Session 57 L, Cyber Risks: Risk Management and Insurance. Moderator: Mike Porier. Presenters: Elisabeth Case, ARM Ray Farmer Mike Porier

Transcription

1 Session 57 L, Cyber Risks: Risk Management and Insurance Moderator: Mike Porier Presenters: Elisabeth Case, ARM Ray Farmer Mike Porier

2 Cyber Risks: Risk Management & Insurance October 12, 2015

3 Agenda & Introductions Cyber Risks & Considerations Michael Porier Protiviti, Managing Director Cyber Security & Privacy Cyber Insurance Market Elisabeth D. Case Marsh, SVP & National Commercial E&O Practice Lead NAIC Resources Raymond G. Farmer Director of South Carolina Department of Insurance

4 Cyber Risks & Considerations Michael Porier, Protiviti

5 In the news

6 What is Cybersecurity? Data is increasingly getting digitized and internet is being used to save, access and retrieve vital information. Protecting this information is not just a priority, but has become a necessity for most companies and government agencies around the world. Types of Cyber Threats Methods Security Measures for Protection Cracking Hactivisim Information Warfare Cyber Threats Cyber Espionage Cyber Crime Spam Identity theft Malicious code such as Viruses, Worm, Trojan Horse Phishing attacks Spyware Personal Security Legal Compliance Incident Reporting Continuity Planning System Protection Physical & Environmental Protection Cyber Terror Denial-of-service attacks Packet spoofing Communications Protection Access Controls Sources: Secondary Research

7 Cyber Incidents in Recent Years The Global State of Information Security Survey 2015 of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million in 2014, an increase of 48% over That s the equivalent of 117,339 incoming attacks per day, every day. Total number of detected incidents (in millions) The compound annual growth rate (CAGR) of detected security incidents has increased 66% year-over-year since Source: PWC

8 Biggest Data Loss Incidents ( ) AOL South Africa Police Evernote Adobe Apple Gmail Home Depot Crescent Health, Inc. Walgreens Community Health Services European Central Bank Kroll Background Twitter America Ubuntu Kissinger Cables JP Morgan Chase LinkedIn, eharmony, Last.fm Dun & Bradsheet Florida Courts Lexis Nexis Advocate Medical Group Target Korea Credit Bureau SnapChat Washington State Court System SouthAfrica Police Ebay Nasdaq Facebook Florida Department of Juvenile Justice Sources: Information is Beautiful Financials Web Tech Government Healthcare Retail

9 The Cyber/Data Breach Landscape Number of Breaches 700m Records compromised $400m Financial losses >200 days The average time from breach until discovery >60% 60% 40% Companies learn they have been breached from a third party (customer, partner, vendor etc.) Cases where hackers were able to compromise an organization within minutes. Controls determined to be most effective fall into the quick win category. Source: Verizon, 2015 Data Breach Investigations Report Most recorded attacks stemming from external threat actors though internal threat actors are increasing (including abuse of access and loss of hardware). Breaches increasingly from unknown unknowns almost every breached organization had up-to-date anti-virus.

10 Source of Cyber Attacks Insiders VS Outsiders 31% 35% Current employees 27% 30% Former employees 16% 18% Current service providers/consultants/contractors 13% 15% Former service providers/consultants/contractors 12% 13% Suppliers/business partners 10% 11% Customers Source: PWC 8% 10% Terrorists 12% 15% Organized crime 10% 16% Activists/activist organizations/hacktivists 10% 16% Information brokers 14% 24% Competitors 6% 9% Foreign entities & organizations 4% 7% Foreign nation-states 6% Domestic intelligence service 32% Hackers 24% 18% Do not know %

11 Top 5 Cyber Security Risks in Ransomware A type of malware which restricts access to the computer system that it infects will become increasingly sophisticated in its methods and targets. 2 Internet of Things The connection of physical devices such as home appliances and cars to the internet will still be the "Internet of Vulnerabilities. 3 Cyber-espionage Cyber espionage is becoming the weapon of choice for many national governments. 4 Cyber theft increases New ways of paying for goods, such as contactless and mobile payments brings a new opportunity for hackers. Insecure 5 Easy-to-crack passwords will continue to be a big risk in Passwords Source: CNBC

12 Cyber Risk Assessment and Management Proper cyber security risk management is more than a technology solution. A company, led by its CEO, must integrate cyber risk management into day-to-day operations. Additionally, a company must be prepared to respond to the inevitable cyber incident, restore normal operations and ensure that company assets and the company s reputation are protected. Cyber Risk Management comprises of: Cyber Assessments Understand what information you need to protect: identify the corporate crown jewels. Identify Threats to Crown Jewels Forecast the consequences of a successful attack Cyber Risk Mitigation Implement a Cybersecurity Plan Cyber Insurance Risk Transfer Security & Privacy Liability Crisis Management Regulatory Proceedings Data Recovery Cyber Extortion Source: Staysafeonline

13 Cybersecurity Framework (CSF) The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions that provide a high-level view of an organization s management of cyber risks. Identify Protect Detect Respond Recover Asset Management Business Environment Access Control Awareness and Training Anomalies and Events Response Planning Communications Recovery Planning Data Security Governance Risk Assessment Information Protection Processes and Procedures Security Continuous Monitoring Analysis Mitigation Improvements Maintenance Risk Management Strategy Protective Technology Detection Processes Improvements Communications

14 Defense in Depth Compliance does not equal security! Defense in depth is the coordinated use of multiple security counter measures to protect the integrity of the information assets in an enterprise. Physical Security User Awareness Firewalls and IDS/IPS If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated counter measures to prevent recurrence. Logical Access Anti-Virus Patch Management Device Configuration Source:

