![Page 1: What Is Cyber Risk Worth To Your Organization? Prepared for ORIMS · 2017. 7. 1. · legal defense Whether the organization is found to be NEGLIGENT $7.2M IT Investigation & ... Number](https://reader036.vdocuments.mx/reader036/viewer/2022071105/5fdef86408837562c86661f7/html5/thumbnails/1.jpg)
What Is Cyber Risk Worth To Your Organization?
Prepared for ORIMS May 31st, 2017
Gregory Eskins, National Cyber Practice, [email protected]
© 2017 Marsh Canada Limitée
Agenda
• Cyber Risk Management Principles
• Focus #1: Cyber Risk Quantification
• Focus #2: Emerging Risk Considerations
• Coverage Considerations
• Takeaways
http://funpicc.blogspot.ca/2011/04/your-password-is-incorrect-will-ferrell.html
Cyber Risk Management Principles
“In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed.” – Director of National Intelligence James R. Clapper, Worldwide Cyber Threats Testimony, Sep. 10, 2015
Objectives of Cybersecurity
Confidentiality
• Restricting access to information.
• Control over information.
Integrity
• Consistency, validity, and fitness for use.
• Alignment with intended meaning.
Availability
• Timely access.
• Usefulness for purpose.
What Makes Cyber Risk Different?
Cyber Risk is a Game Played Against an Adversary
Cyber Past Does Not Predict Cyber Future
Cyber Risk is Extremely Volatile
Cyber Risk is Interconnected and Interdependent
What Drives Cyber Threats: Sophistication versus Motivation
MOTIVATION to hack the Company: “Why would a Threat Actor attack this Company?”
SUSCEPTIBILITY of the Company (People, Process, Technology): “How strong a Threat Actor does it take to break into this Company?”
Living with Cyber Risk
Risk Management Options: Avoidance, Mitigation, Transfer, Acceptance
Risk Mitigation vs. Risk Transfer: Not Alternatives or Mutually Exclusive
Risk Mitigation
• Owner: InfoSec
• Est. Cost: 5-6% of IT Budget
• Target: Reducing frequency
Risk Transfer
• Owner: Treasury / Risk Mgmt.
• Cost: 1% - 4% rate on-line
• Target: Reducing severity
Impact of Preparedness on the Cost of a Cyber Breach
| Cost Category | MINIMUM Costs | MAXIMUM Costs |
|---|---|---|
| Public Relations, Notification & Call Center | $1.3M | $7.2M |
| IT Investigation & Remediation | $1.1M | $6M |
| Credit Monitoring and Identity Protection | $3M | $9M |
| Regulatory Fines / Penalties | $0 | $100K |
| Class Action Legal Defence & Settlement | $2.7M | $14.2M |
| Total Loss | $8.1M | $36.5M |

What Can Drive Costs Higher?
• Amount of TIME lapsed before breach is discovered
• NUMBER and TYPE of records breached
• Organization’s ABILITY TO MANAGE the crisis
• Availability of post-breach RESPONSE SERVICES
• LENGTH and COMPLEXITY of legal defense
• Whether the organization is found to be NEGLIGENT
The NIST Five Domains of Cybersecurity
NIST Cyber Security Domains
Identification
• Cyber security governance
• Asset management
• Cyber security risk management
Protection
• Access management
• Cyber security awareness
• Data protection
Detection
• Analysis of anomalies and events
• Detection processes and procedures
Response
• Incident response plan
• Incident analysis and mitigation
• Crisis management
Recovery
• Disaster Recovery
• Business Continuity
• Insurance and third parties
Relative Maturity of Sampled Organizations (our field experience)
Chart: relative maturity per NIST Cyber Security Domain (Identification, Protection, Detection, Response, Recovery); bar values are not recoverable from the transcript.
Cybersecurity facts related to advanced attacks, courtesy of a collaborative firm: Mandiant (a FireEye company)
• 100% of victims had firewalls and up-to-date anti-virus solutions
• Over 95% of attacks start with spear phishing campaigns
• Most organizations only realize they have been compromised when data has been stolen
• Median days before attack detection: 2011: 416; 2012: 243; 2013: 229; 2014: 205; 2015: 146
How to Improve your Cyber Risk Posture
What can go wrong and how much?
• Identify Cyber Risk Scenarios
• Quantify Exposures & Cost
What can be done?
• Close Technical Security Gaps
• Align With Best Practices
• Optimize Risk Transfer
Make informed decisions
• Know Dollars At Risk
• Know Potential Actions
⇒ Balance Economically Risk Acceptance And Cyber Security Investment
Focus #1: Cyber Risk Quantification
Identification of Cyber Risk Scenarios
Diagram: sources of incidents (Malicious Acts, External Accidents, System Disruptions) mapped against the Systems' security objectives (Confidentiality, Integrity, Availability).
Most Common Cyber Risks
• Cyber Extortion
• Theft of Marketable Data: Retail / Market / IP
• Embezzlement
• Infrastructure or Technology Disruption / Destruction
• Confidential Information Leak, Website Defacement
• Cyber War, Espionage, Influence on Politics, Dissuasion…
Without malicious intent:
• Loss of Portable Device, Data Storage
• Accidental Data Corruption, Software Bug
• Interruption of Systems, Telecommunication, Power Outage
Quantification: What Impacts?
Investigation and Remediation
• Forensic investigation
• Remediation to repair or replace systems
Business Interruption
• Costs associated with business downtime
Crisis Services & Data Privacy Impacts
• Identity theft repair and protection, credit monitoring
• Public relations, notification, and call center services
Claim Settlement & Legal Defence
• Payouts for class action / claim settlements with customers, employees, third parties, financial institutions, etc.
• Associated legal fees
Regulatory Fines or Penalties
• Fines for government and payment card regulators/associations law violations
Data Breach Scenario Sample
Credit Card Data Breach Scenario Consequences
The network is breached by a cyber crime attacker; 400,000 credit card numbers are stolen and sold on the black market. The incident is published in the press, negatively impacting the organization’s reputation; victims, including card owners, Payment Card Companies, etc., engage in a successful class action.
• Disclosure of credit card information: 400,000 records
• Forensic investigation and remediation costs: $2M
• Notification costs: $250K
• Legal Defense costs: $10M
• ID Theft, Identity Monitoring, Credit Monitoring: $600K
• Third Party Call Center for Crisis Services: $200K
• Class action settlement for payment card companies and financial institutions: $6.5M
• Class action settlement for victims: $1.25M
• Regulatory penalties and fines: $479K
• Public relations: $200K
Total Impact: $21.48M | FI 4 | HI 1 | RI 4 | Fq. 2
Legend: FI = Financial Impact; HI = Human Impact; RI = Reputational Impact; Fq. = Frequency
Scale: 1 = Low; 2 = Moderate; 3 = High; 4 = Severe
Critical Infrastructure Damage Scenario Sample
Critical Infrastructure Damage and Disruption Scenario Consequences
A hacker gains access to operational controls through an internet portal intending to damage the infrastructure. This is accomplished using the industrial control system. Assets are damaged and operations are interrupted, leading to 6 months of downtime until systems are controlled and repairs are completed. Gross negligence in cybersecurity allows client and employee lawsuits to succeed.
• Investigation and Remediation: $14M
• Asset repair costs: $105M
• Business Interruption costs: $21M
• Class action settlement and legal costs: $19M
Total Impact: $159M | FI 4 | HI 1 | RI 3 | Fq. 1
Legend: FI = Financial Impact; HI = Human Impact; RI = Reputational Impact; Fq. = Frequency
Scale: 1 = Low; 2 = Moderate; 3 = High; 4 = Severe
Risk Tolerance Estimation
Chart: Probability versus Total claims ($), centred on the annual expected cost of risk, with two thresholds:
• Below L1 (low impact): annual cost of risk lower than expected
• Between L1 and L2 (average severity): affordable cost drift, visible impact on KPIs
• Above L2 (high severity): unaffordable cost drift; need for at least specific communication, up to a capital increase
L1 – How much can you afford to lose before a visible impact on forecasted earnings?
L2 – How much can you afford to lose before altering the corporate strategy?
Cyber Risk Quantification Results
| Risk Name | Financial Impact ($M) |
|---|---|
| Critical infrastructure damage | 159.00 |
| Credit card data breach | 21.4 |
| Privacy breach of customer PII data | 4.00 |
| Third party data center fire | 3.50 |
| Advanced persistent threat results in tracking & theft of sensitive data | 3.00 |
| Hacktivist targeting, website defacement & media exposure | 1.50 |
| Malware used in targeted attacks causes destruction of assets | 0.75 |
| Corporate office fire | 0.50 |
| Data corruption due to inadequate patch | 0.20 |
| Interruption of the third party data center / DOS attack | 0.20 |

The L2 and L1 thresholds are marked between rows of the ranked list:
L2 Risk Tolerance Level / Threshold 2: A loss exceeding this amount would require revision of the Strategic Plan
L1 Risk Tolerance Level / Threshold 1: A loss beyond this amount would be visible on performance indicators
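As an added worked example (not Marsh's code or model), the two scenario slides and the tolerance thresholds above turned into a small scenario register: it recomputes each scenario's Total Impact from its line items, places the gross loss against L1/L2, and shows how a transfer layer changes the retained loss. The L1/L2 dollar values, the retention and the limit are assumed for illustration; the deck gives them only graphically.

```python
# Added example (not Marsh's code): a scenario register built from the deck's
# two quantified scenarios, checked against the L1/L2 tolerance thresholds.
from dataclasses import dataclass
from typing import Dict, List

SCALE = {1: "Low", 2: "Moderate", 3: "High", 4: "Severe"}


@dataclass
class Scenario:
    name: str
    line_items: Dict[str, float]  # cost component -> $M
    fi: int  # Financial Impact, 1..4 on the deck's scale
    hi: int  # Human Impact
    ri: int  # Reputational Impact
    fq: int  # Frequency

    def total(self) -> float:
        """Total Impact ($M): the sum of the slide's line items."""
        return round(sum(self.line_items.values()), 2)


# Line items transcribed from the "Credit Card Data Breach" slide ($M).
CREDIT_CARD_BREACH = Scenario(
    "Credit card data breach",
    {
        "Forensic investigation and remediation": 2.0,
        "Notification": 0.25,
        "Legal defence": 10.0,
        "ID theft, identity and credit monitoring": 0.6,
        "Third-party call center for crisis services": 0.2,
        "Class action settlement: card companies and FIs": 6.5,
        "Class action settlement: victims": 1.25,
        "Regulatory penalties and fines": 0.479,
        "Public relations": 0.2,
    },
    fi=4, hi=1, ri=4, fq=2,
)

# Line items transcribed from the "Critical Infrastructure Damage" slide ($M).
CRITICAL_INFRA = Scenario(
    "Critical infrastructure damage",
    {
        "Investigation and remediation": 14.0,
        "Asset repair": 105.0,
        "Business interruption": 21.0,
        "Class action settlement and legal costs": 19.0,
    },
    fi=4, hi=1, ri=3, fq=1,
)

# ASSUMED thresholds ($M): the deck defines L1 and L2 only qualitatively.
L1_KPI_VISIBLE = 10.0
L2_STRATEGY_REVISION = 50.0


def tolerance_band(loss_musd: float, l1: float = L1_KPI_VISIBLE,
                   l2: float = L2_STRATEGY_REVISION) -> str:
    """Place a loss against the two risk tolerance thresholds."""
    if loss_musd > l2:
        return "above L2: strategic plan revision"
    if loss_musd > l1:
        return "above L1: visible on performance indicators"
    return "within tolerance"


def retained_loss(loss_musd: float, retention: float, limit: float) -> float:
    """Loss left with the organization after a transfer layer: it pays up to
    `retention`, the policy pays the next `limit`, and anything beyond the
    limit falls back on it. This is the severity reduction the deck assigns
    to risk transfer (frequency is untouched)."""
    insured = min(max(loss_musd - retention, 0.0), limit)
    return round(loss_musd - insured, 2)


def register(scenarios: List[Scenario], retention: float, limit: float) -> List[dict]:
    """Rank scenarios by gross impact; show the band before and after transfer."""
    rows = []
    for s in sorted(scenarios, key=lambda x: x.total(), reverse=True):
        gross, net = s.total(), retained_loss(s.total(), retention, limit)
        rows.append({"name": s.name, "gross": gross, "gross_band": tolerance_band(gross),
                     "retained": net, "retained_band": tolerance_band(net),
                     "fi": SCALE[s.fi], "hi": SCALE[s.hi], "ri": SCALE[s.ri], "fq": SCALE[s.fq]})
    return rows


if __name__ == "__main__":
    # ASSUMED policy for illustration: $1M retention, $25M limit.
    for r in register([CREDIT_CARD_BREACH, CRITICAL_INFRA], retention=1.0, limit=25.0):
        print(f"{r['name']:<32} gross ${r['gross']:.2f}M ({r['gross_band']}) "
              f"-> retained ${r['retained']:.2f}M ({r['retained_band']})")
```

With the assumed policy, the credit card breach drops back within tolerance while the infrastructure scenario stays above L2, which is the deck's point that transfer reduces severity but does not replace mitigation.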
Focus #2: Emerging Risk Considerations
Insurance
Insurance Innovation is Running after Technology: the 4th Industrial Revolution
Chart: Number of lines of software code (y-axis 0 to 120,000,000)
• 1992, Windows 3.1: 2,500,000
• 1996, Windows NT 4.0: 7,000,000
• 2000, Windows 2000: 28,000,000
• 2016, average lines of code/software in a high-end model: 100,000,000
What Makes IoT a Challenging Risk Issue?
• A massive attack surface allowing for many potential points of entry; examples:
— Automobiles: many are wifi enabled, with entertainment systems connected to your device and the internet
— Smart buildings: HVAC systems, lighting, elevators, etc.
• These devices and products do not require human intervention to operate, and as such, device-to-device communication increases the risk that an unauthorized device / attacker will attempt to infiltrate your network
• Security is generally not built into the architecture
What Makes IoT a Challenging Risk Issue?
Key Findings from the Dyn DDoS Attack
• The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP (transmission control protocol) and UDP (user datagram protocol) traffic over port 53.
• Dyn confirms Mirai botnet as primary source of malicious attack traffic.
• Attack generated compounding recursive DNS retry traffic, further exacerbating its impact.
In short, IoT devices were compromised allowing for a massive and sustained attack on a Domain Name System provider (DYN).
Source: https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
Privacy & IoT
Lawsuit over Ottawa company's Internet-connected sex toys settled for $3.75 million US
• Internet enabled device connected to an application allows users to remotely control the device and allows for private text messages and video calls
• 300,000 people own the device with 1/3 using the application
• The suit claimed a lack of explanation about how and what sensitive information was being generated and for what purpose
The company has since overhauled its privacy policy to make it easier for users to understand how data is collected and what it is used for.
Source: http://ottawacitizen.com/business/local-business/lawsuit-over-internet-connected-sex-toys-settled-for-3-75-million-us
Privacy & IoT
• Customer profiling – tracking via IoT means the tracking of devices/products/components with the general aim being to better understand the motivation and behaviour of people
• Accountability – who is accountable for actions taken by an inanimate object?
• Transparency– what information is being collected, and for what purpose?
• Consent model – is informed consent being secured and how easy is it to Opt In vs. Opt Out?
Source: The Internet of Things; Research paper prepared by the Policy and Research Group of the Office of the Privacy Commissioner of Canada; February 2016
Coverage Considerations
When Considering Cyber Coverage (Highly Interrelated)
Claims
• Evolving legal theories
• Denials – overblown?
• Late Notice
• Regulator Guidance
• Interaction of Policies
Value Add Services
• Engaging Services
• Consent in Advance
• Privilege
Coverage Considerations
• Coverage Triggers
• Social Engineering
• Physical Damage
• Retroactive Coverage
• IP Coverage
Underwriting Considerations
• Quantification
• Rating Metrics
• Control Environment
• Holistic Approach
Exposure Mapping
• Control Environment
• Exposure to Impact
• Quantification
• Interaction of Other Insurance Policies
• Threats and Vulnerabilities
When Considering Cyber Coverage
• Coverage Triggers: Malicious (Internal and External) | Operational
• Damage | Loss: Financial Loss | Property Damage & Bodily Injury
• Causality – Trigger and Damage: Establish link between triggering Event and Loss
• Exclusions and other Conditions (Can Negate or Limit Coverage or Recovery): 3 buckets: uninsurable (war); beyond scope (criminal acts); covered elsewhere (theft of funds)
• Value Add Services: Pre and Post Breach, Risk Mgmt. Tools, FACS
Claims Concerns
There are many headlines about “Cyber Insurance Claim Denied”; almost all of these articles then go on to note that it is the General Liability or Property insurance that is denying the claim.
• Late notice can be a big issue: certain coverages are written on a claims-made-and-reported basis rather than a discovery basis. Be aware of and understand the retroactive and continuity dates.
• Many denials or conflicts surround coverages that are either optional and not purchased by the insured, or not covered in general. For example:
— Wrongful Collection of Information – Many insureds face allegations that information was unlawfully or wrongfully collected or wrongfully sold.
— Business Interruption Cause of Loss – We have seen claims denied because the insured could not determine the cause of the loss.
— Choice of Vendors – We have seen costs denied because the insured did not use the insurer panel or did not obtain consent before incurring event management costs.
— Theft of Funds – The loss of data/privacy liability related to phishing attacks/social engineering is included under cyber policies; however, cyber insurers are denying the actual theft of funds, as this is a crime coverage issue.
— Condition of System – Systems are required to be maintained at a certain level or to a certain standard; not something we would accept when placing coverage.
We have generally seen that cyber insurers are not denying legitimate claims; insurers are looking to grow this market and prove the product works.
Takeaways
Marsh’s Cyber Risk Management Framework: Assess & Analyze, Secure & Insure, Respond & Recover
Assess & Analyze (Key Concepts):
• Scenarios must be customized
• Assessment must be objective
• Analysis must be quantified and economic
Secure & Insure (Key Concepts):
• Security & Insurance go hand-in-hand
• Decision making must be coordinated between InfoSec and Risk Management
Respond & Recover (Key Concepts):
• Response is equally important as analysis and prevention
• Experience and expertise are critical to success
Key Questions to Answer Regarding Cyber Risk
• Which type of cyber attackers threaten your organization?
• What cyber incidents could occur and how much could it cost?
• What is your organization's current cyber security program maturity?
• Where does your organization stand as compared to industry peers?
• What could improve the security program effectiveness, in terms of:
— Technical and organizational risk mitigation; and
— Legal and financial risk transfer?
• What is a reasonable security program improvement roadmap considering:
— Its cyber risk exposure;
— Its current state of cyber security; and
— The resources available for improvement?
This document and the recommendations, analytical data or opinions delivered by Marsh (collectively, the “analysis”) are intended solely for the entity designated as the recipient herein (“you”). This document contains information proprietary to Marsh and may under no circumstances be transmitted to a third party, including other brokers, without Marsh’s prior written consent. Statements concerning actuarial, tax, accounting or legal matters are based on general observations drawn solely from our experience as risk and insurance consultants and should not be considered advice of that kind, which you should obtain from your own professional advisers in those fields. Modelling, analytical data or projections of any kind are subject to inherent uncertainty, and Marsh’s analysis of them may be materially affected if the assumptions, conditions, information or factors on which the analysis is based are inaccurate or incomplete or come to change. The information contained herein is based on sources we believe to be reliable, but whose accuracy it is not our responsibility to guarantee. Unless otherwise stipulated in an agreement between you and Marsh, Marsh has no obligation to update the analysis and has no obligation to you or to anyone else with respect to it or to any service rendered to you or to Marsh by a third party. Marsh makes no representation and gives no warranty, express or implied, regarding the application of policy wordings, the financial condition or solvency of insurers or reinsurers, or the availability, cost or terms of insurance coverage.
Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer and Oliver Wyman. Copyright © 2017 – Marsh Canada Limitée and its licensors. All rights reserved. www.marsh.ca | www.marsh.com