LOCKTON COMPANIES
Privacy & Cyber Risk
The Changing Landscape, June 2015
Agenda
1. Introductions
2. How secure is your network? Carl Filpo (CM Technology Group)
3. A Risk Manager’s perspective: Andrew Wait (Lockton)
4. Insurable cyber and privacy protection: Michael Ussher (DUAL)
5. Q&A
How secure is your network?
Carl Filpo, CM Technology Group
A Risk Manager’s Perspective
Andrew Wait, Lockton Companies Australia
Who is Lockton?
Lockton Companies Australia Pty Ltd is a corporate insurance broker providing clients with the
comfort and security of a major international broker, together with the highest levels of service and
client centricity that come from the service team being local owners of the business.
Our Mining industry practice offers clients a unique level of service from a highly experienced
team. Specialist products give peace of mind for mining project risks such as:
A comprehensive package covering exploration activities
Professional exposures associated with raising finance
Physical loss or damage in the construction phase including advance loss of profits
Physical loss or damage during the operational phase including business interruption
Comprehensive Contractors Plant & Equipment including business interruption
Public and Environmental liability
Directors’ and Officers’ liability
Employee All Risks Protection including Expatriate Medical & Evacuation, Personal Accident and Tropical
Disease Death Cover, Kidnap & Ransom
Workers Compensation
Aviation
Cargo and Marine exposures including Protection and Indemnity
Political Risk, Terrorism, Riots, Strikes, Civil Commotion and Malicious Damage
Bonding and Reclamation.
Cyber and Privacy Protection
Beyond the Media Headlines
Whitehaven Coal hoax wipes $300m off market value in minutes (Jan 2013)
WestNet cyber attack could lead to 30,000 personal records stolen (Jun 2015). Potential cost estimate $4.35m.
Bundestag (May 2015) & Stuxnet (Jun 2010) proved cyber viruses can lead to physical hardware damage and service interruption
Divided opinions of the real exposure – reality is very different
2014 - a year of far reaching changes.
Recognised trends:
Attackers are moving faster but defenses are not (e.g. zero day vulnerability & watering holes).
Malware used in mass attacks increases and quickly adapts.
Digital extortion on the rise (e.g. ransomware & cryptolocker)
Leveraging social networks and Apps to find vulnerability.
(Source: Symantec, ISTR 20, April 2015)
The Only Constant is Change
“There are two types of companies, those who’ve been hacked and
those who don’t know they’ve been hacked” John Chambers, CEO CISCO
WARNING - Gratuitous facts to follow …
Globally in 2014 …
17% of all Android apps (>1 million) were actually malware in disguise.
1,000,000 new pieces of malware were released each day.
76% of scanned websites had vulnerabilities. 20% of which were critical.
496,657 web attacks blocked per day.
60% of attacks were directed against small and medium size companies.
(Source: Symantec, ISTR 20, April 2015)
By the Numbers
Australia in 2014 …
Average cost of a breach is $2.8m.
5 million Australians affected.
Cost of $1.06 billion (what is the indirect cost??).
Probability of a >10,000 personal record breach in next 24 months is 18%; the chance of a fire is 0.5%.
Average cost of a stolen laptop is $49,000 rising to $115,000 if undiscovered for more than a week.
(Source: Ponemon Institute, 2014 Cost of Data Breach Study: Australia, May 2014)
By the Numbers
Employee breaches are the leading cause but receive the least attention: 59% of incidents in 2013 were from internal employees.
Focusing on the causes …
(Source: Symantec, ISTR 20, April 2015)
Ratio of Spear Phishing Email Attacks by Industry
Spear Phishing targets individuals or companies to steal information for sale.
Mining industry most targeted with 44% (1 in 2.3) companies.
African countries are often identified as sources and targets due to lower awareness, security and ability to make larger amounts of money (Angola and Mozambique named).
(Source: Symantec, ISTR 20, April 2015)
Targeted Attacks
Security Breach
Understand the key risk drivers and consequences
1. Failure of Internal Processes
Accidental Act of Employee
2. Malicious Insider Threat
Acts of Disgruntled Employee
3. Unauthorised Access - Cyber Attack
Malicious Internal or External Threat
LEVEL 1: Damage to Digital Assets - First Party Loss (Software & Data)
LEVEL 2: Network Interruption (BI) - First Party Loss (System Outage)
LEVEL 3: Privacy Breach - Stolen Data - First Party Loss
Third Party Liabilities
3 Potential Outcomes
3 Root Causes
Cyber Resilience
Cyber Resilience is the ability to prepare for, respond to, operate during and
recover from an incident.
NIST Framework provides a process to build resilience.
Risk based methodology applied proportionately to business context.
Outer ring highlights need to focus on external interactions and sources.
Inner process of governance defines the process for building resilience.
