THE NEW REALITY OF RISK
CYBER RISK: TRENDS AND SOLUTIONS
Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures. To access the report, visit www.marsh.com.
MARSH
CYBER RISK: TRENDS AND SOLUTIONS SEPTEMBER 2013
CYBER RISK OVERVIEW
Cyber Risk Segmentation
1. The harm caused by the insured.
2. The harm that befalls the insured.
3. Regulatory requirements stipulated by the government.
One event can trigger a loss that involves multiple risks.
CYBER RISK AND SUPPLY CHAINS
Technology outages outpaced adverse weather as a cause of supply chain disruption in 2012. Data breaches and cyber attacks collectively were more disruptive than fire and civil unrest.
CYBER INSURANCE POLICIES
Cyber insurance policies:
Fill many of the gaps in traditional insurance.
Provide direct loss and liability protection for risks created by the use of technology and data in an organization's day-to-day operations.

Risks and the corresponding coverage (the slide rates each risk under traditional policies and under a cyber & privacy policy as "Not typically covered", "May be covered", or "Typically covered"; the per-row ratings are not recoverable from the text):
Legal liability to others for privacy breaches: Privacy Liability, harm suffered by others due to the disclosure of confidential information.
Legal liability to others for computer security breaches: Network Security Liability, harm suffered by others from a failure of your network security.
Loss or damage to data/information: Property Loss, the value of data stolen, destroyed, or corrupted by a computer attack.
Loss of revenue due to a computer attack: Loss of Revenue, business income that is interrupted by a computer attack.
Extra expense to recover/respond to a computer attack.
Cyber Extortion: the cost of investigation and the extortion demand.
Loss or damage to reputation.
Identity theft: expenses resulting from identity theft.
Privacy notification requirements: cost to comply with privacy breach notification statutes.
Regulatory actions: legal defense for regulatory actions.
CYBER RISK INSURANCE EVOLUTION
Cyber insurance policies are able to address:
Protection for claims arising from a failure of computer security to prevent or mitigate a computer attack.
Protection for claims arising from a disclosure or mishandling of confidential information, whether electronic or hard copy.
Protection for the intentional acts of rogue employees and vicarious liability for a privacy breach by third-party vendors or business process outsourcing firms.
Coverage for defense of regulatory actions, including affirmative coverage for assessed fines and penalties.
Cyber policies can also include a fund for public relations and crisis management in connection with a crisis event relating to a failure of computer security or breach of privacy.
MIDSIZE BUSINESS EXPOSURE TO CYBER RISK
Five things every small business should know about cyber crime:
1. Any size organization can fall victim.
2. Small businesses manage information that is of interest to cyber criminals.
3. Cyber criminals unleash 3.5 new threats every second targeting small businesses.
4. Compliance is costly, but noncompliance is costlier and can serve as a window to cybercrime.
5. As small businesses move to the cloud, cyber criminals are not far behind.
Source: Trend Micro Inc.
CHANGING THREAT ENVIRONMENT
[Figure: Evolution of Cybercrime. Copyright 2013 Trend Micro Inc.]
TARGETED ATTACK TACTICAL TRENDS
1. Social and political events will be harbingers of attacks.
2. Localized attacks, such as malware that will not execute unless certain conditions are met (for example, specific language settings or only specific netblocks).
3. The malware used in targeted attacks will have destructive capacity, either as its primary intent or as a cleanup mechanism to cover the attackers' tracks.
Source: Copyright 2013 Trend Micro Inc.
INSURANCE OPTIONS FOR MIDSIZE COMPANIES
Insurance solutions have changed dramatically for midsize companies:
Insurers have adapted products to fit the needs of companies of all sizes, for example a crisis team approach for midsized firms.
It is easier for midsize organizations to apply for coverage.
There is still work to be done:
Marsh is focused on breadth of coverage.
Midsize organizations lack some of the bargaining clout, expertise, and time needed to negotiate terms and conditions.
Marsh is creating a platform to take advantage of coverage enhancements.
RESPONDING TO A CYBER ATTACK: INITIAL STEPS
[Figure: NIST depiction of the Incident Response Life Cycle (NIST SP 800-61 Rev. 2): Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity.]
RESPONDING TO A CYBER ATTACK: INITIAL STEPS
Accurately identify the scope and scale of the incident.
Contain the incident (limit the attacker's access and spread) and close the vulnerabilities that facilitated the attack, preserving evidence as you go.
Neutralize (but not necessarily destroy) malicious code, since it is evidence of how the attack worked.
Remediate the damage, recover from the breach, and return to normal operations as quickly as possible.
Review lessons learned.
RESPONDING TO A CYBER ATTACK: DATA ANALYSIS
External data breach analysis should seek to ascertain:
The initial entry point of the intruder.
How long the intruder had access to the victim's systems.
What areas of the network the intruder accessed.
What, if any, sensitive information could have been exposed.
What legal obligations arise from the breach.
COMMON MISSTEPS IN ATTACK RESPONSE
1. Concluding that a breach has occurred before an investigation has been conducted. Investigation may reveal that the company has suffered an intrusion but that no breach of sensitive information has occurred.
2. Failure to preserve, collect, and analyze critical evidence. Companies often overlook log data and fail to collect vital information from volatile memory, both of which can be key to accurately understanding the scope and scale of a breach.
3. Inability to accurately define the scope of the exposure. Initial assumptions can be misleading. It is important to determine whether data was actually lost or subjected to unauthorized access. A thorough investigation helps establish the universe of data that was compromised.
4. Ineffective communication between technology and legal staff. First responders can unknowingly damage or destroy critical information. It is important to collect and preserve evidence in the process of containing the event.
5. Rushing to notify before the full scope of the breach has been confirmed.
6. Failure to apply lessons learned from the event to prevent future incidents. Updating incident response plans (IRPs), performing vulnerability assessments, and providing training will all help to improve data security posture.
BUSINESS CONTINUITY
Cyber-related business interruption risks:
Public website outages.
Customer portal outages.
Internal operations systems disruption.
Supply chain disruptions.
Communication system disruption.
Cleansing/replacing infected IT equipment.
BUSINESS CONTINUITY
Relative Risk Exposure Spectrum (score per risk element; refer to appendix for details)

