FORUM 2013 Cyber Risks - not just a domain for IT

Cyber Risks – Not Just a Domain for IT
The Evolving Threat to Companies in Europe and Risk Transfer

Tracie Grella
Global Head of Professional Liability
AIG Property Casualty

1

Client Perception
How Concerned are you about this type
of risk for your company?
1

Cyber Risks

86%

2

Loss of Income

82%

3

Property Damage

80%

4

Workers Compensation

78%

5

Utility Interruption

76%

6

Securities and Investment Risk

76%

7

Auto/Fleet Risk

65%

All audiences agree:

Clients who believe
human error is a
significant source
of cyber risk

74%

Hackers are the
primary
source of cyber
threats

82%
IT is difficult to
keep up with cyber
threats because
they are evolving
so quickly

80%

8/10/2013

2

Cyber Crime Attacks

43%
of organizations in the
EuroZone experienced more
than 3 attacks

65%
of companies across 62 countries
are extremely concerned about
cyber attacks

Causes of a Data Breach

•

Top banks in the UK claims that
cyber attacks now represents a
major threat to their stability

Cyber Trends

•
•

4 of 5

•

Threat Actions: Hacking 52%, Social Tactics 29%
Threat Agents: Organized Crime 52%, State
Sponsored 19%, Insiders 14%
50% of insiders who committed sabotage were former
employees taking advantage of security that was not
disabled

(Verizon Data Breach Report 2013 and AIG)

•
•
•

70% of breaches were spotted by an external party,
9% were spotted by customers
76% of network intrusions exploited week or stolen
credentials
Claim volume up by 67% in 2012 and 71% in 2013
(AIG)
Only 20% of middle market and large organizations
purchase cyber (AIG)

(Verizon Data Breach Report 2013)

DLA Piper CIO Daniel Pollick
“There has been a change in atmosphere in the past 18
months. Governments are taking cyber security more
seriously and are pushing it to the top of business agendas”

3

Country Exposure
Italy:
16,456 hacks against
organizations in 1st
half of 2013, up 57%
from same time
last year

UK: Cost of Cyber Crime is
£27bn
Belgium:
Cost of Cyber
Crime EUR5bn

• Cost to UK Business estimated
£21bn
• Average cost of resolving a data
breach is £2.04m
• Ireland: 37 breaches in 2012 with
68 over last 3 years

Russia: number
of cyber crimes
grew 33% in
2012

8/10/2013

Germany:
Cost to German
business
EUR43bn

• Scotland: total cost of cyber
Crime is £5bn every min lose
£158

4

Business Enterprise Risk
Typical Hourly Cost of Downtime by Industry (in US Dollars)

The
6.48 million

Brokerage Service

Accounting

 Employees can’t access systems

Energy

2.8million
 Consumers can’t access your product

Telecom

2.0You disrupt a 3rd party’s supply chain
million


Manufacturing

 million
1.6Unexpected costs

Typical Hourly Cost of Downtime by Industry (in US Dollars)
Brokerage
RetailService
Energy
Telecom

Healthcare
Manufacturing
Retail
Healthcare
Media
Media

6.48 million
2.8million
2.0 million
1.6 million
1.1 million
636,000

 Reputation damage

1.1 million

 Stock drops

636,000

 Investigations

90,000

90,000

*Source: Network Computing, the Meta Group and Contingency Planning Research


8/10/2013

5

Business Enterprise Risk
Employees can’t access systems
• Down for an extended period
Consumers can’t access your product
• Loss in Net sales
• Infrastructure
• Breach of service agreements

Reputation Damage
• Cost to your Brand
• Consumer churn
• Loss of contracts or other business
opportunities access systems
Employees can’t
• Business lost to competitors
•Coupons and discounts product
Consumers can’t access your

You disrupt a 3rd party’s supply chain
• Inability for upstream production or delivery
• Legal Penalties for breach of contractual obligations

Stock drops a 3rd party’s supply chain
 You disrupt
• Average stock drop related to a cyber
event 5%

Typical Hourly Cost
Unexpected of Downtime by Industry (in US Dollars)
costs
Brokerage Service continuation costs million
6.48
• Business
2.8million
• Energy
Critical computer components damaged
• Telecom
Re-uploading and patching of system critical
2.0 million
software
Manufacturing
1.6 million
• Retail
Replacing lost or destroyed data sets
1.1 million