(Source: ASIC Report 429, Cyber Resilience, Mar 2015)
“building resistance is the key as prevention is now impossible!”
Practical Examples of Risk Control
Establish clear security standards.
Areas of concern may include …
- file encryption
- password requirements & sharing
- hardware testing & installation
- hardware access ports
- software installation & updates
- data records management
- removable media
- credit card compliance (PCI DSS)
- Wi-Fi access & traveling
- mobile devices (personal use/company)
Practical Examples of Risk Control
Backup and restoration, reliable hardware usage and offsite storage (DRP)
Monitor network incursion attempts and vulnerabilities
Standards for internet access, social media, email, downloading/streaming
Data breach response plans linked to BCP’s & media communication plans
Incident handling and response procedures
Vendor assessments and relationship management
Power supply controls
Employee training, positive behaviour and culture development
Privacy
Cyber is the primary mechanism for privacy breach
Australian Privacy Principles – personally identifiable and sensitive:
APP 11: security of personal information from misuse, interference, loss,
unauthorised access, modification or disclosure
Federal government introducing mandatory notification scheme for late 2015
Need to consider:
1) the sensitivity;
2) the potential harm to individuals & organisations; and
3) how the company stores, processes and transmits personal
information.
What questions should you be asking yourself?
Develop a clear risk profile to build the best response plan
1. What types of data do you hold?
2. Where is this data stored?
3. Who has access to it?
4. What security is in place to protect it?
5. How will your business operate if you cannot access your data?
6. What steps are in place to restore lost data?
7. Does the continuity plan address cyber threat and data recovery?
8. What is the exposure? (financial, operational, legal & reputational)
9. How can you mitigate the impact? (financially, contractually & operationally)
Who’s at risk?
In a nutshell everyone!!
If the business …
1. has a key activity dependency on computer systems; e.g. electronic billing systems, documentation issuance (e.g. engineering reports), inventory management, remote control systems for mobile plant;
2. has a mobile workforce with laptops, tablets and phones storing sensitive data;
3. has a critical supplier dependency with computer based systems;
4. collects, stores and transacts with customer credit card information;
5. collects, stores and uses personally identifiable information;
6. uses internet connections and especially cloud computing systems.
Take-aways
4 Key Messages:
1. What matters most to your business (identify the exposure)?
2. Understand the threat and exposure (assess the risks).
3. Create an enduring framework (embed the processes).
4. Incident planning and preparation (prepare for the worst).
USEFUL RESOURCES:
1. Symantec, Internet Security Threat Report (ISTR20), April 2015
2. ASIC Report 429, Cyber Resilience: Health Check, March 2015
3. Office of Australian Information Commissioner, Data Breach Notification Guide, August 2014
4. Office of Australian Information Commissioner, Privacy Regulatory Action Policy, March 2014
5. LMI Group, Cyber Security and Insurance, 2014
Insurable Risks
Cyber Liability & Privacy Protection
Michael Ussher, DUAL Australia
o The opportunity
o 3 simple reasons to buy
o Everyone has an exposure
o What’s covered
o Scary Facts
o Claims Scenarios
o Cyber Offer
http://www.youtube.com/watch?v=jSpvmMrCkAo
Agenda
o $2bn market in the USA (was $800m in 2012)
o The opportunity in Australia
o New product = new revenue
o <1% take up
o Every client has an exposure!!
Cyber – The Opportunity
1. New Privacy Act – fines & penalties up to $1.7M for company, $340k for individuals
2. Miami Gold Coast Medical Centre – Russian hackers
3. Lost iPad/ laptop – we’ve all done it!
3 Simple Reasons to Buy
Security Breach … A Risk Manager’s Perspective
1. Failure of Internal Processes
Accidental Act of Employee
2. Malicious Insider Threat
Acts of Disgruntled Employee
3. Unauthorised Access - Cyber Attack
Malicious Internal or External Threat
LEVEL 1: Damage to Digital Assets - First Party Loss (Software & Data)
LEVEL 2: Network Interruption (BI) - First Party Loss (System Outage)
LEVEL 3: Privacy Breach - Stolen Data - First Party Loss
Third Party Liabilities
Data Restoration (internal & external costs)
Software Restoration (purchase of new licenses)
Crisis Management (internal & external costs)
Forensic Costs
Network Security Restoration
Gross Profits
Crisis Management (internal & external costs)
Forensic Costs
Private Data Liability / Regulations
Media Content Liability
Crisis Management (internal & external costs)
Forensic Costs
Defence Costs
Notification Costs
Credit Monitoring
PCI DSS Liability
Contractual obligations
Cyber Extortion Costs
3 Potential Outcomes
3 Root Causes
What is insurable on a Cyber Policy?