Risk Exposure Category        Risk Element                 Score
Outage                        Power                         2.25
                              Capacity                      9
                              Internet Service              3
                              DOS Attack                    3
                              Physical Damages              1.25
                              Upgrade/Maintenance           4
                              CPE Outage                    5.25
Performance                   Latency                       6
                              Capacity congestion           8.75
                              Product Functionality         4
Compliance                    Global expansion              4
                              Industry standards            2
                              Unpr. reg. framework          4
                              Commercial Agreements         5.25
Data Breach (Regulated)       Loss / corrupted              6
                              Leakage / compromise         10
                              Collection practices          9
Data Breach (Non-Regulated)   Loss / corrupted              4
                              Leakage / compromise          4
                              Collection practices          3
Integrity / Security          Security design               5
                              Response to event             3.5
                              Lack of new capabilities      2
                              Lack of patches               5
                              Security coding               5
                              Malware                       3.75
                              Infrastructure complexity     2

Scoring scale: Impact (1-5) x Frequency (1-5) = Risk (1-25). Exposure bands from lowest to highest: Lowest Risk Exposure, Lower Risk Exposure, Medium Risk Exposure, Higher Risk Exposure, Highest Risk Exposure.
INDUSTRY ISSUES
Some industries with a significant amount of activity:
- Financial institutions (due to sheer volume).
- Retail.
- Hospitality.
- Communication, media, and technology.
PRE-LOSS ASSESSMENTS
The potential financial exposures uncovered by pre-loss studies allow firms to assess the path towards managing the risk:
Assess scenarios.
Determine the strength of contingency plans.
Consider redundancies and improved network security and continuity.
Desktop and professional studies:
Understand financial exposure.
Value stream mapping.
Anticipated maximum business interruption loss (AMBIL).
Ensure sufficient risk transfer:
Property, cyber, fraud, and other insurance.
Eliminate gaps in coverage.
Know your exclusions.
MAKING AN INSURANCE CLAIM: COVERAGE
Coverage
Identify the policy(ies) or endorsements that apply.
Know your loss trigger (causation).
You may receive a Reservation of Rights letter. Don't be shocked.
Cyber losses can be difficult adjustments. Insurers will have their team amassed, much more than a single adjuster:
Engineers to establish the scope of loss and causation.
Attorneys to support policy positions.
Forensic accountants to audit the claim.
MAKING AN INSURANCE CLAIM: QUANTIFICATION
Quantification
For any material loss, it is best to retain an experienced claim preparer.
Many policies contain professional fees or claim preparation coverage that will reimburse for this expertise.
Adjusters have their team of experts; you need to put the same expertise on your side of the table.
You know your business: forensic accounting claim preparers know the proper measurement approach and the overall claim process.
MARSH FACS TYPICAL CLAIM PREPARATION PROCESS
[Figure: Marsh FACS typical claim preparation process, shown over two slides.]
This document and any recommendations, analysis, or advice provided by Marsh (collectively, the "Marsh Analysis") are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh's prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman. MA13-12624 Copyright 2013 Marsh Inc. All rights reserved. USDG 5657