Investigations
Reputation damage
•Own internal
• Regulatory
Stock drops
•Shareholder Discovery

Healthcare

 Unexpected costs

 Investigations

636,000

Media

The Accounting

90,000


8/10/2013

6

How Insurance Can Respond
FINES

PRE BIND
SOLUTIONS

INCIDENT /
BREACH

INVESTIGATION

NOTIFICATION

FORENSICS

LEGAL / PR

8/10/2013

7

FINES

PRE BIND
SOLUTIONS

Awareness & Education
Loss Mitigation Tools

INCIDENT /
BREACH

INVESTIGATION

NOTIFICATION

FORENSICS

LEGAL / PR

8/10/2013

8

FINES

PRE BIND
SOLUTIONS

INCIDENT /
BREACH

INVESTIGATION

NOTIFICATION

FORENSICS

Cyber Extortion
Business Interruption
Crisis Management

Loss of Clients
Stock Drop

LEGAL / PR

8/10/2013

9

FINES

PRE BIND
SOLUTIONS

INCIDENT /
BREACH

INVESTIGATION

NOTIFICATION
FORENSICS

LEGAL / PR

8/10/2013

Costs to Identify Exposed Records
Contain the Breach
Restore Data

10

FINES

PRE BIND
SOLUTIONS

INCIDENT /
BREACH

INVESTIGATION

NOTIFICATION

FORENSICS

Breach Coach and Legal Defense
LEGAL

8/10/2013

Legal Costs to Aid Victims of ID Theft

11

Austria
Germany
Norway

FINES

PRE BIND
SOLUTIONS

Spain

• Mandatory
Notification
Telecomm
• Countries

INCIDENT /
BREACH

INVESTIGATION

Voluntary Notification
Regulators

FORENSICS
NOTIFICATION

Individuals
Credit Monitoring

8/10/2013

LEGAL / PR

12

FINES

PRE BIND
SOLUTIONS

3rd Party Liability
INCIDENT /
BREACH

INVESTIGATION

Shareholders

Client
Regulatory
NOTIFICATION

FORENSICS

LEGAL / PR

8/10/2013

13

Administrative
FINES

Industry Standards

PRE BIND
SOLUTIONS

PCI
INCIDENT /
BREACH

INVESTIGATION

NOTIFICATION

FORENSICS

LEGAL / PR

8/10/2013

14

Cyber risks – not just a domain for IT

October 1, 2013
Kevin P. Kalinich, J.D.
Global Practice Leader – Cyber Insurance
Aon plc
Kevin.Kalinich@aon.com

8/10/2013

15

Cyber Insurance Outline

•

2013 Evolving Trends
o Financial Statement
Impact
o Board of Directors Issue
o All Industries Impacted

•

Cyber Risk Identification
o Classify, Qualify &
Quantify

•

Risk Mitigation

•

Existing Insurance Policy Gap
Analysis

8/10/2013

16

2013 Evolving Trends


•
•
•

•

EU Organizations increasing reliance on
 Hacker steals data of 2 million Vodafone Germany
evolving technologies
clients
o Mobile (including payments)
 British police arrest eight over cyber theft at Barclays
o Cloud Computing
o Social Media
o Data Analytics (“Big Data”)
o Third Party Vendor Issues
Payment Card Industry Data Security Standards:
Fines & Penalties
Data transfers to US in wake of NSA
Cyber Risks Financial Statement Impact
o Actuarial Modeling
o Board of Directors Liability?
Managing Cyber Security as Business Risk:
Cyber Insurance in the Digital Age (August 2013:
http://assets.fiercemarkets.com/public/newsletter
/fiercehealthit/experian-ponemonreport.pdf)
http://www.emwllp.com/news/confidentialinformation-theft-cases-reach-record-high/
Aon Risk Solutions EMEA
Proprietary & Confidential |

17

E-Business Evolution
Social
Networks

SaaS
On-line
subscription

Outsourcing

Global
Business

Cloud
Computing


Proposed New EU Data Privacy Protection Law
 72 Hour Notice Period
 “Right to be forgotten”
 Penalties up to 2% of global annual turnover
 Take effect two years after adoption

Mobile Apps

18

Cyber Risk Identification

•

Identify & Classify Cyber Exposures (online and offline – hard copy)

