THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Transcription

1 THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

2 Download the entire guide and follow the conversation at SecurityRoundtable.org

3 Investment in cyber insurance Lockton Companies Inc. Ben Beeson, Senior Vice President, Cybersecurity Practice A number of high-profile corporate data breaches, mainly in the US retail sector over the last two years, have led rapidly to a major change in enterprise cybersecurity strategy. Many chief information security officers (CISOs) now view risk avoidance as extremely challenging, if not impossible, and a traditional approach that builds layered defenses around the network perimeter as increasingly insufficient. Accepting risk means adopting an approach that seeks to mitigate and build enterprise resilience. This approach now also must weigh the benefits of transferring residual severity risk from the balance sheet through cyber insurance. Here are 10 reasons to consider making the investment. 1. Advanced persistent threats (APTs) Targeted attacks, known as APTs, have become increasingly difficult to detect, let alone stop. The emergence of the nation-state as an adversary leaves the majority of organizations vulnerable regardless of the resources committed to defense. 2. Governance and an enterprise-wide risk management strategy The emergence of cybersecurity as a governance issue that must be addressed by the board of directors is redefining the role of cyber insurance as purely a financial instrument to transfer risk. Cybersecurity involves the entire enterprise, with numerous stakeholders, no longer only the domain of the IT department. Driving a culture of collaboration between these stakeholders is challenging for many organizations, but cyber insurance and, more importantly, the underwriting process can be the catalyst. 3. Increasing regulatory risk Liability to boards of directors is expected to increase and give added weight to a focus on governance. SEC guidance published in 2011 highlights how regulators see cyber insurance as part of a strong enterprise risk 1

4 CYBER RISK MANAGEMENT INVESTMENT DECISIONS management strategy. Many in the legal community see the launch in February 2014 of a federal cybersecurity framework (known as the NIST framework) as creating a standard of care to be used by plaintiff attorneys to allege negligence or worse. 4. A financial incentive Legislators are giving greater prominence to the role of cyber insurance. The failure to pass laws to drive stronger enterprise security has demonstrated the challenges in trying to enforce minimum standards. There is growing support for market-based incentives such as insurance that can reward strong cybersecurity through discounted premium or broader coverage. However, the insurance market for cyber risks is young, if not embryonic in some respects, and faces significant challenges if it is to continue to grow. Reversing the lack of actuarial data to model risk and an underwriting process that must change to meet ever-evolving threats sit at the top of the insurance industry s priorities. 5. Vicarious risk to vendors and business associates Adversaries are focusing increasingly on third parties that have access to sensitive information and other critical assets of the target enterprise. Professional service firms or cloud-based solution providers are examples of business associates whose security may be weaker than that of their client and consequently provide an easier back door for the attacker. Liability for a breach of personally identifiable information (PII) or protected health information (PHI) typically still rests with the enterprise data owner, even though a breach may have occurred to the vendor s network. Cyber insurance addresses costs of responding to a breach and possible privacy regulatory action or civil litigation. 6. Insider threat Attacks from the inside continue to be hard to prevent. Cyber insurance covers the employee as perpetrator as well as an attack by a third party. This will not extend to an act involving the board of directors or executive team. 7. Security is not about compliance Treating security as a compliance exercise only will result in failure. For example, many organizations that are compliant with payment card industry data security standards have been breached. 8. Monetizing the cost of cybersecurity One of the biggest challenges to the CISO is to quantify cybersecurity risk in dollar terms to the executive team. The premium charged by an insurance company can help solve this problem. 9. Merger and acquisition activity The difficulty in evaluating the cybersecurity posture in any acquisition target leaves the acquirer vulnerable. 10. Operational technology Industry sectors dependent on operational technology and industrial control systems are particularly vulnerable. Built primarily to be available 24/7 and to operate in isolation, these devices are increasingly being connected to the corporate information technology network and the Internet. The cyber insurance marketplace today It is estimated that more than 50 insurers domiciled mainly in the U.S. and London insurance market provide dedicated cyber products and solutions today. Buyers are concentrated overwhelmingly in the U.S. with little take up to date internationally, with low demand in the rest of the world. Annual premium spending at the end of 2014 was estimated to be in excess of $2 billion. Total capacity (the maximum amount of insurance available to any single buyer) is currently at about $300,000,000, although this is now contracting substantially in certain sectors such as retail and health care. Cyber insurance first emerged at the end of the 1990s, primarily seeking to address loss of revenue and data restoration costs from attacks to corporate networks. However, the underwriting process was seen as too 2

