@NTXISSA #NTXISSACSC4
Cyber Insurance – Did you Know?
Heather Goodnight-Hoffmann, President and Cofounder
Patrick Florer, CTO and Cofounder
Risk Centric Security, Inc., October 7, 2016
Agenda
Why are we talking about insurance?
Why worry?
Risk and Risk Management
Insurance – Why, Who, and What?
Cyber Insurance 101
NTX ISSA Cyber Security Conference – October 7-8, 2016
Introductions

Heather Goodnight
Global Sales and Business Development Consultant for over 20 years
President and Co-founder of Risk Centric Security, Inc.
Member, RIM Council (Responsible Information Management Council), Ponemon Institute, since 2010
Co-author and co-analyst of the 2016 NetDiligence© Cost of Cyber Claims report

Patrick Florer
Information technologist for 37 years
Database designer / statistical analyst in evidence-based medicine for 17 years in parallel
CTO and cofounder of Risk Centric Security, Inc.
Member, RIM Council (Responsible Information Management Council), Ponemon Institute, since 2009
Distinguished Fellow, Ponemon Institute, since 2012
Co-author and co-analyst of the 2016 NetDiligence© Cost of Cyber Claims report
Why are we even talking about this?
Information Security has an important role to play in the insurance purchasing process:
• Information Security knows (or should know) where the snakes live.
• Information Security knows (or should know) where things are done well.
In order to sit at the table with the finance, risk, and legal people, and be a knowledgeable and credible participant, it will be very useful to know something about the subject at hand.
38 Companies / 22 Categories
(chart of 2016 cybersecurity predictions by company and category; image not reproduced)
By Charles McLellan | September 15, 2016. © ZDNet, http://www.zdnet.com/article/cybersecurity-predictions-for-2016-how-are-they-doing/
Why Worry?
Civil Actions and Enforcements / Fines:
Federal Trade Commission (FTC)
Securities and Exchange Commission (SEC)
Health and Human Services Office for Civil Rights (HHS/OCR) – HIPAA/HITECH
FDA – medicines and medical devices
State Attorneys General
EU General Data Protection Regulation (GDPR)
Are You Worried Yet?
Guidance and Rules:
FTC publications on Data Privacy, Protection of Minors, Mobile Data Privacy, … (many of these)
SEC Guidance: Disclosure of material information security vulnerabilities and events
HHS/OCR – HIPAA/HITECH audits and breach disclosure rules
FDA – Postmarket guidance, safety recommendations
State Attorneys General – breach notification statutes
How about now?
Service Level Agreements (SLAs)
Cloud Service Level Agreements:
Infrastructure providers (IaaS)
Platform providers (PaaS)
Managed Service / Software as a Service providers (SaaS)
ISP / Telecom providers
Other Vendors / Supply Chain
PCI DSS (Payment Card Industry Data Security Standard)
Really? Not even a bit concerned?
Civil Lawsuits:
Lawsuits from individuals
Class Action lawsuits
Criminal actions – rare but possible
Why Insurance?
Managing Risk:
Eliminate the Risk
Mitigate the Risk – Policy and Technical Controls
Accept the Risk / Residual Risk
Transfer the Risk – this is where insurance comes in
What is Risk?

What Risk Isn't
Vulnerability
Threat

Risk Is
$$$ and/or Mission Impairment

Risk = Frequency and Impact
(diagram: Frequency and Impact combine to give Risk)
What is Insurance for?
The duty to indemnify
The duty to defend
www.netdiligence.com

Total Data Breach Costs (N=173)
Quartile   Percentile        Cost
First      Min                290
           1.0%               642
           2.5%             1,203
           5.0%             1,811
           10.0%            4,036
           20.0%            9,612
Second     25.0%           12,200
           30.0%           16,243
           40.0%           31,645
Third      50.0%           54,537  (Median)
           60.0%           82,528
           70.0%          106,031
Fourth     75.0%          196,931
           80.0%          271,800
           90.0%        1,110,729
           95.0%        2,820,000
           97.5%        6,962,000
           99.0%       10,417,480
           Max         20,000,000
Average                   648,307
Standard Deviation      2,227,369
Coefficient of Variation     3.44  (standard deviation / average)
Available on October 17, 2016

Total Claims Payouts Costs (N=162)
Quartile   Percentile        Cost
First      Min              1,000
           1.0%             1,116
           2.5%             1,284
           5.0%             1,835
           10.0%            4,181
           20.0%            7,654
Second     25.0%           10,044
           30.0%           12,434
           40.0%           21,252
Third      50.0%           44,513  (Median)
           60.0%           62,848
           70.0%           93,411
Fourth     75.0%          143,017
           80.0%          199,604
           90.0%          880,990
           95.0%        2,490,287
           97.5%        5,436,875
           99.0%        7,840,540
           Max         15,000,000
Average                   479,381
Standard Deviation      1,660,175
Coefficient of Variation     3.46  (standard deviation / average)
Who are the key players?
The Insured
The Broker / Agent
The Underwriter
The Actuary
The Insurer / Carrier
The ISO – the Insurance Services Office
Key Terms
Policy
Risk / Peril
Retention
Limits / Sub-limits
Exclusions
Re-insurance
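The "Risk = Frequency and Impact" slide and the Retention and Limits terms above can be made concrete with a small loss model. The following is an added example written for this edit; it is not part of the NTX ISSA deck and not Risk Centric Security's own tooling. It takes only two numbers from the Total Data Breach Costs table above, the median (54,537) and the 90th percentile (1,110,729), fits a lognormal per-event impact through those two points (an assumed shape; the table's true distribution is unknown), draws event counts from a Poisson with a constructed rate of 0.5 events per year, and then applies a constructed policy with a 100,000 retention and a 1,000,000 limit to every simulated year to show what the insured keeps and what the insurer pays. All function names, the event rate and the policy terms are illustrative assumptions.

```python
"""Added example (not from the slides): frequency x impact loss model with a
retention and a limit applied to each simulated year.

Assumptions, labelled: lognormal per-event impact fitted to two quantiles of the
NetDiligence table on the page; Poisson event frequency with a constructed rate;
constructed retention and limit. Nothing else here comes from the deck."""
import math
import random

MEDIAN_COST = 54_537      # slide: 50th percentile, Total Data Breach Costs (N=173)
P90_COST = 1_110_729      # slide: 90th percentile of the same table
Z90 = 1.2815515655446004  # standard normal quantile at 0.90


def lognormal_params(median, p90, z=Z90):
    """Fit ln(X) ~ Normal(mu, sigma) so X has the given median and 90th percentile."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / z
    return mu, sigma


def poisson(rng, lam):
    """Knuth's method: number of events in one year when the annual rate is lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, mu, sigma, years=20_000, seed=7):
    """Risk = frequency and impact: sample an event count per year and a
    lognormal loss per event; return the total loss of every simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def apply_policy(loss, retention, limit):
    """Split one year's loss. The insured pays the retention first, the insurer
    pays up to the limit above it, and anything beyond retention + limit is an
    uninsured tail that falls back on the insured."""
    insurer = min(max(loss - retention, 0.0), limit)
    return loss - insurer, insurer


def percentile(values, q):
    """Empirical q-quantile (0 <= q <= 1) by nearest rank on the sorted sample."""
    s = sorted(values)
    return s[min(len(s) - 1, int(round(q * (len(s) - 1))))]


def summarize(losses, retention, limit):
    """Headline numbers a finance or risk reviewer would ask for."""
    split = [apply_policy(x, retention, limit) for x in losses]
    n = len(losses)
    return {
        "mean": sum(losses) / n,
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "p99": percentile(losses, 0.99),
        "expected_retained": sum(r for r, _ in split) / n,
        "expected_insurer_payout": sum(i for _, i in split) / n,
        "prob_exhausting_limit": sum(1 for x in losses if x > retention + limit) / n,
    }


if __name__ == "__main__":
    mu, sigma = lognormal_params(MEDIAN_COST, P90_COST)
    losses = simulate_annual_losses(0.5, mu, sigma)                  # constructed rate
    report = summarize(losses, retention=100_000, limit=1_000_000)   # constructed terms
    for key, value in report.items():
        print(f"{key:>24}: {value:,.2f}")
```

Run as a script and compare the mean with the median: with a per-event distribution this skewed, the annual mean sits far above the median, the same pattern the table shows with an average of 648,307 against a median of 54,537. The fit is deliberately crude. A lognormal drawn through only the median and P90 implies a per-event mean near 870,000, above the table's 648,307 average, so before using such a model to argue for a particular retention or limit, check it against the other percentiles on the slide and against the claims-payout table, whose figures are lower at every percentile.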
Some Types of Business Insurance
CGL – Commercial General Liability Insurance
Crime Insurance
D&O – Directors' and Officers' Insurance
E&O (PLI/PII) – Errors and Omissions Insurance (sometimes called Professional Liability or Professional Indemnity Insurance)
K&R – Kidnap and Ransom
Cyber Insurance
Cyber Insurance
Relatively recent development
10 – 15% market penetration
50 – 100 Insurers actively involved
Most policies written by top 5 Insurers
Total market capacity is still limited
High coverage limits involve large retentions and multiple layers of re-insurance (towers)
Role of Captive Insurance is unclear
Cyber Insurance: What are you buying?
The devil, as always, is in the details. Coverage may include:
Business disruption / interruption and restoration expenses
Network intrusions
Data exposure – intentional and accidental
Crisis Management Services:
• Forensics
• Public Relations
• Notification and Credit monitoring
• Legal Guidance
Legal Expense and Fines due to Regulatory Actions
Legal Expense and settlements due to lawsuits (individuals, class actions, PCI, …)
Cyber Insurance: What you may not be buying
To repeat: the devil, as always, is in the details.
CGL insurance may or may not cover cyber events – it depends upon the contract.
Crime insurance probably doesn't cover digital events perpetrated by criminals.
Cyber coverage may not include:
Actual ransoms paid
Money that was wire transferred due to fraudulent inducements
Professional liability insurance (PLI/E&O) may or may not cover cyber events – it depends upon the contract.
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you