•

Qualify

•

Quantify

•

Financial Statement Impact

•

A Checklist for Corporate Directors and the C-Suite: Data privacy & Security Oversight
(http://www.networkedlawyers.com/category/confidential-information-trade-secrets/)

http://www.aon.com/unitedkingdom/products-and-services/risk-services/datarisks.jsp


19

Exposure Analysis


20

Proprietary Cyber Risk Discovery Process

 Procurement
Process
 Vendor
Diligence
 Limitation of
Liability
 Cloud

Customized
Ongoing
Services

 New Products
and/or
Services
 Quality
Controls
 Employee
Training
 Contract
Management
 Dispute
Risk
Transfer
Resolution
Needs
Diagnostic

Program Design &
Marketing

 Content
development/
clearance
 Intellectual
Property
Review


 Data Risks
 Privacy
Policy
 Security
Controls
 Data
Breach
Response
Plan

21

Cyber Risk Actuarial Analysis growing
 RISK vs. UNCERTAINTY
 RISK = Something you can put a
price on
 (e.g. exactly 1 chance in 11 to hit
an inside straight in Texas
Hold’Em)
 UNCERTAINTY = risk that is
hard to measure (e.g. Cyber
exposure frequency & severity)
 “We ignore the risks that are
hardest to measure, even when
they pose the greatest threats
to our well-being”


-- Nate Silver, The Signal
And The Noise: Why So Many
Predictions Fail – But Some Don’t


 Review Comparable Cyber
Losses
 Peer Benchmarking
 Monte Carlo Simulations
 Financial Impact Options
 Risk Acceptance
 Risk Avoidance
 Risk Retention
 Risk Transfer
 Contractual Allocation
 Cyber Insurance
 Risk mitigation is key in all cases
 Board of Directors Liability?????
 Integrate with Enterprise Risk
Management

22

Risk Mitigation
•
•
•

•
•
•
•

Comprehensive Cyber Risk Mitigation Program: Need Management Support
Although IT Security & Use policies are important ----------------it is MUCH MORE THAN AN IT
SECURITY ISSUE
Engage inter-departmental coordination and cooperation
• Risk Management
• Finance/Treasury
• Legal
• Human Resources
• CIO, CPO, CISO, etc.
• IT Security
Education on Legal Exposures: train & monitor employees & all others
Ensure Compliance with Organization’s Privacy Policy regarding 3rd party Personally Identifiable
Information
Data Breach Management Policy – continuously update
Third Party Exposures
• Vendor/Supplier Management
• Contractual Considerations
• Vendor/Supplier Audits


23

Sample 10 Questions To Ask

Question

Takeaways/Possible Conclusion

Do you have an Information Security Policy ?

Most will say yes.
If no, it would suggest a lack of awareness of the issues and therefore
would be unlikely to be ready for the product.

Is it based on any Information Security
Standard?

Ideal answer would be ISO27002 as this is well understood and recognised
by the market.

What is the Governance Structure for
management IS Risk & Controls?

Presence of a structure is an indicator of a mature organisation who
understands and is looking to manage the risks.

How do you maintain assurance of your internal
IT controls ?

If there is an indication that a robust regime in place – a free scan should be
positioned as additional assurance. No evidence is an opportunity for a free
scan, but may also indicate a high risk.

Do you use third party suppliers?

Need for the product is increased if yes; need to find out the scope of
services – if critical, need for cyber risk transfer is increased.

Do you obtain assurance of their Data/Security
Controls?

Ideal answer is yes via a recognised method i.e. SSAE 16/SAS 70 or other
auditing standard. These will be readily accepted as evidence.

What is your approach to the management of
mobile devices?

Every client will have this issue; Laptop and device encryption are key
controls. Lack of an informed response is not a good indicator.

What are your key controls to determine if are
being subject to a cyber attack?

This provides an insight to the monitoring capability of the organisation.
Most have poor levels of control unless they have outsourced a service.

Do you have a Cyber response team or plan?

Key area for extra service sales – most do not and failure to response
quickly enough drives up and final incident cost.

Have you ever needed to complete a forensic
examination of your IT equipment?

As above – often key evidence is destroyed through lack of awareness


24

Can’t ‘traditional’ insurance help?

Property

General
Liability

Malware and
Denial-ofService attacks
do not constitute
‘physical perils’
and do not
damage
‘tangible
property’
CGL Privacy
coverage limited
to ‘publication
or utterance’
resulting in one
of traditional
privacy torts.