5 INVESTMENT IN CYBER INSURANCE intrusive and the cost prohibitively expensive. It was not until 2003, and the passage of the world s first data breach notification law in California, that demand started to grow. What does cyber insurance cover? Insurers do not address all enterprise assets at risk. The majority of premium spent by buyers was intended to address increasing liability from handling personally identifiable information (PII) or protected health information (PHI) and the costs from either unauthorized disclosure (a data breach) or a violation of the data subject s privacy. Insurable costs range from data breach response expenses such as notification, forensics, and credit monitoring to defense costs, civil fines, and damages from a privacy regulatory action or civil litigation. Insurers also continue to address certain first party risks, including the impact on revenue from attacks on corporate networks, extortion demands, and the costs to restore compromised data. Insurable assets include the following: PII and/or PHI of employees or consumers Data breach response costs to include the following: Notification Credit monitoring IT forensics Public relations Defense costs and civil fines from a privacy regulatory action Defense costs and damages from civil litigation Corporate confidential information Addresses defenses costs and damages incurred for a breach of third-party corporate confidential information. Certain insurers will extend to address misappropriation of a third party s trade secret, but first-party loss of intellectual property remains uninsurable. Corporate information technology network Addresses the loss of income as a consequence of network downtime. Certain insurers will also extend coverage to downtime of vendors on whom a policyholder is reliant. This is commonly known as contingent business interruption. Costs to restore compromised data Reimbursement for costs associated with an extortion threat Operational technology A few insurers have begun to extend coverage for the information technology network to also include operational technology such as industrial control systems. Physical assets Cybersecurity is no longer just about risks to information assets. A cyberattack can now cause property damage that also could lead to financial loss from business interruption as well as liability from bodily injury or pollution, for example. Understanding where coverage lies in a corporate insurance policy portfolio is challenging and at times ambiguous. An assumption that coverage should rest within a property or terrorism policy may not be accurate. Exclusionary language has begun to emerge and is expected to accelerate across the marketplace as losses occur. Dedicated products also have started to appear. Reputation and brand Insuring reputational risk from some form of cyber event remains out of the scope of the majority of insurers. At the time of writing, the London market has begun to innovate to address the financial loss after adverse media publicity. However, capacity remains constrained at $100,000,000 at best. What does cyber insurance not cover? Intellectual property assets Theft of one s own corporate intellectual property (IP) still remains uninsurable today as insurers struggle to understand its intrinsic loss value once compromised. The increasing difficulty in simply detecting an attack and, unlike a breach of PII or PHI, the frequent lack of a legal obligation to 3

6 CYBER RISK MANAGEMENT INVESTMENT DECISIONS disclose, suggest that a solution is not in the immediate future. Leveraging cyber insurance as a risk management tool Since 2009 the marketplace has evolved to also provide services to help buyers manage risk. Focused mainly on post-event response, turnkey products have emerged, which provide a panel of legal, forensics, and public relations specialists. Popular with smaller enterprises that lack the resources or relationships, this innovation has been a key component in increasing the relevance of cyber insurance and consequently its growth. Larger firms typically seek products based on breadth of coverage and the flexibility to use their own vendor network. Services that help mitigate risk before an event occurs have started to emerge. Insurers likely will begin to incentivize buyers to adopt these services with rewards such as discounted premiums. How do insurers underwrite cyber risks? Historically, underwriters have sought to understand the controls that enterprises leverage around their people, processes, and technology. However, the majority of assessments are static, meaning a snapshot at a certain point in time through the completion of a written questionnaire, a phone call interview, or a presentation. A consensus is growing that this approach is increasingly redundant and that insurers will seek to partner with the security industry to use tools that can help predict and monitor the threat as part of the underwriting process to adopt a more threat intelligence led capability as part of the underwriting process. In fact, this already has started to happen, as certain insurers have started to use technology to underwrite vendor and M&A activity risks. How do insurers price risk? Pricing cybersecurity risk remains a challenge. An insurance market that is only 15 years old has begun to build up a profile for frequency and severity of loss with regard to PII and PHI assets. However, the ever-evolving nature of the threat, particularly the emergence of APTs, undermines the reliability of these statistics. Pricing risk to physical assets is a bigger problem because this has begun to emerge only since 2010, and actuarial data are extremely thin on the ground. Fundamentally insurers continue to look for a strong security culture within the firm as a first step in risk triage. Additional factors such as industry, revenue size, and actual assets at risk also contribute to how risk is priced. How to engage the insurance market Once a decision has been made to explore a suitable solution, the first step is to choose a broker. The lack of consistency in policy language from one insurer to the next means that a broker with dedicated expertise is vital for a successful outcome. First class brokers work with their clients to understand the assets at risk and how best to address them either under the existing insurance program or through a new dedicated product. An existing Directors and Officer s policy form (D&O) addressing management liability from a cyber event probably offers sufficient coverage. However, more often than not, liability to the enterprise requires a new dedicated product. A broker should understand that insurers seek to understand the security culture of a firm and will work to position their clients as best as possible. For many larger organizations this does not involve completing a written questionnaire and staying divorced from the process. Rather, an investor-style presentation to the marketplace by key stakeholders in IT, legal, and risk management in particular, which involves questions and answers, ensures the best possible outcome. Top-tier underwriters appreciate that cybersecurity is not a tick-box exercise. They understand that the risk is dynamic and will not necessarily penalize a buyer today for shortcomings if a roadmap is spelled out as to how these shortcomings will be addressed in the next 12 months. 4

