University Risk Management & Insurance Association
48th Annual Conference, Orlando, FL, September 23-27, 2017

First Party Cyber: Mitigating the Risk

Sandy Mitchell, Director of Insurance, Massachusetts Institute of Technology
Carmelina Borsellino, Vice President, Manager, Cyber Hazards, FM Global
Amy Daley, Vice President, Education Practice Leader, FM Global

Launching Risk into the Future – URMIA 2017 • Orlando, FL #URMIA2017

Learning Objectives
Contrast the results of holistic cyber risk prevention with those of risk transfer alone.
Understand the interplay between first-party property and third-party cyber liability coverage.
Get practical property risk solutions that thwart cyber-related damage to property and increase resiliency.
FM Global’s Premium Distribution
(Pie chart: 612 accounts, $436M premium.)
Sectors shown: Manufacturing; Real Estate; Healthcare/Ed; Power Generation; Public Buildings; Chemical; Food; Pulp and Paper; Pharmaceutical; Retail; Electronics; Other (mining, molten materials, public entity, semiconductors and more).
Shares as extracted from the chart (label-to-value pairing not recoverable from the extracted text): 21%, 9%, 8%, 7%, 7%, 7%, 6.92%, 6.13%, 4.58%, 3.79%, 3.55%, 14%.
Higher Education Causes of Loss
(Bar chart; loss amounts on an axis from $0 to $200,000,000.)
Causes of loss, in chart order: Cyber; Pressure Equipment Breakdown; Collapse; Temperature Change; Service Interruption; Electrical/Mechanical Breakdown; Wind and Hail; Fire; Escaped Liquids/Sprinkler Leakage/Water…; Flood/Surface Water.
Bar values as extracted, ascending: $3,824,594; $9,549,260; $16,016,697; $25,434,486; $28,359,174; $37,594,609; $89,492,039; $101,659,121; $169,605,597; $199,575,919.
WannaCrypt and Petya Attacks
Healthcare, Manufacturing, Retail and Education
Microsoft vulnerability – EternalBlue + phishing emails
Ransomware attack – GLOBAL IMPACT!
Our Agenda
1. De-Mystifying Cyber Risk
2. Learn from the Experience of MIT
3. Practical, Research-Based Solutions