Other insurance responses
Tangible Property - ISR COVER
Personal Injury or Death - WC COVER
Arising from employment practices - EML COVER
Arising from claim against Director or Officer - D&O COVER
Hardware failure from manufacturer fault - NO COVER
Arising from a betterment of the system - NO COVER
Violation of sanctions or fraudulent acts - NO COVER
Arising out of disruption from utility, telecommunications, satellites or external services not under direct control of Insured - 3rd PARTY RECOVERY
Not “online” = no risk
Electronic files / records: every business uses a computer or network
Only big businesses at risk
SMEs are easy targets; they lack the security measures of larger businesses
Simple mistakes
Ever left your company phone, memory stick or laptop out at a bar or in a cab?
Unanticipated breaches
Did you know photocopiers contain a chip that records scanned and printed data?
Everyone Has an Exposure
o Includes cover for:
Claims for compensation
Investigations
Fines & Penalties (New Privacy Act)
Defence Costs
Legal Representation Expenses
o Common claim:
Lose your iPad containing confidential client information.
The client sues you for breach of privacy, and
Privacy Commissioner launches an investigation, and issues a fine
What’s Covered: Third Party Claims
o The Insured’s own costs, including:
Credit Monitoring Costs
Cyber Extortion Costs
Data Restoration Costs
Forensic Consultant Costs
Notification Costs
Public Relations Costs
Legal Representation Expenses
o Common claim:
Your systems are hacked, client credit card data is stolen. We will pay:
Reimbursement of ransom payment to a hacker
Costs to notify all affected clients, and monitor their credit cards
Costs to repair your systems
What’s Covered: First Party Cover
o Reimbursement for lost profits, and
o Necessary expenses to maintain business operations
Common claim:
o Online retailer’s systems are hacked and the business is unable to trade, we will cover:
o Lost profits from the interruption
o Additional expenses such as additional call centre staff to handle telephone enquiries from clients trying to buy online
What’s Covered: Business Interruption
Stand Alone v. Policy Extension
o $2.8m average cost of a Data Breach (Ponemon Institute Report 2014)
o 56% of Australian businesses experienced Cyber Crime in 2013 (CERT survey)
o 48% increase in reported Cyber Security incidents (2013 PwC information security survey)
o 59% of businesses were unaware of the Privacy Act Changes (McAfee Survey)
o $145 average cost of each lost or stolen record (Ponemon Institute Report 2014)
Scary Facts
The new Privacy Act
What’s changed?
A new set of privacy principles that covers the handling of personal information by businesses has been introduced.
Enhanced Powers for the Privacy Commissioner
More power to conduct compliance audits of private organisations;
Can apply to the Federal Court or Federal Magistrates Court to compel an entity to comply with an undertaking or to pay compensation for breach of undertakings;
New civil penalties of up to $340,000 for individuals and $1.7 million for companies.
Privacy Legislation
Since then…
Privacy breach: Medical records kept in garden shed - Tuesday, 15 July 2014
The Australian Privacy Commissioner, Timothy Pilgrim, has found a medical centre in Melbourne in breach of the Privacy Act 1988 by failing to take reasonable steps to secure sensitive medical records.
Privacy breach: 254,000 Australian online dating profiles hacked - Wednesday, 25 June 2014
The Australian Privacy Commissioner, Timothy Pilgrim, has found that Cupid Media Pty Ltd (Cupid) breached the Privacy Act 1988 by failing to take reasonable steps to secure the personal information held on its dating websites.
The Privacy Commissioner
Profile: $18M turnover / 80 staff
Background:
Insured targeted with a denial of service (DoS) attack in the last few days of a fundraising campaign. Donors were unable to make donations for a day while the website was down.
What’s a DoS attack?
Hacker floods a targeted system with incoming web traffic until it is virtually crippled.
Outcome:
$1,500,000 paid
Lost donations
Rectifying damage to website
Claims Scenario: Charity
Profile: $5M turnover / 15 staff
Background:
Insured’s website was defaced and included a link to a competing retailer’s website after hackers gained access to the personal information of their customers and took over their website.
Outcome:
$800,000 paid
Loss of income
Costs to repair website
Defence costs for regulatory actions by the Privacy Commissioner
Cost of notifying the affected individuals & credit monitoring services
Claims Scenario: On Line Retailer
Profile: $2M turnover / 8 staff
Background:
Server and client records locked by ransomware.
Only able to get the files released after paying a ransom of $50,000 to hackers.
Outcome:
$150,000 paid
Loss of income
Ransom demand & consultants’ costs to handle & negotiate ransom
Costs to restore network as hackers refused to release files despite ransom payment
Claims Scenario: Law Firm
Questions
Our Mission
To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management
Our Goal
To be the best place to do business and to work
www.lockton.com
© 2014 Lockton, Inc. All rights reserved.
Images © 2014 Thinkstock. All rights reserved.