber Risk: What’s Really at Stake?

> In a recent HBR article, we introduced the concept of Enterprise Value of Data (EvD) to capture what is really at stake.

> EvD is more akin to brand equity and intangible value, giving a more accurate quotient that may one day become a public accounting standard.

> Some firms have a lower EvD than others – for example CSX has a lower comparative EvD than Google.

> By this measure, trillions in EvD exposures are unhedged and misunderstood.

Page 16

Regulatory Risk

State Regulation

> Banks, insurance companies, and other financial services institutions regulated by DFS are required to have in effect a cybersecurity program designed to protect consumers’ private data;

> A written policy or policies that are approved by the board or a senior officer;

> A Chief Information Security Officer to help protect data and systems; and

> Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

Federal Regulation

> S.536, Cybersecurity Disclosure Act of 2017 – directs the Securities and Exchange Commission (SEC) to issue final rules requiring a registered issuer to disclose in its mandatory annual report or annual proxy statement whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience; and

> If no member has such expertise or experience, describe what other company cybersecurity steps were taken into account by the persons responsible for identifying and evaluating nominees for the governing body.

> Safety Act – Cyber liability amendment being contemplated.

International Regulation

> The GDPR is new legislation that will replace all current national data protection legislation throughout the EU Member States with effect from 25th May 2018.

> All personal data must be processed securely to protect against unlawful access, loss or damage “using appropriate technical or organizational measure.” Those measures are not defined, but if data is lost or stolen, the company could be found not in compliance.

> Data breaches must be reported within 72 hours to supervisory authorities and individuals affected.

> Impact assessments must be conducted to identify risks to EU citizens, and must also describe how the company is addressing those risks.

> Non-compliant companies may be fined up to 20 million euro or 4 percent of global annual turnover, whichever is higher. Many organizations do not have the reserves on hand to afford these hefty fines.

Page 17

Average Costs

Source: Ponemon Institute, Cost of a Data Breach 2017

Chart: Total Average Cost in $US millions, by region

> United States: $7.35 million

> Middle East: $4.94 million

> India: $1.68 million

> Brazil: $1.52 million

Hidden Costs

> Insurance premium increases.

> Increased cost to raise debt.

> Operational disruption or destruction.

> Lost value of customer relationships.

> Value of lost contract revenue.

> Devaluation of trade name.

> Loss of intellectual property.

> Reputational risk.

> Stock price volatility.

Source: Deloitte, CFO Insights

Detection and Escalation Costs

> Forensic and investigative activities.

> Assessment and audit services.

> Crisis management.

  • Notifications

  • Public Relations

  • Legal/Litigation

  • Compliance

> Communications to executive management and board of directors.

Page 18

Mitigating Risks

Page 19

Building a Governance Framework

People

Do you have a culture of cybersecurity?

Are roles, responsibilities and priorities defined?

Does your organization chart and accountabilities reflect the importance of cybersecurity to your enterprise?

Processes

Do you have enterprise cybersecurity policies in place?

Do your onboarding/termination procedures include cyber elements?

Do you have established procedures for allowing access to your networks and infrastructure?

Do you have plans and procedures for emergency response and business continuity?

Do you have cybersecurity insurance? Do you understand its requirements?

Technology

Do you utilize firewalls as well as anti-virus and anti-malware software?

Are these technologies kept up to date?

What monitoring capabilities do you employ?

Do you encrypt data?

Do you have “tripwires” in place guarding against exfiltration?

A RESILIENT ORGANIZATION CANNOT RELY ON ONE SINGULAR COMPONENT.

Page 20

Cyber Insurance: Financial Hedging

Bundled

• Bundled programs

• Directors and officers

• General liability

• Property insurance

• Errors and omissions

Electronic Data Processing

• Data processing equipment

• Hardware replacement

• Property coverage

Stand-Alone

• Third party liability

• Breach Response

• Notification

• Restoration

• Business interruption

• Reputation risk

Stop-Loss (DIC)

• Catastrophic backstop

• Covers gaps

• Meant for large losses above the first-layer cover.