De-Mystifying Cyber Risk
2016 headlines:
March 31, 2016 – Hospitals crippled by cybercriminals: Ruthless MedStar hack demands £12,900 to unlock
May 18, 2016 – Hacker selling 117 million LinkedIn emails and passwords on dark web
June 6, 2016 – Irongate malware that targets industrial control systems uncovered
June 8, 2016 – Calgary university pays ransom in Bitcoin after cyberattack
June 9, 2016 – Twitter passwords leaked for millions of accounts
June 20, 2016 – Greenwich University suffers second data breach this year in ‘revenge hack’
June 27, 2016 – Hard Rock Las Vegas reports card data breach
June 30, 2016 – Massachusetts General Hospital data breach affects 4.3K patients
July 8, 2016 – Omni hotels warns of data breach
August 3, 2016 – Bitcoin Exchange Hacked, Loses $65 Million
August 18, 2016 – Eddie Bauer stores hit with credit card breach
October 21, 2016 – Attack on Dyn affects major websites across the US
Cyber Loss Trends
Increased sophistication impacting all types of clients
Cyber attacks can be felt beyond the targeted location
Ransomware remains the most prevalent threat vector
FM Global Loss Trends – Education
(Chart residue: Top 5; Ransomware 15%.)
Ransomware/Cyber Extortion Events
(Chart by year, 2009 through 2016; values not recoverable from the extracted text.)
Ransomware: $25 Million
Education Cyber Incidents 2016
itgovernanceusa.com, 2017: Education industry: 1,048,342 records exposed in 2016.
Data breaches increased by 40% over 2015.
Leading cause was hacking/phishing/skimming: 56%.
Employee error/negligence caused 31% of events.
Education Top Threat Vectors
1. Hacking/Phishing/Skimming/Malware
2. Employee error/negligence
3. Portable devices
4. Stationary devices
5. Physical loss
6. Intentional insider threats
Advisory.com 2016 https://advisory.ey.com/cybersecurity/cyber-threats-higher-education-institutions
MIT – 2016 Cyber Attacks
Attack: Data Breach. Protection: security awareness. Detection: vulnerability scans. Response: incident analysis (DIRT).
Attack: Distributed Denial of Service (DDoS). Protection: cloud-based DDoS mitigation service. Detection: automated notification from Akamai. Response: Akamai filters out all of the malicious traffic (total protection for MITnet).
Attack: Compromised Hosts. Protection: security awareness. Detection: intrusion detection systems. Response: identify system owner; quarantine host’s address if necessary.
Attack: Malware. Protection: anti-malware, anti-virus, device firewalls; security awareness. Detection: alerts from detection systems. Response: identify system owner and quarantine host’s address, if necessary.
MIT – 2016 Cyber Attacks (continued)
Attack: Ransomware. Protection: security awareness; anti-malware. Detection: alerts from provider; reports from users. Response: restore from system and data backups.
Attack: Phishing/Social Engineering. Protection: phishing awareness; spam filtering; two-factor authentication (Duo). Detection: semi-automated review of activity; reports from users. Response: quarantine IP address; identify victims through logs; suspend accounts.
Attack: Website Defacements. Protection: vulnerability scanning. Detection: reports from provider and users. Response: identify system owner and notify.
Cyber risk is more than an IT issue. It’s an enterprise risk.
Cyber Insurance Market
Cyber Insurance Market Maturity Curve (chart: sales over time through Introductory, Growth, Maturity and Decline phases)
Current state of cyber insurance market: $2.5B market
Projected: $7.5B by 2020; $20+B by 2025
Market is rapidly growing and evolving
Cyber Market Trends
Outsourcing Mitigation Strategies: Insurers are partnering with security experts
Gaining Consistency: Cyber carriers now include property coverage in their stand-alone policies
Lacking Clarity: Cyber excluded from property policies; confusion over primary/excess coverage
Evolution
2010-2014: Financial Gain
2015-2017: Business Disruption
2020: Property Damage
Coverage labels on the timeline: 3rd party; 1st party and 3rd party
The majority of cyber losses are preventable.
Learn from the Experience of MIT
MIT
2016 Cyber Attacks
Evolving Threats
Ongoing Risk Management and Mitigation
MIT – 2016 Cyber Attacks: Intrusion Attempt Totals (24 hr period)
(Chart; values not in the extracted text.)
MIT – Real Time Heat Map Showing Campus Targets
MIT – Evolving Threats
Data Breach: Destruction, modification, theft, or disclosure of information. Top concern: identity theft. Attack vector: social engineering.
System Integrity Breach: Denial of use, interruption of services, or loss of control. Top concern: DDoS (Distributed Denial of Service) botnets. Emerging concern: breach of IoT (Internet-of-things) sensors, devices, and control systems.
MIT – IT Risk Management
How do we respond quickly and efficiently to mitigate/manage and minimize the loss(es) that occur?
Mapping to Risk Management Framework: Action Required / Reactive / Planned / Managed
MIT – Ongoing Mitigation Efforts
Identify: What is there to protect?
Protect: Defensive measures, safeguards available (2FA, etc.)
Detect: Real-time monitoring (e.g., adaptive machine-learning, etc.)
Respond: Take rapid action/response (via automation if possible)
Recover: Plan for resilience
MIT – Ongoing Mitigation Efforts
People: Strengthening our information security awareness program and expanding its scope beyond personal-information-requiring-notification (PIRN) data
Expanding the capabilities of the Information Security Office
MIT – Ongoing Mitigation Efforts
Process: Enhancing the security process guidelines published for our community at the Information Protection @ MIT website
Decreasing vulnerability windows by increasing the use of internal vulnerability scanning, and by automating responses to events
MIT – Ongoing Mitigation Efforts
Technology: Expanding the use of network segmentation, 2FA, encryption, and automated data backup
Expanding the use of real-time analytics for identification of “out-of-the-ordinary” activities
Identify: What is There to Protect
Reputational, financial, and physical harm
Confidentiality – unauthorized disclosure
Integrity – unauthorized modification
Availability – access to resources
Examples: Personally Identifiable Information (PII); Denial of Service; Building Management Systems (IoT); Website defacement; Research data; Admissions decisions; Credit Card Information (PCI-DSS); Health Insurance Information (HIPAA)
MIT – Identify: Data Classification
Levels of information based on risk: LOW, MODERATE, HIGH
Security controls for each level
Education/documentation for each control
Applications allowed at each level
In progress; goal is to have levels and controls approved by Fall 2017
MIT – Data Classification cont.
LOW: Includes information that the Institute has chosen not to disclose, but which would not result in material harm. Includes public information – good security practices should still be followed to protect the integrity and availability of information.
MODERATE: Information is not meant to be freely available to the general public, or to the MIT community without access controls. Loss of confidentiality, integrity, or availability of these assets could reasonably be expected to result in legal liability, reputational damage, or potential for other types of harm.
MIT – Data Classification cont.
HIGH: Information subject to legal or regulatory requirements requiring its proper safeguarding and handling, including possible notification in the event of a breach. The loss of confidentiality, integrity, or availability of these assets could reasonably be expected to result in serious harm to individuals or the Institute.
Practical, Research-Based Solutions
The Next Big Thing
Cyber Risk Assessment
Risk Quality: Likelihood and Severity
Assessment areas: Industrial Control Systems; Physical Security; Information Security
Information Security
Prevent unauthorized access, disclosure, disruption, destruction of information.
Solutions
ERM Program
Identify, Classify, Protect
Incident Response Plan
Education and Training
Industrial Control Systems
Prevent malicious attacks of building automation systems, process controls and equipment.
Solutions
Cross-functional team
Industrial control systems
Critical control networks
Patch vulnerabilities
Physical Security
Prevent unauthorized access to facilities, equipment and information systems.
Cyber Connection
Cyber attacks require network access, which can be achieved:
REMOTELY over an internet connection
PHYSICALLY by connecting to a network port in person
Solutions
Physical security risk assessment
Procedures for visitors and contractors
Secure network areas and rooms
Cyber Risk Assessment
Risk Quality: Likelihood and Severity
Assessment areas: Industrial Control Systems; Physical Security; Information Security
Your Mission (Should you choose to accept it…)
Study, Assess, Improve, Transfer Cyber Risk