Unauthorized
access
exclusions.
E&O

Requires
negligence in
provision of
defined
business
activities.

Crime

Crime policies
require intent…
theft of money,
securities, or
tangible
property.

Generally
Intentional acts
and insured vs.
insured issues.
No coverage for
expensive
crisis
expenses
required by law
or to protect
reputation.

Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap &
Ransom Policies

25

Existing Coverage & Gaps


26

Existing Insurance Policy Claims Trends


Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages
(Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies
impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, “are basic costs
we would cover under our Zurich Security and Privacy Protection policy,” says Zurich. Then if a claim is filed, “we have a
liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a
result.”



State National Insurance Co. v. Global Payments April 2013 $84 Million Declaratory Judgment Action regarding
excess Professional Liability policy: Card association claims do not arise out of negligence from “professional services”
or “technology-based services”



Hartford v. Crate & Barrel and Children’s retail Stores (Declaratory Judgment Action with respect to GL Policy):
– Over 125 Class Actions in California, lead by: Pineda v. Williams Sonoma, 51, Cal.4th 524, 246 P.3rd 612 (Cal.
2011) (Zip codes are personal identification information protected by California’s Song-Beverly Act)
– Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. Filed May 23,
2011);.



Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy) -- Negligence
suit against insurance broker for not placing proper coverage



Tornado Technologies Inc. v. Quality Control Inspection, Inc. (OhioCt. App. August 2, 2012) – no negligence of
insurer for not warning insured to purchase special cyber policy



Retail Ventures v. National Union Fire Ins. (August 23, 2012) Crime Policy Endorsement Applies



Liberty v. Schnucks (August , 2013) Declaratory Judgment filed regarding General Liability policy


27

Scope of Available Coverage

Breac
h

Mitigation

Regulator
y

Liability

• Regulatory
• Individual
• Notification
Investigations
Actions
Costs
• Consumer
• Consumer
• IT Forensics
• Online and offline
Redress Funds
Class Actions
• PR +
breaches
• Civil Penalties
• Suits from
Advertising
• Accidental or “rogue”
• PCI – DSS
business
• Credit
employee actions
Fines
partners
Monitoring
• Breaches caused by
• UK & EU
• Suits from
• “Turnkey”
vendors or
country specific
financial
breach
outsourcers
laws
institutions
response from
• Coverage should be customized based on the nature of the business
carrier partners
o For example, FI consumer facing businesses can face a different liability chain (see recent
ATM’s)
• Additional coverage available:
o 1st Party Business Interruption: Lost revenue due to failed network security
o Information Asset: Loss or costs associated with restoring destroyed data
o Cyber Extortion: Pays an extortion demand to a party that holds the Insured’s system or data
hostage
o Media: Content based injuries (online and may include offline)

28

Insurance Underwriter Issues To Address
I.

Contractual Allocation of liability and hold harmless and indemnity between Insured and each of each counterparties

II.

Are all subsidiaries 100% wholly owned or are there joint ventures?

III. Does Insured comply with regulatory guidelines regarding disclosure of Cyber exposures, mitigation and risk transfer insurance
(ADR’s)?
IV. Review sample contracts from its suppliers as to allocation of liability, hold harmless and indemnity and insurance (name
Insured as “Additional Insured?”) We have set up “affinity” type programs for large players in the Financial Institutions space
where a supplier of the FI can obtain a $1 MM E & O policy for the benefit of the Insured FI
V.

Does Insured have any products or services that are protected from liability due to regulation? If so, what are the services and
products and what are the revenues compared to total revenues?

V.

Do we have a breakdown of revenue by each product/service as the exposures from each are different in both frequency and
severity?

VII.

What percentage of the products and services have been provided for over five years (at least 5 year’s worth of Loss History)?

VIII. What percentage of products and services have been provided for less than one year?
IX.

What type of internal or third party IT security assessments have been conducted? ISO 27001? SSAE 16?

X.

What is the QA process for new products and services?

XI.

What is the escalation process to approve contractual changes with customers?

XII.

What is the escalation process to address and remedy complaints from customers?

XIII.

What percentage of customers are business (B2B) vs. Individuals (B2C)?


