November 30 – December 1, 2016
TRANSCRIPT
#ACICyberRisk
1
ACI's 14th Advanced Forum on Cyber & Data Risk Insurance
Emerging Threats and New Areas of Coverage
Speakers:
Sharon R. Klein, Partner, Pepper Hamilton
Eric Cernak, VP, Cyber Risk Practice Leader, The Hartford Steam Boiler Inspection and Insurance Co., 860.722.5229
William T. Um, Policyholder Counsel, Kilpatrick Townsend & Stockton LLP, 310.777.3747
Wendi L. Boyden, Vice-President, Underwriting, OneBeacon Technology Insurance, 617.725.6206
November 30 – December 1, 2016
Tweeting about this conference? #ACICyberRisk
Internet of Things – The Risk of the Machines
What is the "Internet of Things"?
"Devices or sensors that connect, communicate or transmit information with or between each other through the Internet."
FTC Report on Internet of Things, "Privacy & Security in a Connected World": https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
Examples of IoTs
• Fitness trackers
• "Smart [INSERT ITEM]", including thermostats, outlets, appliances, etc.
• Personal assistants
• Wearables
• Tracking devices connected to keys, luggage, personal items
• Baby monitors
Potential Benefits
• Convenience, data gathering, tracking
• Specific benefits to insurance companies of new tech
a. Identification
b. Tracking
c. Usage
d. Monitoring structural stress and providing alerts
e. Auto-alerts or shutdowns of systems and structures to prevent failure
f. Wearable fitness devices (watches, Ralph Lauren Polotech shirt with biometric monitoring)
Potential Risks
• Privacy concerns
• Lack of or inadequate encryption
• Lack of software updating
• Default settings ignore security and privacy concerns
• Entry
• Control
• Sabotage
• Theft
• Fraud
• Info collected and transmitted to device manufacturer
RANGE OF ENTERPRISE RISKS
Securities/Shareholder Lawsuits
Regulators
Individual Plaintiff
Class Action
HR Issues
Audits
Investigations
Remediation
Fines
Civil Penalties
Sales/Profit Loss
Media
Loss of Trust
Customer Loss
A narrow lens on cyberattacks can leave organizations unprepared for the broader potential costs
Above the surface:
• Customer breach notification
• Post-breach customer protection
• Regulatory compliance costs
• Public relations costs
• Attorney fees and litigation
• Cybersecurity improvements
Below the surface:
• Cost of lost customers
• Impact to current contracts
• Devaluation of trade name
• Loss of IP
• Impact of operational disruption and/or destruction
• Insurance premium increases
• Increased cost to raise debt
…and unprepared for the duration of recovery efforts
Costs are incurred and impacts are felt over years, in several phases (the slide charts magnitude of costs against impact over time):
• Incident triage: analyze and take immediate steps to stop compromises in progress
• Impact management: minimize and address the direct consequences of the incident
• Business recovery: repair damage to the business and prevent occurrence of future incidents
What does it cost?
Cost factor                            Cost (millions)   % of total
Known costs:
  Customer breach notification         --                --
  Post-breach customer protection      --                --
  Regulatory compliance                --                --
  Public relations                     $1.00             0.02%
  Attorney fees and litigation         $11.30            0.24%
  Cybersecurity improvements           $13.00            0.27%
Hidden costs:
  Insurance premium increases          $1.00             0.02%
  Increased cost to raise debt         --                --
  Operational disruption               $1,200.00         25.09%
  Lost value of customer relationships --                --
  Value of lost contracts              $1,617.00         33.81%
  Devaluation of trade name            $1,697.00         35.48%
  Loss of intellectual property        $242.50           5.07%
Total                                  $4,782.80         100.00%
Total potential impact >$4B
• Many of the costs commonly associated with PII-type data breaches do not factor in
• Greatest impacts are intangible costs
• The value of lost IP is not the major cost, but the theft of IP has rippling impacts
There's a big disconnect with the business
Cybersecurity programs continue to focus on the threats, vulnerabilities and probability. Often, not enough attention is paid to the true damages a particular type of cyberattack can cause.