7 INVESTMENT IN CYBER INSURANCE A broker must then negotiate competitive terms and conditions with competing insurers with a final recommendation as to whom their client should choose. 10 key coverage items to negotiate: 1. Full prior acts coverage Insurers try to limit coverage to acts from the first day that the policy begins, known as the retroactive date. However, in the context of the challenges in detecting an attack, buyers should seek to remove this exclusion and avoid the risk of a claim denial. 2. Restrict knowledge and notice of a circumstance to the executive team Again, an insurer should not be allowed to impute liability to the whole enterprise because detection has proven to be such a challenge. 3. Security warranty Remove any language that tries to warrant that security is maintained to the same level as represented in the underwriting submission. The dynamic nature of the risk leaves this too open to insurer interpretation in the event of a loss. 4. Operational technology The majority of insurance policies provide coverage only to the corporate IT network. If relevant, ensure that language is broadened to also address operational technology such as industrial control systems. 5. Outside counsel Choice of counsel must be agreed upon up front. In the event of a security breach, a dedicated legal expert must take the response lead not least for attorney client privilege. Negotiating with an insurer during the event would be counterproductive. 6. IT forensics In a similar vein to choice of counsel, the preferred forensics firm must be agreed upon up front. Forensics are not inexpensive and can form a significant part of the overall cost. 7. Law enforcement Law enforcement typically is involved in a major security breach. In fact, many times the FBI, the agency leading cybersecurity corporate defense, notifies the enterprise before it becomes aware of the breach. A claim should not be excluded by an insurer for failure to disclose as soon as practicable if law enforcement had advised nondisclosure during the investigation. 8. War and terrorism Many insurance policies exclude acts of war and terrorism which must be deleted with the emergence of the nation-state adversary in particular. 9. Intentional act Ensure that coverage addresses the employee or insider as perpetrator acting in isolation of the executive team. 10. Continuity of coverage When renewing the insurance policy with the same insurer, avoid signing a warranty regarding a circumstance or claim. Conclusion Cyber insurance has a broader role to play than simply reimbursing costs associated with a loss. Fundamentally, engaging in an underwriting process that forces collaboration from stakeholders across the enterprise can drive stronger cybersecurity resilience. Increasing regulator and shareholder scrutiny means that the case for investment will continue to grow. In addition, insurers will start to provide premium- and coverage-based incentives for adopting best practices such as the NIST framework and leveraging preferred technology tools. SecurityRoundtable.org 5

8 CYBER RISK MANAGEMENT INVESTMENT DECISIONS Lockton Companies Inc K Street, NW, Suite 200 Washington, DC Tel Web BEN BEESON Senior Vice President, Cybersecurity Practice [email protected] Ben Beeson advises organizations on how best to mitigate emerging cyber risks to mission critical assets that align with the business strategy. As insurance continues to take a greater role in a comprehensive enterprise cyber risk management program, he also designs and places customized insurance solutions to fit an organization s specific needs. Mr. Beeson is also engaged in the development of Cybersecurity Policy in the U.S. and U.K.. In March 2015 he testified before the Senate Commerce Committee on the evolving cyber insurance marketplace. A frequent public speaker, in April 2015 Mr. Beeson was one of the first panelists to present on the topic of Cyber Insurance at the world s largest Cyber Security Conference, RSA, San Francisco. Prior to moving to Washington, DC, Mr. Beeson was based in Lockton s London office for seven years, where he cofounded and built one of the leading cybersecurity teams within the Lloyd s of London marketplace. Mr. Beeson holds a BA (Hons) degree in modern languages from the University of Durham, U.K., and a certification in Cyber Security Strategy from Georgetown University, Washington, DC. 6