Georgios Tsinos, Chief Information Security Officer (CISO)
Athens, 18/03/2019
The Cyber Insurance weapon in the Cyber Security battlefield
“The Ethniki” Hellenic General Insurance Co. SA
• 128 years of uninterrupted (and through war!) operation in Greece.
• Leads the domestic insurance sector, with the largest market share, 14.94% (31/12/2017).
• €50.1m are the posted earnings, before taxes, in the first 9 months of 2018.
• Under the new Solvency II, the Solvency Capital Requirement is set at 31/12/2017 at 200% at Group level.
The Economist - 18.03.2019
Cyber Sphere Challenges - The Battlefield
• New technology adoption (AI, Cloud, IoT, etc.)
• Existing complex IT environment
• New strict regulations
• Time to market (Continuous Integration / Delivery)
• New threats (5th generation – mega / targeted)
• Lack of skilled resources
Global Security Landscape and Predictions
• Market trends: $143b and an annual growth rate of 7.8% for the information security market from 2017 through 2022 [1]
• Security services: 40% of organizations will spend on risk management due to new technology, and 50% of security software will be delivered as a service by 2020 [1]
• Cost predictions: $3t by 2020, the possible cost of cyberattacks and new regulations [3]
• Statistics: $3.62m average cost of a data breach in 2018 [2]

Sources:
1. Gartner - 3875867/forecast-information-security-worldwide-
2. EY - global-information-security-survey-2018-2019
3. WEF - /hyperconnected-world-2014/
Preventive Protection through Cyber Insurance Coverage - The Weapon
Technology / Process / People
Transfer risk when Impact >> and Probability <<
Risk Treatment Option: CRISC - ISACA
Note: Legal liability is NOT transferred
Scenario: Cyber extortion, business interruption and privacy breach on an Organization - part 1
The CEO of a telecom organization receives an email demanding a ransom of €500,000 in bitcoins within 24 hours, or else anonymous hackers will release sensitive customer information (a sample of which is provided in the email) and shut down critical business systems.
• The CISO (Chief Information Security Officer) hires a third-party forensic firm, which determines that the threat is real and that more than 500,000 sensitive customer records have been accessed.
• The organization notifies law enforcement.
Preparing for cyber insurance (Insurance Europe, Ferma, bipar, Aon, March)
Scenario: Cyber extortion, business interruption and privacy breach on an Organization - part 2
Before the organization can make a decision regarding the ransom (note: the 24-hour deadline has passed), the hackers release half of the records obtained. They have also managed to make some critical networks inaccessible, so clients/employees are not able to access critical systems or process orders.
• The organization hires legal counsel to assist with notifications to individuals impacted by the breach.
• Another vendor is hired to handle the public relations response.
• The critical systems remain down for ten days, impacting customer orders and general operations. The organization suffers loss of income and incurs significant expenses related to the outage and to restore the business to operation.
• Two weeks after the breach notice was issued, a class action suit is filed alleging failure to properly protect private information.
Preparing for cyber insurance (Insurance Europe, Ferma, bipar, Aon, March)
Outcome – Costs (Direct / Indirect)
Direct costs:
• Forensics to end the threat and secure the systems. Extra services to determine exactly what information was accessed by the hacker.
• Breach coach to determine what obligations the organization has and which laws it will need to comply with.
• Defense costs as a result of the class action lawsuit.
• Call center cost to respond to enquiries from concerned clients.
• Crisis management/public relations team to control the public narrative relating to the breach.
• Loss of revenue coverage.
Indirect costs:
• Reputation impact
• Regulatory fines
Preparing the dialog on Cyber Insurance

General Business Information. Involved: Finance/Treasury, Legal, Investments, Risk etc. Understand the links between the business profile and cyber threats (sector, type of products, B2B – 1st party losses, B2C – 3rd party losses, geography (laws / jurisdictions), budget, annual turnover etc.)

Cyber Security Corporate Culture. Involved: HR, CISO, DPO. The human component (all, not only IT) – ability to raise awareness and train teams.

Information Security. Involved: CISO, IT Security, CIO, IT Audit, DPO, Legal, Procurement. Information system security, holistic approach:
• Identification of sensitive data and critical equipment
• Authentication (roles & access): access to critical information & systems
• Mobile working: data leakage through mobile devices
• Networks (segmentation, WiFi, secure connections etc.): risks and possible outage
• Administration (SoD and rights, correct configuration, secure access (2FA) etc.): any serious gap
• Industrial Control Systems (power supply): large business interruption
• IT suppliers: SLAs in contracts
• IT update management: centralized & automated for continuous maintenance
• Ongoing assessment: systematic tracking of weak points
• Personal data: GDPR needs
Preparing for cyber insurance (Insurance Europe, Ferma, bipar, Aon, March)
“The Ethniki” Approach
“The Ethniki” is using “tailor made” approach solutions on Cyber Insurance products. It combines third-party liability coverage and first-party losses.
Thank you
End note
The Economist 2019