The Cyber Insurance weapon in the Cyber Security battlefield

Georgios Tsinos, Chief Information Security Officer (CISO)
Athens, 18/03/2019

TRANSCRIPT

Page 1: The Cyber Insurance weapon in the Cyber Security battlefield

Georgios Tsinos, Chief Information Security Officer (CISO)

Athens, 18/03/2019

Page 2: "The Ethniki" Hellenic General Insurance Co. SA

• 128 years of uninterrupted (and through war!) operation in Greece.

• Leads the domestic Insurance Sector, with the largest market share, 14.94% (31/12/2017).

• €50.1m are the posted earnings, before taxes, in the first 9 months of 2018.

• Under the new Solvency II, the Solvency Capital Requirement is set at 31/12/2017 at 200% at Group level.

The Economist - 18.03.2019

Page 3: Cyber Sphere Challenges - The Battlefield

• New Technology adoption (AI, Cloud, IoT, etc.)

• Existing Complex IT Environment

• New Strict Regulations

• Time to Market (Continuous Integration / Delivery)

• New Threats (5th Generation – Mega / Targeted)

• Lack of Skilled Resources

Page 4: Global Security Landscape and Predictions

• Market Trends: $143b and annual growth rate of 7.8% for the information security market from 2017 through 2022 [1]

• Security Services: 40% of organizations will spend on Risk management due to new technology and 50% of security software will be delivered as a Service by 2020 [1]

• Cost Predictions: $3t by 2020, possible cost of cyberattacks and new regulations [3]

• Statistics: $3.62m average cost of a data breach in 2018 [2]

Sources:
1. Gartner - 3875867/forecast-information-security-worldwide-
2. EY - global-information-security-survey-2018-2019
3. WEF - /hyperconnected-world-2014/

Page 5: Preventive Protection through Cyber Insurance Coverage - The Weapon

Technology / Process / People

Transfer risk when Impact >> and Probability <<

Risk Treatment Option: CRISK - ISACA

Note: Legal liability is NOT transferred

Page 6: Scenario: Cyber extortion, business interruption and privacy breach on an Organization - part 1

The CEO of a telecom organization receives an email demanding a ransom of €500,000 in bitcoins within 24 hours, or else anonymous hackers will release sensitive customer information (a sample of which is provided in the email) and shut down critical business systems.

• The CISO (Information Security Officer) hires a third-party forensic firm, which determines that the threat is real and that more than 500,000 sensitive customer records have been accessed.

• The organization notifies law enforcement.

Source: Preparing for cyber insurance (Insurance Europe, Ferma, bipar, Aon, March)

Page 7: Scenario: Cyber extortion, business interruption and privacy breach on an Organization - part 2

Before the Organization can make a decision regarding the ransom (note: the 24-hour deadline has passed), the hackers release half of the records obtained. They have also managed to make some critical networks inaccessible, so clients/employees are not able to access critical systems or process orders.

• The organization hires legal counsel to assist with notifications to individuals impacted by the breach.

• Another vendor is hired to handle the public relations response.

• The critical systems remain down for ten days, impacting customer orders and general operations. The organization suffers loss of income and incurs significant expenses related to the outage and to restoring the business to operation.

• Two weeks after the breach notice was issued, a class action suit is filed alleging failure to properly protect private information.

Source: Preparing for cyber insurance (Insurance Europe, Ferma, bipar, Aon, March)

Page 8: Outcome – Costs (Direct / Indirect)

Direct:

• Forensics to end the threat and secure the systems. Extra services to determine exactly what information was accessed by the hacker.

• Breach coach to determine what obligations it has and which laws it will need to comply with.

• Defense costs as a result of the class action lawsuit.

• Call center cost to respond to enquiries from concerned clients.

• Crisis management/public relations team to control the public narrative relating to the breach.

• Loss of revenue coverage.

Indirect:

• Reputation Impact

• Regulatory Fines

Page 9: Preparing the dialog on Cyber Insurance

General Business Information (Involved: Finance/Treasury, Legal, Investments, Risk etc.): Understand links between business profile and cyber threats (Sector, Type of products, B2B – 1st party losses, B2C – 3rd party losses, Geographical (Laws / Jurisdictions), Budget, Annual Turnover etc.)

Cyber Security Corporate Culture (Involved: HR, CISO, DPO): The human component (all, not only IT) – ability to raise awareness and train teams

Information Security (Involved: CISO, IT Security, CIO, IT Audit, DPO, Legal, Procurement): Information System Security holistic approach

• Identification of sensitive data and critical equipment

• Authentication (Roles & Access): access to critical information & systems

• Mobile Working: data leakage through mobile devices

• Networks (segmentation, WiFi, secure connections etc.): risks and possible outage

• Administration (SoD and rights, correct configuration, secure access (2FA) etc.): any serious gap

• Industrial Control Systems (Power supply): large business interruption

• IT Suppliers: SLAs in contracts

• IT Update Management: centralized & automated for continuous maintenance

• Ongoing Assessment: systematic tracking of weak points

• Personal Data: GDPR needs

Source: Preparing for cyber insurance (Insurance Europe, Ferma, bipar, Aon, March)

Page 10: "The Ethniki" Approach

"The Ethniki" is using "tailor made" approach solutions on Cyber Insurance products. It combines third-party liability coverage and first party losses.

Page 11: Thank you

End note: The Economist 2019