NTXISSACSC4 - Cyber Insurance – Did You Know?

@NTXISSA #NTXISSACSC4 Cyber Insurance – Did you Know? Heather Goodnight-Hoffmann, President and Cofounder; Patrick Florer, CTO and Cofounder; Risk Centric Security, Inc. October 7, 2016

Upload: north-texas-chapter-of-the-issa

Post on 23-Jan-2018


TRANSCRIPT

Page 1: NTXISSACSC4 - Cyber Insurance – Did You Know?

@NTXISSA #NTXISSACSC4

Cyber Insurance – Did you Know?

Heather Goodnight-Hoffmann, President and Cofounder

Patrick Florer, CTO and Cofounder

Risk Centric Security, Inc. October 7, 2016

Page 2: NTXISSACSC4 - Cyber Insurance – Did You Know?


Agenda

Why are we talking about insurance?
Why worry?
Risk and Risk Management
Insurance – Why, Who, and What?
Cyber Insurance 101

NTXISSA Cyber Security Conference – October 7-8, 2016

Page 3: NTXISSACSC4 - Cyber Insurance – Did You Know?


Introductions

Heather Goodnight

Global Sales and Business Development Consultant for over 20 years
President and Co-founder of Risk Centric Security, Inc.
Member, RIM Council (Responsible Information Council), Ponemon Institute, since 2010
Co-author and co-analyst of the 2016 NetDiligence© Cost of Cyber Claims report

PatrickFlorer

Information technologist for 37 years
Database designer/statistical analyst in evidence-based medicine for 17 years in parallel
CTO and cofounder of Risk Centric Security, Inc.
Member, RIM Council (Responsible Information Council), Ponemon Institute, since 2009
Distinguished Fellow, Ponemon Institute, since 2012
Co-author and co-analyst of the 2016 NetDiligence© Cost of Cyber Claims report

Page 4: NTXISSACSC4 - Cyber Insurance – Did You Know?


Why are we even talking about this?

Information Security has an important role to play in the insurance purchasing process:
• Information Security knows (or should know) where the snakes live.
• Information Security knows (or should know) where things are done well.

In order to sit at the table with the finance, risk, and legal people, and be a knowledgeable and credible participant, it will be very useful to know something about the subject at hand.

Page 5: NTXISSACSC4 - Cyber Insurance – Did You Know?

38 Companies / 22 Categories

By Charles McLellan | September 15, 2016. © ZDNET http://www.zdnet.com/article/cybersecurity-predictions-for-2016-how-are-they-doing/?ftag=CAD-04-10aab6c&bhid=%%cf_regid%%

Page 6: NTXISSACSC4 - Cyber Insurance – Did You Know?


Why Worry?

Civil Actions and Enforcements/Fines:

Federal Trade Commission (FTC)

Securities and Exchange Commission (SEC)

Health and Human Services Office of Civil Rights (HHS/OCR) – HIPAA/HITECH

FDA – medicines and medical devices

State Attorneys General

EU General Data Protection Regulation (GDPR)

Page 7: NTXISSACSC4 - Cyber Insurance – Did You Know?


Are You Worried Yet?

Guidance and Rules: FTC publications on Data Privacy, Protection of Minors, Mobile Data Privacy, … (many of these)

SEC Guidance: Disclosure of material information security vulnerabilities and events

HHS/OCR – HIPAA/HITECH audits and breach disclosure rules

FDA – Postmarket guidance, safety recommendations

State Attorneys General – breach notification statutes

Page 8: NTXISSACSC4 - Cyber Insurance – Did You Know?


How about now?

Service Level Agreements (SLAs)
Cloud Service Level Agreements:
• Infrastructure providers (IaaS)
• Platform providers (PaaS)
• Managed Service / Software as a Service providers (SaaS)

ISP/Telecom providers
Other Vendors / Supply Chain

PCI DSS (Payment Card Industry Data Security Standard)

Page 9: NTXISSACSC4 - Cyber Insurance – Did You Know?


Really? Not even a bit concerned?

Civil Lawsuits
Lawsuits from individuals
Class Action lawsuits

Criminal actions – rare but possible

Page 10: NTXISSACSC4 - Cyber Insurance – Did You Know?


Why Insurance?

Managing Risk:

Eliminate the Risk

Mitigate the Risk – Policy and Technical Controls

Accept the Risk / Residual Risk

Transfer the Risk

Page 11: NTXISSACSC4 - Cyber Insurance – Did You Know?

What is Risk?

Page 12: NTXISSACSC4 - Cyber Insurance – Did You Know?


