Maritime Insurance Cyber Security Framing the Exposure. Tony Cowie May 2015

Similar documents
ENSURING SECURITY IN AND FACILITATING INTERNATIONAL TRADE. Measures toward enhancing maritime cybersecurity. Submitted by Canada SUMMARY

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act

Cyber Risks in the Boardroom

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Cyber resilience The cyber risk challenge and the role of insurance

How To Protect Your Business From A Cyber Attack

Cyber Security Strategy

White Paper on Financial Industry Regulatory Climate

DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?

Cyber resilience The cyber risk challenge and the role of insurance

Cyberprivacy and Cybersecurity for Health Data

Nuclear Security Requires Cyber Security

Cybersecurity. Are you prepared?

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Security Risk Management Strategy in a Mobile and Consumerised World

Tackling the growing risk of cyber crime

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

Cyber Security for audit committees

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Cyber Risks and Considerations for the Marine Insurance Industry Joseph G. Grasso David L. Hall February 26, 2015

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

What is Management Responsible For?

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cybersecurity The role of Internal Audit

ICS CP/PE (Cyber-to-Physical or Process Effects) case study paper German Steel Mill Cyber Attack

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Cyber-insurance: Understanding Your Risks

Vulnerability Assessment & Compliance

Allianz Global Corporate & Specialty. Cyber Risks. Recent Trends. AIRMIC 15 th June 2015

Critical Infrastructure Security and Resilience

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Cyber Terrorism and Australia s Terrorism Insurance Scheme. Physically Destructive Cyber Terrorism as a Gap in Current Insurance Coverage

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cybersecurity in the maritime and offshore industry

An Introduction to Cyber Liability Insurance. Catherine Berry Senior Underwriter

OECD PROJECT ON CYBER RISK INSURANCE

Cyber Risk, Legal And Regulatory Issues, And Insurance Mitigation ISACA Pittsburgh Information Security Awareness Day

Cybersecurity: Protecting Your Business. March 11, 2015

Cyber Security & Cyber Criminality: ~ The Facts ~ - Sgt Phil Cobley

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

Cyber Insurance and Your Data Ted Claypoole, Partner, Womble Carlyle and Jack Freund, PhD, InfoSec Mgr, TIAA-CREF

Who s next after TalkTalk?

CYBERSECURITY INVESTIGATIONS

About the Survey Respondents

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

Cybersecurity and the Threat to Your Company

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Insurance for Data Breaches in the Hospitality Industry

Cybercrime Security Risks and Challenges Facing Business

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

ACE European Risk Briefing 2012

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

Top Fraud Trends Facing Financial Institutions

Cybercrime: risks, penalties and prevention

THE RISK OF CYBER-ATTACK TO THE MARITIME SECTOR

October 24, Mitigating Legal and Business Risks of Cyber Breaches

CYBERSECURITY: Is Your Business Ready?

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Cybersecurity Awareness. Part 1

Cybersecurity Global status update. Dr. Hamadoun I. Touré Secretary-General, ITU

RETHINKING CYBER SECURITY Changing the Business Conversation

The Recover Report. It s business. But it s personal.

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW TECHNOLOGY AND TELECOM COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

FINAL // FOR OFFICIAL USE ONLY. William Noonan

Cyber Security Issues - Brief Business Report

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Mitigating and managing cyber risk: ten issues to consider

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

CYBER SECURITY INDUSTRY GUIDELINES

Cybernetic Global Intelligence. Service Information Package

Cybersecurity: What CFO s Need to Know

Into the cybersecurity breach

The Landscape of Cyber, critical infrastructure and how Regulation fits in

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

CYBER SECURITY FOUNDATION - OUTLINE

THE CHANGING FACE OF IDENTITY THEFT THE CURRENT AND FUTURE LANDSCAPE

Defending Against Data Beaches: Internal Controls for Cybersecurity

Cyber Security - What Would a Breach Really Mean for your Business?

Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

Cyber Risks and Insurance Solutions Malaysia, November 2013

Cybersecurity Issues for Community Banks

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Good morning Chairman Moran, Ranking Member Blumenthal and members of. the subcommittee. My name is Catherine Mulligan and I am Senior Vice President

Cyber Security and the Board of Directors

AUDIT TAX SYSTEMS ADVISORY

Managing Cyber Risk through Insurance

In an age where so many businesses and systems are reliant on computer systems,

The promise and pitfalls of cyber insurance January 2016

Protecting against cyber threats and security breaches

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

Cyber security: Are consumer companies up to the challenge?

Transcription:

Maritime Insurance Cyber Security Framing the Exposure Tony Cowie May 2015

Table of Contents / Agenda What is cyber risk? Exposures - Should we be concerned about "Cyber"? Is Cyber covered under a Marine Insurance Policy? What about a Reinsurance Treaty? How is the maritime insurance industry currently addressing the situation? Further Reading / Insurance Market in Cyber /How can insurers increase Cyber Risk Resilience? 2

What is cyber risk? CYBER RISK covers the risks of doing business, including managing and controlling data, in a digital or "cyber" environment Factors influencing the threat landscape The Cloud Shadow IT Mobile and flexible working Sources Human/ system error Cyber crime Lone hackers State-backed Bring your own devices Internet of things Tools and expertise needed to exploit vulnerabilities are becoming more widely available Ability to carry out an attack is therefore simpler 3

Should we Mariners be concerned about "Cyber"? University of Texas researchers demonstrated in July 2013 that it is possible to change a vessel's direction by interfering with its GPS signal to cause the onboard navigation systems to falsely interpret a vessel's position and heading Hacker caused a floating oil platform off Africa to tilt to one side, forcing temporary shutdown. (Note this story is all over the internet, and in the IMO report, but I was unable to verify the actual platform) Somali pirates employed hackers to infiltrate a shipping company's cyber systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security which led to the hijacking of at least one vessel All examples from a report submitted by Canada to the IMO in July 2014 (http://www.protectgroup.org/assets/uploads/fal-39-7-measures-toward-enhancing-maritime-cybersecurity-canada.pdf) 4

Should we Mariners be concerned about "Cyber"? Denial of service attacks (initiating a very high number of requests to a system to overwhelm it and cause it to cease operating) against ports have been reported (Houston being one of them) Efforts to gain unauthorized access to wireless Internet networks in ports have been reported Studies by the Brookings Institute and the European Union Agency for Network and Information Security both concluded that there is very little awareness of cybersecurity issues in the maritime transportation sector and few initiatives underway to enhance cybersecurity. All examples from a report submitted by Canada to the IMO in July 2014 (http://www.protectgroup.org/assets/uploads/fal-39-7-measures-toward-enhancing-maritime-cybersecurity-canada.pdf) 5

Should we Mariners be concerned about "Cyber"? Lot of reports of stolen or corrupted data, but any physical losses? Cyberattack on German Iron Plant Causes 'Widespread Damage': Report Rachael King Dow Jones Institutional News Copyright 2014, Dow Jones & Company, Inc. A German federal agency has acknowledged in a report Wednesday that a cyberattack caused physical damage to an iron plant in the country. It was a rare admission by a government tying a cyber action to actual physical destruction. The attackers gained access to an unnamed plant's office network through a targeted malicious email and were ultimately able to cross over into the production network. The plant's control systems were breached which "resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition which resulted in massive damage to the whole system," according to the report, called the IT Security Situation in Germany in 2014. "I know of seven other incidents that have claimed to have had a cyber-to-physical or significant process effect and a few near misses that were caught in time," said Michael Assante industrial control systems lead for SANS Institute, a cybersecurity research and education organization, in an email. "The industrial control systems community is very secretive for legal and compliance reasons," Mr. Lee told CIO Journal. However, he sees Germany's acknowledgement of the attack on the plant as a sign that things are starting to change. "We're absolutely reaching a point where it's becoming more normal and expected to talk about these things rather than run from them," he said. - From 18 Dec 2014 Wall Street Journal I could not find any reports of Marine Physical Loss 6