29

Optimal Cyber Program

Risk
Tolerance

Maximum
Probable
Loss
Peer
Purchasing
Data

Budget

Contractual
Requirement
s

Insurable
Risks


Scope of
Coverage/
Control

Optimal
Program

Market
Limitations

30

LIMITING THE IMPACT OF CYBER INCIDENTS

Presented by Ben Van Erck
EMEA RISK team

PID#
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

PROPRIETARY STATEMENT

This document and any attached materials are the sole property
of Verizon and are not to be used by you other than to evaluate
Verizon’s service.
This document and any attached materials are not to be disseminated,
distributed, or otherwise conveyed throughout your organization to
employees without a need for this information or to any third parties
without the express written permission of Verizon.

© 2013 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services
are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.
All other trademarks and service marks are the property of their respective owners.
Confidential and proprietary materials for for authorized Verizon personnel and outside agencies only. Use, disclosure distribution of this material is notnot permitted any unauthorized persons or third parties except by by written agreement.
Confidential and proprietary materials authorized Verizon personnel and outside agencies only. Use, disclosure or or distribution of this material is permitted to to any unauthorized persons or third parties except written agreement.

32

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

33

UNDERSTANDING THE WHO
VARIED MOTIVATIONS

VARIED TACTICS

• Aim is to maximize disruption
and embarrass victims from
both public and private sector.

• Use very basic methods and are
opportunistic.
• Rely on sheer numbers.

• Motivated by financial gain,
so will take any data that might
have financial value.

• More calculated and complex in
how they chose their targets.
• Criminals are now trading
information for cash.

• Often state-sponsored.
• Driven to get exactly what
they want, from intellectual
property to insider information.

• Often state-sponsored, use most
sophisticated tools to commit
most targeted attacks.
• Tend to be relentless.


34

ESPIONAGE

STATE-AFFILIATED
ESPIONAGE.
• STATE-AFFILIATED ACTORS PERPETRATED
19% OF ATTACKS LAST YEAR.
• TARGETS ARE NOT JUST GOVERNMENT AGENCIES,
AND NOT JUST MILITARY CONTRACTORS.

• BE AWARE OF THE “KNOCK-ON EFFECT” IN
YOUR SUPPLY CHAIN.


35

DIFFICULTY OF ATTACK


36

WHAT TO WORRY ABOUT

THIS YEAR’S BIGGEST THREATS?
SAME AS LAST YEAR’S.
• Very few surprises, mostly variations on theme.
• 75% of breaches were driven by financial motives.
• 95% of espionage relied on
plain old phishing.
• Well-established threats
shouldn’t be ignored.


37

WHAT TO WORRY ABOUT

WHAT DO ATTACKERS TARGET?
STILL THE TRADITIONAL ASSETS.
• The weak links haven’t changed much:

–Desktops 25%
–File servers 22%
–Laptops 22%
• Unapproved hardware accounts
for 43% of misuse cases.


38

ATTACK VELOCITY

QUICK TO COMPROMISE
• In 84% of cases, initial compromise took hours or less.


39

DETECTION VELOCITY

QUICK TO COMPROMISE
SLOW TO DISCOVERY
• 66% of breaches went undiscovered for months…
… Or even years.


40

INCIDENT RESPONSE PLAN

IT’S NOT ABOUT THE PLAN,
IT’S ABOUT THE PLANNING!
• Develop an IR plan (people, process, technology)
• Mock incident testing

– Table-top
– Fake incident
– Red vs Blue team
• Most important step in your IR process: learning from mistakes (yours and other people’s)

• Stakeholders
• Decision makers


42

Additional Information

• Download DBIR – www.verizonenterprise.com/dbir
• Learn about VERIS - www.veriscommunity.net and
http://github.com/vz-risk/veris
• Explore the VERIS Community Database:
http://public.tableausoftware.com/views/vcdb/Overview and learn
more about this data http://veriscommunity.net/doku.php?id=public
• Ask a question – DBIR@verizon.com

• Read our blog - http://www.verizonenterprise.com/security/blog/
• Follow on Twitter - @vzdbir and hashtag #dbir

43

DBIR: www.verizon.com/enterprise/databreach
VERIS: www.veriscommunity.net/

44

Please fill in the
session feedback
through the
FERMA Mobile app

45

FORUM 2013 Cyber Risks - not just a domain for IT

More Related Content

What's hot

Similar to FORUM 2013 Cyber Risks - not just a domain for IT

More from FERMA

Recently uploaded

FORUM 2013 Cyber Risks - not just a domain for IT