What Risk Isn't

[Diagram labels: Vulnerability, Threat]

Page 13: NTXISSACSC4 - Cyber Insurance – Did You Know?


Risk Is

$$$

and/or

Mission Impairment

Page 14: NTXISSACSC4 - Cyber Insurance – Did You Know?


Risk = Frequency and Impact

[Diagram labels: Frequency, Impact, Risk]

Page 15: NTXISSACSC4 - Cyber Insurance – Did You Know?


What is Insurance for?

The duty to indemnify

The duty to defend

Page 16: NTXISSACSC4 - Cyber Insurance – Did You Know?


www.netdiligence.com

Total Data Breach Costs (N=173)

Quartile   Percentile   Cost
First      Min          290
           1.0%         642
           2.5%         1,203
           5.0%         1,811
           10.0%        4,036
           20.0%        9,612
Second     25.0%        12,200
           30.0%        16,243
           40.0%        31,645
Third      50.0%        54,537 (Median)
           60.0%        82,528
           70.0%        106,031
Fourth     75.0%        196,931
           80.0%        271,800
           90.0%        1,110,729
           95.0%        2,820,000
           97.5%        6,962,000
           99.0%        10,417,480
           Max          20,000,000

Average: 648,307
Standard Deviation: 2,227,369
Coefficient of Variance: 3.44

Page 17: NTXISSACSC4 - Cyber Insurance – Did You Know?


Available on October 17, 2016

Total Claims Payouts Costs (N=162)

Quartile   Percentile   Cost
First      Min          1,000
           1.0%         1,116
           2.5%         1,284
           5.0%         1,835
           10.0%        4,181
           20.0%        7,654
Second     25.0%        10,044
           30.0%        12,434
           40.0%        21,252
Third      50.0%        44,513 (Median)
           60.0%        62,848
           70.0%        93,411
Fourth     75.0%        143,017
           80.0%        199,604
           90.0%        880,990
           95.0%        2,490,287
           97.5%        5,436,875
           99.0%        7,840,540
           Max          15,000,000

Average: 479,381
Standard Deviation: 1,660,175
Coefficient of Variance: 3.46

Page 18: NTXISSACSC4 - Cyber Insurance – Did You Know?


Who are the key players?

The Insured

The Broker/Agent

The Underwriter

The Actuary

The Insurer/Carrier

The ISO

Page 19: NTXISSACSC4 - Cyber Insurance – Did You Know?


Who are the key players?

The Insured

The Broker/Agent

The Underwriter

The Actuary

The Insurer/Carrier

The ISO – the Insurance Services Office

Page 20: NTXISSACSC4 - Cyber Insurance – Did You Know?


Key Terms

Policy

Risk/Peril

Retention

Limits/Sub-limits

Exclusions

Re-insurance


Page 21: NTXISSACSC4 - Cyber Insurance – Did You Know?


Some Types of Business Insurance

CGL – Commercial General Liability Insurance

Crime Insurance

D&O – Directors' and Officers' Insurance

E&O (PLI/PII) – Errors and Omissions Insurance
(sometimes called Professional Liability or Professional Indemnity Insurance)

K&R – Kidnap and Ransom

Cyber Insurance

Page 22: NTXISSACSC4 - Cyber Insurance – Did You Know?


Cyber Insurance

Relatively recent development
10 – 15% market penetration

50 – 100 Insurers actively involved
Most policies written by top 5 Insurers

Total market capacity is still limited

High coverage limits involve large retentions and multiple layers of re-insurance (towers)

Role of Captive Insurance is unclear

Page 23: NTXISSACSC4 - Cyber Insurance – Did You Know?


Cyber Insurance: What are you buying?

The devil, as always, is in the details. Coverage may include:

Business disruption/interruption and restoration expenses
Network intrusions
Data exposure – intentional and accidental
Crisis Management Services:
• Forensics
• Public Relations
• Notification and Credit monitoring
• Legal Guidance

Legal Expense and Fines due to Regulatory Actions
Legal Expense and settlements due to lawsuits (individuals, class actions, PCI, …)

Page 24: NTXISSACSC4 - Cyber Insurance – Did You Know?


Cyber Insurance: What you may not be buying

To repeat: the devil, as always, is in the details. CGL insurance may or may not cover cyber events – it depends upon the contract.

Crime insurance probably doesn't cover digital events perpetrated by criminals

Cyber coverage may not include:
• Actual ransoms paid
• Money that was wire transferred due to fraudulent inducements

Professional liability insurance (PLI/E&O) may or may not cover cyber events – it depends upon the contract.

Page 25: NTXISSACSC4 - Cyber Insurance – Did You Know?


The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)

Thank you