what is cyber risk worth to your organization? prepared for orims · 2017. 7. 1. · legal defense...

What Is Cyber Risk Worth To Your Organization?

Prepared for ORIMS May 31st, 2017

Gregory EskinsNational Cyber Practice [email protected]

© 2017 Marsh Canada Limitée 1

Agenda

• Cyber Risk Management Principles

• Focus #1: Cyber Risk Quantification

• Focus #2: Emerging Risk Considerations

• Coverage Considerations

• Takeaways

© 2017 Marsh Canada Limitée

http://funpicc.blogspot.ca/2011/04/your-password-is-incorrect-will-ferrell.html

2

3

Cyber Risk Management Principles


“In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed. ”– Director of National Intelligence James R. Clapper

Worldwide Cyber Threats Testimony, Sep. 10, 2015

4


Objectives of Cybersecurity

Confidentiality• Restricting access to

information.• Control over

information.

Integrity• Consistency,

validity, and fitness for use.

• Alignment with intended meaning.

Availability• Timely access.• Usefulness for

purpose.

5


What Makes Cyber Risk Different?

Cyber Risk is a Game Played Against an Adversary

Cyber Past Does Not Predict Cyber Future

Cyber Risk is Extremely Volatile Cyber Risk is Interconnected and Interdependent


What Drives Cyber Threats: Sophistication versus Motivation

MOTIVATIONto hack the Company

“Why would a Threat Actor attack

this Company?”

SUSCEPTIBILITYof the Company

(People, Process, Technology)

“How strong a Threat Actor does it take to break into this

Company?”

7


Living with Cyber Risk

Avoidance Mitigation Transfer Acceptance

Risk Management Options

8


Risk Mitigation vs. Risk Transfer: Not Alternatives or Mutually Exclusive

Risk Mitigation

• Owner: InfoSec

• Est. Cost: 5-6% of IT Budget

• Target: Reducing frequency

Risk Transfer

• Owner: Treasury / Risk Mgmt.

• Cost: 1% - 4% rate on-line

• Target: Reducing severity

9


Impact of Preparedness on the Cost of a Cyber Breach

Cost CategoryMINIMUM

CostsWhat Can Drive Costs Higher?

MAXIMUMCosts

Public Relations, Notification & Call Center $1.3M

Amount of TIME lapsed before breach is discovered

NUMBER and TYPE of records breached

Organization’s ABILITY TO MANAGE the crisis

Availability of post-breach RESPONSE SERVICES

LENGTH and COMPLEXITY of legal defense

Whether the organization is found to be NEGLIGENT

$7.2M

IT Investigation & Remediation $1.1M $6M

Credit Monitoring and Identity Protection $3M $9M

Regulatory Fines / Penalties $0 $100K

Class Action Legal Defence & Settlement $2.7M $14.2M

Total Loss $8.1M $36.5M

10


The NIST Five Domains of Cybersecurity

NIST Cyber Security Domains

Identification• Cyber security governance• Asset management • Cyber security risk management

Protection• Access management • Cyber security awareness• Data protection

Detection • Analysis of anomalies and events • Detection processes and procedures

Response• Incident response plan• Incident analysis and mitigation• Crisis management

Recovery• Disaster Recovery• Business Continuity• Insurance and third parties

11


Relative Maturity of Sampled Organizations (our field experience)

NIST Cyber Security Domains

Identification

Protection

Detection

Response

Recovery

12


• 100% of victims had firewalls and up-to-date anti-virus solutions

• Over 95% of attacks start with spear phishing campaigns

• Most organizations only realize they have been compromised when data has been stolen

• Median days before attack detection:

Cybersecurity facts related to advanced attackscourtesy of a collaborative firm: Mandiant (a FireEye company)

416

243 229 205146

2011 2012 2013 2014 2015

13


• Identify Cyber Risk Scenarios

• Quantify Exposures & Cost

What can go wrong and how much?

• Close Technical Security Gaps

• Align With Best Practices

• Optimize Risk Transfer

What can be done?