15 What Are Organizations Doing? Evaluating security risks from key vendors and partners Employing tools to help answer the questions are we already breached? and how would we know if a breach occurs? Identifying critical data (the crown jewels ) and how it is being controlled Using the CSF to assess their program Assessing internal and external vulnerabilities and performing periodic penetration tests Training and awareness to raise education of employees Evaluating the Breach Kill Chain Developing (and testing) breach response plans Wrapping all of this into a holistic security program continuous and on-going

16 Conclusions Focus on the Fundamentals Simple or intermediate controls will prevent many attacks. Expensive tools and large initiatives are often not required. How effectively does your team block and tackle? Perform Periodic Assessments Internal/External Vulnerability Assessments and Penetration Tests Wireless Security / Firewall Reviews / Web Application Scans Social Engineering Layer Defenses Many breaches involve several vulnerabilities. Maintain a defense-in-depth posture. Awareness and Training Train your employees what to look for (phishing s, telephonic approaches, etc.) Classroom style rather than CBT

17 Cyber Insurance Market Elisabeth D. Case, Marsh

18 CYBER INSURANCE TAKE-UP RATES Marsh 17

19 LARGE BUYERS ARE BUYING MORE LIMIT Marsh 18

20 RATES ARE MOVING BACK UP Marsh 19

21 US Cyber Insurance Marketplace 2014 Betterley Report: Annual gross written premium may be as much as $2.0 billion (up from $1.3 billion in last year s Report). The industry is divided by size (gross written premium) as follows: A limited number of very large writers, with premiums in excess of $100 million (AIG, ACE, Beazley, Zurich) Several carriers in the $ million range (Endurance, XL, etc.) Several more in the $25-50 million range (Liberty, etc.) Numerous carriers and Managing General Underwriters writing $10-25 million Several writing in the $5-10 million and $1-5 million ranges Marsh 20

22 A VOLATILE MARKET The US Cyber market is like two massive, but opposed forces coming together with unpredictable, unstable results Wall of Demand US Cyber Market is one of the fastest-growing markets in insurance; client penetration is still less than 25% Wall of Claims Recent acceleration in number and magnitude of Cyber events 21

23 CAP(ACITY) CRUNCH? Capacity, Coverage, and Cost are the Three Sides of the Risk Transfer Triangle Coverage continues to expand Increased uptake of 1 st -party Cyber Coverages Expanding coverage for PCI breaches Continued carrier innovation Capacity remains generally available Our recent survey of capacity for large purchasers indicates $350m+ More capacity is available if Cyber is blended with E&O (where appropriate) Significant restrictions on capacity for managed care, coupled with restrictions on coverage under Managed Care E&O Costs are rising We can get the limits, but it may be hard to find the rate you had last year at every layer of your program Marsh 22

24 CYBER RISK MANAGEMENT Cyber Risk Management means thinking about more than just Prevention There is no IT Budget large enough to eliminate the risk of Cyber Events Cyber Risk must be accepted and managed by the organization But who should do this job? Cyber Risk Management is a job for RM, not for IT IT is a critical stakeholder, but they can t manage Cyber risk on their own Risk Management is a holistic process for the entire organization Stages of Cyber Risk Management Assessment assessments, analytics, valuation, modeling Manage - Prevent, Prepare/Mitigate, Transfer Respond Remediate and Recover Marsh 23

25 WHAT CAN YOU DO? Cyber risk management involves the engagement of resources throughout the organization. Not just IT. Cyber risk management means focusing on assessment, preparation, and response. Organizations should integrate outside stakeholders, like law enforcement, regulators, and cyber security resources into their cyber risk management framework. Business-partner management is also a critical concern, since many cyberattacks target resources may be outside a company s direct control. Risk transfer should be part of the risk management approach. Regulators are starting to expect insurance will be present. Marsh 24

26 NAIC Resources Raymond G. Farmer, Department of Insurance

27 Discussion Topics Task Force Formed Guiding Principles Annual Statement Supplement IT Examination Working Group Consumer Bill of Rights Model Laws 26

28 Guiding Principles Released for public comment Initial draft based on SIFMA guiding principles Adopted set of 12 guiding principles Marsh 27

29 Guiding Principles 1, 2 & 3 Principle 1: State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach. Principle 2: Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer s, insurance producer s or other regulated entity s network should be appropriately safeguarded. Principle 3: State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers or insurance producers confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner. Marsh 28

30 Guiding Principle 4 & 5 Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations. Marsh 29

31 Guiding Principle 6 & 7 Principle 6: State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity. Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program. Marsh 30

32 Guiding Principles 8 & 9 Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information. Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer s or an insurance producer s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization. Marsh 31

33 Guiding Principles 10, 11 & 12 Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer s board of directors or appropriate committee thereof. Principle 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing. Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential. Marsh 32

34 Annual Statement Supplement Identity Theft Insurance Cybersecurity Insurance Marsh 33

35 34

36 35

37 IT Examination (E) Working Group Review existing guidance Reviewing data security controls Financial Examination Handbook Marsh 36

38 Consumer Bill of Rights Statutes Regarding Security Breach Notification Expectations of Insurers in the Event of a Cybersecurity Incident Current Project for Task Force Marsh 37

39 Model Laws and Regulations #670 Insurance Information and Privacy Protection Model Act Created in response to the Gramm-Leach-Bliley Act #672 Privacy of Consumer Financial Health and Information Regulation Created in response to the Gramm-Leach-Bliley Act Marsh 38

40 Model Laws and Regulations #673 Standards for Safeguarding Consumer Information Model Regulation #680 Insurance Fraud Prevention Model Act Marsh 39

41 Task Force Will Stay Abreast of What is Happening FBIIC FS-ISAC Marsh 40

42 Questions & Answers

43 42