Navigating Cyber Risk Exposure and Insurance
Stephen Wares, EMEA Cyber Risk Practice Leader, Marsh

Presentation Format: Four Key Questions
1. How important is cyber risk and how should we view the cyber threat?
2. To what extent do European organisations have a clear and documented understanding of their cyber risk profile, and how can this be improved?
3. Where are the gaps in knowledge and data that might impair an organisation's ability to make informed risk transfer choices?
4. Are the insurance products available meeting client demand, or is the insurance market developing a product that clients do not believe they need?
How important is cyber risk and how should we view the cyber threat?

Importance of cyber risk: context, national level (UK)
"Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial, and economic targets, including critical services, could feasibly be disrupted by a capable adversary."
National Security Strategy, October 2010.

Importance of cyber risk: context, national level (USA)
"Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed."
Senate Armed Services Committee, February 2015.

Importance of cyber risk: context, European Cyber Risk Survey 2015
Where does cyber risk feature in the corporate risk register?
  Top five risk: 25%
  Top ten risk: 17%
  Outside the top 10: 28%
  Not on the corporate risk register: 30%
The fact that over half of all organisations surveyed do not have cyber risk within the top 10 items on the risk register would suggest a divergence from the government view.
To what extent do European organisations have a clear and documented understanding of their cyber risk profile, and how can this be improved?

Understanding of Cyber Risk: context, European Cyber Risk Survey 2015
To what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?
  No understanding: 4%
  Limited understanding: 26%
  Basic understanding: 49%
  Complete understanding: 21%
79% of organisations reported that they have, at best, a basic understanding of their cyber risk profiles.

Understanding of Cyber Risk: context, European Cyber Risk Survey 2015
Have you identified one or more cyber scenarios that could most affect your organisation? (Yes / No)
The fact that only slightly more than half (57%) of respondents have identified one or more cyber scenarios that could most affect their organisations would suggest that the lack of a complete understanding, and the absence or low positioning of cyber on the risk register, is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their business.

Understanding Cyber Risk: context, European Cyber Risk Survey 2015
[Chart: who takes primary responsibility for cyber risk, by country (Ireland, UK, Poland, Italy, Spain, Austria & CEE, Russia, Cyprus, Germany, Netherlands, Sweden, Portugal, France, Denmark, Switzerland, Turkey, Belgium, Total Europe); categories: IT function including security / Board / Risk management]
IT departments continue to take primary responsibility for cyber risk in the majority (65%) of organisations.

Understanding Cyber Risk: Marsh/HM Government, UK Cyber Security Report, Taxonomy

Understanding Cyber Risk: Marsh/HM Government, UK Cyber Security Report, Risk Profile for a Large Business (Insurer View)
Understanding Cyber Risk: Scenario Gathering Process
1. Set parameters
   Which group companies and business divisions are in scope?
   Malicious events versus non-malicious events.
   Map the IT value chain.
2. Gather exposure data
   Single-day workshop.
   Structured interviews.
   Questionnaire.
   Select from a menu.
3. Refine to create risk scenarios for material exposures
   Amalgamate common/similar items.
   Write up as a scenario that can be considered for quantification.
   Remove immaterial items; reallocate any that don't fit the parameters.

Understanding Cyber Risk: Scenario Example
Actor: Criminal
Motivation: Acquisition of payment card details
Means of access: Remote via internet
Point of attack: Point of sale devices
Damage:
  Investigation/response costs
  PCI fines and assessments
  Regulatory (ICO) fines and costs
  Civil compensation claims (banks, customers, shareholders)
  Reputational income loss
Where are the gaps in knowledge and data that might impair an organisation's ability to make informed risk transfer choices?

Preparedness for Risk Transfer
1. An understanding of the event that is to trigger an insurance policy.
2. An appreciation of the likely quantum.
3. An appreciation as to the likely frequency of the triggering event.
Preparedness for Risk Transfer: context, European Cyber Risk Survey 2015
[Chart: loss estimates made, by country (UK, Poland, Turkey, Switzerland, Sweden, Spain, Russia, Portugal, Netherlands, Italy, Ireland, Germany, France, Denmark, Cyprus, Belgium, Austria & CEE); bands: EUR1 million or below / EUR1 million to EUR2 million / EUR2 million to EUR5 million / EUR5 million and above / No loss estimates made]
The majority of organisations (68%) have not yet made any attempt to estimate or calculate loss estimates, making it difficult to direct mitigation efforts to the areas of most potential harm.

Preparedness for Risk Transfer: Expert Judgement Scale
1 Negligible
  Financial: <$1m (max of 1% EBITDA)
  Reputation: Public concern restricted to local complaints
  Service / Operations: Insignificant fall in service quality, limited interruption to partnerships, insignificant effect on service standards
2 Significant
  Financial: $1m-$4.9m (max of 4% EBITDA)
  Reputation: Minor adverse local/public/media attention and complaints
  Service / Operations: Minor fall in service quality, interruption to partnerships, some minor service standards are not met
3 Major
  Financial: $5m-$8.9m (max of 8% EBITDA)
  Reputation: Serious negative national or regional criticism
  Service / Operations: Major fall in service quality, major partnerships deteriorating, ongoing serious disruption in service standards
4 Catastrophic
  Financial: >$9m (exceeds 8% EBITDA)
  Reputation: Prolonged international, regional and national condemnation
  Service / Operations: Catastrophic fall in service quality, failure of several major partnerships, complete failure in service standards

Preparedness for Risk Transfer: Expert Judgement
Are the insurance products available meeting client demand, or is the insurance market developing a product that clients do not believe they need?

Suitability of Insurance Products: context, European Cyber Risk Survey 2015
The insurance market continues to address the issues that represent organisations' greatest concerns.

Suitability of Insurance Products: context, European Cyber Risk Survey 2015
The insurance market appears to be innovating in the right direction to address the primary concern of risk managers.

Suitability of Insurance Products: context, European Cyber Risk Survey 2015
Over half (57%) of respondents admit to having insufficient knowledge to assess the insurances available.

Suitability of Insurance Products: The Insurance Communications Gap
Is this a conscious decision not to purchase following a thorough evaluation of the available insurance products, or are companies not yet in a position to approach the market due to a lack of risk profiling in their own organisations?

Further Reading
Navigating Cyber Risk Exposure and Insurance: Thank you
The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such. In the United Kingdom, Marsh Ltd is authorised and regulated by the Financial Conduct Authority. Copyright 2015 Marsh Ltd. All rights reserved.
Cyber Insurance Update: Policy Basics
First Party Coverage
  Business Interruption
  Loss of First Party Data
  Cyber Extortion
  Customer Notification Expenses
  Reputational Damages
Third Party Coverage
  Network Security Liability
  Privacy Liability
  Multimedia Liability
  Loss of Third Party Data

Cyber Insurance Update: Coverage Trends
  Contingent Business Interruption
  Administrative Costs Coverage
  Regulatory Fines and Penalties Coverage
  Emergency Costs
  Crime Coverage
  Bodily Injury / Property Damage Extensions
  Cyber Exclusions under Traditional Property & Casualty Policies

Cyber Insurance Trends: Evolving Cyber Proposition (Product Proposition)
Cyber Insurance Update: Post-Breach Remediation
Within 1 hour
  Notification to Incident Manager (24/7/365)
  Incident Manager appointed
  Incident Manager's first call with the Insured
2-5 hours
  Incident Manager appoints specialists
  Triage call with all stakeholders
  Next steps and actions agreed; immediate mitigations if appropriate
5-24 hours
  Specialist(s) investigations and discussions underway
  Stakeholder update conference call(s)
  Clear Discovery Plan emerges
24-48 hours
  Specialists' initial reports
  Stakeholder update conference call(s)
  Clear Solution Plan emerges

Cyber Insurance Update: Pre-Breach Services
  Risk Assessments
  Contractual and Regulatory / Legal Review
  Analysis of Security & Privacy Practices
  Systems Monitoring
  Incident Response Planning
  Business Continuity Enhancement

Cyber Insurance Update: Purchasing Trends
[Chart: percentage of organisations purchasing cyber insurance, 2011-2015, for the U.S., Europe and Asia (y-axis 0%-70%)]
Source: Zurich / Advisen Information Security & Cyber Liability Risk Management Reports for U.S. and Europe, 2011-2015
Cyber risks, a view from the industry
Philippe COTELLE, Head of Insurance Risk Management

A new industrial revolution
Where the aeronautics industry stood a century ago is where we see this new revolution in the coming decade:

Cyber risks exposure
Internet: a tool allowing the sharing of information between people in order to create an open world.
Difficulty in protecting companies and their data from the outside.

What are the obstacles to a good assessment of our cyber risks?
  Wrong perception
  Confidentiality
  Reputation
SPICE initiative (Scenario Planning to Identify Cyber Exposure)
A programme for business impact analysis on disaster scenarios affecting our operational capabilities related to a cyber event.
Gathering representatives of all the functions, as well as IT and IM Security, to overcome 3 hurdles:
  Explain to the operational people that we need them.
  Address the security issue with extreme care.
  Be prepared to openly discuss some potential scenarios of exposure.
No company shall assume that it is impossible to be hacked.

Scenario identification
  Focus on disaster scenarios
  Clear hypothesis
  Scenario identification

Assessing financial costs
Assessing the financial cost of each scenario:
  Split scenarios into 4 different phases
  Simplify the list of impacted functions
  Compute over/under charge per scenario, per phase
Phases:
  Phase A: Security Breach Detection
  Phase B: Security Breach Crisis
  Phase C: Remediation Investments
  Phase D: Vigilance
[Chart: financial costs of Scenario x by phase; illustrative values 10 (A), 46 (B), 88 (C), 22 (D)]

Assessing financial costs: lessons learned
  NUMBERS are related to our financial exposure.
  There is no final number.
  The objective is to reach a consensus: acceptable by everyone, valid for our analysis.
Evaluate probability of occurrence
Quantify the technical probability of a scenario succeeding:
  For each step of a given scenario, identify the technical ways to proceed.
  Rate each step with a probability of occurrence (using the internal probability scale).
  Assessment performed by the local Information Management Security.
  APT Kill Chain description used in the technical threat scenario.

Evaluate probability of occurrence: lessons learned
Same method but different numbers!? Two different approaches:
  1. Given the defence systems in place, in order to be successful the attacker would have to gather so many different skills and resources that this was very unlikely to be plausible. As such, the probabilities were very low.
  2. If an attacker was seriously considering hacking a major company, then this must be a very strong organisation which in itself should have gathered all those unique skills and resources. Therefore, their probabilities were higher.
Need a homogeneous approach: associate with each scenario the type of hacker and their motives.

Next Steps
Provide a rationale for the mitigation strategy: risk identification, risk assessment, risk response.
  Cost of implementing IT security.
  Justify the interest of the transfer to insurance, both for coverage and premium budget.
  IT investment and mitigation measures reduce the probability and severity of occurrence; insurance then becomes complementary (and not competitive) to IT measures and can be an efficient financial tool.
[Chart: IT investment makes sense to mitigate the exposure up to a point; beyond it the insurance premium cost is efficient (x-axis: % of mitigation)]
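The scenario quantification above (cost per phase, a kill chain of rated steps, the expert-judgement severity bands, and the mitigation-versus-insurance trade-off) can be carried through end to end. The following is an added illustration, not Airbus Group's or Marsh's own tooling; the scenario, its phase costs and its step probabilities are constructed figures, and the cost units are assumed to be USD millions so the Marsh severity scale applies.

```python
from dataclasses import dataclass
from math import prod

# Financial bands from the expert-judgement slide (USD millions, upper bound).
SEVERITY_BANDS = [(1.0, "Negligible"), (5.0, "Significant"), (9.0, "Major")]

@dataclass
class Scenario:
    name: str
    phase_costs: dict   # Phase A-D -> estimated cost, USD millions (constructed)
    step_success: list  # kill-chain steps, P(step succeeds), from internal scale

    def total_cost(self) -> float:
        return sum(self.phase_costs.values())

    def probability(self) -> float:
        # The attacker must succeed at every step, so multiply the step ratings.
        return prod(self.step_success)

    def expected_loss(self) -> float:
        return self.probability() * self.total_cost()

def severity_band(cost_musd: float) -> str:
    """Map a loss figure onto the deck's Negligible..Catastrophic scale."""
    for upper, label in SEVERITY_BANDS:
        if cost_musd < upper:
            return label
    return "Catastrophic"

def mitigation_vs_insurance(scn: Scenario, mitigation_cost: float,
                            prob_reduction: float, premium: float) -> dict:
    """Expected loss before/after an IT investment that cuts the scenario
    probability by prob_reduction, plus two crude decision checks."""
    before = scn.expected_loss()
    after = before * (1.0 - prob_reduction)
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "mitigation_worthwhile": (before - after) > mitigation_cost,
        "premium_below_residual": premium < after,  # insurance as complement
    }

def example_scenario() -> Scenario:
    # Constructed figures; the phase split reuses the deck's 10/46/88/22.
    return Scenario(
        name="Ransomware halts final assembly line (hypothetical)",
        phase_costs={"A detection": 10, "B crisis": 46,
                     "C remediation": 88, "D vigilance": 22},
        step_success=[0.9, 0.5, 0.4, 0.25],  # initial access .. impact
    )
```

With these figures the scenario is Catastrophic on severity but carries an expected loss of 7.47 (USD millions); a mitigation that cuts the probability by 60% for a cost of 2 is worthwhile, and the residual expected loss still exceeds a premium of 0.5, which is the complementary role the slide argues for.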
Challenges
The process needs to be performed regularly and be as exhaustive as possible:
  a strategy for managing the roll-out of this process across the entire organisation, products and countries;
  an efficient process that is manageable with the operational teams.

Challenges
The insurance market also needs to face several challenges:
  Conditions of dialogue with the insurers
  Problem of reputation in case of a claim
  Claim settlement

Conclusion
Our mission: to support technological development and to develop the conditions for securing and mitigating the unavoidable risks that such opportunities generate.
Cybersecurity is one of the key priorities for Airbus Group.
A dedicated entity: Airbus DS Cybersecurity. Its products and services are also offered to external companies to fight against cyber threats.
Active cyber risk management is a key message towards external stakeholders.
Standards for cyber risk assessment will be necessary.

Don't forget! Your evaluation and comments are the only way for FERMA to obtain information in order to improve the quality of the sessions. Please fill in the documents given to you by our hostesses, or use the mobile application and earn points for the Leaderboard game!

Thank you!