• Know Dollars At Risk

• Know Potential Actions

⇒ Balance Economically Risk Acceptance And Cyber Security Investment

Make informed decisions

How to Improve your Cyber Risk Posture

14

15

Focus #1: Cyber Risk Quantification


Malicious Acts External Accidents

System Disruptions

Integrity

Confidentiality Availability

Systems

Identification of Cyber Risk Scenarios

17


Most Common Cyber Risks

� Cyber Extortion

� Theft of Marketable Data: Retail / Market / IP

� Embezzlement

� Infrastructure or Technology Disruption / Destruction

� Confidential Information Leak, Website Defacement

� Cyber War, Espionage, Influence on Politics, Dissuasion…

Without malicious intent:

� Loss of Portable Device, Data Storage

� Accidental Data Corruption, Software Bug

� Interruption of Systems, Telecommunication, Power Outage

18


Quantification: What Impacts?

Investigation and Remediation

• Forensic investigation

• Remediation to repair or replace systems

Business Interruption • Costs associated with business downtime

Crisis Services & Data Privacy Impacts

• Identity theft repair and protection, credit monitoring

• Public relations, notification, and call center services

Claim Settlement & Legal Defence

• Payouts for class action / claim settlements with customers, employees, third parties, financial institutions, etc.

• Associated legal fees

Regulatory Fines or Penalties

• Fines for government and payment card regulators/associations law violations

19


Credit Card Data Breach Scenario Consequences

TotalImpact

($M)FI HI RI Fq.

The network is breached by a cyber crime attacker, 400,000 credit card numbers are stolenand sold on the black market. The incident is published in the press thus negatively impacting the organization’s reputation –victims, including card owners, Payment Card Companies, etc. engage a successful class action

• Disclosure of credit card information : 400 000 records

• Forensic investigation and remediation costs: $2M

• Notification costs: $250K

• Legal Defense costs : $10M

• ID Theft, Identity Monitoring, Credit Monitoring: $600K

• Third Party Call Center for Crisis Services: $200K

• Class action settlement for payment card companies and financial institutions: $6.5M

• Class action settlement for victims: $1.25M

• Regulatory penalties and fines: $479K

• Public relations: $200K

$21.48M 4 1 4 2

RI = Reputational Impact

FI = Financial Impact

Fq.= Frequency

HI = Human Impact

Legend

3 = High

1 = Low

4 = Severe

2 = Moderate

Scale

Data Breach Scenario Sample

20


Critical Infrastructure Damage and Disruption Scenario Consequences

TotalImpact

($M)FI HI RI Fq.

A hacker gains access to operational controls through an internet portal intending to damage the infrastructure. This is accomplished using the industrial control system. Assets are damaged and operations are interrupted leading to 6 months downtime until systems are controlled and repairs are completed. Gross negligence in cybersecurity allows a client and employee lawsuits to be successful.

• Investigation and Remediation: $14M

• Asset repair costs: $105M

• Business Interruption costs: $21M

• Class action settlement and legal costs: $19M

$159M 4 1 3 1

RI = Reputational Impact

FI = Financial Impact

Fq.= Frequency

HI = Human Impact

Legend

3 = High

1 = Low

4 = Severe

2 = Moderate

Scale

Critical Infrastructure Damage Scenario Sample

21


Risk Tolerance Estimation

Annual cost of risk lower than expected

Visible impact on KPIs

Probability

Annual expected cost of risk

Average severityAffordable cost drift

High severityUnaffordable cost drift

Total claims ($)

Need for at least specific communication up to capital increase

Low impact

L1

L2

L1 – How much you can afford to lose before a visibl e impact on forecasted earnings?

L2 – How much you can afford to lose before altering the corporate strategy?

22


Risk NameFinancial

Impact ($M)

Critical infrastructure damage 159.