By looking realistically at the potential costs, business leaders can right-size investments to better protect their most valuable assets.
Four questions:
• What are the threats?
• Where are our vulnerabilities?
• How likely is this type of attack?
• What is the business impact?
What Are Some Of The Technologies That Are Already Present In Our Society That Pose New Risks?
Emerging Technologies
• Mobile Medical Applications
• Augmented/Virtual Reality
• Driverless or Connected Automobiles
What Are Mobile Medical Applications (MMA)?
Applications Transmitting Medical Data on Individuals including:
• wellness tracking information created and shared by individual consumers
• medical data sent to a person directly from his or her medical device
• information sharing that is not with a health care provider, health plan or other covered entity
• mobile medical application used by consumers
• exchange of health care information in the cloud.
MMA Understanding Risk
Risk level is influenced by:
• General acceptance
• Pervasiveness
• Complexity
• Extent of reliance
Lower-risk examples:
• BMI calculator
• Medication reminder
Higher-risk examples:
• Trending algorithm for determining next clinical action
• Radiation dose calculator
• Medical image analyzer for disease/anomaly detection
• Cancer treatment recommendation
• Complex analyzer for untrained user
• Drug-drug interaction/allergy verification
MMA Benefits
• Provides more complete patient data to Doctor for diagnosis and treatment
• Improves disease prevention and healthcare quality
• Engages patient in treatment plans
• Drives healthcare costs down
• Revolutionizes medical research and population health
MMA Risks
• Heightening security risks through cloud and network connections
• Increasing unauthorized access to and misuse of personal information
• Facilitating attacks as a gateway to other computers/systems
• Creating risks to personal safety
• Failing to warn in labels/privacy policies
• Jeopardizing intellectual property rights
MMA Underwriting Challenges
• Evaluating scope of privacy concerns
• What are the costs/risks associated with potential HIPAA violations?
• How would traditional GL policies fit in? Would bodily injury claims continue to be covered?
• Insufficient loss history to evaluate scope of risk
Augmented/Virtual Reality
Virtual Reality
• Creation of a virtual world that users can interact with
• Mainly used through a VR helmet/goggles, either alone or in combination with games
• Examples:
  • Facebook's Oculus Rift
  • Sony PlayStation VR
  • HTC's Vive
Augmented/Virtual Reality
Augmented Reality
• Software that overlays the real world with the digital one
• Examples are:
  • Pokemon Go
  • Wearable A/R glasses that can be paired with smartphones, such as Google Glass, Epson Moverio, Vuzix's M100 Smart Glasses, or head-mounted displays like Microsoft HoloLens
  • Auto rear cameras with virtual lines that show where the steering wheel is pointing, and displays that project speed, song and GPS info on the front glass
  • Applications that enable projection of a captured image on a specific area, e.g. VeinViewer (captures the image of the veins with an infrared camera and projects the image onto the skin)
  • Google, Samsung and Sony investing in smart contact lens technology
Augmented/Virtual Reality - Benefits
Healthcare
• used to treat human cognitive and behavioral conditions and provide training to medical students.
Real estate and automotive
• used to show properties and cars to potential buyers.
Sports industry
• provide zero-impact training to athletes.
Education
• incorporating the technology into learning tools designed to engage children.
