2015 SOA Annual Meeting & Exhibit Session 57 Lecture, Cyber


TRANSCRIPT

Page 1: 2015 SOA Annual Meeting & Exhibit Session 57 Lecture, Cyber

Session 57 L, Cyber Risks: Risk Management and Insurance

Moderator: Mike Porier

Presenters: Elisabeth Case, ARM; Ray Farmer; Mike Porier

Page 2

Cyber Risks: Risk Management & Insurance

October 12, 2015

Page 3

Agenda & Introductions

• Cyber Risks & Considerations
• Cyber Insurance Market
• NAIC Resources

Michael Porier, Protiviti, Managing Director, Cyber Security & Privacy

Elisabeth D. Case, Marsh, SVP & National Commercial E&O Practice Lead

Raymond G. Farmer, Director of South Carolina Department of Insurance

Page 4

Cyber Risks & Considerations

Michael Porier, Protiviti

Page 5

In the news…

Page 6

What is Cybersecurity?

Sources: Secondary Research

Data is increasingly being digitized, and the internet is being used to save, access and retrieve vital information. Protecting this information is not just a priority, but has become a necessity for most companies and government agencies around the world.

Types of Cyber Threats: Cyber Terror; Hacktivism; Cracking; Information Warfare; Cyber Crime; Cyber Espionage

Cyber Threats

• Spam
• Identity theft
• Malicious code such as viruses, worms, Trojan horses
• Phishing attacks
• Spyware
• Denial-of-service attacks
• Packet spoofing

Security Measures for Protection (Methods)

• Personal Security
• Legal Compliance
• Incident Reporting
• Continuity Planning
• System Protection
• Physical & Environmental Protection
• Communications Protection
• Access Controls

Page 7

Cyber Incidents in Recent Years

The Global State of Information Security Survey 2015 of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million in 2014, an increase of 48% over 2013. That's the equivalent of 117,339 incoming attacks per day, every day.

Detected security incidents have grown at a compound annual growth rate (CAGR) of 66% since 2009.

Total number of detected incidents (in millions):

Year   Incidents
2009   3.4
2010   9.4
2011   22.7
2012   24.9
2013   28.9
2014   42.8

Source: PwC

Page 8

Biggest Data Loss Incidents (2013-14)

Chart of the largest data loss incidents of 2013 and 2014, grouped by sector (Financials, Web, Tech, Government, Healthcare, Retail). Organizations shown include: Twitter, LinkedIn, eHarmony, Last.fm, Evernote, Apple, Facebook, Florida Department of Juvenile Justice, Advocate Medical Group, Crescent Health, Inc., Walgreens, Ubuntu, Nasdaq, South Africa Police, Community Health Services, JP Morgan Chase, European Central Bank, Korea Credit Bureau, Gmail, AOL, Adobe, Kroll Background America, Lexis Nexis, SnapChat, Dun & Bradstreet, Kissinger Cables, Washington State Court System, Home Depot, Target, eBay, Florida Courts.

Source: Information is Beautiful

Page 9

The Cyber/Data Breach Landscape (2014)

• About 2,000 breaches, about 700m records compromised, and $400m in financial losses.
• >60%: companies that learn they have been breached from a third party (customer, partner, vendor, etc.).
• >200 days: the average time from breach until discovery.
• 40%: controls determined to be most effective that fall into the "quick win" category.
• 60%: cases where hackers were able to compromise an organization within minutes.
• Most recorded attacks stem from external threat actors, though internal threat actors are increasing (including abuse of access and loss of hardware).
• Breaches increasingly come from "unknown unknowns": almost every breached organization had up-to-date anti-virus.

Source: Verizon, 2015 Data Breach Investigations Report

Page 10

Source of Cyber Attacks: Insiders vs. Outsiders

Insiders (% of respondents, 2013 / 2014):

• Current employees: 31% / 35%
• Former employees: 27% / 30%
• Current service providers/consultants/contractors: 16% / 18%
• Former service providers/consultants/contractors: 13% / 15%
• Suppliers/business partners: 12% / 13%
• Customers: 10% / 11%

Outsiders (categories shown): Terrorists; Organized crime; Activists/activist organizations/hacktivists; Information brokers; Competitors; Foreign entities & organizations; Foreign nation-states; Domestic intelligence service; Hackers; Do not know. Chart values for 2013: 8%, 12%, 10%, 10%, 14%, 6%, 4%, 32%, 24%, 10%; chart values for 2014: 15%, 16%, 16%, 24%, 9%, 7%, 6%, 24%, 18%.

Source: PwC

Page 11

Top 5 Cyber Security Risks in 2015

1. Ransomware: A type of malware which restricts access to the computer system that it infects; it will become increasingly sophisticated in its methods and targets.
2. Internet of Things: The connection of physical devices such as home appliances and cars to the internet will still be the "Internet of Vulnerabilities".
3. Cyber-espionage: Cyber espionage is becoming the weapon of choice for many national governments.
4. Cyber theft increases: New ways of paying for goods, such as contactless and mobile payments, bring a new opportunity for hackers.
5. Insecure Passwords: Easy-to-crack passwords will continue to be a big risk in 2015.

Source: CNBC

Page 12

Cyber Risk Assessment and Management

Proper cyber security risk management is more than a technology solution. A company, led by its CEO, must integrate cyber risk management into day-to-day operations. Additionally, a company must be prepared to respond to the inevitable cyber incident, restore normal operations and ensure that company assets and the company's reputation are protected.

Cyber Risk Management comprises:

• Cyber Risk Mitigation: implement a cybersecurity plan
  – Understand what information you need to protect: identify the corporate "crown jewels".
  – Identify threats to the crown jewels.
  – Forecast the consequences of a successful attack.
• Cyber Assessments
• Cyber Insurance (risk transfer), covering areas such as Security & Privacy Liability, Crisis Management, Regulatory Proceedings, Data Recovery and Cyber Extortion.

Source: Staysafeonline

Page 13

Cybersecurity Framework (CSF)

The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions that provide a high-level view of an organization's management of cyber risks: Identify, Protect, Detect, Respond, Recover.

• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
• Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications

Page 14

Defense in Depth

Compliance does not equal security!

Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.

Layers:

• Physical Security
• User Awareness
• Firewalls and IDS/IPS
• Logical Access
• Anti-Virus
• Patch Management
• Device Configuration

Source: http://searchsecurity.techtarget.com/definition/defense-in-depth

Page 15

What Are Organizations Doing?

• Evaluating security risks from key vendors and partners
• Assessing internal and external vulnerabilities and performing periodic penetration tests
• Evaluating the "Breach Kill Chain"
• Identifying critical data (the "crown jewels") and how it is being controlled
• Developing (and testing) breach response plans
• Employing tools to help answer the questions "are we already breached?" and "how would we know if a breach occurs?"
• Wrapping all of this into a holistic security program: continuous and on-going
• Training and awareness to raise education of employees
• Using the CSF to assess their program

Page 16

Conclusions

Focus on the Fundamentals
• "Simple or intermediate" controls will prevent many attacks.
• Expensive tools and large initiatives are often not required.
• How effectively does your team "block and tackle"?

Perform Periodic Assessments
• Internal/external vulnerability assessments and penetration tests
• Wireless security / firewall reviews / web application scans
• Social engineering

Layer Defenses
• Many breaches involve several vulnerabilities.
• Maintain a "defense-in-depth" posture.

Awareness and Training
• Train your employees what to look for (phishing emails, telephonic approaches, etc.).
• Classroom style rather than CBT (computer-based training).

Page 17

Cyber Insurance Market

Elisabeth D. Case, Marsh

Page 18

CYBER INSURANCE TAKE-UP RATES

Page 19

LARGE BUYERS ARE BUYING MORE LIMIT

Page 20

RATES ARE MOVING BACK UP

Page 21

US Cyber Insurance Marketplace

2014 Betterley Report:

• Annual gross written premium may be as much as $2.0 billion (up from $1.3 billion in last year's Report).
• The industry is divided by size (gross written premium) as follows:
  – A limited number of very large writers, with premiums in excess of $100 million (AIG, ACE, Beazley, Zurich)
  – Several carriers in the $50-100 million range (Endurance, XL, etc.)
  – Several more in the $25-50 million range (Liberty, etc.)
  – Numerous carriers and Managing General Underwriters writing $10-25 million
  – Several writing in the $5-10 million and $1-5 million ranges

Page 22

A VOLATILE MARKET

• The US Cyber market is like two massive, but opposed forces coming together with unpredictable, unstable results.
• "Wall of Demand": the US Cyber market is one of the fastest-growing markets in insurance; client penetration is still less than 25%.
• "Wall of Claims": recent acceleration in the number and magnitude of Cyber events.

Page 23

CAP(ACITY) CRUNCH?

• Capacity, Coverage, and Cost are the three sides of the Risk Transfer Triangle.
• Coverage continues to expand:
  – Increased uptake of 1st-party Cyber coverages
  – Expanding coverage for PCI breaches
  – Continued carrier innovation
• Capacity remains generally available:
  – Our recent survey of capacity for large purchasers indicates $350m+
  – More capacity is available if Cyber is blended with E&O (where appropriate)
  – Significant restrictions on capacity for managed care, coupled with restrictions on coverage under Managed Care E&O
• Costs are rising:
  – We can get the limits, but it may be hard to find the rate you had last year at every layer of your program.

Page 24

CYBER RISK MANAGEMENT

• Cyber Risk Management means thinking about more than just Prevention.
  – There is no IT budget large enough to eliminate the risk of Cyber events.
  – Cyber risk must be accepted and managed by the organization. But who should do this job?
• Cyber Risk Management is a job for RM (Risk Management), not for IT.
  – IT is a critical stakeholder, but they can't manage Cyber risk on their own.
  – Risk Management is a holistic process for the entire organization.
• Stages of Cyber Risk Management:
  – Assessment: assessments, analytics, valuation, modeling
  – Manage: Prevent, Prepare/Mitigate, Transfer
  – Respond: Remediate and Recover
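The "Assessment" (valuation, modeling) and "Manage / Transfer" stages on this slide are where an actuary or risk manager actually has to put numbers on cyber risk. The following is an added illustrative model, not code from the session, Marsh, or any carrier: it simulates a hypothetical insured's annual cyber losses (incident count ~ Poisson, per-incident cost ~ lognormal, both assumed distributions) and applies a hypothetical aggregate cyber policy with a retention and a limit, so that expected and tail losses can be compared with and without transfer. Every parameter value (frequency, severity, retention, limit, premium) is constructed for illustration and is not taken from the slides; the comparison of several policy structures goes beyond what the slide shows.

```python
"""Toy cyber risk transfer model (added example; all parameters are hypothetical).

Simulates many years of cyber loss outcomes for a made-up insured, then applies an
aggregate insurance layer (retention + limit) to split each year's loss into the part
the insured keeps and the part the carrier pays.
"""
import math
import random
import statistics


def sample_poisson(rng, lam):
    """Draw one Poisson(lam) variate with Knuth's multiplication method.

    Adequate for the small incident frequencies used here; exp(-lam) underflows
    for large lam, so do not use this for lam much above ~500.
    """
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_losses(n_years, freq_lambda, sev_mu, sev_sigma, seed=2015):
    """Return n_years of gross annual loss totals (monetary units).

    Assumed (hypothetical) model: incidents per year ~ Poisson(freq_lambda),
    cost per incident ~ lognormal(sev_mu, sev_sigma), incidents independent.
    A fixed seed keeps the simulation reproducible.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        n_incidents = sample_poisson(rng, freq_lambda)
        years.append(sum((rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n_incidents)), 0.0))
    return years


def apply_insurance_layer(gross, retention, limit):
    """Split one year's gross loss into (retained, recovered) under an aggregate policy.

    The insured absorbs losses up to `retention`; the carrier pays the excess up to
    `limit`; anything above retention + limit falls back on the insured.
    """
    recovered = min(max(gross - retention, 0.0), limit)
    return gross - recovered, recovered


def percentile(values, p):
    """Nearest-rank percentile (p in (0, 1]) of a list of numbers."""
    ordered = sorted(values)
    rank = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[rank]


def summarize(losses, retention, limit, premium):
    """Expected and tail figures for one policy structure applied to simulated years."""
    retained, recovered = zip(*(apply_insurance_layer(x, retention, limit) for x in losses))
    expected_retained = statistics.mean(retained)
    p99_gross = percentile(losses, 0.99)
    p99_retained = percentile(retained, 0.99)
    return {
        "expected_gross": statistics.mean(losses),
        "expected_retained": expected_retained,
        "expected_recovered": statistics.mean(recovered),
        "p99_gross": p99_gross,
        "p99_retained": p99_retained,
        # what the insured expects to pay in total: premium plus what the policy leaves behind
        "expected_total_cost": premium + expected_retained,
        # share of the 99th-percentile year that the layer removes from the insured
        "tail_reduction": (1.0 - p99_retained / p99_gross) if p99_gross else 0.0,
    }


if __name__ == "__main__":
    # Hypothetical insured: ~2 incidents/year, median incident ~$160k with a heavy tail.
    losses = simulate_annual_losses(20_000, freq_lambda=2.0, sev_mu=12.0, sev_sigma=1.5)
    # Hypothetical (retention, limit, annual premium) structures; premiums are made up.
    structures = [(1_000_000, 10_000_000, 250_000),
                  (500_000, 10_000_000, 400_000),
                  (1_000_000, 25_000_000, 350_000)]
    for retention, limit, premium in structures:
        s = summarize(losses, retention, limit, premium)
        print(f"retention ${retention:,} / limit ${limit:,} / premium ${premium:,}: "
              f"E[gross] ${s['expected_gross']:,.0f}, E[retained] ${s['expected_retained']:,.0f}, "
              f"P99 gross ${s['p99_gross']:,.0f} -> P99 retained ${s['p99_retained']:,.0f}, "
              f"expected total cost ${s['expected_total_cost']:,.0f}, "
              f"tail reduction {s['tail_reduction']:.0%}")
```

The three structures make the slide's "Capacity, Coverage, Cost" trade-off concrete: a lower retention buys down the expected retained loss at a higher premium, a higher limit mainly changes the 99th-percentile year, and the expected total cost column is what a risk manager would compare against simply retaining the risk.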

Page 25

WHAT CAN YOU DO?

• Cyber risk management involves the engagement of resources throughout the organization, not just IT.
• Cyber risk management means focusing on assessment, preparation, and response.
• Organizations should integrate outside stakeholders, like law enforcement, regulators, and cyber security resources, into their cyber risk management framework.
• Business-partner management is also a critical concern, since many cyberattacks target resources that may be outside a company's direct control.
• Risk transfer should be part of the risk management approach. Regulators are starting to expect insurance will be present.

Page 26

NAIC Resources

Raymond G. Farmer, South Carolina Department of Insurance

Page 27

Discussion Topics

• Task Force Formed
• Guiding Principles
• Annual Statement Supplement
• IT Examination Working Group
• Consumer Bill of Rights
• Model Laws

Page 28

Guiding Principles

• Released for public comment
• Initial draft based on SIFMA guiding principles
• Adopted set of 12 guiding principles

http://www.naic.org/documents/committees_ex_cybersecurity_tf_final_principles_for_cybersecurity_guidance.pdf

Page 29

Guiding Principles 1, 2 & 3

Principle 1: State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.

Principle 2: Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer's, insurance producer's or other regulated entity's network should be appropriately safeguarded.

Principle 3: State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers' or insurance producers' confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.

Page 30

Guiding Principles 4 & 5

Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

Page 31

Guiding Principles 6 & 7

Principle 6: State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.

Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.

Page 32

Guiding Principles 8 & 9

Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.

Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer's or an insurance producer's enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

Page 33

Guiding Principles 10, 11 & 12

Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer's board of directors or appropriate committee thereof.

Principle 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.

Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

Page 34

Annual Statement Supplement

Identity Theft Insurance

Cybersecurity Insurance

Page 35

Page 36

Page 37

IT Examination (E) Working Group

Review existing guidance

Reviewing data security controls

Financial Examination Handbook

Page 38

Consumer Bill of Rights

• Statutes Regarding Security Breach Notification
• Expectations of Insurers in the Event of a Cybersecurity Incident
• Current Project for Task Force

Page 39

Model Laws and Regulations

• Insurance Information and Privacy Protection Model Act (#670): created in response to the Gramm-Leach-Bliley Act
• Privacy of Consumer Financial and Health Information Regulation (#672): created in response to the Gramm-Leach-Bliley Act

Page 40

Model Laws and Regulations

• Standards for Safeguarding Consumer Information Model Regulation (#673)
• Insurance Fraud Prevention Model Act (#680)

Page 41

Task Force Will Stay Abreast of What is Happening

FBIIC

FS-ISAC

Page 42

Questions & Answers