Credit card data breach 21.4

Privacy breach of customer PII data 4.00

Third party data center fire 3.50

Advanced persistent threat results in tracking & theft of sensitive data 3.00

Hacktivist targeting, website defacement & media exposure 1.50

Malware used in targeted attacks causes destruction of assets 0.75

Corporate office fire 0.50

Data corruption due to inadequate patch 0.20

Interruption of the third party data center / DOS attack 0.20

L2

L1

Cyber Risk Quantification Results

L2 Risk Tolerance Level /Threshold 2: A loss exceeding this amount would require revision of the Strategic Plan

L1 Risk Tolerance Level /Threshold 1: A loss beyond this amount would be visible on performance indicators

23

Focus #2: Emerging Risk Considerations


Insurance


Insurance Innovation is Running after Technology the 4th Industrial Revolution

2,500,0007,000,000

28,000,000

0

20,000,000

40,000,000

60,000,000

80,000,000

100,000,000

120,000,000

1992Windows 3.1

1996Windows NT 4.0

2000Windows 2000

2016

Num

ber

of li

nes

of s

oftw

are

code

s

Average lines of code/software in a

high-end model

100,000,000

26


What Makes IoT a Challenging Risk Issue?

• A massive attack surface allowing for many point potential points of entry; examples:Automobiles: many are wif fi enabled with entertainment systems connected to your device and the internetSmart buildings: HVAC systems, lighting, elevators, etc.

• These devices and products do not require human intervention to operate, and as such,

• Device to device communication increases the risk that an unauthorized device / attacker will attempt to infiltrate your network

• Security is generally not built into the architecture


What Makes IoT a Challenging Risk Issue?

Key Findings from the DYN Ddos Attack

• The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP (transmission control protocol) and UDP (user datagram protocol) traffic over port 53.

• Dyn confirms Mirai botnet as primary source of malicious attack traffic.

• Attack generated compounding recursive DNS retry traffic, further exacerbating its impact.

In short, IoT devices were compromised allowing for a massive and sustained attack on a Domain Name System provider (DYN).

Source: https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/


Privacy & IoT

Lawsuit over Ottawa company's Internet-connected se x toys settled for $3.75 million US

• Internet enabled device connected to an application allows users to remotely control the device and allows for private texts messages and video calls

• 300,000 people own the device with 1/3 using the application

• The suit claimed a lack of explanation about how and what sensitive information was being generated and for what purpose

The company has since overhauled its privacy policy to make it easier for users to understand how data is collected and what it is used for. Source: http://ottawacitizen.com/business/local-business/lawsuit-over-internet-connected-sex-toys-settled-for-3-75-million-us


Privacy & IoT

• Customer profiling – tracking via IoT means the tracking of devices/products/components with the general aim being to better understand the motivation and behaviour of people

• Accountability – who is accountable for actions taken by an inanimate object?

• Transparency– what information is being collected, and for what purpose?

• Consent model – is informed consent being secured and how easy is it to Opt In vs. Opt Out?

Source: The Internet of Things; Research paper prepared by the Policy and Research Group of the Office of the Privacy Commissioner of Canada ; February 2016


Coverage Considerations


• Evolving legal theories

• Denials –overblown?

• Late Notice• Regulator

Guidance• Interaction

of Policies

• Engaging Services

• Consent in Advance

• Privilege

• Coverage Triggers

• Social Engineering

• Physical Damage

• Retroactive Coverage

• IP Coverage

• Quantification• Rating Metrics• Control

Environment• Holistic

Approach• Control

Environment

• Exposure to Impact

• Quantification• Interaction of

Other Insurance Policies

• Threats and Vulnerabilities

Value Add Services

Coverage Considerations

Underwriting Considerations

Exposure Mapping

Claims

Highly Interrelated

When Considering Cyber Coverage


Malicious: Internal and External Operational

Financial Loss | Property Damage & Bodily Injury

Establish link between triggering Event and Loss

3 buckets: uninsurable: war, Beyond scope: criminal acts, covered elsewhere: theft of funds

Pre and Post Breach, Risk Mgmt. Tools, FACS

Damage | Loss

Causality –Trigger and Damage

Exclusions and other Conditions

Value Add Services

Coverage Triggers

Can Negate or Limit Coverage or Recovery

When Considering Cyber Coverage


There are many headlines about “Cyber Insurance Claim Denied”, Almost all of these articles then go on to note how it is the General Liability or Property insurance that is denying the claim

• Late notice can be a big issue: certain coverages are written on a claims made and reported vs. discovery basis. Be aware and understand the retroactive and continuity dates

• Many denials or conflicts surround coverages that are either optional which the insured did not purchase or not covered in general. For example:

— Wrongful Collection of Information – Many insureds face allegations that information was unlawfully or wrongfully collected or wrongfully sold.