• Also being used for advertising, space exploration, tourism, military and law enforcement purposes, and, naturally, entertainment
Augmented/Virtual Reality - Risks
Consumer Safety
1. Arising out of consumer use
2. Malware infection which:
   a. deceives the user into falsely believing that certain objects are or are not present in the real world
   b. causes a sensory overload to users that could physically harm them by flashing bright lights in the display, playing loud sounds, or delivering intense haptic (touch) feedback (e.g., attackers have been known to target epilepsy forums, posting messages containing flashing animated GIFs to trigger headaches or seizures)
Can be difficult to avoid if contained in wearables or implanted technology (contact lenses, windshields that display augmented content over the user's view of the road)
Augmented/Virtual Reality - Risks
User Privacy
• Can collect a multitude of information in order for the device to function as intended, such as physical movement (head, hand, eye, whether the user is sitting or standing, etc.) and user location
• Location, shopping history, financial details, etc. – depends on the type of "reality" experience that each user is looking for
• Continuous collection of information even when the device is not in use
Ex: the software used for Oculus Rift continuously collects this information and sends it to Facebook, even when the device is not in use. Thus FB, through Oculus, knows what content users are viewing on the Rift, where they are viewing it, and the positional tracking of the device.
AR/VR apps are still at a young stage and may not have built in privacy as a fundamental feature (Ex. Pokemon Go in its initial version).
Augmented/Virtual Reality - Risks
Information Security
1) Regulatory Action – Federal Trade Commission
2) Theft of information by cyber criminals
Augmented/Virtual Reality - Underwriting Considerations and Challenges
• There are no universally approved security standards for IoT and augmented reality, and chances are that not many such products have made privacy and security fundamental; they therefore merit a higher level of scrutiny
• Examine the company's experience in the marketplace with AR/VR and its experience with building security and privacy features into other products
• Analyze what the product does and what types of information need to be collected in order to optimize use
• Ensure the privacy policy sets forth all sensitive information collected or to which the user is allowing access, clearly spells out what the company does with the information collected, and provides the appropriate opt-out choices to the consumer
• Additional guidance to the user on how they can achieve the most secure use of the product is a plus
• Examine network security controls to weigh exposure to cyber theft:
  • Access controls: where multiple applications are being run on a single platform, are there appropriate access control measures in place to ensure that the AR application is not making its data accessible to other applications running on the platform, which may be malicious?
  • Encryption: is data that is being appropriately "shared" with other applications being shared in a secure manner, such as with the use of encryption?
Connected Autos
• Semi-Autonomous Vehicle – one having driver assistance features, e.g. adaptive cruise control
• Connected Vehicle – one having a connection to the Internet
• Autonomous Vehicle – capable of driving without human input
Connected Auto Benefits
• Less congestion and pollution – shared vehicles
• Increased mobility for aging population
• Potentially safer – less driver fatigue
• Improved fleet management
• Improved crash response
• Car problem diagnosis
Connected Auto - Risks
Consumer Safety
• Vehicle-to-vehicle (V2V) communication issues
• Moral & ethical decisions – programming for an unavoidable accident
Connected Auto - Risks
User Privacy
• Geo tracking (GPS)
• Driving habits
• Personal schedule
• Theft of user credentials – infotainment services
Connected Auto - Risks
Information Security
• Lack of security by design
  • Patching
  • Long development cycles
• Extortion/ransomware/disablement
• Hacking/loss of control
• Remote car theft
Underwriting Considerations and Challenges
• Who's being "underwritten"?
  • Who is the "driver"?
  • OEM
  • Tier 1, Tier 2, etc.
  • Retrofitter
  • Gearhead/tech head
• Claims adjudication – mechanical breakdown, system corruption, wear & tear
• Mixed 'ecosystem' – traditional, semi-autonomous, autonomous vehicles
• Interplay with products liability claims
FTC Guidance
What Should Companies Be Doing to Address These Risks?
• Make privacy a fundamental feature if sensitive personal information is collected
• Let prospective customers know what you’re doing to secure customer information
• Advise the consumer to change the factory default setting and ensure that process is a simple one for the consumer
• Take advantage of readily available security tools, and test security measures before launching your product
• Design your product with authentication in mind
• Protect the interfaces between your product and other devices or services
• Establish an effective approach for updating your security procedures