Diagram labels: Depleted Underlying Coverage; Danger Zone / Safe(r) Zone

> Bundled products are the source of systemic risk in the insurance balance sheet.

> Courtrooms are increasingly determining claims outcomes.

> Cyber insurance brings a breach panel and outside resources most companies do not have in house.

> Can’t buy insurance when your house is on fire.

Page 21

Coverage Comparison

Table columns: Coverage | Description | Risk Cooperative Proprietary Standalone Cyber Program | Standard Rider add-on Coverage / Endorsement

> Security and Privacy Liability Coverage (Including Employee Privacy): Damages and claims expense payment from either a security wrongful act, privacy breach or security breach

> Security Breach Response Coverage: Provides a breach response panel of specialist resources to respond to a cyber intrusion resulting in a security breach or privacy breach

> Security Breach Assessment: Coverage for analysis of systems following a security breach with respect to personal, non-public information

> Multimedia Liability: Coverage for damages and expenses legally obligated to pay arising out of a multimedia wrongful act

> Privacy Regulatory Claims Coverage: Coverage for a regulatory claim arising out of a privacy breach or security breach

Page 22

Coverage Comparison (continued)

Table columns: Coverage | Description | Risk Cooperative Proprietary Standalone Cyber Program | Standard Rider add-on Coverage / Endorsement

> PCI-DSS Assessment Coverage: Coverage for amounts legally obligated to pay as a PCI DSS Assessment resulting from a security breach

> Cyber Extortion Coverage: Reimbursement for cyber extortion expenses and payments directly resulting from a cyber extortion threat

> Business Income Interruption: Coverage for income earnings loss sustained during a period of restoration resulting directly from a network disruption

> Reputational Harm Loss: Coverage for reputational harm, earnings loss and/or expenses loss sustained during a period of restoration resulting directly from a network disruption

> Digital Asset Restoration Costs: Reimbursement for the restoration costs incurred because of the alteration, destruction, damage, or loss of digital assets

Page 23

Why Buy It?

> Organizations of all sizes are vulnerable.

> Few have the financial discipline to set aside reserve funds to cover losses.

> The process of underwriting drives improvement – while there is some risk-shifting, organizations still own their reputation.

> Insurers have been underwriting cyber risk for nearly 20 years – proficient breach response capabilities are in place.

Page 24

Common Cyber Myths

1. If you don’t work with or manage PII your firm has no cyber risk component.

2. Cyber security is just an IT risk.

3. I have an IT vendor or service provider; that should be enough for my company.

4. My general insurance policy includes a level of cyber coverage that will keep me safe.

5. Only large companies need to worry about their cyber risk.

6. We have the most up-to-date technology and financial protection, so our cyber risk is fully covered.

7. Cyber insurance will not cover me in the event of cyber extortion.

Page 25

What Really Matters

> Cyber insurance has more in common with kidnap and ransom coverage than traditional liability policies – in short, money does not matter.

> What matters is who is ‘rescuing you’ and establishing your ‘war room.’

> Anonymous breach panels set up to help insurers contain costs can come at the insured’s peril.

> The rise of cyber terrorism and cyber warfare negates many private sector responses.

> Certain policies cover cyber terrorism.

Page 26

Connect

Risk Cooperative
1140 Connecticut Ave. NW
Suite 510
Washington, DC 20036


Phone: +1.202.688.3560

Fax: +1 202.905.0308

Risk Cooperative, a coverholder at Lloyd's, is a specialized strategy, risk and insurance advisory firm licensed to originate, place and service innovative risk-transfer and insurance solutions in all 50 states, D.C. and Puerto Rico. Risk Cooperative helps organizations address risk, readiness and resilience through a comprehensive service and solution offering in partnership with leading insurance companies and value-adding partners.

Contact Us

Risk Cooperative is located in the heart of the U.S. capital. Phone, email, or use the contact form online to get in touch.