Should we Mariners be concerned about "Cyber"? YES We certainly have potential exposure here. Experts estimate that hacking attacks against gas and oil infrastructures will cost energy companies upwards of $2 billion by the time 2018 rolls around. (note it is unclear if this is in expected losses or additional expenses to combat the exposure US Gov't currently spending circa $10B a year on Cyber Risk) I could find no estimates on the potential economic impact to the Hull and Cargo sectors does not mean it is not there. 7

Is Cyber covered under a Marine Insurance Policy? What about a Reinsurance Treaty? Maybe Marine / Energy Insurance Policies are so varied and/or bespoke, hard to give a definite answer, but assuming an "all risk policy" without a proper exclusion, then I would say yes, cover would be found for a "Cyber" loss. Read your policy! Marine / Energy Reinsurance Treaty may or may not include exclusionary and / or non accumulation language. Reinsurers may rely on a warranty from the Primary Insurer to apply exclusionary language on each and every original policy. Is cyber crime just good old-fashioned crime like theft, vandalism, fraud and kidnap, but perpetrated in "cyberspace", using computer code over the internet? How is it different from conventional crime? The greater distance and time between the criminal and the crime? The scale of the proceeds of the crime in terms of volume and value? The manner in which the consequences can cascade across enterprises and market sectors? 8

Something to think about 9

Thank You for Your Kind Attention 10

Further Reading Canada Cyber Report to the IMO - July 2014 (http://www.protectgroup.org/assets/uploads/fal-39-7-measures-toward-enhancing-maritimecybersecurity-canada.pdf Cyber Resilience - the cyber risk challenge and the role of insurance http://www.thecroforum.org/cyber-resilience-cyber-risk-challenge-roleinsurance/ Ideas for Resilience 11

Insurance Market in Cyber Insurance is increasingly part of the strategy to manage cyber risk Market for insurance products specifically designed to cover cyber risk is expected to continue to evolve in response to: Increased publicity around breaches which reinforces the potential economic impact of a cyber attack High profile court rulings (Zurich America Insurance Co. vs. Sony Corp of America et al). Regulatory shifts in the US (SEC guidance) and in the EU (Data protection regulation) Changes in policy language (e.g. Insurance Services Office (ISO) standard exclusion for cyber risk under the commercial general liability policy) Government initiatives such as the UK's Cyber Essentials Scheme and the US NIST framework However, there continue to be challenges to an insurance market for cyber risk due to: Continually shifting threats Sparse loss data Increasing complexity and interconnectivity A well-functioning insurance market for cyber risk requires appropriate risk management Common classification and codification of cyber risks and understanding of cyber risk exposure accumulation are prerequisites to a strong and well designed risk management framework 12

How can insurers increase Cyber Risk Resilience? PREPARE Understand your critical assets (data and systems) What is vital to protect? Develop capabilities to address different levels of risk New approaches to assurance and threat management Build good relationships with industry and government Establish risk appetite Understand regulatory, environmental and operational requirements Risk tolerance Embed cyber risk management throughout the organisation PROTECT Ensure well founded and repeatable cyber preparedness Strong levels of IT hygiene Undertake Threat and Control Assessments Understand cyber threat landscape Ensure appropriate due diligence and vetting of third parties Enable and empower incident management and response capabilities Develop and implement an incident response plan Education and training Cyber risk understanding and awareness Historically, there has been too much focus on PREPARE and PROTECT and insufficient focus on DETECT and IMPROVE 13

How Can Insurers Increase Cyber Risk Resilience? DETECT Develop detection and continuous monitoring Continuous monitoring to detect anomalies and threats Incident response teams Regular testing of detection capabilities UK government estimates indicate that, on average, 200 days elapse between the occurrence of a security incident and its detection IMPROVE Build a comprehensive database of security incidents Include near miss/ minor events Capture lessons learnt to allow ongoing modification/ improvement Recover from an event Execute the recovery plan Learn from experience to allow ongoing modification/ improvement 14

15

Legal notice 2015 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivative works of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re. The information and opinions contained in the presentation are provided as at the date of the presentation and are subject to change without notice. Although the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage or loss resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial or consequential loss relating to this presentation. 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information