— Business Interruption Cause of Loss – We have seen claims denied because the insured could not determine the cause of the loss.

— Choice of Vendors – We have seen costs denied because the insured did not use insurer panel or did not obtain consent before incurring event management costs.

— Theft of Funds – The loss of data/privacy liability related to phishing attacks/social engineering is included under cyber policies; however, cyber insurers are denying the actual theft of funds as this is a crime coverage issue

— Condition of System – Systems required to be maintained at a certain level or to a certain standard; Not something we would accept when placing coverage.

We have generally seen that cyber insurers are not denying legitimate claims - insurers are looking to grow this market and prove the product works;

Claims Concerns

34

35

Takeaways


Marsh’s Cyber Risk Management Framework

Assess & Analyze Respond & RecoverSecure & Insure

Key Concepts:

• Scenarios must be customized

• Assessment must be objective

• Analysis must be quantified and economic

Key Concepts:

• Security & Insurance go hand-in-hand

• Decision making must be coordinated between InfoSec and Risk Management

Key Concepts:

• Response is equally important as analysis and prevention

• Experience and expertise are critical to success

Assess & Analyze Secure & Insure Respond & Recover

36


Key Questions to Answer Regarding Cyber Risk

• Which type of cyber attackers threaten your organization?

• What cyber incidents could occur and how much could it cost?

• What is your organization's current cyber security program maturity?

• Where does your organization stand as compared to industry peers?

• What could improve the security program effectiveness, in terms of:– Technical and organizational risk mitigation; and– Legal and financial risk transfer?

• What is a reasonable security program improvement roadmap considering:– Its cyber risk exposure;– Its current state of cyber security; and– The resources available for improvement?

3731 May 2017


Le présent document et les recommandations, données d’analyse ou avis délivrés par Marsh (collectivement, « l’analyse »), sont uniquement destinés à l’entité désignéecomme destinataire aux présentes (« vous »). Ce document contient des renseignements exclusifs à Marsh et ne peut en aucun cas être transmis à un tiers, notamment àd’autres courtiers, sans l’accord écrit préalable de Marsh. Les énoncés concernant des questions d’ordre actuariel, fiscal, comptable ou juridique sont fondés sur desobservations générales tirées uniquement de notre expérience en tant que consultants en matière de risque et d’assurance et ne doivent pas être considérés en tant queconseils de cet ordre, que vous devriez obtenir auprès de vos propres conseillers professionnels dans ces domaines. Les modélisations, données d’analyse ou projectionsde tous genres sont assujetties à des facteurs d’incertitude inhérente, et l’analyse que Marsh en fait est susceptible d’être affectée de façon substantielle si les hypothèses,conditions, renseignements ou facteurs sur lesquels l’analyse est fondée sont inexacts ou incomplets ou s’ils viennent à changer. Les renseignements contenus auxprésentes sont fondés sur des sources que nous estimons fiables, mais dont il ne nous appartient pas de garantir l’exactitude. Sauf stipulation contraire dans une ententeentre vous et Marsh, Marsh n’est aucunement tenue de mettre à jour l’analyse, et n’a aucune obligation envers vous ni qui que ce soit d’autre à l’égard de celle-ci ou detout service rendu à vous ou à Marsh par une tierce partie. Marsh ne fait aucune déclaration et n’avance aucune garantie, expresse ou implicite, à l’égard de l’applicationdes libellés de polices, de la situation financière ou de la solvabilité des assureurs ou des réassureurs, ni de la disponibilité, du coût ou des modalités de garantiesd’assurance.

Marsh est une des Sociétés Marsh & McLennan, tout comme Guy Carpenter, Mercer et Oliver Wyman. Copyright © 2017 – Marsh Canada Limitée et ses permettants. Tous droits réservés. www.marsh.ca | www.marsh.com

what is cyber risk worth to your organization? prepared for orims · 2017. 7. 1. · legal defense...

Documents